Scammers are using Facebook's 'Notes' feature in a clever trick to fool people into giving up their passwords
- A clever Facebook scamming attempt makes use of the social network's "Notes" feature.
- People are writing notes that imitate official Facebook copyright warnings, then using them to trick users into giving up their passwords.
- There is a constant arms race between tech company security teams and scammers, hackers, and fraudsters trying to exploit their users.
Scammers have a crafty way to try to trick users into giving up their Facebook passwords - and they're using the social network itself to pull it off.
The phishing attempt tries to scare users into thinking their Facebook pages are at risk of being taken down for copyright reasons, and uses Facebook's "Notes" tool to make the hoax look more legitimate.
It's another example of how scammers, hackers, and fraudsters are in a constant arms race with tech companies in their attempts to exploit the companies' users, and how even the companies' own products can be co-opted to deceive people.
Business Insider found the phishing attempt when it was sent to our tips email, so here's how it works.
First, a user receives an email purporting to be from Facebook, warning them that their Facebook page was flagged by an unspecified "third party" and is at risk of being taken down.
"We received a report from a third party that the content you posted on your page infringes or otherwise violates their rights," the warning reads. "You manage a Page representing a company, organization or other entity that we have reason to believe you are not authorized to represent."
It then invites users to follow a link to verify their identity, and this is the part that distinguishes it from a more rudimentary phishing attempt. Normally, the scammers might redirect the user to a website imitating Facebook - but instead, the user is taken directly to the real Facebook, to a Note that imitates an official copyright complaint.
It looks official, the user can see they're logged in and definitely on the real Facebook, and the note author is the generically named page "Policy Issues." If the user isn't very familiar with Facebook's user interface and Notes tool, it'd be easy to assume this is an official, Facebook-sanctioned warning - rather than an unauthorized imitation.
The user is then told to follow a second link to continue the appeal process. It appears to be another official Facebook link, but it is actually a disguised bit.ly short link that takes the user to facebook.com.fbmailcopyrights.com, a phony site pretending to be the real Facebook.
The user is then asked to fill in various details, including their name, page name, and email address. Their password isn't requested until the last minute, in a realistic-looking "security" prompt after they hit send.
Once the user does that, their account is compromised.
Using two-factor authentication - a security measure that requires entry of a code sent to a user's device before the login process finishes - can help mitigate some risk, by ensuring the phishers aren't able to access the user's account (though the password is still compromised). Users should also avoid re-using passwords, to ensure that if they accidentally expose the password for an account on one service their accounts elsewhere aren't at risk too. And before entering sensitive information, always make sure to check the URL to ensure the website is the real deal - rather than just a clever pretender.
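One way to make that URL check mechanical, as an added example that is not part of the original article: resolve the short link first (modelled here with a constructed redirect map rather than live HTTP requests), then judge whether the final host is facebook.com or a subdomain of it. The scam's host, facebook.com.fbmailcopyrights.com, fails that test even though a by-eye "does it contain facebook.com" check passes. The bit.ly link and the TRUSTED_DOMAINS list are assumptions for the example.

```python
from typing import Dict
from urllib.parse import urlsplit

# Domains treated as genuinely Facebook's. Assumed for this example; a real
# deployment would use a maintained allowlist of the organisation's domains.
TRUSTED_DOMAINS = ("facebook.com",)

# Constructed redirect map standing in for the HTTP 301/302 hops a short link
# returns. Kept offline here; a live check would issue HEAD requests instead.
REDIRECTS: Dict[str, str] = {
    "https://bit.ly/EXAMPLE-SHORT": "https://facebook.com.fbmailcopyrights.com/appeal",
}


def host_of(url: str) -> str:
    """Lowercased hostname from the URL, without any trailing dot."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_trusted_host(url: str) -> bool:
    """True only if the host IS a trusted domain or a subdomain of one.

    'facebook.com.fbmailcopyrights.com' contains the text 'facebook.com', but
    its registrable domain is fbmailcopyrights.com, so it is rejected here even
    though a substring test (what a hurried reader does by eye) accepts it.
    """
    host = host_of(url)
    return bool(host) and any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def naive_substring_check(url: str) -> bool:
    """The by-eye check the scam relies on: does the address contain 'facebook.com'?"""
    return "facebook.com" in url.lower()


def resolve_redirects(url: str, redirects: Dict[str, str], max_hops: int = 5) -> str:
    """Follow the redirect map to the final destination; bounded to avoid loops."""
    for _ in range(max_hops):
        if url not in redirects:
            return url
        url = redirects[url]
    raise ValueError("too many redirects")


def verdict(url: str, redirects: Dict[str, str] = REDIRECTS) -> str:
    """Resolve the link, then judge the FINAL host rather than the link text."""
    final = resolve_redirects(url, redirects)
    host = host_of(final)
    if is_trusted_host(final):
        return f"trusted: {host}"
    apex = ".".join(host.split(".")[-2:])  # the domain that actually owns the host
    return f"lookalike: {host} belongs to {apex}, not {TRUSTED_DOMAINS[0]}"
```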
A Facebook spokesperson said that the company had disabled the page behind the fraudulent note. In a statement, they said: "We encourage people to report suspicious messages and posts like this one, and we educate people about keeping their account secure, including by not using their Facebook password anywhere else online. More information is available in our Help Center: facebook.com/help/phishing."
Got a tip? Contact this reporter via encrypted messaging app Signal at +1 (650) 636-6268 using a non-work phone, email at rprice@businessinsider.com, Telegram or WeChat at robaeprice, or Twitter DM at @robaeprice. (PR pitches by email only, please.)