Fraudsters can not only glean reams of valuable personal data from what users post on their Facebook pages; if they can actually hack a Facebook account where users have stored their payment details, they can steal substantial sums.
In what could be viewed as a weakness in Facebook’s systems, once you use the site to make a purchase you’re unlikely to be asked for subsequent authorisation – or be notified by your bank or Facebook.
Jasbir Mann discovered that more than 100 fraudulent payments, adding up to almost £12,000, had been made to an online gambling game using his Facebook account.
Mr Mann, who runs his own yoga studio in Warwickshire, said he kept his debit card details stored on Facebook as he occasionally paid to advertise his business on the social media site.
I'm a yoga instructor, not a millionaire. This is a lot of money we're talking about
The adverts usually cost about £30. But between Sept 26 and 28 he was horrified to view 110 transactions, ranging between £21 and £215, made to an online poker game site he had never used.
“Aside from the occasional lottery ticket I don’t gamble and do not know how to play poker,” he said.
He immediately contacted his bank, Barclays, which cancelled his card and told him to remove his details from Facebook. Facebook began refunding some of the transactions, paying £5,747 of the stolen £11,878 back in 30 tranches on Sept 28.
But then the refunds mysteriously stopped.
Mr Mann, 45, checked his Facebook account and saw – in the “Payments history” section within “Settings” – 110 transactions that matched the fraudulent payments.
He raised a dispute with the social media giant. Moments later the entire history disappeared, he claimed.
Mr Mann said he received a couple of messages from Facebook asking for him to submit further details using the generic link it included. But he said it didn’t work.
Mr Mann turned his attention to Barclays and tried to spur it into action.
Here, also, the process was “slow and disjointed”, he said.
Mr Mann said: “I can’t believe Barclays and Facebook have taken so long to deal with this. I’m a yoga instructor, not a millionaire.”
Mr Mann also questioned why the payments weren’t flagged up by Facebook or Barclays as suspicious.
Almost two months after the fraud occurred, Facebook finally refunded the remaining £6,132 to Barclays without explanation, following pressure from Telegraph Money.
Chris Underhill, chief technical officer at Equiniti Cyber Security, warned that fraudster attacks via Facebook are common because the information available is so valuable.
He said: “Your account can be linked to paid-for services such as apps, games and online shopping. And once you’ve authenticated the payments – depending on how they’re set up – you’re not asked to reauthenticate them.
"Facebook holds more on you than you think,” he added.
“If someone gets access, they can download your entire history and use it to impersonate you.”
He suggested keeping an eye on your access history to see if your account has been logged into from devices that aren’t yours.
You can also set up “two factor” authentication, which will send you a code to confirm login attempts.
Facebook has not answered Telegraph Money’s questions regarding how Mr Mann’s account was accessed, how the fraudsters managed to steal £12,000 and why initially it refunded only some of the cash.
The social media site apologised for delays in keeping Mr Mann informed, and a spokesman said: “We can confirm that unfortunately this account was compromised. A full refund has now been made.”
Facebook said it took a “number of precautions” to safeguard users and prevent unauthorised access.
Payments taken without question
Barclays said the fraudulent transactions were able to go through undetected because Mr Mann had previously given consent to Facebook using his 16-digit card number under the “recurring payments” process.
By providing his card details, he effectively “authorised” future payments, the bank said. These can be for regular or irregular amounts and frequencies.
A Barclays spokesperson said: “This is a rare occurrence of a merchant submitting numerous payments made through a customer’s existing authorisation.
“In such situations we will seek the return of the funds through the chargeback process – and dispute forms were issued to the customer to progress a claim.”
How did the fraud occur?
Facebook refused to explain how the fraudsters managed to access Mr Mann’s account, but Mr Underhill provided a theoretical explanation.
Conmen obtain passwords through data breaches or by sending out “malware” via email, he said. This, when accidentally installed by an unknowing user, accesses passwords saved on users’ computers or smartphones.
You can check if your password has been breached by entering your email address on haveibeenpwned.com.
Once fraudsters have your password and username for one service, they can check to see if they’ve been reused on other sites using software known as “credential stuffers”.
Telegraph Money reader Kristy Jasper, 28, had almost £4,000 stolen from her business account by fraudsters.
When she reported it to the police she was told the likely cause was her use of identical passwords for numerous online accounts. These included PayPal, Amazon, LinkedIn, Facebook and a website used to buy office supplies.
Criminals can also get hold of personal details through “phishing”.
This ruse involves a criminal posing as a trusted organisation, or individual, over email or another form of correspondence in order to trick victims into handing over their personal information.
Fraudsters have been known to send out emails purporting to be from HMRC, the police and banks.