There have recently been a number of reports concerning Facebook cloning.

Facebook cloning is a scam in which the attacker copies the profile picture of a legitimate user, creates a new account using that person’s name and sends friend requests to people on the user’s friends list. The scam is often successful because many unsuspecting friends just accept the scammer’s requests, assuming that the actual user has created a new account for some reason or forgetting that they are already friends with that person.

The scam doesn’t require any advanced technical knowledge or skills because the user accounts aren’t actually hacked, just copied. Anyone on Facebook can see anyone else’s profile picture and copy the image. Furthermore, because of the nature and purpose of social networking, most people’s friends lists are public, which means that the attacker can see, and send a request to, any or all of the user’s friends.

The user’s actual account has not been compromised, and their messages and other data are as secure as they had been, depending on their privacy and security settings. The risks involved with Facebook cloning fall on the user’s friends. Once the scammer has connected with enough of the victim’s friends, there are a number of ploys that may be attempted. The scammer may, for example, request emergency funds, pretending to be stranded somewhere while travelling, or try to get advance funds from the targets for some bogus future payoff. In other cases, the scammer may use social engineering tactics to convince targets to provide sensitive information, which can then be used for identity theft.

Several posts that frequently make the rounds claim that all or almost all Facebook accounts are being cloned, which is not the case. Nevertheless, account cloning is an actual threat. As with the burden of risk, the onus is on the account owner’s friends to protect themselves from the exploit. The best way to avoid falling prey to Facebook cloning scams is to be careful about friend requests in general: don’t automatically accept requests without checking out the requester’s profile, and never accept unless the account seems valid. If you receive a request from someone who is already a friend, be doubly suspicious.