A Go Public investigation revealed that Meta has allowed fraud to spread on Facebook, as scammers lock users out of their accounts and impersonate them.

According to CBC, Lesa Lowery is one of the many victims. For three days, she watched helplessly as a Facebook fraudster scammed her friends out of thousands of dollars for fake items. Her Facebook account was stolen in early March.

After changing her password in response to a Facebook-like email, Lowery's account was hacked. The fraudster locked her out, causing her friends to lose $2,500.

Many of Lowery's friends reported the crime to Facebook, but Meta did nothing. The scammer erased warnings and banned friends. Carol Stevens, Lowery's ex-neighbor, lost $250 in the fraud.

Is Meta's Effort Enough to Prevent Facebook Account Takeover?

Author of "The Canadian Cyberfraud Handbook," cybercrime specialist Claudiu Popa slammed Meta for generating billions without protecting users, considering Meta's sales rose 16% to $185 billion last year.

Meta emailed Go Public to say it had "over 15,000 reviewers across the globe" to resolve breaches but did not explain why the retirement home fraud continued.

Cybercrime specialist Popa claims fraudsters use AI to find victims and write convincing emails. Sapio Research revealed that 85% of cybersecurity professionals think AI-powered assaults have grown.

In March, 41 US state attorneys general said that Meta helped customers after the number of Facebook account takeovers rose. Meta stated that it tried to resolve the issue but did not provide any details.

Credential stuffing attacks and data can cause account takeovers and dump sales. According to The Register, Meta has experienced a Facebook takeover through US phone number recycling. New telecom clients receive abandoned numbers without disconnecting them from the prior owner's accounts. An outdated number may receive a password reset request or two-factor authentication token, potentially leading to unauthorized access.

Meta is aware of phone number recycling-related account takeovers; however, the social media giant stated that it "does not have control over telecom providers" reissuing phone numbers and that users with phone numbers connected to their Facebook accounts no longer registered with them.

Read Also: Apple Unveils 'Safety Button' For iPhone Owners to Protect Themselves From Stalkers

Cybersecurity Experts: Government Must Take Action

In February, Cybersecurity researcher Samip Aryal said Meta fixed a severe flaw that could have taken control of any Facebook account, per SecurityWeek. Aryal, Facebook's 2024 bug bounty program leader, exposed the problem.

Facebook's password reset procedure was vulnerable. It sent a six-digit unique authorization number to a new device. This code verified the user and reset the password.

Aryal found that the unique code was operational for two hours without brute-force protection. With the target's username, an attacker may use Burp Suite to brute-force the six-digit code to reset the password or login.

The infected user receives a Facebook notice with the six-digit number directly or by tapping the notification. It was a one-click exploit, not a zero-click one.

Aryal communicated his findings to Meta on January 30, and Meta fixed the issue on February 2.

Meanwhile, cybersecurity experts recommend that government action be taken to address Facebook account takeover incidents. According to Popa, companies like Meta require legislation to protect users and respond quickly to fraud.

In the meantime, Popa advised Facebook users to strengthen online security by creating shortcuts to preferred sites, avoiding reusing passwords, and using two-factor authentication.

Related Article: Philippine Government Slams Facebook Inaction on Online Baby Selling