MONOLITH LAW OFFICE · +81-3-6262-3248 · Weekdays 10:00-18:00 JST



An Attorney Explains Impersonation and Account Hijacking on Facebook and Their Countermeasures


Since Facebook fundamentally requires registration and use under real names, it is full of personal information. Impersonation and account hijacking, which are already problems on other social networks such as Twitter, are therefore particularly serious on Facebook. In particular, many people use Facebook as a tool for their work, and for them impersonation and account hijacking can lead not only to a loss of social standing and trust but also to significant economic damage.

Impersonation on Facebook

Impersonation on Facebook involves creating an account with the same name as another user, posting pictures that make it appear as if the account belongs to that person, and then sending friend requests or messages to that person’s friends. Because many people mistake these friend requests as coming from the actual person, it is important to be cautious when receiving them. Initially, the main purpose of impersonation was to lure people to paid sites and defraud them of money. However, it has also become a common method of personal harassment: by making it appear that the real user has posted defamatory comments, the person believed to be the author can suffer significant damage to their social credibility and personal relationships. Additionally, impersonators may aim to gather personal information such as the addresses, birth dates, and personal relationships of the victim’s friends. This causes considerable trouble because it directly affects the people around the victim.

Identifying Facebook Impersonators

When you receive a friend request, it is a good idea to verify that it genuinely comes from the person it claims to be before accepting it. Be particularly cautious if you notice any of the following characteristics:

  • Few posts
  • The account was recently created
  • No update history
  • An unusually high or extremely low number of friends
  • A skewed composition of friends
  • An incomplete self-introduction
  • No profile picture, or a character illustration as the profile picture

Impersonators may also send messages via Messenger saying things like, “I had quit Facebook, but I’ve restarted,” or “I couldn’t log into Facebook, so I created a new account.” Avoid accepting friend requests from people you don’t know too readily. While online connections can be an effective and enjoyable way to build new relationships, they also carry many risks. If you inadvertently accept a friend request from an impersonator, unfriend the impersonator’s account immediately. This prevents further harm to you, and the other party is not notified when you unfriend them. If a friend has been impersonated, send them a message so they can stop the harm from spreading. To protect your other friends, post a message such as, “There is an impersonator account under the name of XX; please unfriend it if you have accepted the friend request,” and report the impersonator’s timeline to Facebook.

Facebook Account Hijacking

If you notice your Facebook account has been hijacked, change your password immediately.

More malicious than impersonation is account hijacking. Facebook has a feature called “Recover your account through friends” as a relief measure for legitimate users who have lost their login information. This feature can be abused by sending friend requests from impersonated accounts to the target person’s friends. Some people will accept the friend request if they are told, “I forgot my password and had to create a new account.” Once approval is obtained from three people, the Facebook hijacking is complete.

There is also the issue of “password leakage.” There are cases where a password is leaked by some means (such as a friend or acquaintance looking over your shoulder), and there are also cases where account information registered with major sites or services is leaked in a breach. The most common form of damage from hijacking is advertising posts, but since Facebook is full of personal information, hijacking an account means that all of this personal information can be extracted.

With the information obtained in this way, it becomes easy to freely defame others, send defamatory emails in the person’s name, make obscene posts, and easily lower the person’s social reputation.

Examples of Facebook Account Hijacking

  • Unauthorized changes to login passwords, resulting in inability to access the account
  • Spam advertisements being sent to friends
  • Leakage of personal information, including credit card details

The most common issue with account hijacking is the distribution of spam advertisements. This became well-known through the infamous cheap Ray-Ban ads. These ads display images of Ray-Ban sunglasses, tagging people and appearing on their timelines. The links lead to malicious online shopping sites. Involving friends and acquaintances in such financial troubles can lead to serious problems.

Personal information leakage can result in theft of money through leaked credit card information, and there is also the possibility of friends and acquaintances falling victim to fraud. There have been many reports of crimes committed by specialized fraud groups. Specialized fraud refers to scams that deceive money from an unspecified number of people without face-to-face interaction, using communication tools. Recently, specialized fraud using mediums like Facebook and LINE has become a problem. Fraud involving the use of electronic money is particularly problematic in specialized fraud cases.

Electronic money is easy to exchange and difficult to trace, making it a popular tool for fraudsters. They may impersonate family members, friends, or acquaintances and send messages asking the victim to buy prepaid electronic money such as iTunes cards and to send the number printed on the back of the card. This method has actually caused significant damage. Be aware that specialized fraud groups operate with the aim of stealing money in this way.

What to Do If Your Facebook Account is Hacked

First, report the unauthorized access to Facebook. You can do this by going to the Help Center and selecting the option for reporting unauthorized account access. Next, change your password. If you can still log in, the hacker has not yet changed your password, so change it as soon as possible to lock the hacker out. If you leave it as it is and the hacker changes your password, your Facebook account will be completely taken over and you, the legitimate user, will no longer be able to use it. If you suspect anything, change your password immediately. Facebook also has an app integration feature, and depending on the permissions granted to an integrated app, a third party may be able to perform various operations through it.

After a hijacking, your account may have been linked to an app through which the hacker can share links at will to achieve their goals. Unlinking suspicious apps resolves this, so check the apps linked to your account and unlink any that you don’t recognize or find suspicious. Furthermore, delete the spam posts; you can remove them from your own timeline. However, if you were tagged in posts on your friends’ pages, you cannot delete that content yourself and will have to wait for it to pass.

Finally, make sure to apologize. Apologize to your acquaintances and friends for the inconvenience caused by the incident and any spam posts.

Facebook Account Hijacking and Legal Issues

Penalties such as imprisonment and fines may be imposed for unauthorized access to another person’s account.

What kind of legal violations does Facebook account hijacking constitute?

Unauthorized Computer Access Act and Account Hijacking

Firstly, unauthorized login to another person’s Facebook account may potentially violate the Japanese Unauthorized Computer Access Act (official name: “Act on Prohibition of Unauthorized Computer Access”).

Unauthorized Computer Access Act (Prohibition of Unauthorized Access)
Article 3: No person shall engage in unauthorized access.
Article 11: A person who violates the provisions of Article 3 shall be punished by imprisonment for up to 3 years or a fine of up to 1 million yen.

Furthermore, if you unlawfully obtain another person’s password, you may be subject to imprisonment for up to 1 year or a fine of up to 500,000 yen.

Unauthorized Computer Access Act (Prohibition of Unlawfully Obtaining Another Person’s Identification Code)
Article 4: No person shall obtain another person’s identification code related to access control functions for the purpose of unauthorized access (limited to those applicable to Article 2, Paragraph 4, Item 1. The same shall apply in Article 6 and Article 12, Item 2).
Article 12: A person who falls under any of the following items shall be punished by imprisonment for up to 1 year or a fine of up to 500,000 yen.
1. A person who violates the provisions of Article 4

In August 2016, the Tokyo District Court found a 29-year-old company employee from Omura City, Nagasaki Prefecture, guilty of violating the Unauthorized Computer Access Act. He had been arrested for gaining unauthorized access to the Facebook and iCloud accounts of seven people, including the actresses Masami Nagasawa and Keiko Kitagawa, a total of 238 times.

The defendant repeatedly accessed the Facebook and iCloud accounts of a total of seven women using his home computer over a period of about 1 year and 3 months from around August 2014 (Heisei 26) to around November 2015 (Heisei 27). During this time, the defendant attempted unauthorized access to other women based on the information he obtained through successful unauthorized access, searched for password information using the internet, found answers to secret questions for password recovery, and used the password reset function, among other things. The defendant’s crimes were habitual and persistent, and they significantly damaged the social trust in computer networks.

Tokyo District Court Judgment, August 3, 2016 (Heisei 28)

The Tokyo District Court sentenced him to 2 years and 6 months in prison, as demanded by the prosecution, but suspended the sentence for 4 years, stating, “The defendant did not leak the information he peeked at. Therefore, while it is not permissible to take the defendant’s criminal responsibility lightly, considering the nature of the crime in this case, it should be said that it is still permissible to suspend the execution of the sentence for the defendant.”

Cases Where the Crime of Fraudulent Use of Electronic Computers May Apply

Also, if you commit fraud through phishing scams or impersonation, the crime of fraudulent use of electronic computers may apply.

Criminal Code Article 246-2 (Fraudulent Use of Electronic Computers)
In addition to what is provided for in the preceding article, a person who gives false information or an unlawful command to an electronic computer used for another person’s business processing, creates a false electromagnetic record related to the acquisition or change of property rights, or provides a false electromagnetic record related to the acquisition or change of property rights for another person’s business processing, and thereby unlawfully profits in property or causes another person to do so, shall be punished by imprisonment for up to 10 years.

Identifying the Perpetrator and Claiming Damages in Civil Court

Of course, if you are defamed due to account hijacking, it is also possible to claim damages in civil court.

Civil Code Article 709
A person who intentionally or negligently infringes the rights of another person or legally protected interests shall be liable to compensate for the damage caused thereby.

First, you apply for a provisional disposition for the disclosure of sender information to Facebook, Inc. If the provisional disposition order is granted, Facebook, Inc. will disclose the information, and then you file a lawsuit for the disclosure of sender information against the identified provider to identify the sender’s real name, address, etc. Once the sender is identified, if the post is defamatory, it is possible to claim damages.

Editor in Chief and Managing Attorney: Toki Kawase

An expert in IT-related legal affairs in Japan who established MONOLITH LAW OFFICE and serves as its managing attorney. Formerly an IT engineer, he has been involved in the management of IT companies and has served as legal counsel to more than 100 companies, ranging from top-tier organizations to seed-stage startups.