After a hacker took over her social media, a North Texan said she watched, helplessly, as a stranger used her good name to take money from people. She said she couldn’t get help from the social media platform.
Read on for more of her story. You’ll also hear from experts about key steps you can take to protect your social media identity.
“MY WHOLE WORLD HAS BEEN JUST UPSIDE DOWN”
When we met up with Judy Miller of Fort Worth last week, she was at the end of her rope.
“My phone's blown up,” said Miller. “My whole world has been just upside down.”
She said she’s received constant calls and messages after someone hacked into her Facebook page and posted that Miller is moving and selling her things.
“Washers, dryers, big-ticket items,” said Miller of the post. “Their story to them is these items are going fast.”
Lesley Elam of Arlington said she responded to the post, “A dear friend of mine knew that I was looking for a refrigerator. She happened to get a Facebook post from a friend of hers, Judy Miller, and she sent it to me.”
Elam shared screenshots of Facebook messages. In them, the person operating Miller’s Facebook page insists on a deposit until Elam can pick up furniture and appliances the next day. Elam said her family sent a total of $1,000 through Venmo.
“Because this dear friend of mine knew her and I was like, yeah, I totally trust it,” Elam told NBC 5 Responds.
Elam said she went to the address the supposed seller provided and found a vacant house. She got Miller’s phone number from their mutual friend and called.
“She said, ‘Sweetheart, my account has been hacked and I have been trying to get this taken care of,’” Elam said.
“THE PERFECT STORM”
Miller said she’s heard from dozens of people since losing control of her Facebook account around Halloween.
“I would say probably 40 to 50 that I know of that contacted me after the fact. Some of them were $300, $1,000,” Miller said.
Reporter Diana Zoga asked Miller, “You said 40 to 50 people you've heard from. Is it 40 to 50 people who almost gave money?”
Miller responded, “Oh, there are many more that almost gave money.”
Zoga asked, “Forty to 50, that you know of, that contacted you and said, ‘I sent money to Judy Miller?’”
“Yes,” Miller recalled, “Because… it was you.”
In real life, Miller said her son is moving. Some friends figured the items posted for sale belonged to him. It helped legitimize the hacker’s post.
“It’s just the perfect storm,” Miller said.
SOCIAL MEDIA USER: NO HELP FROM THE PLATFORM
Miller filed a report with Fort Worth Police. Early on, she said she also tried to change her password to regain control of her Facebook account. Miller said she asked friends to report the page while she tried to get help from Facebook by following its online help center instructions.
“You can go through their FAQs, you can go through a rabbit trail, but no live person. It took me days to even get an email response,” Miller told NBC 5 Responds.
Miller said she requested Facebook permanently delete the account. She shared a message from Facebook saying the page is scheduled for deletion in early December.
“Which was, you know, gut-wrenching. Thinking that this would still be up for a month,” Miller said.
NBC 5 Responds reached out to Facebook and its parent company Meta about Miller’s page. We have not heard back.
CONFIRM YOU'RE PAYING YOUR FRIEND
We connected with Venmo. It shared that it has a zero-tolerance policy for attempted fraud and teams work tirelessly to protect customers. It shared links to information about avoiding common scams where it explains a scammer could change their username and profile photo to impersonate someone you know. The tips also say users should always confirm the payment request is truly coming from a friend.
Venmo said it offers purchase protection for payments marked for “goods or services.” The seller typically pays a fee for this.
Elam said the hacker told her to mark her payments “as friends.” After NBC 5 Responds contacted Venmo, Elam shared an email from the payment platform that said it was refunding $1,000 as a courtesy.
“A tip to avoid being victimized is to pick up the phone and make a phone call to whoever you're conducting business with and hear their voice,” said Nathan Martin, chief prosecutor in the Financial Fraud Division at the Tarrant County District Attorney’s Office.
Martin said he can’t speak to specific cases or potential cases. Generally, he told NBC 5 Responds, if a consumer sends money to an unverified person, they often can’t get it back. Even if law enforcement could trace a payment, Martin said, they may find a middleman who is sometimes the victim of another scam.
“Hey, part-time employment, you can work from home. Sometimes those jobs are simply allowing the scammers to utilize a bank account in your name to funnel the stolen money to,” Martin explained.
Martin said if you’re hacked and see an ongoing scam, you can let police know, but the social media platform would have to take action to disable the account. It can take time.
HOW TO BETTER SECURE YOUR SOCIAL MEDIA ACCOUNTS
“Unfortunately, it's a very lucrative type of scam and hack because it can be ongoing,” said Identity Theft Resource Center President and CEO Eva Velasquez.
Velasquez went on to explain the scenarios hackers may use, “Whether it's puppies for sale or furniture for sale or I'm in a jam, can you loan me some money, or I lost my phone, if I send you this code, will you help me get back into my account? All of those types of things? They work.”
Velasquez preaches prevention: make it harder for a hacker to take over your social media. Users can enable two-factor authentication (2FA), also known as two-step verification or multi-factor authentication (MFA), for their accounts.
Facebook’s help center recommends this to increase account security.
This would require another verification method, usually a randomly generated code sent to your phone or through an app, if someone tries to log into your account from an unrecognized browser or device.
“That MFA code: it's coming to your email or to your phone. Even if your other credentials are compromised, like your username and password, they still can't get access unless they get that code,” said Velasquez.
Only use the code to verify yourself. A hacker may try to trick you into handing over the code. Never share it. Set login alerts and use strong passwords. The ITRC recommends at least 12 characters with symbols, upper and lower-case letters.
Don’t use the same password for different accounts. If one gets compromised, that means the others are in danger too.
Apply the tips to the email account linked to your social media.
Velasquez said users shouldn’t assume a hacker wouldn’t want to get into their account. Even if you aren’t active on social media, those accounts can be valuable to an online thief.
“A lot of people think, I don't want to have to learn all of this stuff, but this is the world we live in,” said Velasquez.
Miller told us she wasn’t very active on Facebook before the hack and didn’t have two-factor authentication enabled. She said it’s important to her to warn others: don’t assume the person you’re messaging on social media is your friend.
“It's frustrating, to say the least. It’s humiliating,” Miller said. “These people acted on a person that they trusted, obviously, and that's heartbreaking.”
The Federal Trade Commission has information about how to recover and secure hacked email and social media accounts here.
You can find more tips from the ITRC about social media account takeovers here.
You can find Facebook two-factor authentication information here.
This link takes you to instructions for Instagram.
Two-step verification information on LinkedIn can be found here.
NBC 5 Responds is committed to researching your concerns and recovering your money. Our goal is to get you answers and, if possible, solutions and a resolution. Call us at 844-5RESPND (844-573-7763) or fill out our customer complaint form.