Spam mail purporting to come from FB buddy

Yesterday I had a spam email (nothing new there) purporting to be from a friend (nothing new there either).

It was only when I thought about it more carefully that I realised it was unusual, because it wasn't the friend's email address! It was her Facebook name, that she ONLY uses on FB, and further is not her real name!

So, my concern now is how did the spammers/scammers (email contains only a link I did not visit, which probably downloads malware) not only obtain my email address, but know the name of a FB buddy to "spoof"?

The Facebook name is not something common like: "Jane Smith", so that it might be coincidence. It's quite distinctive and unusual.

My FB account is as locked-down as it's possible to be, short of being visible to me only - i.e. only friends can see my email address, only friends can see my other friends, and I only have a dozen FB friends total - all of whom I know personally, as I never accept invitations from strangers.

I understand how scammers can and do have my email address without there necessarily being any security breach at my end, as they may either be bulk spamming huge numbers of permutations, the computer of someone who has me in the address book may have been compromised, or (increasingly) some crazy namesake who doesn't seem to know her own email address has been signing me up to stuff.

All of which are annoying, without being worrying.

But somebody having my email address AND the name of a FB buddy is more concerning, as FB itself is the only place these two things are explicitly associated.

Googling suggests there could have been a FB security breach in about 2012 or 2013 that briefly allowed 'unauthorised' people to see users' emails and friends lists.

However, although any such information gleaned at the time could still be out there 2016 seems a bit of a long time lapse before I'd notice the first attempted exploit.

Any ideas? Should I be worried (for me, or for the friend)?

Ive had this before. What i assume happen is a friend of yours has there FB account hacked. That then gives them access to their friends list which you will be on, and also that friends email address

So now they just send a message pretending to be from that person. Most people tend to disclose email address/DOB/place they live etc to friends only and people think this is secure. It is if your friends dont have their account hacked. If they do then the hacker will have access to whatever information you have on your profile

You should contact that friend and tell them their FB account has probably been compromised. FB have 2 step verification now, worth using it

Edited by bobble_bob (Sat 26-Mar-16 11:22:43)

If your friend has her regular email address linked to her Facebook page, her Facebook name (and username) will show up on a search of Facebook using that email.

All that is needed is for you and her to have a mutual friend who has both your emails in their address book and for that mutual friend's email account to be compromised.

An automated search of Facebook for these emails will reveal more information which the s[p/c]ammers can the use to make their emails appear more convincing.

We are unlikely to have any email contacts in common, as she is foreign, so we don't have mutual friends and associates. I do know many of her friends "by repute", and she probably knows most of mine the same way, but in neither case well enough to be emailing any of them.

I don't think she would have an email address for anyone else that I know - and she would only try to obtain one if she thought for some reason that anything had happened to me, and was trying to find out more.