AMESBURY — Kimberly Potts calls Facebook her "lifeline" to her son Justin, who is serving in Iraq with the 101st Engineer Battalion of the Army National Guard. It's helped her stay in contact with him, to see photos of his Thanksgiving dinner and Christmas.
But late last month it also served as a gateway to scammers, who attempted to steal access to credit cards and bank accounts from the Potts family and many of Justin's friends. Justin's Facebook page had been hacked by criminals.
In West Newbury, friends of Pentucket High School senior Matt McCarthy, who died suddenly during a hockey practice, did what thousands of people do — they set up a Facebook page to honor their friend's memory. Within days it had been savaged by posters from other parts of the country who posted swastikas, racial epithets and vicious comments. The page, which had been open to all, was quickly shut off from the public and the hurtful posts were stripped.
With more than 200 million users, Facebook has become a wildly popular forum for people to find old friends, learn about their personal information and keep in touch. But it's also been heavily mined by scammers and used for bullying and taunting.
Users like Kimberly Potts and investigators like Newburyport Police Inspector Brian Brunault say people should be cautious.
"Everything is dark on the Internet," Brunault said, noting he's investigating a case of a Newburyporter whose Facebook account was hacked and identity was stolen. Facebook is inundated with complaints and subpoenas from those who have had problems on the site, he said.
"It takes virtually weeks if not months to get returns on these things," Brunault said. "There is harassment on there, cyber bullying, people post as other people to start trouble and then the thread gets connected and more people jump on board."
Scams
The scam that hit the Potts family follows a pattern of what's been called the "Facebook London Scam."
Potts was checking her Yahoo e-mail account when she saw an e-mail from her son with the subject "hi mom." The e-mail said her son had left camp and was in the United Kingdom and needed money wired to him as soon as possible.
"The note said, 'Hi Mom, sorry to bother you but right now I'm in the UK on a business trip and I lost my passport and wallet,'" Potts said, noting the tone of the e-mail was clearly not that of her son. The note went on to say the U.S. Embassy was helping him get his passport back but he needed bank verification so he could access his account and he wanted to get on the next flight back home.
"He asked if we could please call these numbers and wire him some money," Potts said.
"Fortunately my husband knew right away this e-mail was a fraud," Potts said. "As much as I knew he couldn't just leave Iraq and that it didn't make sense, it was unsettling to me."
Potts logged onto Facebook where she saw she had letters from Justin's friends asking if they could send money to help. After alerting everyone via Facebook of the scam, Potts reached out to other military families she knew and Justin's commander.
Potts was assured Justin was still in Iraq and had not been put on leave or any injury list.
"While I was on Facebook, knowing now that Justin was OK, Justin's chat box opened up," Potts said. "He said hi, I'm in a world of (expletive)."
Guarded, Potts asked the person on the other end three questions only Justin would know, to which there was no response.
"My husband Jim told me to shut the computer down, because he felt that they were trying to hack into my Facebook," Potts said.
Still nervous, Potts contacted Justin's friends stateside who had contact with other soldiers in Justin's division via Skype (a software application that allows users to make phone calls over the Internet).
Soon after, Potts got confirmation all was fine when Justin called to let her know he was OK.
"He said he was fine, he's still in the desert," Potts said with a laugh. "He told me to go outside and take pictures of the snow to get my mind off this. I was just a wreck for a couple of days."
According to Justin Potts, hackers had gotten into his Facebook account and were able to read where he was and what he was doing. From there, they were able to get access to his friends and their e-mail addresses listed on Facebook.
"Why does this happen?" he asked. "It would only take one person to fall for it for them to get thousands of dollars."
Potts has continued to notify military families and military personnel of the scam, and while she won't give up Facebook, she will now be more cautious.
"I'll ask him questions each time I talk to him to verify it's him," Potts said. "Facebook is amazing, but anyone can open my Facebook and know I have three children, live in Massachusetts, have a high school education and like to do crafts. It's amazing but scary."
Remedies
Brunault said Facebook hacking is common, but he isn't sure if anyone can really prevent it from happening.
"You could periodically change passwords weekly or monthly," Brunault said. "Anything on the Internet is susceptible to be hacked. Where there is a will there is a way."
Brunault says "Facebook Freezer" is a way hackers can get access to any information posted on a person's profile.
"You type in what personal information you know about the person and it costs $2.50," Brunault said. "Then you can recall or rename the password and shazzam, you're in."
In an e-mail response to questions regarding local Facebook hacking, Simon Axten of Facebook said the company's top priority is security.
"We devote significant resources to helping our users protect their accounts and information," Axten said. "We think this focus on security is a major reason Facebook was recently named one of the top 10 most trusted companies in an independent survey conducted by TRUSTe and the Ponemon Institute."
Axten said Facebook is constantly trying to improve security and has recently created a board to monitor safety procedures.
"Our team analyzes trends in attacks and uses this information to surface compromised accounts before the bad guys get very far," Axten said. "The systems we've built look for anomalous behavior like lots of messages sent in a short period of time, or messages with links known to be bad. When we identify an account as compromised, we disable it and attempt to get it back to its rightful owner."
Axten said Facebook relies on users to help them monitor threats.
"Be very suspicious of anyone, even friends, who ask for money over the Internet. Verify their circumstances through some other means than the Web (for example, call them or mutual friends)," Axten said. "If you see something that looks amiss with your account or a friend's, please report it to us through the form in our Help Center."
Brunault says if your page has been hacked into, alert Facebook and local police.
"Be vigilant about monitoring," Brunault said. "Notify us, there are charges that can be filed — harassment, identity theft."
Protect Your Facebook Account
Specific things users can do to protect themselves, from the owners of Facebook:
Choose a strong password and use unique credentials for each of your Web accounts.
Use an up-to-date browser that features an anti-phishing blacklist.
Use and run anti-virus on your machine.
Reset your Facebook password if you suspect your account has been compromised.







