Facebook account takeovers are targeting people you know, turning friendship into fraud
Go Public finds dozens of instances of the same scam running rampant on the site
For three days, Lesa Lowery says she could do nothing but watch as a fraudster impersonated her on Facebook, swindling her friends out of thousands of dollars for goods that didn't exist.
The entire time, Meta — the company behind the social media site that has billions of users worldwide — ignored the crime.
"I just felt helpless," said Lowery, who told Go Public her account was taken over by the fraudster in early March. "I literally sat there and cried," she said.
"I felt really bad for everybody whose money was taken." She'd connected with hundreds of people on Facebook, many of whom she'd lost touch with in person.
A Go Public investigation found Lowery is one of many being targeted by a scam the social media giant is allowing to run rampant on its site.
Here's how it works: After locking a user out of their account, the scammers begin impersonating the user and claiming an elderly parent has moved into long-term care and that they are selling off some belongings.
"It was a multitude of really good things — hot tubs, trucks, tractors and all these people were messaging," Lowery, from Sussex, N.B., said of the post on her Facebook page.
She could see the posts offering items for sale, but wasn't able to access the direct messages people were sending the scammer.
It's called an account takeover. Once the account is hijacked, the attacker can post publicly and access the victim's contacts and private messages.
It's just one example of big social media players, including Meta, making billions from users while failing "to protect them in such a basic way," said cybercrime expert Claudiu Popa, author of The Canadian Cyberfraud Handbook and a cybersecurity expert who advises government and companies.
Meta — which also owns Instagram, Messenger, Threads and WhatsApp — made about $185 billion Cdn in revenue last year, a 16 per cent year-over-year increase, according to its 2023 annual report.
"There is no customer service," Popa said. "And as a result, what starts as a small issue is exacerbated into a massive identity theft or identity fraud."
In an email to Go Public, Meta said it has "over 15,000 reviewers across the globe review potential violations on Facebook and Instagram," noting that they receive "in-depth training."
But it didn't say why its systems are failing to catch the retirement home scam that's all over the site.
'Embarrassed that I had fallen for it'
In Lowery's case, the scammer accessed her account after sending an email that looked like it was from Facebook.
It said her account had been compromised and that she needed to change her password. When she clicked the link in the email, she was asked to input her old password and choose a new one.
Now armed with her password, the fraudster was able to access Lowery's account and take it over, locking her out.
When she was finally able to regain access to her account days later, Lowery found that her online friends had been swindled out of a combined $2,500 in the form of deposits for the items they thought they were buying.
Lowery says several of her friends reported the crime to Facebook as it was happening, but Meta did nothing to stop it.
When they tried to post warnings on the page itself, the scammer would delete the warnings and block them. Lowery's former neighbour, Carol Stevens, lost $250.
The two hadn't seen each other for years after Stevens moved away, but they kept in touch through Facebook.
"I never felt pressured. I never got the feeling that I had to be rushed to put a deposit down," Stevens said about her online conversations with the fraudster.
"I would not have fallen for it, except that I thought it was my friend Lesa and she's the most honest, trustworthy person I know."
Stevens intended to buy more, but was tipped off to the scam when the bank receipt she got from the first e-transfer she sent on Mar. 6 had a name on it that she didn't recognize.
"I felt embarrassed that I had fallen for it," said Stevens, who reported the crime to the Canadian Anti-Fraud Centre (CAFC).
"I didn't realize that someone could take over a page … and then pretend they were them in a chat on Messenger."
Go Public confronts scammer
More than 16,000 Canadians reported being victims of cyber fraud in 2023, totalling almost $429 million in losses, according to the CAFC.
Those are the highest fraud losses on record, according to the organization. And that's just the tip of the iceberg. According to the CAFC website, only an estimated five to 10 per cent of fraud is ever reported.
Go Public found dozens of other fraudulent posts on Facebook using the same scam to trick users out of money by making them think they're dealing with trusted friends.
Many of the posts use the same wording and even the same photos. Posing as a customer, Go Public contacted several of the scammers behind the fraudulent posts, asking to buy generators that were posted for sale between $800 and $1,500.
One responded within minutes, impersonating the Facebook account owner for about an hour while negotiating the price, and even offering to deliver the item.
The fraudster asked for a $300 deposit to be sent through online payment service PayPal.
When Go Public revealed we were investigating Facebook frauds and asked why they were scamming people and if Meta had ever shut them down, the fraudster replied with a smirking emoji.
AI fuelling fraud
Cybercrime expert Popa says scammers are using artificial intelligence-powered servers to identify potential victims and their email addresses, and to create emails that are specific to the social media sites people use, or the businesses they engage with.
"If you've got the right logos and the right username … people are more likely to click and get infected and get defrauded," he said, noting that AI can also be used to match someone's writing style and tone.
A U.K.-based tech market research agency, Sapio Research, surveyed more than 600 senior cybersecurity experts from U.S. companies last year.
The majority saw an increase in cyberattacks in the past year, and 85 per cent of those believe those attacks were likely powered by AI.
Regulation needed: expert
In March, a group of 41 U.S. state attorneys general demanded that Meta provide support for users after a "dramatic and persistent spike" in complaints about account takeovers, exactly what happened to Lowery.
They noted Meta's massive layoff of around 11,000 employees in November 2022, which reportedly focused on the "security and privacy and integrity sector."
Meta responded to the group, saying it's taking steps to address account takeovers. But it's not clear what those steps are.
Meta announced layoffs of another 10,000 employees in March 2023. When Go Public asked if all the layoffs impacted the company's ability to respond to fraud, Meta did not answer the question.
Instead, the company said, "To detect malicious activity and help protect people … we also constantly improve our detection, enforcement and support systems."
Popa says regulations are needed for organizations like Meta that collect sensitive data, and he says companies should be required to have customer service in place to deal with fraud quickly.
"Whether it's human or an AI, the organizations need to respond to people's actual needs," he said.
Go Public asked Public Safety Minister Dominic LeBlanc and Public Safety Canada if regulations are being considered. They didn't answer the question.
Until that happens, Popa offers this advice for staying safe online:
- Create shortcuts to your favourite sites and always use them to access your top sites and accounts, so you never have to depend on links from emails that could easily be fake.
- Never reuse passwords and always use two-factor authentication. "Convenience is the opposite of security," he said.
As for Lowery, she was only able to get back into her account days later, when Facebook asked her to confirm her identity by uploading a photo and official identification — in her case a passport.
Both Lowery and Stevens say Meta should be doing a better job of responding to fraud on its platform.
"When Facebook first came out, it was a great way for people to keep in touch with people. It wasn't a multitude of ads and scams," Lowery said. "They should start taking control of that."
She says she can't help but blame herself for falling for the scam, but knows she's one of many that get sucked in.
"I always thought I was so Facebook savvy, you know, that would never happen to me," she said. "But it's so easy."
Lowery has since shut down the account the scammer used and opened a new one that only includes friends she keeps in touch with outside of Facebook.
She and Stevens reported what happened to New Brunswick RCMP and the Canadian Anti-Fraud Centre, but haven't heard anything since.
Go Public is an investigative news segment on CBC-TV, radio and the web.