Facebook phishing, however, is a more focused scenario that relates to malicious actions performed by approaching victims on Facebook. According to a 2020 threat report, Facebook is one of the top sites impersonated by phishing sites or cybercriminals, along with Microsoft, Apple, Google, PayPal, and Dropbox. Attacks are usually run through fake or stolen accounts (of an acquaintance or of a business known to the victim), and used to steal sensitive information, such as bank login details, or to get the victim to download malware onto their computer. If that succeeds, the attacker will likely use the newly obtained Facebook account to carry out further attacks on more victims.
Common Facebook Scams
One of the more popular Facebook phishing scams revolves around prizes. A fake Facebook page, usually belonging to a business, posts about a prize being given to people who perform an action, such as visiting a website or providing personal details, as well as sharing the original post with their friends to increase its popularity and creditability. Another popular scam uses the romance theme – fake profiles used to write comments in dating groups to lure victims into online “relationships” that eventually end up with requests for money, airline tickets or any other commodity that can be profitable for the attacker.
A few notable prize scams posted on Facebook from recent times include: Virgin Atlantic celebrating its thirty-fifth birthday by giving away two free tickets, Ellen DeGeneres giving away prizes, and Costco giving away $75 coupons. Each of these campaigns had hundreds or more people participating through sharing and providing their details.
Another common scam is sponsored ads. They pop up in a user’s Newsfeed and take them to a phishing site if they click the ad. The victim is then asked to provide credit card details, email address info, etc. to find out more about the product. These types of scams are much harder to detect, as they can target a specific audience.
Recognising a Facebook Scam
Despite some of these scam campaigns appearing downright obvious to informed individuals, a lot of people are less aware and might become a victim. There are a few warning signs that can help to determine whether or not you are actually dealing with a scam:
- Visiting a page that asks you to re-enter your Facebook credentials. If the conversation began on Facebook and you have not logged off, there is no reason to provide your username or password again.
- A sense of urgency – scammers will often want to create a sense of urgency to catch victims out and prevent them from thinking things through. For example, scams might state that “this is a limited-time offer”, urging you to reply quickly, otherwise you will miss out. Countdown timers are common as well, where you are given 5 or 10 minutes to complete a survey (which is a fake), to then win a prize.
- Being approached by old friends – if you have someone in your Facebook contacts with whom you have not spoken in a while, and they suddenly send you a strange message with a link or an attachment, it is most likely a scam.
- Similarly, approaches from people who are not on your Facebook friends list, but who want you to click a link or download an attachment, could also be dangerous. It is recommended to check that person’s profile information, as scam campaigns often use newly created profiles with generic pictures. If you have mutual friends, ask them how they know them, to verify the profile’s legitimacy.
- Grammar or spelling mistakes – as scammers often approach victims from different countries, it is common for them to have spelling or grammar errors, since they are not writing in their mother tongue. Texts that seem to be copied from Google Translate or have multiple mistakes should raise suspicion.
What to do if you fall victim
If you have fallen victim to a fake Facebook post, you can report it, so it lessens the chance of someone else falling victim.
Note: It is also important that the scam website is taken down, by a Cyber Security company, like FraudWatch International, otherwise the threat will still be out there.
To report a scam:
Report the fake posts to Facebook using this
If you have fallen victim to a scam and provided your Facebook login details, there are some steps you should take:
- Change your Facebook password as soon as possible. If you use your Facebook password for other websites or services, change it on each of them as well.
- Set your account to Multi-Factor Authentication (MFA) using this This identifies first time logins from devices and sends a code to your phone to verify it is you. That way, even if someone has your Facebook credentials, they will still not be able to access your account.