Consumer Alert: The anatomy of a Facebook hack, and the one thing to do today to protect your account

ROCHESTER, N.Y. (WHEC) — I have a question for you. Do you cherish pictures and memories that are posted on your Facebook page? If so, you need to know how to protect them.

There is one thing can do today that will help protect your Facebook account. The story of what happened to News10NBC viewer Alyssa Lindenmeier is proof that if you’re hacked, you may not be able to count on Facebook to help you. You have to help yourself.

When you Google "Facebook customer service," one of the top search results is the phone number, 650-308-7300, but you won’t get to talk to a real person. Instead, you get a recording that says, “Thank you for calling Facebook. Unfortunately, we don’t offer phone support at this time."

The recorded message directs you to Facebook’s online help center where a nameless robot promises to help secure your account. Just ask Alyssa Lindenmeier. She has faced nothing but frustration in her futile fight to get her Facebook page back.

The nightmare started when someone hacked her email.

"And knowing that my Facebook account is associated with my Gmail account, I went straight to my Facebook to change that password, and as I clicked the change password button, somebody else was already in and changed the password on me,” Lindenmeier said.

It was heartbreaking. After all, Lindenmeier’s life has been on her Facebook page.

"That’s memories all throughout my high school graduation, all throughout my entire college career, with family members who are no longer with us,” Lindenmeier said.

Fifteen years of priceless pictures are now in the hands of a thief, a thief who has been very busy.

When her friends realized that she had been hacked, they got screenshots of the hacked page. And those screenshots give us useful insight into how Facebook thieves operate. Step one: Steal an account. Step two: Con friends out of their hard-earned cash.

Posing as Lindenmeier, the hacker wrote, "Hey love, can you please Facebook pay me 100 dollars? Very urgent."

In the message, the hacker instructs Lindenmeier’s friend to use PayPal’s friends and family option. That’s because unlike transactions for goods and services, payments to friends and family are non-refundable.

In this scam, the hacker says she’s with FEMA helping people during the pandemic. The scammer claims if you donate $100 to FEMA’s humanitarian assistance program, the agency will give you $1,400 in return.

But Lindenmeier’s friends didn’t fall for any of it. When the hacker asked this friend for $200, she answered, "Sure, I’ll send it with my police officer husband, so he can see who is using our friend’s account."

This thief was undeterred. Finally, Lindenmeier sent the thief a message herself.

"So, I told them this is my account," Lindenmeier recalls telling the hacker. "I just want it back, like if you give it back, we’ll forget the whole thing happened."

But those contemptible crooks tried to pull another con.

"And they responded, ‘You can have full access to your account back as long as you send me a $100 first.’”

But Lindenmeier didn’t give up. Every day, the same thing.

"I changed the password, and when I went to go change the email, it kicked me out,” Lindenmeier recalled.

That happened because not only had the thieves changed the email and password associated with her account, they also used Facebook’s own security features to keep Lindenmeier out of her account. The thief set up two-factor authentication. So, when Lindenmeier tried to change her password, the security feature automatically sent a verification code to the thief.

She sent multiple emails to Facebook security but got no response. And every time she called, she got the same recording. Lindenmeier says Facebook, a titan now valued at $1 trillion, could at least provide a bit of help when a customer calls.

"There’s a lot of security hacks going on especially recently,” Lindenmeier said. "They need a security team to answer phone calls in a situation like mine."

I reached out to my contacts on Facebook several times, and they didn’t respond. If you do nothing else, do this one thing to protect your Facebook account, two-factor authentication. Anytime anyone tries to change your email or password, the system sends you a verification code, and you have to enter that code before your email or password can be changed. To set it up on your Facebook account, click here.

For more security, go one step further. Use a verification app. It’s far more secure than sending the code through text. That’s because hackers have been able to fool carriers into sending a phone number to a new device. And the hacker needs little information to do it. If they have your phone number and the last four digits of your Social Security number, they can essentially steal your text messages through a move called a SIM swap.

So, you should instead have the verification code sent to an authentication app. Here are three recommended by Cnet:

• Google Authenticator: iOS | Android

• Twilio Authy: iOS | Android

• Microsoft Authenticator: iOS | Android

As for Lindenmeier, she got her Facebook account back through sheer tenacity and a bit of luck. She was able to access her hacked account through her still open Messenger app. She then added her email to her hacked account. The next time she requested a link to change the password, the two-factor authentication feature sent a verification code to her email as well. She was then able to change everything in settings before the hacker did so.

While Facebook did not respond to my questions regarding this investigation, this is advice a spokesman sent me several months ago when I was investigating Facebook security features.

We offer security features to help people protect their accounts that are available 24/7 in our Help Center. Here are some recommended best practices and tips your viewers can follow to strengthen their account security and prevent being a victim of account compromise:

1. Enable two-factor authentication as an extra layer of security for your Facebook account. If you set up two-factor authentication, you’ll be asked to enter a special login code or confirm your login attempt each time someone tries accessing Facebook from a computer or mobile device we don’t recognize. To see how it works, watch our video here.
2. We also encourage you to sign up to receive alerts for unrecognized logins. These alerts will tell you which device tried logging in and where it’s located.
3. We ask that people report suspicious links or posts to us right away via our Help Center so we can review and take appropriate action:https://www.facebook.com/help/reportlinks.
4. We also recommend that people ensure their other high-value accounts are secure, such as their email accounts. Sometimes, hackers may use access to people’s emails to compromise their Facebook accounts.
5. If you think your account may have been hacked, please visit https://www.facebook.com/hacked and you’ll be guided through a step-by-step process to learn how to fix it.