One friend request. Real money gone.

A second profile for my cousin appeared with the same photos; I assumed she had been hacked and started fresh, so I accepted the new request.

The DM contained a link to “confirm” her identity.

The page looked like Facebook login; I entered my password before the URL registered as wrong.

Within hours the account sent urgent money messages to my friends list while I fought to regain access.

Clone profiles mine people who already trust the name; combined with phished credentials, scammers DM everyone for cash or gift cards.

Friends sent hundreds thinking I was stranded.

While I clicked I wanted to be supportive of a fresh start after a hack instead of treating the duplicate as a stranger.

I reached my cousin on video using her old number; she had not created a new profile, which meant the duplicate was fraud and I needed to report and recover in parallel.

I apologised to people one by one; Meta’s recovery flow took weeks, and the reputational hit stung more than any cash I did not personally lose.

Before I accept a duplicate account, I message an existing thread or call on a saved number.

2FA stays on every social account.

• Enable two-factor authentication on social accounts; warn contacts if you are cloned.
• Never log in from DM links—open the app or site you trust directly.

For more help, see our Report a scam page and Spot and avoid scams guide.