Intro
Social media is wonderful for staying in touch with family, but it's also where scammers spend a lot of their time. They're not just on email and the phone anymore — they're on Facebook and Instagram, and they're surprisingly good at blending in.
This lesson covers three things. First, the privacy settings that actually matter — there are a lot of options, and most of them are not the ones to worry about. Second, how to spot a friend request that's really an impersonator. Third, what to do if a real friend's account gets hacked and starts sending you strange messages.
The privacy settings that matter
Facebook and Instagram have dozens of privacy settings. You don't need to understand all of them. There are four that account for almost all of your exposure:
Setting 1: Who can see your posts. The default on Facebook is often “Public,” which means anyone in the world can see what you post. Change this to “Friends.” On Instagram, set your account to private. Strangers don't need to see your daily life.
Setting 2: Who can send you friend requests. On Facebook, you can change this from “Everyone” to “Friends of friends.” That alone cuts down impersonator requests significantly.
Setting 3: What information is visible on your profile. Birthdays, hometowns, employers, family members — that's the exact information scammers use to write convincing impersonation messages. Hide what you don't need to display. Your real friends already know your birthday.
Setting 4: Search engine visibility. Facebook has a setting that controls whether your profile shows up in Google searches. Turn search engine visibility off if you can. This makes it harder for scammers to find you in the first place.
The Phase 5 PDF that goes with this lesson walks through each of these four settings on Facebook and Instagram with screenshots.
How to spot an impersonator friend request
This is the most common Facebook scam, and it works like this. You get a friend request from someone who looks like a friend you already have. Same name, same profile picture, maybe even the same cover photo. You accept, thinking they made a new account. Then they message you with a story — they're in trouble, they need money, they're in a different country and lost their wallet.
It is not your friend. It is a scammer who copied your friend's name and pictures to make a new account.
Three checks before you accept a friend request from someone you think you already know:
- Search their name on Facebook. If their real profile is still active, you'll see it — and that's a clue the new request is fake.
- Look at the new account's friends list. A real account has lots of friends, photos going back years, posts with comments from people you know. A fake account has very few of any of those.
- Message your friend on a different channel — a text, a phone call, an email. Ask if they made a new account. They almost certainly didn't.
If something feels off, decline the request. You can always accept later if it turns out to be real. You can't un-accept a scammer who's already in your friends list.
When a real friend's account gets hacked
Sometimes the suspicious message comes from your actual friend's actual account — because their account has been hacked. The hacker is using their identity to message everyone on their friends list.
How to tell. The message asks for money, asks you to click a link, says they're in trouble, tries to get you to claim a prize, or pushes you to invest in cryptocurrency. Real friends don't message you out of the blue with any of those things.
What to do. Don't reply on Facebook. Call your friend, text them, or email them on a channel that's not Facebook, and tell them their account may be compromised. They'll thank you. Then go to their hacked account's profile, find the three-dot menu, and choose “Find Support or Report Profile.” Facebook has a path for hacked accounts that gets the real owner back in.
A few other Facebook habits
Don't take quiz polls that ask “your stripper name is your first pet plus the street you grew up on.” That's not a quiz; it's a password-recovery question survey. The same goes for “the first concert I went to,” “my mother's maiden name,” and “the name of my first elementary school.” Those are the answers to the security questions on your real accounts.
Don't share posts that ask you to “type AMEN to bless this sick child” or “share this for a chance to win a car from Walmart.” Those posts are run by scammers building lists of accounts they can later message with impersonation scripts.
If you wouldn't tell a stranger at the grocery store what street you grew up on, don't put it on a Facebook quiz.
Recap
Four settings to check: who sees your posts, who can friend-request you, what's visible on your profile, and whether you're searchable in Google. Three checks before accepting a request that looks like a friend: search for their real profile, look at the new account's friends and photos, and message them on a different channel. And one habit: when in doubt about a message from a friend, contact them somewhere other than Facebook.
Today, open Facebook and change your default post audience from “Public” to “Friends.” It takes about thirty seconds and it cuts your scammer exposure by more than half.
Try this today
Look at your five most recent Facebook friend requests. For each one: do you actually know this person in real life, or just from another Facebook contact list? If you can't picture their face, decline.