Earlier this week, I noticed my friend and classmate posting a Facebook profile photo of another friend with a changed name. I first thought he was mocking the other friend (let's call him Nandu). However, I soon received a frantic phone call from Nandu saying someone had hacked his account and changed his profile name. I calmed him down and then guided him on how to regain control of his Facebook account. I also asked Nandu to change the password and use multi-factor authentication to log in to his Facebook account immediately. He did that. However, the story does not end there.

I also discovered that the accounts of two other friends, who were also listed as friends on Nandu's Facebook account, were hacked. Someone changed the names on their profile pages, just as they had done with Nandu's account, and started sending friend requests to all the people listed in these three profiles. I helped those two friends regain control of their Facebook accounts (more about this later) and gave them the same advice about using a robust password and multi-factor authentication. All three sent messages to their contacts about how their Facebook accounts were hacked and asked them not to entertain recent friend requests in their names.
Hacking social media accounts and stealing information, including photos, is not new. It has been going on ever since social media started becoming popular. This, and many similar scams, remain the modus operandi of cyber fraudsters: impersonating a government, regulator or bank official; luring people to invest money under the pretext of bumper profits in a very short time; threatening people with the claim of 'dangerous' courier packages containing drugs and contraband sent in their name; and asking people to click on links for quick completion of a 'mandatory' action or to download files or apps.
All these scams are cyclic in nature. They tend to repeat after a certain period, like frogs appearing every year with the rains. In Moneylife's newsroom, we call them 're-cyclic' scams.
Fraudsters target social media accounts for varied reasons—financial gain, data theft, spreading misinformation and even personal vendetta. The methods and motivations behind these hacks vary, but knowing the common techniques and the matching preventive measures can protect you from phishing, malware, password cracking, social engineering, credential stuffing (using previously stolen usernames and passwords) and SIM swap.
In phishing attacks, fraudsters send emails or messages that appear to come from a legitimate source, such as a social media platform like Facebook. For example, you may receive an email claiming to be from Facebook asking you to verify your account by clicking a link and entering your password on an authentic-looking but fake login page designed to steal your credentials.
Downloading a seemingly harmless app or clicking on a suspicious link that installs a keylogger helps hackers capture keystrokes, steal stored passwords and provide unauthorised access to the device and account details. This is a malware attack.
Hackers use automated tools readily available on the dark web to guess passwords through brute force attacks or exploit weak passwords. Common (read: lazy) passwords like '123456' or 'pass123' are too easy for even a basic password-cracking tool.
In social engineering scams, hackers manipulate account users by exploiting human psychology to reveal or share confidential personal information. For example, a hacker with basic info about you may pretend to be a government official or executive from your bank and ask you to share your login details or verification codes.
Hackers also use previously stolen usernames and passwords from other breaches to gain access to social media accounts. If you use the same password across multiple sites, a breach on one site could lead to compromises on others.
Subscriber identity module (SIM) swapping is neither too easy nor too hard for 'dedicated' fraudsters. They convince the telecom operator to issue a new SIM card for the victim's mobile number by submitting know-your-customer (KYC) documents. These documents could be genuine or fake, and fraudsters use 'convincing' power (successfully explaining why the face does not match the photo or why the fingerprints are not working) or 'sympathy' (saying the original mobile user is very sick and bedridden and can't visit the shop to get a new SIM for the lost mobile!).
SIM swap allows hackers to bypass two-factor authentication that relies on one-time passcodes (OTPs) delivered by SMS or voice call, since those now arrive on the fraudster's SIM, and thereby gain access to the victim's account.
This brings us to the most crucial question: How can we protect our social media accounts from hackers? While there are no foolproof measures or methods to protect your social media account from being hacked, here are a few suggestions on how to safeguard it.
Use strong, unique passwords: Create complex passwords with a mix of letters, numbers and symbols. Avoid using the same password across multiple sites.
Enable multi-factor authentication (MFA): Use MFA to add an extra layer of security. Even if your password is compromised, the hacker would still need access to the second or multi-factor, usually available on your phone.
Instead of opting for OTP through SMS as the second factor, I suggest using authenticator apps like Microsoft Authenticator or Google Authenticator. These apps generate six-digit passcodes (authentication codes) on your mobile device (if you are using the app) or in a web browser to help you sign in to online accounts. They implement multi-factor authentication using the time-based OTP (TOTP) and hash-based message authentication code (HMAC)-based OTP (HOTP) algorithms. HOTP is an event-based algorithm that derives each OTP from a shared secret key and an event counter; TOTP is the same construction with the current time used as the counter. Because the code is computed on your device from the shared secret, nothing travels over SMS for a SIM-swapper to intercept.
Be wary of phishing attempts: Do not click on suspicious links or download attachments from unknown sources. Always verify the sender's email address and be cautious of urgent or alarming messages.
Update software/apps: Ensure the operating system (OS), browser and all apps are up-to-date with the latest security patches.
Use security software: Install and maintain reputable antivirus and anti-malware software to protect against malicious attacks.
Regularly monitor account activity: Check your account activity regularly for any unauthorised actions. Most social media platforms offer a way to see recent logins and connected devices.
Educate yourself about social engineering: Be aware of the tactics used by fraudsters and always verify the identity of anyone asking for your personal information or financial credentials.
Secure your mobile device: Use a strong passcode and biometric locks. Do lock apps on your mobile, especially those you use for financial transactions and social media. Also, avoid jailbreaking or rooting your device (unless you know how to use such devices) as it can bypass built-in security measures.
Backup data: Regularly back up important data so that you can recover it if your account is compromised.
Use privacy settings: Adjust privacy settings on your social media accounts to limit the amount of personal information that is publicly accessible. Avoid sharing personal information or photos from your personal life, including those of your near and dear ones.
By understanding the methods used by fraudsters and taking proactive steps to secure your accounts, you can significantly reduce the risk of your social media accounts being hacked.
How do you recover your hacked Facebook account?
According to Facebook, your account may have been hacked if you notice that the email address, password, name or birthday has changed. If you notice friend requests sent to people you do not know, messages that you did not write, or posts or ads that you did not create, then your account may have been compromised.
If you think your account has been hacked or taken over, you need to visit https://www.facebook.com/hacked to secure your account. Facebook will ask you to change your password and review recent login activity.
If the email address associated with your account is changed, Facebook allows you to reverse this. When an email address is changed, it sends a message to the previous email account with a unique link. You can click this link to reverse the email address change and secure your account.
If the hacker has changed the mobile number and email ID of your Facebook account, then you need to visit https://www.facebook.com/login/identify. Here, you need to fill in the required details to search for your account, then fill out a form and answer a few security questions. Facebook reviews these details and sometimes may ask you to share a valid ID proof to match the information you first submitted while creating the account. If everything matches, you will be allowed to recover your account and change your password and other details.