It all started with a text on the Facebook Messenger application: "What's your phone number mate?"
Queensland resident Louise Manning thought it was an old friend reaching out to her, so after a little back and forth she responded.
"I gave him my phone number," she said.
Within minutes, she was locked out of her Facebook account — her precious memories and access to her friends now in the control of a stranger.
"They changed the phone number, email address, everything like that… I couldn't get access to it," Ms Manning said.
She said her friends then started receiving similar messages from her now hacked account.
"Several of them flagged it and went 'that's weird', because I don't normally use [the word mate]," she said.
"But others didn't pick it up … I've heard of two people so far that have been hacked via my account."
Some of her friends reported her account to Facebook owner Meta and it was removed by the service.
"I originally signed up to Facebook in 2006, so that's nearly 20 years of photos of family and friends and things that have happened.
"My sister passed away from uterine cancer about three weeks ago … most [of our photos] were on Facebook, so that's really sad.
"It's a simple phrase, you know, 'what's your phone number mate?'. And then it just all blows up and it costs you an enormous amount of angst."
It's the latest blow for Ms Manning, who had personal information such as her passport and driver's licence details leaked as part of the 2022 Optus data breach.
The scam isn't a new one — it's been around for years. But many like Louise are continuing to fall victim to it.
How does the scam work?
Scammers posing as friends pretend they have lost their mobile and need the victim's phone number so they can get a text message code sent to it, which would ostensibly allow them to log back into their social media account.
Unbeknownst to the victim, that code then grants the scammer access to their account and they are soon locked out.
Professor Neil Curtis, a cybersecurity expert from the University of Southern Queensland, said that for someone's social media account to be accessed through a phone number alone — without the victim giving the scammer a code — the offenders would need access to the phone's SIM card.
"If they've hacked your SIM card, so if they've gone to a service provider and pretended to be you and got them to duplicate the SIM, they now receive all your calls and messages," he said.
"But that only works if you have text-based multi-factor authentication [set up]."
Professor Curtis said he recommended against displaying birthdays or other important personal information on social media, as that information could end up in the hands of scammers.
"The more you put on social, the more you lose, the more that hacker can get," he said.
If that important identifying information wasn't shared, the biggest risk of a Facebook scam — apart from losing your memories if the account is shut down — is the reputational risk, he said.
"Somebody might see your Facebook account come up with nefarious activities, it might be selling Bitcoin, or pornography," he said.
"All your friends that are in your Facebook account are all going to be hit as well."
Thousands of scams reported this year
Across the country, there have been 21,657 hacks or identity-based scams reported to Scam Watch so far this year.
The Australian Signals Directorate (ASD) said cybercrimes were a persistent and disruptive threat.
"Cybercriminals are adapting to capitalise on new opportunities, such as artificial intelligence, which reduces the level of sophistication needed for cybercriminals to operate," an ASD spokesperson said.
In its annual cyber threat report released this week, the ASD found identity fraud was the most self-reported cybercrime type for individuals, followed by online shopping fraud and online banking fraud.
"Australia's more populous states continue to report more cybercrime — Queensland and Victoria report disproportionately higher rates of cybercrime relative to their populations," the spokesperson said.
"The average cost of cybercrime per report increased year-on-year for small businesses and individuals — to $49,600 [up 8 per cent] for small businesses, and $30,700 [up 17 per cent] for individuals."
Professor Curtis said multi-factor authentication apps like Microsoft Authenticator were a powerful way of protecting social media and other accounts online, especially if users enabled biometric tools like face or fingerprint scanning to authorise those applications.
"And if you think that you've been breached or you suspect that there's nefarious activity … change all your passwords again," he said.
He said families should have passphrases with each other that only they know in case they lose their phones, which would allow them to easily verify they are who they say they are.
People should also ring each other, even over social media apps, to be sure they're speaking to who they think they are, he added.
"We're in Black Friday this weekend, so this is the time that all the hackers are going to be smashing your phones and smashing your email account," he said.
"So this weekend, particularly through to Christmas, be a lot more vigilant. Really be vigilant. Just start to question everything."
Meta removes accounts
For its part, social media giant Meta, which owns Facebook and Instagram, said it had removed 1.2 billion fake accounts and 322 million pieces of spam content from the platform.
"Meta doesn't want scams on our platforms and we are continuing to invest in tools and technology to prevent them," a Meta spokesperson said.
"The safety of our users is of utmost importance, and we continue to work with industry, the government and law enforcement to protect Australians from scams."
Louise Manning said at the end of the day, she was lucky. She lost no money because of the scam — just her time and memories.
"Everybody needs to know about this," she said.
"It might sound small, you know I lost access to my Facebook account, but it really can have quite large ramifications."