Facebook scammers take over deceased user accounts


Scammers are taking over the Facebook accounts of deceased users and using them to commit acts of malfeasance, such as hacking and cloning. This is causing a great deal of distress to family and friends. 

Accounts that are being exploited are ones without a legacy contact. Despite the fact that adding a legacy contact to a Facebook account is a simple process, research by Comparitech found that some two-thirds of users don’t have one, or don’t even know what a legacy contact is.

Brian Higgins, security specialist at Comparitech, says a Facebook legacy contact is similar in nature to an appointed executor. “When someone dies it’s customary to appoint an executor to administer the distribution of their estate and other personal wishes.”

He describes a legacy contact as something of a digital caretaker, with limited yet useful control over the deceased account. “Although it has no protection against fraudulent account use or cloning, it’s still a sensible idea, as it allows the contact a certain control over how these criminal activities may be dealt with.”

When it comes to ‘digital wills’, he says Comparitech’s advice has always been to keep access credentials and instructions for all social media and other online accounts on a USB or other air-gapped storage device and let your family know where to find it if you die.

Should a Facebook user pass away, their assigned legacy contact or contacts can write a pinned post that sits at the top of the profile in question. They can respond to friend requests, change the profile picture, manage tribute posts and remove tags in other users’ posts. They can also request that the account be deleted. They cannot log into the account itself, read the individual’s private messages, remove friends or send friend requests. To do this, the user would have had to leave a trusted contact their username and password.

Should no legacy contact be assigned, the account can be memorialised, but no-one will be able to manage it. Family members who are verified can ask for the account to be deleted, but this isn't a quick process. Moreover, if the user isn’t reported to Facebook as deceased, the account will remain active indefinitely.

Although users can request in Facebook’s settings that their accounts be deleted in the event of their death, Comparitech advises carefully considering the possible consequences. Once a profile has been deleted, it is far easier for cyber crooks to put up a fake account impersonating the original, with no competition from your genuine account. Having your account memorialised also helps to keep friends and family informed about funeral details and suchlike.

Accounts can be deleted by legacy contacts, so it's up to the user to inform their contact of their wishes, and to have them memorialise the account first and delete it at a later stage.

Setting up a legacy contact is straightforward. Under ‘General Account Settings’ is a section called ‘Memorialisation Settings’, which allows the user to choose a contact, as well as enable them to download a copy of what the user has shared on Facebook.
