Here's an edited version of a post about Facebook account cloning I posted last year (2017) which has been getting a lot of hits recently.

Heads-up!! Almost every account is being cloned. Your picture and your name are used to create a new Facebook account (they don’t need your password to do this). They want your friends to add them to their Facebook account. Your friends will think that it’s you and accept your request. From that point on they can write what they want under your name. I have NO plans to open a new account. Please DO NOT accept a 2nd friend request from “me”. Please forward to all your contacts.

Clearly this is the Facebook equivalent of a chain letter, but that doesn’t necessarily mean it isn’t true, does it?

Well, it's certainly true that Facebook accounts do get cloned, but it doesn’t happen as regularly as this implies. Snopes – always a good resource for checking potential hoaxes and chain messages – classifies it as ‘partly true’ and includes this and three other examples of the messages that have circulated. David Mikkelson also points out that it’s far from new and doesn’t entail real ‘hacking’.

Clearly, this article was mostly focused on a warning that was widely circulated on Facebook for some time, rather than on the mechanics of cloning. However, I do know that some of my own friends and acquaintances have had their accounts cloned recently, and it may be that there's an uptick in the scam that has resulted in an awful lot of people reading the article above in the past few days. There have also, though, been many instances of Facebook users receiving a message along these lines:

Hi....I actually got another friend request from you yesterday...which I ignored so you may want to check your account. Hold your finger on the message until the forward button appears...then hit forward and all the people you want to forward to...I had to do the people individually. Good Luck!

There are quite a few sensible pages discussing this message, which is not very useful, even if it's not a complete hoax (or worse). I've listed a few useful and relevant informational resources at the end of this article, but they don't necessarily look at either message in the context of the wider problem.

I'm hoping that presenting this article in the form of an FAQ (Frequently Asked Questions) list will make many of the issues around Facebook hacking and cloning – not the same thing! – a little clearer.

1. I got this message… Now what?

This latest message has been sent to many, many people whose accounts have not been cloned and from whom "another friend request" has probably not been received. Perhaps (let's be charitable…) the section from "Hold your finger on the message…" was intended to be offered as a template for people who do receive superfluous friend requests, but there is no text included to convey that idea. What's more, even if that was the intention, I could hardly recommend it as a template.

Suppose you receive this message. It doesn't tell you how to check on whether your account has, in fact, been cloned. It doesn't tell you what to do. It doesn't even tell you to warn other people not to accept new invitations from you (which might actually be a useful item of information to pass on). It simply puts the Fear of Facebook into the people to whom you send it, causing them to think that it's their account that has been cloned, which may or may not be the case, but probably isn't. Even if your account has been cloned, forwarding the message to lots of people whose accounts haven't been cloned is worse than useless. Yet that is exactly what some people have done.

2. What is cloning?

Scammers spoof the accounts of legitimate Facebook users, using the victims' names and stealing images and personal information from their accounts.

3. Why do they do it?

If the scammers trick a few people into becoming their friends, they can use the fake accounts to send scam messages to their new ‘friends’. (Sadly, it's not the priceless photographs of what you had for dinner or where you've been walking that the scammers are interested in - it's your Friends List…) The recipients will be more susceptible to falling for the scam because the message seems to come from a friend. The scam might (for instance) be:

  • Some sort of 419 (advance fee fraud) scam. There are many types of scheme that fall into this rather broad category. Most of these work on the basis of offering the victim some financial or other benefit such as a share in a transfer of funds, but first require some sort of payment. Some, though, simply threaten various undesirable consequences up to and including assassination if the victim doesn't pay up. The term 419 comes from the relevant section of the Nigerian penal code, but scams of this sort are perpetrated from many other parts of the world.
  • A 'Londoning' or 'Friend in trouble' scam. ("I've been mugged on holiday in London [or wherever], please send money so I can come home"). These are often included in the 419 category.
  • A phishing attack intended to obtain Facebook or other credentials.
  • An example of Facebook clickjacking (or more correctly, clickbaiting): your 'friend' sends you a link that looks as if it leads to interesting/unusual/dramatic videos, news, celebrity gossip, or (literally) fabulous offers and prizes. Instead, it leads to a survey scam, or worse.

The scammers might also use the new 'friendship' to access personal information, maybe even as part of a data aggregation attack that helps them commit full-blown identity theft.

There are, of course, all too many other possibilities.

4. Why do people respond to these requests?

There could be a number of reasons.

  • Some people will still accept any friend request, whether or not they recognize the sender. You'd think they'd know better by now, but Facebook does tend to encourage scalp-hunting – um, acquiring as many friends as possible…
  • People with lots of FB friends may forget they're already friends with the apparent requester.
  • They may assume the owner of the real account has inadvertently unfriended them.
  • They may assume that the owner of the real account has changed the account for some reason, maybe because it has been hacked.

Either of those last two assumptions may be correct, but they're not safe assumptions.

5. What if someone has sent me a second request?

So don't make any of the assumptions in section (4): check with your friend. If no such request was sent, refer the friend to sections 5 and 6 below. Consider making contact face-to-face, by phone, or by email, rather than through Facebook.

6. What can I do to check that my account has (or hasn't) been cloned?

An obvious measure is to put your own name into the Search box above your news feed and see if you have a doppelgänger. You could also ask one or two of your Facebook friends – especially if you have some that you know are security-savvy – whether they've received a duplicate friend request, apparently from you.

The chances are, of course, that there are other people on Facebook who really do have the same name as you. There are measures you can take to get a clone account removed, but you will need to be sure that you're not about to victimize someone who simply happens to share your name.

7. What do I do if I think my account has been cloned?

Don't forward that unhelpful message telling people that their accounts have been cloned. And don't panic and set up a new account: it's the imposter whose account should be trashed. Facebook has a helpful article on "How do I report an account or Page that’s pretending to be me or someone else?" Remember, the cloner hasn't actually hacked the account.

And yes, it would be a good idea to put up a post letting your friends know there's a clone about.

8. How do I know my account hasn't been hacked?

Facebook changes where it puts menu items every so often, and it may vary from device to device. However, you need to find the Settings menu, and the Security & Logins page option should show you "Where you're logged in". Unfortunately, Facebook's grasp on geolocation is often amusingly imprecise: you may find that it thinks you're quite far away from your real location, which casts doubt on its ability to show a login from a dubious location. Still, if you're in Ireland and Facebook displays logins from Eastern Europe, it's probably a good idea to investigate further. If there is a current login that clearly isn't you, you may be able to log that device out, and take the opportunity to change your password before that user logs back in.

Even if no one is currently piggybacking on your account, there are a number of options on the Security & Logins page that will reduce the risk of someone else using your account: two-factor authentication, enabling notification of unrecognized logins, and so on.

9. How can I prevent cloning?

You can't. Not least because Facebook insists on making some of your profile information public, meaning that anyone at all can access it, and your name and profile picture are enough to set up a fake version of your account. However, there are a number of privacy settings you can edit. Setting your Friends List so that only you can read it vastly reduces the risk that your friends will be contacted by a cloned account.

To quote my earlier blog post again:

Facebook users who make a lot of information about themselves public make it easy for a cloner to use images and information to set up a fake account. Several scams such as 'Londoning' depend on the cloner being able to contact the friends of the owner of the genuine account. While you can’t eliminate the possibility of your account being cloned, you can lower the risk by reducing the value of your account to the scammer. You can do this by tightening your privacy settings: obvious ways of doing this include setting your account so that only friends can see your post

How can I prevent clickjacking/clickbaiting?

Even your real friends might unknowingly send you a dangerous link. The difficulty is establishing what constitutes 'dangerous', and I can't give you a definitive list of 'suspicious' items, except in so far as any link posted on a Facebook feed could be dangerous. Links reflecting a mutual interest are more likely to be innocuous. The kind of generically attention-grabbing links already mentioned - interesting/unusual/dramatic videos, news, celebrity gossip, or (literally) fabulous offers and prizes – are more typical of the kind of social engineering beloved of hackers, scammers, and purveyors of malware.

More general advice

Many Facebook users find themselves receiving invitations to connect with people far beyond their circle of direct personal acquaintance. Indeed, Facebook actively promotes the idea that you should make as many 'friends' as possible. I certainly won't tell you not to connect with friends of friends, or people with shared interests encountered in groups or on special interest pages. However, a lot of unsavoury people manage to establish a presence on social media in general and Facebook in particular, and you can't rely on Facebook – or, come to that, on security software – to filter them out. If you're not prepared to be cautious, sooner or later you're going to connect with someone whose intentions are not benevolent.

While Facebook's devotion to its users' security and privacy is by no means always to be assumed, it does offer settings that enhance security and privacy. However, those safer settings are not necessarily the default. It's well worth finding out what your current settings are, and how to improve them. (See also section 8 above.)

Further information

More about the hoax message:

Cloning/fake pages and profiles:

Or comment on this post, and we'll do our best to answer any questions you may have.