New York Attorney General Letitia James is leading a bipartisan coalition of 41 state attorneys general urging Meta to address the alarming rise of investment scams on Facebook, including fraudulent ads featuring AI-manipulated videos of celebrities and business leaders that trick users into pump-and-dump schemes, and account takeovers, which have increased by 1,000 percent between 2019 and 2023.
Facebook account takeover attacks have become increasingly sophisticated, with scammers posing as Meta support staff and creating convincing phishing sites to steal credentials. To protect yourself against these threats, implement these essential prevention measures:
- Enable two-factor authentication with an authenticator app rather than SMS [1]
- Set up login attempt limits to prevent brute-force attacks [2][3]
- Create unique email addresses for Facebook notifications to isolate potential breaches [1]
- Be wary of attention-grabbing posts claiming to be from Meta/Facebook support, especially those tagging multiple accounts [4]
- Watch for poor grammar or odd word choices in supposed "official" communications [5]
- Monitor account notifications closely and respond immediately to unauthorized changes [3]
- Use account takeover prevention software that can detect suspicious login patterns [2][3]
Meta recently patched a critical vulnerability in Facebook's password reset process that could have allowed attackers to brute-force six-digit authorization codes and take over any account. This vulnerability, discovered by researcher Samip Aryal, has been fixed, but it highlights the ongoing need for vigilance against evolving takeover techniques [6].
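A server-side illustration of the login attempt limits listed above and of why a six-digit code needs one: this is an added example, not Meta's code or anything from the cited research. The class name, the ten-minute lifetime and the five-attempt cap are assumptions chosen for illustration.

```python
import hmac
import secrets
import time

CODE_TTL = 600      # assumed: seconds a reset code stays valid
MAX_ATTEMPTS = 5    # assumed: wrong guesses allowed per issued code


class ResetCodeStore:
    """In-memory store of six-digit reset codes with a per-code attempt cap."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._codes = {}  # account id -> [code, expires_at, failures]

    def issue(self, account):
        # CSPRNG-generated code; issuing a new one replaces any older code.
        code = f"{secrets.randbelow(10**6):06d}"
        self._codes[account] = [code, self._clock() + CODE_TTL, 0]
        return code

    def verify(self, account, guess):
        entry = self._codes.get(account)
        if entry is None:
            return False
        code, expires_at, _ = entry
        if self._clock() >= expires_at:
            del self._codes[account]      # expired codes are discarded
            return False
        # Constant-time comparison avoids leaking matching prefixes.
        if hmac.compare_digest(code.encode(), guess.encode()):
            del self._codes[account]      # single use
            return True
        # The failure counter is keyed to the account, not the client,
        # so spreading guesses over many sources does not reset it.
        entry[2] += 1
        if entry[2] >= MAX_ATTEMPTS:
            del self._codes[account]      # burn the code at the cap
        return False


def guess_success_probability(attempts, digits=6):
    """Chance that `attempts` distinct guesses hit one uniformly random code."""
    return min(attempts, 10**digits) / 10**digits
```

With the cap, five guesses succeed with probability 5 in 1,000,000; with no cap, the whole space of 1,000,000 codes can be tried.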
Deepfake investment scams have evolved into sophisticated operations that leverage AI technology to create convincing videos of celebrities and business leaders like Elon Musk to promote fraudulent investment platforms. In one notable case, an 82-year-old retiree lost $690,000 of his retirement savings after being convinced by a deepfake video of Musk promoting a high-return investment opportunity [1][2]. These scams typically begin with Facebook ads leading to fake news articles featuring celebrity endorsements, which then direct victims to fraudulent investment platforms where they're persuaded to enter personal information and ultimately transfer funds [3].
The tactics employed by these scammers include:
- Using traffic distribution systems (TDSes) to filter potential victims based on location and other criteria [3]
- Employing registered domain generation algorithms (RDGAs) to create convincing domain names [3]
- Conducting validation checks on user information to ensure they're targeting real people [3][2]
- Creating multiple versions of ads to evade detection, with only some containing malicious content [3]
- Setting up subscription traps that generate recurring revenue under the guise of discounts [3]
- Operating call centers that provide victims with instructions on transferring money to fake platforms [3]
A bipartisan coalition of 41 state attorneys general, led by New York's Letitia James and co-led by attorneys general from Florida, Illinois, and Tennessee, has united to pressure Meta into addressing the escalating crisis of account takeovers on Facebook and Instagram [1][2]. The coalition's letter calls for Meta to thoroughly review its data security practices after seeing dramatic increases in account hijacking, with some states reporting a 1,000 percent rise in complaints between 2019 and 2023 [2]. In January 2024 alone, 128 complaints were filed with the New York Attorney General's Office about this growing problem [2].
The attorneys general have outlined specific actions Meta should take, including increasing staff to respond to account takeover complaints, investing in better mitigation tactics, implementing multi-step authentication measures, and taking stronger enforcement actions against scammers [3][4]. As Attorney General Tong of Connecticut noted, "Meta's security measures are woefully inadequate, enabling a dramatic rise in these scams" [3], while Illinois Attorney General Raoul highlighted that account takeovers "can do real harm to the livelihoods of small business owners who use these platforms to promote their work and connect with customers" [5].