Column: How to stop Facebook identity thieves in their tracks
Cynthia Lim is very excited about grants available from Lions Club International during these difficult times, so she’s telling all her friends via Facebook Messenger to check out this cool source of funds.
Except she’s not.
And there are no such grants.
This racket highlights how social-media sites such as Facebook make it too damn easy for scammers to pull a fast one on users, coasting on the reputations of people’s trusted friends.
“I reported that it looked like my Facebook account had been hacked,” Lim, 64, told me. “They really didn’t seem to care, telling me only to change my password.”
The West Los Angeles resident called her exchange with the social-media giant “very unsatisfactory” and said that “you’d think Facebook would care more about this stuff.”
I don’t know about that. Facebook didn’t tell anyone when the personal information of more than 530 million users was hacked in 2019, and it didn’t bother to issue an alert when the hacked data recently appeared online.
Nor does the company seem to make it particularly difficult for identity thieves to get Facebook users to lower their defenses using direct messages on the platform.
Lim is a former L.A. Unified School District administrator. To her circle of Facebook friends and acquaintances, she’s a respected source of information about grants and alternative funding sources.
So those Messenger posts about the Lions Club appeared very appealing, and convincing, to a number of people. Lim said she’s aware of at least a half-dozen Facebook friends who took an interest in the pitch, based on her seeming recommendation.
“I felt terrible,” she said.
The Lions Club scam is sufficiently widespread that the philanthropic organization, with 1.4 million members worldwide, posted a notice on its own Facebook page warning people not to be duped.
More than 800 comments were posted below the warning. Most expressed shock and anger that the identity of someone they trust was used in this fashion.
Denice Kelley grew up with Lim and was one of those who received the posts via Facebook Messenger, ostensibly from her childhood pal, encouraging her to seek a Lions Club grant.
“The message came in around 7:30 in the morning,” Kelley, 64, told me. “I thought, ‘That girl is such a go-getter!’”
The Salinas resident said she was excited at first about the possibility of some much-needed extra funds, especially with the endorsement of a trusted friend.
For the sake of brevity, I’ll refer to the person who messaged Kelley as Fake Lim.
Fake Lim wrote that the Lions Club grants are perfect for “paying bills, buying a home, starting your own business, going to school or helping raise children.”
Fake Lim also said she had herself received an $80,000 grant through the program, delivered right to her door. (The real Lim, needless to say, received no such funding.)
Kelley replied that she was definitely interested. Fake Lim gave her a phone number to call. Kelley tried the number, got no answer and messaged Fake Lim that no one was answering.
Fake Lim responded that Kelley would need to text first to let the Lions Club know she was interested. Then someone would pick up the phone.
“That sounded really suspicious,” Kelley told me.
She asked Fake Lim via Facebook for more information. Fake Lim started being evasive.
Now concerned this wasn’t on the up-and-up, Kelley asked Fake Lim for the name of Lim’s oldest sister. She also asked Fake Lim to name the neighbors who lived next door to Lim’s childhood home.
“These were things I knew,” Kelley said. “Cynthia would obviously know them as well.”
Fake Lim, of course, did not. Fake Lim said Kelley was asking “stupid questions.” Kelley replied that Fake Lim obviously wasn’t her friend Cynthia.
“At that point,” Kelley said, “the conversation totally ceased.”
David Kingsbury, general counsel for Lions Club International, told me the scam typically involves requests for personal information, including bank account numbers.
It also can involve demands for upfront payments of taxes or delivery fees to facilitate the awarding of the imaginary grant.
“It’s infuriating,” Kingsbury said. “We don’t even award individual grants. But these guys might ask for $900 in advance before you can receive $20,000.”
As for Facebook, I know it’s unreasonable to expect the company to monitor its nearly 3 billion accounts. But the Spider-Man rule still applies: With great power comes great responsibility.
After Lim contacted Facebook to report issues with her account, she received what looks like a robo-response from the “privacy operations” team.
“Thanks for contacting us,” it says. “It looks like you’re trying to report that your account was hacked, phished or otherwise compromised.” The email instructed Lim to click on a link that would help her change her password.
That’s at best a halfhearted response on Facebook’s part to suspected fraud and identity theft.
It wasn’t until after I contacted the Menlo Park, Calif., tech heavyweight that Lim received a more engaged email saying that “it looks like someone may have accessed your Facebook account.”
A Facebook spokesman, who requested anonymity even though he’s, you know, a spokesman, declined to comment on Lim’s situation but said the company has “invested heavily” in keeping scammers at bay.
“Last year, we introduced safety notices in Messenger that are helping educate 70 million people per month on ways to spot and avoid potentially harmful interactions like scams,” he said. “There’s also a number of tools for people to control who they chat with.”
It seems to me that sites such as Facebook can be abused or manipulated so easily by fraudsters, educating people isn’t enough. Measures need to be introduced to more aggressively safeguard account security.
One suggestion: More active use of passwords and security questions before people can directly message others.
I know that would be a hassle for legitimate messages. But this problem is so out of hand, and so potentially harmful, a little hassle is a small price to pay for peace of mind.
Also, social-media users should make a habit of doing exactly what Kelley did — ask questions that only your true friend would know. A legit message sender won’t mind. A fraudster will be caught red-handed.
Kelley said she reported her run-in with Lim’s identity thief to Facebook.
“They didn’t respond,” she said. “I didn’t get an email saying they would do something. They just didn’t seem interested.”
Even if that isn’t really the case, Facebook clearly needs to do a significantly better job letting users know it takes this sort of thing seriously.