18.06.2024 - A few months ago, a popular influencer contacted the National Cyber Security Centre (NCSC) because his Facebook account had been hacked. Social media presence and follower engagement is central to his profession. After Facebook closed the account that had been hacked, he set up a new account – but the story wasn't over yet.
The hacked account
The NCSC received a report of a hacked social media account a few months ago. Scammers often hack accounts either by guessing passwords or using passwords that they have obtained through phishing, but in this case it wasn’t clear how it had been done. It was also difficult to tell whether the influencer's public following had anything to do with the incident, but no evidence to suggest this has been found.
After the takeover of his account, the victim tried to contact Meta, the owner of Facebook, in order to regain access to his account but was ultimately unsuccessful. Experience has shown that the operators of the largest social media platforms often react to such requests very cautiously or not at all. This is probably due at least in part to the massive flood of incident reports they receive.
Nevertheless, Meta closed the victim's account after some follow-up, rendering it inaccessible to both the original owner and the fraudsters. This was very annoying for the victim because the account had a large number of followers, but still better for his reputation than having the account misused for fraudulent purposes.
He then put a lot of effort into establishing a new Facebook profile and thought that was the end of the story.
The follow-on fraud
Months later, it turned out that the fraudsters had been waiting for just that moment. As soon as his new profile was up, scammers posing as Facebook staff got in touch via Facebook Messenger and offered to recover his old account – he would just need a little patience.
But it wasn't long before the requests for money began, and at first the influencer complied, hoping he could get his old account back after all. The fraudsters used psychological tactics, skilfully interweaving demands and promises.
After a while, some obvious errors crept into the fraudsters' communication and the victim became suspicious. For example, the fraudsters briefly took a very familiar tone with him – including terms of endearment – and then a few hours later they were formal again, and after that they even became rather gruff and threatening. At one point, the scammers briefly started writing him in a different language.
All of this suggests that the fraud is not the work of an individual, but rather a criminal group that is running a number of scams simultaneously in different languages. In fact, it could well be that none of the criminals actually speaks the victim's language. Online translators and artificial intelligence make a lot of things possible, but noticeable errors can happen quickly if the fraudsters catch the wrong browser window when copying and pasting text, for example.
In terms of communication, the fraudsters were obviously poorly organised and careless – which makes it all the more incredible that they seem to have waited for months until the victim created a new account. It could be that they keep track of their victims over a longer period of time so that they can strike again at the right moment, or perhaps one group hacked the victim's account and another group later obtained information about it on the darknet.
Recommendations
- File a complaint with the cantonal police if you notice that an unauthorised person has gained access to your social media account or if you have lost money as a result of a scam.
- Be alert to inconsistencies and errors in communications (unusual formulations, shifting levels of formality, mixing up languages).
- Securing your accounts with two-factor authentication makes it much harder for fraudsters to take them over.
- Break off communication as soon as you realise that you are dealing with fraudsters. Save all evidence (chats, emails, screenshots, etc.), especially if you have lost money.
- Inform the platform operator about the attempted fraud.
Current statistics
Last week's reports by category:
Last modification 18.06.2024
