A few days ago I returned to my office after a meeting to find emails and voicemails telling me that someone was sending Facebook Messenger messages pretending they were from me. The first message sent was an innocuous “Hello, how are you doing?” But if the recipient engaged, it quickly turned into how I got a $300,000 government grant to pay off my bills, and tried to convince the recipient to send an email to “the agent in charge” to see if they were eligible. I suspect if followed through it would either ask for payment of a loan application fee, or ask for credit card or other personal details.
Fortunately, it didn’t take long for my followers to realize it was a scam and not me.
This government grant scam is a well-known approach. Typically one of two things has happened: either the scammer has broken into my Facebook account, or they have taken my name and photos from my public Facebook presence and set up a cloned (“spoof”) profile that impersonates me and messages my friends.
Some digging into my Facebook profile, history, and security settings showed it was more likely a spoof than a hack. I use strong passwords generated by a password manager for each account I have. So it is unlikely that my password was compromised, unless there was some weakness in an app I have allowed to access Facebook. (For that very reason I allow very few apps to connect with Facebook.)
But just in case, I changed my password, set up two-factor authentication, and an email alert to notify me of questionable login attempts. I have that set up on other platforms, but had not on Facebook. I hadn’t bothered before because I have very little personal info on Facebook. The mistake I made that allowed the spoofer to send messages to my friend list was to have my friend list open for everyone to see. Too late for this scam, but I changed that anyway.
I also posted a message on Facebook letting people know it was not me.
It is frustrating how difficult it is to report this to Facebook in case they can stop (or at least make life difficult for) the spoofer. Facebook has lots of ways to report various things – but they are all set up for very specific things – none of which worked in my situation. Recipients can report it (there is a “report spam or abuse” option on the gear icon beside the sender’s name) – but I can’t. There used to be a basic way to report things when they didn’t fit the methods provided – but that seems to be gone. And it’s not just Facebook that does that. The thread one of my friends sent includes a Gmail address for the “agent in charge”. But reporting that to Gmail to try and disable the address isn’t easy. Their spoof/scam reporting method works only if you have received an email from the address – as the email header is a required field.
So how do you tell when you get a fake message, and what do you do about it?
The usual scam and phishing warning signs apply. The message is out of character for the sender, or grammatically odd. A Gmail or similar free webmail address is given rather than a corporate or agency one. The message tries to get information or money out of you, or steers you off the platform to email or phone. If in doubt, contact the sender some other way (a phone call, a different app) to confirm it is really them. Facebook and other messaging platforms have ways to report malicious messages. The person being impersonated will appreciate it if you take a minute to let them know and report it.
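The warning signs above can be turned into a few mechanical checks. The following is an added example, not code from the original post, showing a small rule-based scorer that looks for a free webmail contact address, a dollar amount, money and grant vocabulary, a request for action, and an attempt to move the conversation off the platform. The sample messages, the threshold of three flags, and the address grant.agent.office@gmail.com are all constructed for the example.

```python
import re

# Constructed sample messages (not quotes from the original post): the bland
# opener and a grant pitch of the kind described above, plus a benign message.
# The gmail address is made up for this example.
SAMPLE_MESSAGES = {
    "opener": "Hello, how are you doing?",
    "pitch": ("I got a $300,000 government grant to pay off my bills! "
              "Send an email to the agent in charge at grant.agent.office@gmail.com "
              "to see if you are eligible."),
    "benign": "Are we still on for the 3pm meeting? I'll bring the slides.",
}

# Free webmail providers a scammer uses instead of an agency or corporate domain.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "aol.com"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
AMOUNT_RE = re.compile(r"[$£€]\s?\d[\d,]*")
MONEY_WORDS_RE = re.compile(
    r"\b(grants?|loans?|fees?|bills|credit card|gift cards?|wire|bitcoin)\b", re.I)
REQUEST_RE = re.compile(r"\b(send|contact|apply|eligible|verify|confirm|pay|reply)\b", re.I)
OFF_PLATFORM_RE = re.compile(r"\b(email|e-mail|whatsapp|text me|call)\b", re.I)


def contact_addresses(text):
    """Email addresses mentioned in the message; useful when reporting the scam."""
    return EMAIL_RE.findall(text)


def scam_flags(text):
    """Return the list of heuristic warning flags raised by one message."""
    flags = []
    domains = {addr.rsplit("@", 1)[1].lower() for addr in contact_addresses(text)}
    if domains & FREEMAIL_DOMAINS:
        flags.append("freemail_contact")      # "agent" reachable only at a webmail address
    if AMOUNT_RE.search(text):
        flags.append("money_amount")          # a specific sum is dangled or requested
    if MONEY_WORDS_RE.search(text):
        flags.append("money_keywords")        # grant / loan / fee vocabulary
    if REQUEST_RE.search(text):
        flags.append("asks_for_action")       # wants you to do something
    if OFF_PLATFORM_RE.search(text):
        flags.append("moves_off_platform")    # steers you to email / phone / WhatsApp
    return flags


def verdict(text, threshold=3):
    """Classify a message by how many independent flags fire (threshold is an assumption)."""
    n = len(scam_flags(text))
    if n == 0:
        return "no flags"
    return "likely scam" if n >= threshold else "suspicious"


if __name__ == "__main__":
    for name, msg in SAMPLE_MESSAGES.items():
        print(f"{name:7s} {verdict(msg):12s} {scam_flags(msg)}")
```

Note the caveat this makes visible: the opener (“Hello, how are you doing?”) raises no flags at all, which is exactly why these scams start with a bland greeting. Mechanical checks only catch the pitch; the “out of character for the sender” signal still needs a human who knows the person, and a message that merely mentions money (“pay me back the $20 from lunch?”) should land in “suspicious”, not “likely scam”.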