Phishing is getting increasingly cunning...
tl;dr: identity theft is incredibly easy these days.
I had what looked to be a message from an old work colleague (old in every sense of the word - I last worked with him about a decade ago, and I think he's retired now). We'll call him Dave, to keep things simple.
Oddly, it came up as a "new contact" message, but the name was correct, as was the profile photo. So I raised an eyebrow, clicked on it, and was greeted with a message which looked very out of character. E.g. "I'm blessed and highly favoured". Bonus points for the UK spelling, but it's still not something Dave would say.
And then they tried to tell me the "good news" about some HSS thing. Which a quick Google revealed to be some American grant thing which is highly susceptible to scams. And a further check indicated that it wasn't actually Dave's account. In fact, given the length of time since he last posted, it's debatable if he's even using Facebook any more!
What I suspect has happened is that my work colleague has left his profile and friends list as public. And so, someone's grabbed his profile photo, set up a fake account with the same name, and has been working down his friends list.
So, I set up a group conversation between Dave and "Dave" and said: Dave, meet Dave. Dave, I'm afraid Dave has cloned your account and is attempting to scam people. Might be worth checking your privacy settings!
And then I reported "Dave" to FB (for all the good it's likely to do) and blocked him for good measure...