Original Release Date: 6/9/2023
Image Source: Facebook
The NJCCIC continues to receive reports of compromised social media accounts, including Facebook accounts. Threat actors impersonate Facebook and target both individuals and organizations that administer Facebook business pages. Using social engineering tactics, they send fraudulent messages or notifications through social media platforms and email in an attempt to deceive targets into clicking phishing links or attachments, divulging sensitive information (such as account credentials, personally identifiable information (PII), or financial information), and/or installing malware that gives the actors unauthorized access to the Facebook account. Examples include false claims that the target violated Facebook’s Community Standards, warnings that the account will be affected if action is not taken, and fake notifications about friend requests, messages, events, photos, and videos. The communication is crafted to create a sense of legitimacy and urgency that pressures the victim into divulging PII, financial information, and, in some cases, a copy of their driver’s license as proof of identity. Messages may also direct the target to log in with social media, email, or bank account credentials.
Once an account is compromised, threat actors can change account information such as name, birthday, email address, and phone number and lock the victim out of their account by updating the password and multi-factor authentication method. They can also impersonate the victim, communicate with the contacts in the victim’s address book, and engage in further malicious activity, such as conducting social engineering attacks, sending harassing messages to contacts, posting information and/or images that violate the platform’s terms and conditions and/or acceptable use policies, and threatening extortion. Scams can also result in identity theft and financial loss.
In the above scam, threat actors impersonate Facebook and send notifications to Facebook business page administrators that their page has been disabled. The notification contains a link to view more details about the violation that, if clicked, directs the target to an interface with Facebook branding and prompts them to enter their account credentials and other personal information.
The latest Facebook scam plays on emotions and claims that someone the target knows has just died. The threat actors pose as a close friend or family member of the target and send a message containing phrases such as “look who just died,” “so sad,” or “I know you known him.” The message contains a link that appears to lead to a legitimate news article. If clicked, the target is prompted to enter their Facebook credentials to view further details. These credentials are sent to the threat actors in the background and used to take over the account and send the same message to everyone on the victim’s friend list. Additionally, the threat actors can harvest personal information from the account, such as email addresses, phone numbers, and birthdates, to attempt access to non-Facebook accounts, and may potentially reach financial information to steal funds. In some cases, the link instead delivers malware to the victim’s computer that collects passwords, photos, and files.
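Both lures described above (the "page disabled" notification and the "look who just died" message) share the same mechanics: an urgency cue plus a link whose hostname or path borrows the Facebook brand but whose registrable domain is not one Facebook actually uses. The following Python script is an added example, not code from the NJCCIC or from Facebook, showing how a help desk or mail-filtering team could triage a reported message for those two indicators. The allow-list of legitimate domains, the urgency phrases, the homoglyph table, and all sample messages and domains (`.example` hosts) are assumptions constructed for the illustration; the registrable-domain logic deliberately ignores multi-part public suffixes such as co.uk.

```python
import re
from urllib.parse import urlparse

# Assumption: a short allow-list of domains Facebook/Meta use for login and notifications.
# A real deployment would maintain this list from vendor documentation.
LEGIT_DOMAINS = {"facebook.com", "fb.com", "messenger.com", "meta.com", "fbcdn.net"}

# Urgency and emotional cues modeled on the lures in the advisory (assumed wording).
URGENCY_PHRASES = (
    "look who just died", "so sad", "page has been disabled", "community standards",
    "within 24 hours", "verify your identity",
)

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

# Digit-for-letter substitutions commonly used in lookalike hostnames (faceb00k, f@cebook ...).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a"})


def registrable_domain(host):
    """Last two labels of the hostname. Simplification: ignores multi-part public
    suffixes such as co.uk, which a real tool would resolve via the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def brand_in_hostname(host):
    """True if 'facebook' appears in the hostname as written or after undoing
    digit/symbol substitutions, e.g. facebook.com.appeal.example or faceb00k-help.example."""
    h = host.lower()
    return "facebook" in h or "facebook" in h.translate(HOMOGLYPHS)


def check_url(url):
    """Return the reasons this URL looks like a Facebook impersonation; empty list if clean."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    reasons = []
    if registrable_domain(host) in LEGIT_DOMAINS:
        return reasons                      # genuinely on a Facebook-controlled domain
    if brand_in_hostname(host):
        reasons.append(f"brand in hostname but registrable domain is {registrable_domain(host)}")
    if "facebook" in parsed.path.lower() or "facebook" in parsed.query.lower():
        reasons.append("brand in path/query of a non-Facebook host")
    if parsed.scheme.lower() != "https":
        reasons.append("plain http")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("raw IP address as host")
    return reasons


def triage_message(text):
    """Triage one reported message: flagged URLs with reasons, urgency cues found, and a verdict."""
    lower = text.lower()
    flagged = {}
    for url in URL_RE.findall(text):
        reasons = check_url(url)
        if reasons:
            flagged[url] = reasons
    cues = [p for p in URGENCY_PHRASES if p in lower]
    verdict = "suspicious" if flagged or cues else "no indicators"
    return {"flagged_urls": flagged, "urgency_cues": cues, "verdict": verdict}


# Constructed sample messages modeled on the lures described above; none are real scam captures.
SAMPLES = {
    "disabled_page": (
        "Your page has been disabled for violating our Community Standards. "
        "Review the violation here: https://facebook.com.page-appeal-center.example/login"
    ),
    "just_died": (
        "look who just died, so sad, I know you known him: "
        "http://news-daily.example/article?next=facebook/login"
    ),
    "legit": "New comment on your post: https://www.facebook.com/notifications",
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, triage_message(msg))
```

The first sample is caught because the hostname starts with `facebook.com` but the registrable domain is `page-appeal-center.example`; the second is caught because the brand appears only in the query string of an unrelated host and the link is plain http. A message can still be suspicious without tripping either rule, so the verdict is a triage aid for the "contact the sender via a separate means" step, not a substitute for it.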
The NJCCIC recommends that users and organizations educate themselves and others on these continuing threats and tactics to reduce victimization. Users are advised to refrain from responding to unsolicited communications and to exercise caution even with communications from known senders, since a compromised friend’s account is exactly how these lures spread. If unsure of a message’s legitimacy, contact the sender via a separate means of communication, such as by phone through official and legitimate sources, before taking action or disclosing sensitive information. Additionally, set up login alerts, avoid password reuse, maintain a unique password for each online account, and enable multi-factor authentication (MFA), choosing biometrics, authentication apps, or hardware security keys over SMS text-based codes where available; a fake login page can also ask for a one-time code, so credentials and codes should only ever be entered on a site reached by typing the address or using the official app. Furthermore, refrain from posting sensitive information and images online to reduce your digital footprint.
If victimized, report the scam directly to the respective social media platform, the FTC, and the NJCCIC. If PII compromise is suspected or detected, contact your local law enforcement department. Review the Identity Theft and Compromised PII NJCCIC Informational Report for additional recommendations and resources, including credit freezes and enabling MFA on accounts.