First I'm going to explain it so you understand it exactly... then I'll show you what to do if it happens to someone you know... and then how to keep it from happening to you.
I call them scammers rather than hackers, because they aren't actually hacking into your Facebook account. Although many people do think they've been hacked. They freak out that someone has access to their Facebook account and they change their FB password, etc.
While it's never a bad idea to change an online password every so often, rest assured that in the scenario I'm about to explain, the scammer has not hacked into your FB account nor do they have your password.
Because there is more than one person in the world with any given name, Facebook couldn't let only one "Mary Smith" be called "Marry Smith" on Facebook. How would the other thousand Mary Smith's in the world feel? (They'd probably feel like the thousands of Mary Smiths who don't get to use their name on Twitter or Instagram, but that's beside the point.).
So when you create a FB page, you get a unique identifier, but you can CALL yourself anything (within reason).
So let's say Mary Smith #1 makes a Facebook page using Mary Smith as her profile name. So when Mary Smith #2 comes along, she makes a Facebook page also using Mary Smith as her profile name, but the URL to her page will be different from that of Mary Smith #1. But what YOU see when you look at either profile page (more on this later) is just a FB page that says "Mary Smith" and probably a photo of each respective Mary Smith.
When you want to find someone on Facebook, you search on their name, right? And more often than not, more than one FB account with that name comes up. So you either look at the avatar (profile) pic to see if you recognize who you're looking for or you see if they've listed a location where they live, etc.
So what's the scam?
If you get a friend request from someone you thought you were already friends with on Facebook, 99% of the time you're being scammed into "friending" a fake FB account.
What these people do is look around for people whose "friend lists" are public (more on that later too). Then they just make a new FB account, call themselves your name (remember, your name is not proprietary on FB) and start sending out friend requests to all the friends on YOUR friends list.
Now your friends will most likely do one of two things. They will either go, "Oh heck, I know her; of course I want to be FB friends with her". Then they confirm and are now friends with the scammer.
Or... they will go, "Um... she's already my FB friend. What's going on?"
Three times in the past month, I did this second thing. Then what I do is notify my friend (make sure you're using their real account when you msg them... find them from your friends list and make sure you see reasonable posts on their timeline).
You can check out the timeline of the person making the friend request without having to friend them. What you'll usually see is rarely anything more than the fact that it's a new account and they have a profile pic. There will be no history and their friends list will usually be short... only those friends who have already fallen for their scam. You can see the scammer's friends list without friending them (unless they're clever enough to do what I'm about to show you at the end of this blog post)... and if you want, you can let these friends on the list know they "friended" a scam artist. But that's not usually necessary because FB shuts down these scam accounts almost immediately after being reports.
If this happens to your account (someone impersonates you), don't post on your FB wall that you've been hacked. You weren't. There is nothing compromised about your FB account. Someone is just impersonating you. They do not have any of your private information.
Okay, so what you want to do (and I can't show you screen shots of going through the steps until this happens again) is report it to FB. Anyone can report it. I've done it numerous times. I'll try to recall the steps.
Open the scammers timeline (just click on their name, don't accept the friend request), then look for the extended menu next to the "Message" tab (see first red circle).
In the extended menu is an option to REPORT. Click on that, then you'll see options (now here's where I'm going off my memory). I think the one I pick is "this person is impersonating a friend" (or something like that).
Go through the questions... it will ask you the name of your friend (I usually just put the URL to my friend's true FB page).
When I report these to Facebook, the scammer's account is shut down within minutes. WTG, Facebook!
The only time it might not be a scammer (that other 1% of the time), is if my friend, for some reason, created a second FB account for themselves. So I usually msg my friend and ask before I report it. If they say they haven't created a new FB profile recently and requested my friendship, then I go ahead and report the scammer.
So back to unique FB identities for a second.
Let's say Mary Smith #1 created her FB page a long time ago. She may have the URL (to her FB page) as something like: https://www.facebook.com/marysmith
And her page (her timeline) will say Mary Smith next to her avatar picture on her FB banner.
When Mary Smith #2 comes along, she won't get the URL that says Mary Smith. Her URL may even look more like this: https://www.facebook.com/profile.php?id=100012083678532&fref=jewel
But her page (her timeline) will say Mary Smith next to her own avatar picture on her FB banner.
Let me back up and show you what I see if I search on the name "Laura Bracken". Here's what I see...
Notice there are four "Laura Bracken" FB accounts right away. They all have avatar/profile pictures but only two have locations. Sometimes it isn't easy trying to find someone you really want to find. People looking for me might not know which one of these I am... unless they knew I live in Penryn, CA.
Anyway, now I'm going to show you how each of these "Laura Bracken" accounts look different.
Here's the URL to my account.
When I started my FB account, there was probably a question asking me what my name is and another one asking me what I want to be known as, or something like that. (Sorry, I don't feel like creating a fake FB account right now just to demo the process.)
But anyway, you can see, my name (Laura Bracken) shows up next to my avatar, but my URL is something different.
Here are Laura Bracken #2, #3, and #4. BTW, I'm not exposing anyone's secret info... these profiles are all open to the viewing public.
Then click DONE.
If you select "Only Me", no one can see your friends list with one exception. People who are my friends and your friends will be listed as "mutual friends". So your FB friends will always be able to see who you and they both have friended, but your FB friends will not see anyone who is your friend but not their friend.
I don't know why FB has it set this way, but it's better than nothing.
So there you have it.
If any part of my explanation is wrong or confusing, let me know via comments and I'll see what I can do to fix this.
If this info helps you in any way, let me know via comments. I love knowing that taking a chunk out of my day to blog stuff like this is actually useful to some people. :-)
NEW INFO: To help you see what it looks like if someone who is already your friend gets their account cloned. The spammer will send a friend request to all of the person's friends (because he has access to that list).
For any friend request I get, I do a search on their name (I have a lot of FB friends and can't remember then all). If two profiles show up for the person and I'm already friends with one of their profiles, I click on the name of the new request then I can report it. All I have to do is put my real friend's name in the form and then FB contacts them to confirm they did not create a new profile.
[Update: check out my follow up post: What if your Facebook account really was hacked?]