How to Recognise and Avoid Facebook Phishing Scams

Image: © depositphotos.com/ bizoon

Online criminals use a variety of methods to target Facebook users. These include Facebook cloning, like-farming, and survey scams. But, Facebook phishing scams are the most dangerous and potentially damaging of these.

Why? Because, unlike cloning and fake prize scams, phishing allows criminals to actually take control of your account and use it as they see fit.

Facebook phishing scammers want your personal and financial information. They want the login credentials for your Facebook and email accounts. They want your credit card numbers. They want to steal your identity.

Below I discuss the most common tactics that Facebook scammers use to steal your account login details and other personal and financial information. I then discuss ways of recognizing Facebook phishing scam attempts and include links to a number of examples of such scams.

Set aside a few minutes to go through this report and you will come away well equipped to protect yourself from Facebook phishing scammers. You’ll also be in a position to help your Facebook friends avoid being scammed by letting them know how such scammers operate.

Fake Facebook Security Notifications

One very common way that online criminals attempt to hijack your account is by sending you fake messages that claim that your Facebook account is about to be disabled or suspended.

The messages, which may arrive via Facebook’s internal messaging system or via email, appear to originate from official entities such as “Facebook Security”, “Facebook Admin”, or the “Facebook Ads Team”. Typically, the messages warn that your account has been reported by other users or is in violation of Facebook’s Terms of Service and is therefore about to be closed or suspended. But, claim the messages, you can avoid the pending account closure by clicking a link to “confirm” or “verify” your account.

If you do click the link, you will be taken to a fraudulent website that has been built to look like it is part of Facebook. Once on the fake page, you will be asked to log in with your Facebook account email address and password.

In many cases, you will then be taken to further fake forms that ask for your email account password, your credit card details, and a lot of other personal information. After submitting all of the requested information, you may receive a final message claiming that you have successfully avoided the account suspension or closure.

Meanwhile, the criminals can collect the information you supplied and use it to hijack your Facebook and email accounts. Once they have gained access, they can use the compromised accounts to launch further spam and scam campaigns, including more Facebook phishing scams like the ones we are discussing here.

They can also use your credit card to make fraudulent purchases. And, if they have gathered enough of your personal details, they may even be able to steal your identity.

This Hoax-Slayer YouTube video describes these “account disabled” phishing scams in more detail:

Simple Social Engineering Tricks

In other types of Facebook-related phishing scams, you may be tricked into clicking a link in a personal message from a friend.

The message may claim that the friend has seen you in a compromising photo or video and you should click to access it.

Or, they may claim that you have been featured in a video that is “going viral” on YouTube or another video sharing website. The messages include a link that supposedly allows you to view the video.

But, the links open a scam website that claims that you must log in with your Facebook username and password before you can access the supposed video or photo. Criminals can harvest the information you supply and use it to take control of your Facebook account.

And, of course, you will never get to see the promised photo or video, which never existed in the first place.

Other versions may claim that you should click to view a “breaking news” report or “urgent” warning. Again, the link will lead to a fake Facebook site that is designed to steal your login credentials and other personal information.

You might be more inclined to believe these messages and click on them because they appear to have been sent by one of your Facebook friends.

Why would a friend send you such a message? Often, you receive these messages because your friend’s Facebook account has been hijacked by scammers and used to distribute more of the same scams. In other cases, the bogus messages may have been sent from a cloned account and did not actually come from your friend at all.

Bogus Admin Messages

Some phishing scam messages may simply claim that Facebook is performing an update and you must click a link to log in to your “updated” account.

Or, they may claim that some of your account or credit card details appear to be out of date and must be verified by clicking a link and following the instructions.

As with other types of Facebook phishing, the links open fraudulent websites that try to trick you into first entering your Facebook login credentials and then filling in a bogus “verification” or “update’ form.

Use Caution and Common Sense

If you receive a message or email that seems to have some of the characteristics that I’ve discussed above, then, proceed with caution. Don’t click any links in the messages.

Instead, log in to Facebook either by entering the address into your browser’s address bar or via an official Facebook app.

If you do receive a message from Facebook about an account issue, it will not threaten an immediate account suspension if you do not click a link. Genuine Facebook messages will not directly ask for your account password or other identifying information such as social security or driver’s licence numbers.

And, if a message that claims to be from Facebook has misspellings and strange or unusual grammar, it may well be a scam.

The scam messages also link to web addresses that do not belong to Facebook. If you do inadvertently click a link and what appears to be a Facebook login page opens in your browser, always check the web address.

Aside from the uncommon exceptions described in the next section, the web address should always start with “www.facebook.com” as shown in the following screenshot. If it is not, then you are likely to be on a scam website and should not proceed.

Some Important Points About Facebook URLs

As noted, aside from some rare exceptions, real Facebook web pages have “www.facebook.com” at the beginning.

However, do note that there may be words, letters and numbers AFTER the “.com” section of the web address (URL). For example, the URL for Facebook’s Safety Center may be something like this:

Despite the long and confusing string of digits in the URL, we can immediately see that it is a genuine Facebook page because it begins with “www.facebook.com”.

The exceptions? Some special Facebook web pages such as those aimed at Facebook developers may use a subdomain such as “developers.facebook.com”. That is, the address may contain a word such as “developers” in place of the “www”. But, on genuine Facebook web pages, “facebook.com” will always follow the subdomain section of the URL:

Scammers often use URLs that contain the word “facebook” but do not really belong to the genuine Facebook website. For example, the URL may be something like “www.facebook-[other words or numbers].com”. Victims who quickly glance at the URL may notice the word “facebook” and mistakenly believe that they are on a genuine Facebook web page.

Scammers can easily and cheaply register domains that include the name of targetted companies – including Facebook – within the URL:

Note also that ALL genuine Facebook pages will be secure. That is, they will have “https:” before the “www” and a lock icon will be displayed in the address bar. If you go to a website that claims to belong to Facebook and it is not a secure site, then the website is a scam.

That said, it is important to keep in mind that phishing scam sites may also be secure. It is now quite easy for web developers, both legitimate and criminal, to create secure websites at no extra cost. So, online criminals are now more commonly creating scam websites that are secure and display the padlock.

Thus, while it is true that any non-secure website that claims to be part of Facebook is sure to be a scam, criminals may still create fake Facebook websites that ARE secure.

Disguised Links

In some cases, links in the scam messages may be disguised so that they only appear to go to the genuine Facebook site when they actually go to another website.

If you hover your mouse cursor over a link in an email, the real URL will usually be revealed either in the status bar at the bottom of your email program or in a small popup. Be very cautious if the actual link is different to the link displayed in the message.

This is a common scammer ploy and is used in many different types of scam messages, not just those related to Facebook.

Examples

You can reinforce your knowledge of Facebook phishing attacks by checking out some of the Facebook phishing reports that I’ve linked to below. The reports include real examples of phishing scam messages. Some of these reports are years old. Nevertheless, phishing scammers continue to use variations of the same scam messages.