Facebook users need to stay on the lookout for a scam email claiming their account is going to be shutdown. Researchers at Abnormal Security have discovered the new phishing attack which is designed to steal passwords from Facebook users and from admins that run company Facebook pages. The scam begins with a victim being sent an email allegedly from ‘The Facebook Team’ warning them their account could soon be disabled.
This is allegedly due to a user repeatedly posting content that infringes on someone else’s rights.
Once scaring a victim into thinking their Facebook profile could soon be taken down, the email’s recipient is urged to start an appeal.
The email includes a link which goes to a Facebook post, and within this is another link that sends users to a separate website.
To file an ‘appeal’, a Facebook user is told to enter sensitive information including their Facebook password.
But this is all part of an elaborate scam to trick people into handing over the keys to their Facebook account. Once a bad actor has this they can not only collect information from a victim’s Facebook account (which can be useful for identity theft) they could also lock a user out from accessing their Facebook account.
Speaking about the threat, Abnormal Security said there’s one unique thing about this phishing scam which could make it especially effective.
The study said: “What makes this attack interesting (and particularly effective) is that the threat actors are leveraging Facebook’s actual infrastructure to execute the attack. Rather than sending the target straight to the phishing site via a link in the email, the attackers first redirect them to a real post on Facebook.
“Because the threat actors use a valid Facebook URL in the email, it makes the landing page especially convincing and minimizes the chance the target will second-guess the legitimacy of the initial email.
“In addition, it appears the attackers are targeting accounts of people who manage Facebook Pages for companies. For these individuals, a disabled Facebook account wouldn’t just be an inconvenience; it could have an impact on their marketing, branding, and revenue. If they believed their account was at risk, they would be particularly motivated to act quickly.”
If you have already been targeted by this scam, or want to stay safe from any future threats, Facebook on its website has advice for people who are the targets of a phishing scam.
The social network advises anyone who thinks they’ve fallen for a phishing scam to report it, change their password and make sure they log out of any devices they don’t recognise.
Facebook also recommends users turn on multi-factor authentication, which helps to add an extra level of security for your account.