Opportunities for confusion and deception.
Mistake? Probably.
Did it do any harm? Probably not. It depends on what you did next.
Here's the thing, though: those two events -- impersonation and that email -- are very likely completely unrelated.
Facebook Impersonation
Facebook impersonation accounts don't mean you've been compromised. Simply report them as fake to Facebook. Phishing emails can happen at any time. Because it appeared at the same time as the impersonation, it might seem more legit, but it's not. Don't click on the links in the email, but secure your account by going to it directly and checking for issues. As always, use two-factor authentication if at all possible.
Impersonation
Anyone can create a Facebook account using your name and the photos you've posted publicly.
It does not mean your account was hacked. It doesn't mean they know your email address or anything else about you. All they did was create a new account using your name and perhaps a few photos stolen from your account. They probably used their own email address or a fake one.
"Could Someone Set Up a Fake Facebook Account in My Name?" goes into more detail, but the bottom line is that you, and perhaps your friends, need to report the fake account as impersonating you. Eventually Facebook should remove it.
Reporting the fake account is all you can do.
Phishing
The email you received was probably just coincidentally timed with the impersonation you're dealing with.[1]
Phishing attempts are constant, and I'm sure you've seen many already. They try to look legitimate and pose some kind of problem you need to act on right away. By clicking the link provided in the email, you're taken to a fake webpage that looks like a sign-in page. Rather than signing you in, it just collects your username and password for the hacker.
If all you did was click the link to display the fake webpage, chances are nothing bad has happened. Run an anti-malware scan, but delivering malware is rarely the point of these attempts. They're really about collecting your sign-in information. As long as you did not provide that, you're probably just fine. If you did, then you should assume your account has been hacked, and immediately take steps. This article on email hacks has steps applying to almost all types of accounts: "My Email Is Hacked, How Do I Fix It? – 7 Things You Need to Do NOW!"
Do this
If you find someone impersonating you or someone you know on Facebook (or on any social media), report that fake account. It may help to enlist your friends or contacts to also report the fake account -- just take care to report the fake one, not your real one.
If you get email that is unexpected and looks official, but asks you to do something like verify an account, think twice about clicking the link. Instead, visit the service directly and check your account profile or messages for any information. Chances are there'll be nothing there, and you can safely ignore the fake message.
Of course, changing your password never hurts if you're the least bit concerned. Adding two-factor authentication to any account that supports it is also a good idea to prevent account compromise.
Footnotes & References
1: I can see a coordinated effort as being possible: get the impersonating account on your radar to spook you and then target you with a phishing attempt that seems related. This would require more individual focus than most attackers bother with.
I once got PMs on FB from a friend advising me about a government program grant claiming I could get $25,000 that I wouldn't have to pay back. This was completely out of character for my friend, so I did a snip of the PM and asked her about it on her real account. She was shocked. I advised her to change her FB settings so only she could see her friends list, and report it herself.
If you actually got it from that friend’s account, their account had likely been hacked.
If you got it from a different account using that friend’s name, then it’s more likely a case of impersonation.
Hiding your friends list from all but yourself is a great way to prevent this kind of thing from happening. Someone could still create a fake account, but without having access to their friends list, they wouldn’t have anyone to send friend requests to. And without access to the friends list, the impersonator might not even bother to create a fake account.