Are They Your Real Friends? Watch Out for This Social Media Scam

As long as social media platforms have been around, there have been hackers attempting to take control of accounts. Remember MySpace? My friends’ page for their band was hacked a number of times, sometimes by malicious strangers, sometimes by overzealous fans. Back then, if a hacker got into your MySpace account, they had access to your friends’ list, private messages, photos, and blog posts. It was a lot, but it’s nothing like the treasure trove of information many of today’s social media accounts contain.

Facebook accounts often contain your real name, email address, birth date, relationship status, and physical address. In addition to storing all your private messages, photos, and feed posts, Facebook is also used to log in to other websites. If a hacker manages to take over your Facebook account, they may have access to some of your other accounts around the web. The same goes for Instagram, which is also owned by Meta.

What Hackers Want

Criminals need all your personally identifiable information (PII) to commit identity fraud or to sell your account to the highest bidder. According to a report from Privacy Affairs(Opens in a new window), the cost of a Facebook account on the dark web is $45. An Instagram account goes for $40.

According to the Identity Theft Resource Center(Opens in a new window) (ITRC), the internet safety organization received nearly 500 social media account takeover reports in the first three months of 2022. That’s up from the 320 the ITRC received in 2021. Experts at the organization say criminals are committing Instagram scams by posing as a “friend” of the victim. The hacker lures in their victim with an email or a private message stating they need help getting back into their Facebook or Instagram account. The hacker sends a malicious link in their message, and when the victim clicks on it they lock themselves out of their account and give access to the hacker.

The demand for hacked social media accounts is high. Don’t let yourself be caught off guard by a scammer. Take the following steps to keep your account locked down and secure. 

• Never click on any links sent to you until you verify they’re from someone you know. If a friend sends you a message that contains a link, attachment, or file, reach out to the friend via a phone call or video chat to make sure they sent you the message. 

• Avoid sharing your personal information with anyone. Scammers build trust with their victims in the hope that they’ll hand over PII. This is especially common in dating scams. You should never share passwords, PINS, codes, or any other type of sensitive information with someone you’ve never met in person.

• Use multi-factor authentication and a strong and unique password on your account. You should also store the password in a password manager. Consider using a hardware security key to protect your accounts that contain the most PII.

• Stop downloading third-party apps within a social media platform. If third-party apps have your information, you may not know where or how it’s being stored. It is another place for hackers to get their hands on your valuable social account credentials. Only download applications from recognized stores, such as the Apple App Store, Google Play, and Microsoft Store.

• Don’t talk to strangers. Isn’t the free exchange of ideas the point of the internet? Maybe it was at one time, but these days, answering a private message from a person who doesn’t have any shared friends with you could be a setup for a phishing scam.

4 easy things you can do to be more secure online — Clarification Please

What to Do If Your Instagram Account Gets Hacked

If you believe your Instagram account has been hacked, here are six steps to take.

1. Check your email account for a message from Instagram. If you received an email from [email protected] that says your email address was changed, you might be able to undo this change by selecting “revert this change” in that message. If additional information was also changed (like your password), and you’re unable to change back your email address, request a security code from Instagram.

2. Request a login link from Instagram. To help Instagram confirm that you own the account, you can request that they send a login link to your email address or phone number. To make a request, visit the login screen, and tap Get help logging in (Android) or Forgot password (iPhone).

3. Enter the username, email address, or phone number associated with your account, then tap Next. If you don’t know the username, email address, or phone number associated with your account, tap “Need more help?” and follow the on-screen instructions.

4. Select either your email address or phone number, then select Send Login Link.

5. Click the login link in your email or a text message (SMS) and follow the on-screen instructions.

6. Request a security code or support from Instagram. If you’re unable to recover your account with the login link sent to you, you may be able to request support for your hacked Instagram account. For more information on how to do this, visit Instagram’s Help Center for step-by-step instructions.

Like what you’re reading? Get an extra story delivered to your inbox weekly. Sign up for the SecurityWatch newsletter.

What Else Is Happening in the Security World This Week?

How to Create a Strong Password Generator. Do you trust the passwords created by third-party software to be truly random and safe? No? Here’s how to build your own random generator for uncrackable passwords.

US Jails Ukrainian For Hacking 6,000 Servers and Selling Access To Them. Glib Oleksandr Ivanov-Tolpintsev cracked the passwords to more than 6,000 online servers and then apparently sold access to them on an illegal marketplace called xDedic.

Hackers Reportedly Gain Access to Drug Enforcement Administration Data Portal. Never has the term “epic fail” been more accurately used to describe what happened.

Texas Man Gets 5 Years for Buying Stolen Logins for 38K PayPal Accounts. Marcos Ponce stole an estimated $1 million in funds from the affected PayPal accounts.

EU Proposal Could Sacrifice Privacy to Address Child Abuse. The commission says it wants to establish new rules that would require companies to scan for child sexual abuse material as well as “grooming,” but critics have mass surveillance concerns.