The scam got one of my daughter's college friends to send $300 to a total stranger in London. How?
First the scammers somehow hijacked her Facebook account, then sent an urgent message to all her Facebook Friends. The message said she'd been robbed in London, had no money or passport and to please wire money. My daughter's sweetest of friends sent the money without question, which is what the scammers want. They want to elicit such a strong emotion that the recipient acts first, asks questions later.
Questions are what I started asking after my daughter contacted me about the scam. An FBI spokesperson said they have recently received multiple complaints from people reporting that their Facebook accounts and other email accounts were hijacked and emails with the same or a similar message were sent to every address in their contact lists.
Although it sounds suspiciously like a Facebook problem, a spokesperson from Facebook told me that this was a manual attack: these accounts are getting picked off one at a time. He also said that the accounts were likely taken over by someone who got the passwords somewhere else, most often from another online account that used the same email address and password. This makes sense to some degree, as my daughter said she did have a problem with her PayPal account about a month earlier, in which PayPal alerted her that her account had been "accessed by a third party." And she used the same password and email address for both accounts.
But why, all of a sudden, this rash of these scams over Facebook specifically? I still hazard it might be a Facebook problem.
But it's also just as likely that the accounts were accessed through another hacked account, for example by going from a hacked PayPal account to a Facebook account. To me, that means there is a secondary market for stolen credentials. In the primary market, financial information is phished and drawn directly from compromised accounts. When the activity is caught and the account closed, the thieves peddle the credentials off to somewhere labor is cheap. In this secondary market, buyers scour around for Facebook and email accounts used by the same people, test the credentials, and voilà! They're in.
It's making my head spin.
Bottom line is DON'T FALL for these scams. Second, if you use the same password for multiple accounts, you might want to rethink that. Or at the least, change passwords to all accounts using that password should one go awry.
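The last piece of advice is easy to state and hard to do by hand once you have dozens of logins. The following script is an added example, not code from the original post or from Facebook or PayPal: given a list of saved logins (the sample vault below is constructed, with hypothetical site names), it finds every group of accounts that share the same email-and-password pair, and, for a named site that has just been compromised, lists the other accounts that now need a new password because an attacker holding that one credential can simply try it elsewhere.

```python
from collections import defaultdict

# Constructed sample of one person's saved logins (hypothetical data, not from the post).
SAMPLE_VAULT = [
    {"site": "paypal.example",   "email": "Alice@example.com", "password": "Sunshine2009"},
    {"site": "facebook.example", "email": "alice@example.com", "password": "Sunshine2009"},
    {"site": "webmail.example",  "email": "alice@example.com", "password": "Sunshine2009"},
    {"site": "bank.example",     "email": "alice@example.com", "password": "k7!Qz#p0Lm"},
    {"site": "forum.example",    "email": "alice.other@example.com", "password": "Sunshine2009"},
]


def _login(entry):
    """The pair an attacker would replay: email (case-insensitive) plus password."""
    return (entry["email"].strip().lower(), entry["password"])


def reuse_groups(vault):
    """Return {(email, password): {sites}} for every login used on more than one site."""
    groups = defaultdict(set)
    for entry in vault:
        groups[_login(entry)].add(entry["site"])
    return {login: sites for login, sites in groups.items() if len(sites) > 1}


def rotate_after_breach(vault, compromised_site):
    """Sites whose password must change once `compromised_site` is known to be breached.

    Exact email+password matches are the direct risk the post describes; sites that
    share only the password are reported separately, since a guessable username
    (a different email for the same person) still makes them worth rotating.
    """
    breached = [e for e in vault if e["site"] == compromised_site]
    breached_logins = {_login(e) for e in breached}
    breached_passwords = {e["password"] for e in breached}
    same_login, same_password_only = set(), set()
    for e in vault:
        if e["site"] == compromised_site:
            continue
        if _login(e) in breached_logins:
            same_login.add(e["site"])
        elif e["password"] in breached_passwords:
            same_password_only.add(e["site"])
    return {"same_login": same_login, "same_password_only": same_password_only}


if __name__ == "__main__":
    for (email, _), sites in reuse_groups(SAMPLE_VAULT).items():
        print(f"{email} reuses one password on: {', '.join(sorted(sites))}")
    print(rotate_after_breach(SAMPLE_VAULT, "paypal.example"))
```

Run as-is it reports that alice@example.com uses one password on three sites, and that a PayPal compromise means Facebook and webmail must be changed immediately, with the forum account flagged as sharing the password under a different address. The same logic applies to any password-manager export with site, username and password columns.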