Set up 2FA or put your online accounts in danger

A few weeks ago, I had my Covid jab, and count myself extremely fortunate to have been able to be so protected.

However, unbeknownst to me, I was not protected from a phishing attack the very next day, and have been locked out of my own Facebook account (someone has taken it over) ever since.

If I had had 2-factor authentication (2FA) turned on for my Facebook account, I would have been protected, and none of the hassle and annoyance would have happened.

If nothing else, please turn on 2FA for all your social accounts. If there’s a lesson to be learned from all this, this is it.

So, what happened?

Well, as my lovely wife warned me, who’d had the AZ jab the week before, you can feel a little whoozy on day 2. I felt fine on the day of the jab itself. The professionalism of the people who administered it all was great to behold. I turned up at 8.30am for my 9.10am appointment, and it was all done and dusted, including a 15-minute wait post jab with a juice box, and I was back in the office by 9.30am.

However, day 2, come the afternoon, I was flagging a bit. I didn’t feel sick, just a bit tired, and certainly not ‘on my game’.

Unfortunately, it was at this precise moment the phishing attack came.

I don’t know if that was a pure coincidence, or if someone had seen I’d had the jab (I had posted that I’d had the jab on Facebook and Insta – as above) and decided to hit me the next day knowing I could be vulnerable.

It was around 3pm, and I was clearing out some emails. Sitting among them was an email that looked like it had come from Facebook warning me about some suspicious activity on the account. Someone had been trying to log in, unsuccessfully.

“We noticed you’re having trouble logging in”… the email ran, and then offered me a nice Facebook coloured button that invitingly read “Log in with One Click”.

My wife received an identical one as well a few days later…

The phishing attack email

The ‘Facebook’ phishing attack email

Now normally, I’d have noticed that the email was not from Facebook, despite all the colouring, logo and font. The email was was ‘security@facebookmail.com’ (not facebook.com) after all – a clue that this is a phishing exercise.

I’d have been suspicious and would never have clicked on a link I did not know about.

However, as I say, I was not on my game, and was clearing out emails hurridly, in a daze, and clicked on it. I then entered my login and password, changed my password, and then found I could not get in, with my old password or my new one.

It was too late. The attacker could see my real password – had already changed it to their own one, inserted their own hotmail email, and I was now completely locked out of my own Facebook account.

That shook me, and woke me up.

Locked out of my own account

The account was one I’d set up in 2007, and had 1,500+ friends on it. I spent 10 minutes seeing if I could get back in, reset the password, waiting for a passcode, but of course I had no access anymore, and kept going round in circles.

I realised that 1,500 contacts of mine could now be vulnerable. Also, two business accounts, with credit cards and spending power attached could be abused. I quickly had my 2 fellow admins take “the now fake me” off those accounts.

Reaching out to some friends and IT experts, we tried in vain to wrest back control, report the attacked account to Facebook, but of course there’s no one to ring up, no one to talk to.

Almost 4 weeks later, my previous account is still not in my control, and still live. I have had to start a fresh account, and am now using that.

Lessons Learned

  1. Facebook has no customer service – what company can take our money, but have no responsibility around customer service? No one to ring? No one to fix this? Upwards of 50 friends have reported what has happened to Facebook, but nothing is done. We just get automated messages saying ‘there is no suspicious activity with this account.’
  2. Turn on 2FA – if I’d had 2FA switched on, then anyone changing my password would have had to insert a code sent to my mobile phone number (the 2nd factor of the authentication). That would have stopped the attack in its tracks.
  3. Don’t click on links from within emails – if I’d not clicked on that phishing email and entered my password, none of this would have happened.

Please set up 2FA if you are reading this. If you’re not sure how to do this, please read this.

Cyber attacks like this are all-pervasive. I count myself as a reasonably IT-savvy guy, but I fell for it. Make sure you are fully protected, with two-factor authentication on all your online accounts. NOW!

About the author

Charlie has spent more than 20 years in Perth’s tech and startup sector, firstly as a founder himself, through to exit, and more recently as a writer, advisor and investor. Originally from the UK, Charlie worked in Singapore before arriving in Perth in 1997 to do an MBA at UWA. Graduating as top student in 1999 he set up online real estate business aussiehome.com, running it for 10 years before selling to REIWA, whereupon Charlie ran reiwa.com. In 2013, he moved to Business News to lead their digital transformation as CEO, and then worked for the federal government’s Accelerating Commercialisation program, funding pre-revenue startups and innovative businesses. He now works in an advisory capacity for multiple tech and other businesses, is managing editor of Startup News and co-host of the Startup West podcast. He also writes a column for Business News on startups. Charlie sits on the advisory boards of WA Leaders, TEDxPerth, WAITTA, the Perth Symphony Orchestra, and the full board of Rise Network.

Leave a Reply