Sarah still remembers the panic she felt when she woke up one morning and found she couldn’t access her Facebook profile.
Instead, she says she was greeted with the face and name of an unknown man, who appeared to be using her account.
Sarah’s profile used an old business email that she no longer had access to, so she couldn’t check for messages. She also didn’t receive the emails from Facebook notifying her of the change to her password.
“I was panicking,” she told SBS News.
The Sydney mum set up her Facebook account in 2007 and admits she chose a fairly basic password that she hadn’t changed — something she now realises was a mistake.
Sarah, who did not want to use her full name, said her account had been set to private and was connected to around 300-400 friends and family members.
She used it to post photos of her family every few weeks and was worried that her connections would be scammed by the person who had taken over her account.
But, as far as she knew, none of her connections were targeted, and she didn’t understand why her account had been stolen.
She said it took her six months to get her account back, after emailing Facebook in the United States with screenshots and other proof the account was hers. Before that, she had tried messaging Facebook and complaining to the eSafety Commissioner, without success.
“When I finally got the account back … it was unrecognisable,” she said. It now had over 50 personal or business accounts attached to it, including lingerie shops.
Sarah says her Facebook page was taken over by someone else. Source: Supplied
“It was crazy … I don’t know what he was trying to do with it, what the goal was? He had about eight different credit cards attached to it that I could see.”
She said her account had been transformed into a verified Meta Pay business account, something that may have only been possible because of her long history and the fact that it appeared to be a legitimate account.
According to experts, older profiles like that of Sarah — which was created 17 years ago — are particularly desirable to cybercriminals.
Old Facebook accounts are more likely to be trusted
IDCARE, which is a cyber support service, said it regularly helped clients whose Facebook profiles were taken over, saying unfortunately Sarah’s situation was far from unique.
“It is easier for a cybercriminal to take over someone else’s Facebook account than to create a fake one,” IDCARE spokeswoman Kathy Sundstrom told SBS News.
Some criminals will impersonate the real owner and message the person’s contacts to try and convince them to click on links, invest in fake opportunities or other scams.
They can also use the account to post in community groups.
“People are far more likely to trust a Facebook account that has history — as a legitimate person would have — than one that was created a few weeks ago,” Sundstrom said.
University of Adelaide cybersecurity expert Dr Sherif Haggag told SBS News that the date a profile was created is often one of the things people check on Facebook to ensure they are not dealing with a fake account, especially when buying and selling goods on Marketplace.
“That actually adds trust,” Haggag said. “It [looks like] a normal profile, it has normal friends, [you] can actually have mutual friends.
“That builds the trust and then they get scammed.”
‘The money just disappears’
Haggag said there were several ways cybercriminals could use established Facebook accounts to trick people, even if they changed the profile’s name and photo.
Firstly, they may interact with people to buy products like laptops or mobile phones but walk off with the products without paying.
Haggag explained one trick cybercriminals use to make it appear as if they have deposited money into a seller’s account.
The fake buyer may start by saying they want to deposit a small amount of money into the seller’s account, to check whether it’s a legitimate account.
That payment goes through, but when it comes time to pay the balance for the goods, they pay using a cheque deposited at an ATM.
The amount appears as “pending” in the account of the person receiving the money, but it’s a status they often don’t notice. They think the money has already been deposited and hand over the goods.
Someone was scammed after believing $4,500 was deposited into their account but the transaction was still “pending” and the funds were never transferred. Source: Supplied
The cheque eventually bounces because it’s linked to an account that has no money in it.
“The money just disappears as if it wasn’t there,” Haggag said. “[I know someone who] lost $4,500 in the blink of an eye.”
Cheap prices convince buyers to take risks
Another tactic that takes advantage of people’s trust in certain Facebook profiles involves the sale of goods at what appear to be extremely cheap prices.
If the account appears legitimate, people can be lured to act quickly and take risks to ensure they don’t miss out on a deal.
“Instead of the fridge [costing] $2,000, they will tell you it’s $500 … or $300. People will be fighting to buy it,” Haggag said.
“I’ve seen this many times … [they’ll say] ‘There are so many people contacting me, can you please send me the money? I’ll reserve it for you.’”
The scammer will give buyers an address to pick up the goods that evening. The address exists but the fake seller does not live there so the buyer is unable to pick up the goods despite already transferring the money.
‘Complicated’ scam uses stolen business accounts
Sarah also had two business accounts linked to her profile, and this may also have been attractive to scammers.
Haggag said business accounts linked to profiles could be used to trick people, especially if the businesses previously had good reviews so they appeared to be trustworthy.
In one example, Haggag said a business account began selling iPads at a very cheap price and even sent their customers delivery tracking numbers for their goods.
But instead of shipping iPads, the business sent empty envelopes to a different address in the same suburb. Buyers were fooled into thinking their items had been sent, and once the tracking number showed the item as delivered, it was very difficult for them to prove they hadn’t received it.
“You won’t be able to dispute it because they have a tracking number that says it’s been delivered to your suburb,” Haggag said.
“It’s very complicated and very hard to actually convince Australia Post or Facebook or eBay that you actually didn’t get the product.”
How to protect yourself
Both Haggag and IDCARE said activating multi-factor authentication on Facebook was the best way to protect an account.
“Prevention is always better than the cure when it comes to Meta,” IDCARE’s Sundstrom said, referring to the parent company of Facebook.
“It can be very difficult to regain access to an account after it has been compromised, although Meta has worked a lot in this space to make it easier and now provides guidelines on what to do if your Facebook account has been compromised.
“There is no one to call though and it remains a frustrating process for people going through it.”
SBS News contacted the Australian Cyber Security Centre, the Australian Competition and Consumer Commission and the eSafety Commissioner for advice about what to do in this situation, and all of these agencies responded that it was not their responsibility.
Facebook was also contacted for comment. Its online guidance is available at .
Sundstrom said it was also helpful for people to check and change their privacy settings to ensure they knew who their friends on Facebook were.
Take precautions when buying or selling online
When interacting with people online, Haggag recommends checking the URL of the Facebook account to see if the name listed there matches the one listed in the profile.
For those selling goods online, Haggag recommends meeting potential buyers during the day in a public location such as a supermarket, shopping centre or even a police station.
If you are buying or selling items online, it’s safer to meet the other party in a public place such as a supermarket, shopping centre or even a police station. Source: AAP / Morgan Sette
Ideally, you would also not meet them alone, and never at night, he said. Meeting at your home can also be risky.
Haggag said he knew of someone selling a mobile phone who had the device snatched from their hands on the doorstep of their home by a man who had come to buy it.
He said he didn’t want to tell people not to buy or sell goods online because some profiles were genuine.
“I would say there have to be lots of precautions,” he said. “I would say be careful.”
‘I didn’t get back a lot of friends’
Sarah said the hack on her account also caused her to lose access to her Instagram profile, and her Spotify account was accessed.
“I saw his face on Spotify and I had a heart attack, like, ‘Get out of my life,’” she said.
Sarah said she was able to shut down Spotify and regained access to Instagram once Meta gave her Facebook account back.
But she eventually decided to shut down her old Facebook account and started a new one, a process that has been a “bit of a nightmare”.
Because her new account was only created in 2023, old Facebook groups that she was previously part of didn’t want to accept her as a member.
She can’t start a business account, and buying and selling items on Marketplace has also been harder.
“People don’t trust you,” she said.
Some of her previous Facebook friends have not wanted to re-add her as a connection as they are suspicious she is a scammer.
“I didn’t get back a lot of friends because they were like, ‘We don’t think that’s you, we think you’re the scammer.’
“I’ve got my family, I’ve got some friends but yeah, people are a bit cautious.”