There are two common mistakes that help the bad guys clone or hack someone's Facebook account.
Mistake number one: accepting friend requests from people you don't know. Scammers create fake accounts in hopes of finding a few people to accept their friend requests.
If you accept, the scammer gets to see a list of all of your friends. They can then send them friend requests. Suddenly, one of these fakers can build a friends list of several thousand. Those strangers you've welcomed into your Facebook world can also see all of your photos and posts.
Since they can see your photos, they can right-click on your profile photo, save it, then upload it again and create a cloned account in your name.
Mistake number two: Making your friends list visible to everyone. To fix this, go into your settings and privacy. Under who can see your friends list, make sure it's either friends or friends of friends or only me.
Does cloning someone's Facebook account do anything except annoy people? It can. Maybe you've received a message from a friend whose account has been cloned. The scammers hope at least a few friends click on a link they send. It could install malware on your computer, or take you to a website asking you to log in with your Facebook credentials. If they have your Facebook username and password, they can and they will log in and change the password so you can't get back into your account. And good luck getting it back.
The most important step is to accept friend requests only from people you know.