Opportunities for confusion and deception.
Did it do any harm? Probably not. It depends on what you did next.
Here’s the thing, though: those two events — impersonation and that email — are very likely completely unrelated.
Facebook impersonation accounts don’t mean you’ve been compromised. Simply report them as fake to Facebook. Phishing emails can happen at any time. A phishing email that appears at the same time as the impersonation might seem more legitimate, but it’s not. Don’t click on the links in the email; instead, secure your account by going to it directly and checking for issues. As always, use two-factor authentication if at all possible.
Anyone can create a Facebook account using your name and the photos you’ve posted publicly.
It does not mean your account was hacked. It doesn’t mean they know your email address or anything else about you. All they did was create a new account using your name and perhaps a few photos stolen from your account. They probably used their own email address or a fake one.
The article “Could Someone Set Up a Fake Facebook Account in My Name?” goes into more detail, but the bottom line is that you, and perhaps your friends, need to report the fake account as impersonating you. Eventually Facebook should remove it.
Reporting the fake account is all you can do.
The email you received was probably just coincidentally timed with the impersonation you’re dealing with.[1]
Phishing attempts are constant, and I’m sure you’ve seen many already. They try to look legitimate and pose some kind of problem you need to act on right away. By clicking the link provided in the email, you’re taken to a fake webpage that looks like a sign-in page. Rather than signing you in, it just collects your username and password for the hacker.
If all you did was click the link to display the fake webpage, chances are nothing bad has happened. Run an anti-malware scan, but delivering malware is rarely the point of these attempts. They’re really about collecting your sign-in information. As long as you did not provide that, you’re probably just fine. If you did, then you should assume your account has been hacked, and immediately take steps. This article on email hacks has steps that apply to almost all types of accounts: “My Email Is Hacked, How Do I Fix It? – 7 Things You Need to Do NOW!”
If you find someone impersonating you or someone you know on Facebook (or on any social media), report that fake account. It may help to enlist your friends or contacts to also report the fake account — just take care to report the fake one, not your real one.
If you get email that is unexpected and looks official, but asks you to do something like verify an account, think twice about clicking the link. Instead, visit the service directly and check your account profile or messages for any information. Chances are there’ll be nothing there, and you can safely ignore the fake message.
Of course, changing your password never hurts if you’re the least bit concerned. Adding two-factor authentication to any account that supports it is also a good idea to prevent account compromise.
Footnotes & References
1: I can see a coordinated effort as being possible: get the impersonating account on your radar to spook you and then target you with a phishing attempt that seems related. This would require more individual focus than most attackers bother with.