Scammers strike local business Facebook accounts
Published 12:00 pm Wednesday, June 7, 2023
Having your Facebook account hacked can be annoying, but Doreneia Karolski has lost more than time to a social media scam.
Karolski and her husband, Bryan, own Baker’s Best Painting Plus LLC, a business registered with the Oregon Corporations Division.
The couple use the business’ Facebook page as a reference and occasional portfolio for their work.
But recently Doreneia has been fighting to recover access to the page, saying that hackers have taken advantage of clients and friends, and gotten away with significant damages.
“We had people send over $1,000 to the scammer, believing it was us,” she said.
The hacking has spread beyond the Karolskis’ page as well.
“My friend had her account stolen, and someone showed up at her house trying to get their money back for the couch they paid for,” Doreneia said.
Baker City Police recently responded to a similar incident near the golf course, with an upset patron showing up at a residence regarding a non-existent motorcycle.
Such issues can be a death blow for a small business’ reputation.
“We have major business owners as friends on our pages, and these scammers are asking for hundreds and thousands of dollars,” Doreneia said. “Some people aren’t responsible and don’t take the appropriate steps to make sure they are not being scammed before sending money. And that can result in very angry people showing up at your home or place of business.”
Baker City Police Chief Ty Duby said that although such instances can be difficult to combat, he recommends users take advantage of the two-factor authentication feature available for most social media accounts.
The Karolskis used that feature, but it was set up on Bryan’s work phone.
While at work, Bryan received an authentication request from Facebook’s “trusted contact” backup system, but didn’t read the message verbatim to Doreneia, who proceeded to forward him their confirmation PIN.
The moment Bryan authenticated that PIN, the hack was complete, and the “account change” emails poured in.
“We’re seeing (hackers) not only take over the accounts, we’re seeing them taking over and listing property and selling something on the marketplace,” Duby said.
A Facebook profile can also interlink with a wide variety of Meta services.
Once the hackers have locked you out of your account, they quickly cut off outside access to the page and set up any security measures that were missing, so that every recovery option falls back to themselves.
Getting any sort of restitution is difficult.
“Facebook does not consider the theft of Facebook accounts and scamming of money as a Facebook community violation, and they will not help you recover your account if all other options fail,” Doreneia said, despite their having physical records proving their ownership of their company.
“We have notified the Sheriff’s department and the FBI, and have sent emails daily to Facebook asking for help,” Bryan said. “Facebook has not replied or responded. It’s very scary because our data and information can now be downloaded and sold on the dark web.”
Doreneia said the couple has looked into securing a so-called “white-hat” hacker to reestablish her accounts, although she’s leery of that prospect.
Troubles on the horizon
Typically scammers launder their ill-gotten money via iTunes, prepaid debit cards or through cash transfer apps, and the moment it crosses state and national boundaries, local police power effectively ends. By then you may have to pass it to the FBI, FCC, FTC or perhaps even Interpol to follow through with grievances.
Such scams ride on the coattails of other new digital frustrations. While the Karolskis’ scammer never escalated beyond messaging, a new concern includes AI voice emulation, something common on video-sharing platforms such as TikTok and Snapchat.
As described in a March 2023 article in the Washington Post, as one voice speaks into the microphone, a wholly different character comes out the speaker, a vocal simulacrum that can literally be cobbled together from a recorded sample of anyone.
According to news accounts and a consumer alert from the Federal Trade Commission, this technology has recently been used to extort money from elderly grandparents who had no reason to doubt they were speaking to their granddaughter. The fact that this could have even been a video spoof only adds to the worries, though the glitches inherent to live facial filters tend to render that option less effective.
Combined with the means to fake your outgoing caller ID and phone number, very little stands to prevent someone from effectively pretending to be a friend, parent, doctor, lawyer or sheriff.
Caller ID’s trouble itself can be traced back to telecom’s industry-wide “Signaling System 7 (SS7) protocols,” the electronic signatures that provide caller information. And despite a constant bombardment of spam complaints to the FCC, telecom providers receive little public pressure to retire these flawed designs.
As the AI era ramps up this could become worse, but at some level it could also improve, for example in the form of AI secretarial services. The machine efficiency of spammers could be met, one for one, with the efficiency of machines vetting out constant, random phone calls.
Securing yourself
Experts say good security starts with good intuition, and after that a good password, with letters, numbers and symbols.
The power of a password is not only a matter of the variety of its characters, but its sheer length. If a password is 1-5 symbols long, a “brute-force” hack can smash through it almost instantly, methodically testing every combination. But a 10-character password could take as long as five years to crack with the same method.
If you’re subscribing to something online, a neat trick is to use the optional “Middle Name” field to add the business’s name verbatim, so if you start receiving spam addressed to John “HouseCorp” Doe, you know right away which company’s mailing list was sold (or stolen) and can hold them accountable.
Passwords requiring symbols sometimes neglect to forbid the standard comma symbol. This can come in handy, as many hackers with physical access to a server will extract something called a “CSV” sheet of logins, or “Comma Separated Values.” With a strategic comma symbol in place, it can ‘trip’ the extraction in such a way as to ruin all of the data that follows it.