The head of a police financial crime unit has had his Facebook account compromised, days after the force warned people about a ‘confirmation code’ scam.

Superintendent Sandro Camilleri, who heads the anti-money-laundering department within the Financial Crime Investigation Department (FCID), was locked out of his own Facebook accounts last Sunday.

His personal Facebook and Messenger account is now being used by hackers to attempt to lure people to invest in financial scams.

A police report has been filed about the case.

Last week, the police shared a post on their Facebook page warning people to watch out for a new phishing scam that allows hackers to gain access to people’s accounts.

Police shared this advice to be cautious about replying to compromised accounts.

How does the scam work?

The attack is initiated from an already compromised account belonging to a friend of the target, who uses Facebook Messenger to ask for urgent help to get back into his or her Facebook account.

The message asks for the target’s mobile number or email address. Facebook then sends a recovery code to that number or address, which the target is asked to pass on to the attacker hiding behind the identity of the friend.

“When providing this code, the victim will be giving access to third parties to their social media account,” the police had warned.

The police advised Facebook Messenger users to be cautious when replying to messages that seem to be coming from the real accounts of their Facebook friends.

A screen grab of the scam.

The scam is easy to fall for as it uses real social media accounts that have previously been hacked and it mimics a genuine Facebook account recovery feature called ‘Trusted Contacts’.

In fact, the scammer has actually initiated a ‘Forgot my password’ request on the target’s account and duped the target into handing over the details that allow the hacker to hijack it. Camilleri’s profile is now being used to try to lure his friends into financial scams by sending them private messages.

On Sunday, Camilleri’s Facebook page uploaded a post saying that life has “been treating me so good” since a €3,500 investment yielded him €23,000 within hours.

A private message disseminated through his Messenger account also urged his friends to start investing by sending a text message to a US WhatsApp number.

A phishing scam allows hackers to hijack a person’s account and then attempt to lure people into get-rich-quick scams.

This is typical behaviour of hackers who have used the phishing scam to hijack real Facebook profiles.

Most of the posts and messages attempt to give the impression that the victim became rich overnight by investing money online and now wants their friends to do it as well.

Camilleri was appointed to head the police unit that is tasked with investigating major money laundering cases last September.

One of the most public of Malta’s high-ranking police officers, he has previously fought for the rights of police officers and founded and headed a police union.

He was one of the earliest advocates of police body-worn cameras and has developed a relatively popular online following over the years, meaning his account could be used as bait for many unsuspecting friends who know and trust him.

What should you do if your Facebook page is hijacked?

The police said it could not comment on individual cases. However, a spokesperson for the cybercrime unit said that anyone who falls victim to such a scam should warn their friends and contacts and tell them to ignore posts and messages from the compromised profile.

“The victim should also report the case directly to the social media platform to attempt to take back access to their profile,” they said.

“It is also advised that other users also report specific posts to have them removed from the profile.

“Unfortunately, the profile will be removed at the discretion of the platform, even after being contacted by the police.”
