This year, the NHS Counter Fraud Authority is supporting Action Fraud and Meta in encouraging the public to protect their social media and email accounts as data shows there were more than 35,000 reports of social media and email account hacking made last year.

Action Fraud, the national fraud and cybercrime reporting service, has launched a campaign, supported by Meta, to encourage people to take an extra step of online protection by enabling 2-Step Verification for each online account they have. The warning comes as reporting shows nearly £1 million was lost to hackers last year.
The most common motives for social media hacking were either investment fraud, ticket fraud or theft of the targeted account, reporting insights revealed.

Adam Mercer, Deputy Director of Action Fraud, said: “As social media and email account hacking remains the most reported cybercrime this year, this Action Fraud campaign marks a critical issue for everyone who has online accounts. That’s why we’re raising awareness of the ways people can protect themselves online.
“Follow Stop! Think Fraud advice and protect yourself online: enable 2-Step Verification on each online account you have – this will help prove your identity and stop fraudsters trying to steal or access your valuable information. Secure your social media and email accounts by ensuring each password is strong and uses three random words. Remember to never share your passwords with anyone else.”

David Agranovich, Security Policy Director, Meta, said: “Scammers are relentless and continuously evolving their tactics to try and evade detection, which is why we’re constantly working on new ways to keep people safe while keeping bad actors out. Two-Factor Authentication (2FA) is one crucial example of how people can add an extra layer of security to their Meta accounts, to help reduce the risk of scammers accessing your accounts. We’ve also started rolling out facial recognition technology to help people get back into compromised or hacked accounts and are always working on new ways to stay ahead of scammers.”

In the reports made to Action Fraud, there were various different methods of hacking highlighted, these include:

On-platform chain hacking

This is when a fraudster gains control of an account and begins to impersonate the legitimate owner. The goal is to convince people to reveal authentication codes, including one-time passcodes, that are sent to them via text. Many victims of this type of hacking believe it’s a friend messaging them, however the shared code was associated with their own account and the impersonator can now use it to access their account. Usually when an account is taken over, fraudsters monetise control of the account via the promotion of various fraudulent schemes, like fake tickets or crypto investment schemes, while impersonating the original account owner. 

Leaked passwords and phishing

The other common method of hacking is when account details are gained via phishing scams, or the use of leaked information used from data breaches, such as leaked passwords. This becomes prevalent as people often use the same password for multiple accounts, so a leaked password from one website can leave many of their online accounts vulnerable to hacking. 

Scammers Exploit Nurse’s Identity to Sell Fake Oasis Tickets

A nurse from Didsbury, Adriana Murty, has fallen victim to a scam where fraudsters hacked her social media accounts to sell fake Oasis concert tickets. Adriana’s Facebook and Instagram were taken over by the criminals, who offered non-existent tickets for £150 each. At least one friend was duped into paying £600 for four tickets.

Adriana, who reported the incident to Action Fraud, has warned others to be vigilant. Despite her Facebook being shut down, her Instagram remains under the scammers’ control. She urges fans not to hand over money for tickets that don’t exist. Action Fraud advises the public to buy tickets only from official sources, avoid paying by bank transfer, and use credit cards when possible. Always enable two-step verification and report suspicious posts online.

What can you do to avoid being a victim?

2-step verification (2SV) will keep criminals out of your account – even if they know your password. Turning on 2SV gives your most important accounts an extra level of protection, especially your email and social media accounts. It can be turned on in a matter of minutes – time well spent to keep the fraudsters out

Email and social media passwords should be strong and different to all of your other passwords. A good way to make sure your passwords are ‘long enough and strong enough’ is to combine three random words to create a unique password which is easy to remember

Report Fraud 

Report suspicious emails by forwarding it to: report@phishing.gov.uk
Find out how to protect yourself from fraud: https://stopthinkfraud.campaign.gov.uk

If you’ve lost money or provided your financial information to someone, notify your bank immediately and report it to Action Fraud at actionfraud.police.uk or by calling 0300 123 2040. In Scotland, call Police Scotland on 101.