While Facebook (now Meta) is a great place for sharing life moments and staying in contact with friends and family, it is also one of the most common places for scams and fraud on the Internet. A recent report from AI-based cybersecurity firm Vade concluded that in 2021 Facebook once again dominated social media phishing.
With this in mind, it’s now more important than ever to know how to protect yourself from these attacks while using the social network. This article looks at various phishing scenarios and explains what telltale signs to look for. We’ll also walk you through recommendations that will help you keep your account and personal information safe.
What Is Social Media Phishing?
Phishing is a technique commonly employed by hackers on social media to gather sensitive information such as account login credentials, credit card info, and other personal data through impersonation. This data may then be used to steal your funds and to launch other scams and attacks.
A typical Facebook phishing attack comes in the form of a message or email containing a link through which potential victims are asked to provide or confirm personal information. These scams can be hard to spot for the untrained eye, especially since the link often leads to a Facebook lookalike site. Luckily, it’s possible to tell the difference between a genuine Facebook email and a fake one, as you’ll learn further in this article.
With more and more scams being exposed each day, users need to remain alert and cultivate a healthy dose of skepticism when it comes to the links they receive, be it in the form of an email that looks like it came from Facebook or a friendly message from an acquaintance.
How to Spot a Facebook Phishing Email or Message
Scam emails or messages used to be riddled with bad grammar and outlandish claims, but they’ve come a long way since then. It’s still easy to fall for the traps laid out by hackers, but there are ways you can determine whether a suspicious link comes from a legitimate source or not. Below we list some of the things you need to pay attention to.
1. Determine Whether the Sender’s Email Address Is Legitimate
“Does it look legitimate?” is the question you should ask first. Take a good look at the sender’s email address itself, not just the display name, which can say “Facebook” regardless of where the mail really came from. A common tactic is to slightly alter the domain of a well-known company such as Facebook (a swapped letter, an extra word, or the real name placed in front of an unrelated domain) to convince potential victims that the email is coming from them. If in doubt, use Facebook’s Help Center or search online to see whether other people have received similar emails.
For instance, it’s worth knowing that Facebook sends email notifications from @facebookmail.com, but if you have never received a message from this email address before, it might appear suspicious. Thankfully, Facebook confirms that it is indeed using this address. In fact, it warns that if you’ve received a Facebook email notification from another address you should probably ignore it or delete it.
Another way to verify that the email came directly from Facebook is through the website or app. Here’s how you can do so yourself.
PC
Open Facebook in your browser and go to “Settings & Privacy –> Settings” by clicking on the down arrow next to the notifications icon at the top right.
On the left, select “Security and Login.”
In the Advanced section in the right part of the display, go to “See recent emails from Facebook.”
If your questionable email appears in that list, you have just confirmed it is genuine. If it’s not there, be extra careful before taking any next step. Keep in mind that Facebook only keeps a short list of recently sent emails, so an older message will not show up there even if it was genuine.
Mobile
Visit the “Settings and Privacy” section.
From the list of options, choose “Password and Security.”
Look for the “See recent emails from Facebook” feature in the “Advanced” section. Swipe up a bit to find it.
Check if the email you have received recently matches any email in this section.
2. Pay Attention to the Email’s Subject
The email’s subject can also provide clarity regarding the message’s source. If the subject is overly positive, say, alerting you that you’ve won something even though you didn’t participate, know that it’s a scam. Likewise, if the subject is urgent and obviously intended to provoke an emotional reaction, you should most likely skip this one too, or at least investigate further before acting on it.
Be especially wary of messages that urge you to act and threaten unpleasant consequences if you don’t comply, for instance an email instructing you to change your password right now or have your account locked. Don’t act on the link in such an email. If you think the warning could be genuine, open Facebook directly in your browser or app and look for a matching notification there; Facebook (or any other reputable company, for that matter) will not make the safety of your account depend on clicking a link in an email.
3. Hover Your Mouse Cursor Over the Link
On your PC, open the email in your browser and hover the mouse over the link (on a phone, press and hold the link to preview its address). What do you see? Read the whole host name, not just its beginning: “facebook.com.verify-account.net” is not Facebook, and neither is a long link that doesn’t resemble the address it claims to come from. If it points to “buildyourvision.com” or something equally fishy, err on the side of caution and leave the link alone.
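The two checks above (the sender’s real address from step 1 and the link’s real host from step 3) can be automated, which is handy when you triage a lot of mail. The script below is an added example written for this article, not Facebook’s own code. It assumes facebookmail.com as the only domain Facebook sends notifications from (as stated above), uses an illustrative allow-list of facebook.com, fb.com and facebookmail.com for link hosts, and runs over two constructed sample messages rather than real ones.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Domain Facebook uses for notification mail (from the article). Anything
# else, including look-alikes such as facebookmai1.com, fails the check.
FACEBOOK_MAIL_DOMAINS = ("facebookmail.com",)
# Hosts a genuine Facebook link may point at (assumed allow-list for this
# example; keep it an exact-match list rather than a "contains" check).
FACEBOOK_LINK_DOMAINS = ("facebook.com", "fb.com", "facebookmail.com")


def host_matches(host, allowed):
    """True only if host IS an allowed domain or a subdomain of one.

    'www.facebook.com' passes; 'facebook.com.verify.example' and
    'login-facebook.example' do not, even though they contain the word.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def check_sender(from_header):
    """Judge the real address in a From: header, never the display name."""
    _display_name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2]
    return host_matches(domain, FACEBOOK_MAIL_DOMAINS), addr


def check_link(url):
    """Judge a link by the host the browser would actually connect to."""
    # urlsplit discards user-info, so 'https://facebook.com@evil.example/'
    # yields hostname 'evil.example', which is where the browser would go.
    host = urlsplit(url).hostname or ""
    return host_matches(host, FACEBOOK_LINK_DOMAINS), host


URL_RE = re.compile(r'''https?://[^\s<>"']+''')


def triage(raw_email):
    """Run both checks over a raw message and report what failed."""
    msg = message_from_string(raw_email)
    sender_ok, sender = check_sender(msg.get("From", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    bad_links = [host for ok, host in map(check_link, URL_RE.findall(body)) if not ok]
    return {"sender": sender, "sender_ok": sender_ok, "bad_links": bad_links}


# Constructed sample (not a real message): a phishing mail using a look-alike
# sender subdomain and two disguised links.
PHISHING_SAMPLE = """\
From: "Facebook Security" <security@facebookmail.com.account-verify.example>
To: alexandra@example.org
Subject: Your account will be locked in 24 hours

Hi,
We detected unusual activity. Confirm your identity within 24 hours:
https://facebook.com@login-facebook.example/confirm?id=123
or at https://www.facebook.com.security-check.example/login
The Facebook Team
"""

# Constructed sample of what a genuine notification looks like.
GENUINE_SAMPLE = """\
From: Facebook <notification@facebookmail.com>
To: alexandra@example.org
Subject: Alexandra, you have a new friend request

Hi Alexandra,
See the request: https://www.facebook.com/n/?requests
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISHING_SAMPLE), ("genuine", GENUINE_SAMPLE)):
        print(label, triage(sample))
```

Two details are worth noting. The sender check parses the address with parseaddr, so a display name of “Facebook <security@facebookmail.com>” in front of an unrelated address is still judged by the unrelated address. The link check uses the host name the browser would connect to, so a link of the form https://facebook.com@login-facebook.example/ is correctly attributed to login-facebook.example.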
4. Check if the Email Is Personally Addressed to You
Another hint that the email you’re looking at is a scam is that it isn’t addressed to you personally. If Facebook were writing to me, I’d be greeted with “Hi, Alexandra.” By contrast, suspicious emails tend to use generic forms such as “Dear Sir/Madam” or simply “Hi.” The reverse doesn’t hold, though: scammers who have harvested your name from a leaked list will happily use it, so a personal greeting on its own proves nothing.
5. Check if the Email Asks for Any Personal Information
Any unsolicited email asking you to provide sensitive information such as bank details, passwords, or ID documents is a red flag and points to a probable scam. The rule of thumb while using Facebook is to refrain from sharing your private data over the social network. Reputable companies will never ask for this kind of information over email, let alone via Messenger.
If you still aren’t convinced and want to double check, don’t use the link included in the email. Instead, go to the site in question, log in, and see if you’ve received any notification or message related to the matter. If you can’t see anything, then you can rest assured it’s a scam.
Common Facebook Scams to Watch Out For
Hackers have gotten more creative over the years, coming up with new ways to con people out of their money. Fortunately, you can protect yourself by educating yourself and being aware of some of the most common scams doing the rounds on Facebook.
Romance Scams
These usually start with targeted users receiving a friend request from someone they don’t know. The scammer will then try to establish a rapport through direct messaging, which if successful will form the basis of an online relationship. All of this is done in the hopes of receiving money to pay for phantom flights and visas.
Job Scams
Another type of common scam on Facebook involves fake job ads. The good news is that it’s pretty easy to detect one. If a job sounds too good to be true, then it probably is and you shouldn’t fall for the trap. Similarly, if the job poster requires you to pay for the “privilege” of applying for the job or if you need to make a down payment to secure the position, then the position is most likely a scam. Instead, use reliable job websites to apply for work the old-fashioned way by submitting your CV and letter of intent.
Access Token Theft
This method works by sharing a link to a permissions dialog that asks you to grant an app access to your Facebook profile or Page. If you approve, the app receives a token that lets it act on your behalf without ever knowing your password. The link might look as if it came from a legitimate app, so check it for the small incongruities explained in the previous section, and even when the dialog itself is hosted on facebook.com, read which app is asking and which permissions it wants before you approve. Apps you have already approved can be reviewed and removed from the data settings described below.
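To make the point concrete, here is an added example (written for this article, not Facebook’s or any app’s code) that decodes a consent link of the kind described and reports what approving it would grant. It assumes the link uses the parameter names of Facebook’s documented manual Login flow (client_id, redirect_uri, response_type and scope); the allow-list of dialog hosts and the set of permissions flagged as sensitive are illustrative, and both links it inspects are constructed samples.

```python
from urllib.parse import urlsplit, parse_qs

# Hosts that legitimately serve the Login dialog (assumed allow-list).
DIALOG_DOMAIN = "facebook.com"
# Illustrative subset of permission names that expose a lot of data; the
# full list lives in Facebook's permissions reference.
SENSITIVE_SCOPES = {"email", "user_friends", "user_posts", "user_photos",
                    "pages_manage_posts"}


def inspect_consent_link(url):
    """Decode a Login-dialog style link and say what granting it would do."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    params = parse_qs(parts.query)

    def first(key):
        return params.get(key, [""])[0]

    scopes = {s.strip() for s in first("scope").split(",") if s.strip()}
    # parse_qs already percent-decodes, so redirect_uri is a normal URL here.
    redirect_host = (urlsplit(first("redirect_uri")).hostname or "").lower()
    response_type = first("response_type")

    warnings = []
    if not (host == DIALOG_DOMAIN or host.endswith("." + DIALOG_DOMAIN)):
        warnings.append("dialog is not served from facebook.com: " + host)
    if "token" in response_type.split(","):
        # response_type=token means the access token is delivered directly
        # to redirect_uri, i.e. to whoever controls that host.
        warnings.append("an access token would be handed to " + redirect_host)
    sensitive = sorted(scopes & SENSITIVE_SCOPES)
    if sensitive:
        warnings.append("asks for sensitive permissions: " + ", ".join(sensitive))

    return {
        "dialog_host": host,
        "app_id": first("client_id"),
        "redirect_host": redirect_host,
        "scopes": sorted(scopes),
        "warnings": warnings,
    }


# Constructed sample: a real-looking dialog on facebook.com, but the token
# goes to a third-party host and the app wants far more than it needs.
SAMPLE_LINK = ("https://www.facebook.com/v19.0/dialog/oauth?client_id=1234567890"
               "&redirect_uri=https%3A%2F%2Fphoto-contest.example%2Fcb"
               "&response_type=token&scope=email,user_friends,user_posts")

# Constructed sample: the dialog itself is on a look-alike host.
LOOKALIKE_LINK = ("https://www.facebook-login.example/dialog/oauth?client_id=1234567890"
                  "&redirect_uri=https%3A%2F%2Fphoto-contest.example%2Fcb"
                  "&response_type=token&scope=public_profile")

if __name__ == "__main__":
    for link in (SAMPLE_LINK, LOOKALIKE_LINK):
        report = inspect_consent_link(link)
        print(report["dialog_host"], report["scopes"])
        for warning in report["warnings"]:
            print("  !", warning)
```

The line to read is the redirect host: with response_type=token the access token is delivered straight to that host, so the dialog being genuinely on facebook.com says nothing about where your data ends up. The permission list tells you what that token can do; a photo contest has no business asking for your posts or your friend list.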
“You’ve Won!” Scams
This is another too-good-to-be-true-type of scam. If you know you didn’t play the lottery or participate in any contest recently, you should have no qualms about deleting a message alerting you that you’ve won something. You obviously didn’t win, because you didn’t play.
These types of scammers usually ask you to pay a small fee to have a larger prize unlocked or have the gift sent to you. At the same time, if you haven’t heard of the company/brand/campaign before, it’s again safe to assume that you’re being targeted by hackers. Use your common sense when it comes to these types of offers.
If you still have doubts, check on the Internet for details about the company. Search for the campaign or contest and see if they are really running something like that. Get some proof before taking another step.
Fake Friend Requests
While Facebook can help you expand your social circle, being open to making new friends on the social app also leaves you vulnerable to hackers. It’s a good idea to be wary of who you add to your friend list, as those accounts will have access to your private information.
Adding unknown persons can also lead you to getting involved in a romance scam, so make sure you vet the person’s profile before adding them. If it’s mostly empty or if they have only friends with suspicious profiles themselves, think twice before adding them.
How to Avoid Phishing Scams on Facebook
Facebook is a rich platform for various phishing scams, but the good news is that you can take some action to discourage hackers from targeting you. The first thing you should probably do is secure your account.
Keeping your account as private as possible is encouraged, as it allows you to fly under the radar. To begin with, change the audience for your posts from Public to Friends only and hide your friend list. If you use Facebook to make new friends and are reluctant to make your profile completely private, you should still take steps to secure your account so that no unwanted parties can access it without permission.
1. Use the Privacy Dashboard to Secure Your Account
Scams come in many disguises. Therefore, it’s important to be aware of what you can do to diminish the probability of being targeted.
Open Facebook in a browser of your choice.
Click on the downwards arrow in the upper right corner next to Notifications.
Select “Settings & Privacy.”
Next, click on “Privacy Checkup” to go to Facebook’s dedicated dashboard.
Here you are given quick access to a number of options all related to your Facebook privacy and security.
From this location, you can control the kind of data you share and who can see it.
- Who can see what you share: lets you manage the audiences for your posts and stories. From here, you can also easily make information such as your date of birth or the school you’ve attended private.
- How to keep your information secure: checks if your password is strong enough and recommends turning on two-factor authentication (2FA) or login alerts. 2FA adds an extra layer of protection to your account, so our advice would be to enable this option. With this in place, anyone who tries to log in to your account also needs a one-time code in addition to your password, so a password captured by a phishing page is not enough on its own.
- How people can find you on Facebook: is an important setting to tweak in order to avoid getting fake friend requests. Here, you can also set your phone number and emails as private.
- Your data settings in Facebook: shows you a list of third-party apps and services you’ve used your Facebook credentials to log in to. To stop sharing your information with these apps, remove them from here.
On mobile, the “Privacy Checkup” dashboard is missing, but do not worry, you can still access the individual options from your smartphone.
Open the Facebook app on your phone.
Tap on the hamburger menu in the upper right corner.
At the bottom, tap “Settings & Privacy.”
Select Settings.
Next go to “Password and Security.”
Tap on “Check Your Important Security Settings” at the top to see if your password is strong enough and quickly enable 2FA or login alerts.
If you want to make your profile more private, check the “Audience and Visibility” section in Settings and, under “How People Find and Contact You” and Posts, make sure your content and data are not visible to everyone.
2. Check Your Login History Frequently
To make sure no one else has unauthorized access to your account, check your login history regularly. That way, if you spot a device or location on the list that you don’t recognize, you can remove it immediately.
PC
Open Facebook in your browser and go to Settings.
From the menu on the left, select “Security and Login.”
Find the “Where You’re Logged In” section on the right side of the display.
Click on “See More” to see a complete list of where you’ve logged in recently.
If you notice a device or location you don’t recognize (for instance, a Linux machine when you have never logged in to Facebook from one), click the three dots next to the entry and select the “Not You?” option. Alternatively, you can choose “Log out” to end that session remotely. If a session really wasn’t yours, change your password as well: logging the device out does not stop whoever has your password from simply logging back in.
If you want to make sure you haven’t forgotten to log out on some device, scroll all the way to the bottom and click on “Log out of all sessions.”
Mobile
Go to “Settings & Privacy -> Password and Security” in the Facebook app.
Tap on the “See all” link in the “Where you’re logged in” section.
Tap on the three dots next to a suspicious entry and select the “Secure Account” option to reset your password. Alternatively, you can press “Log out.”
You can also swipe down all the way to the bottom of the list of devices and press on “Log out of all sessions.”
3. Don’t Click on Suspicious Links
Many phishing attacks on Facebook come in the form of an email or a message from a friend containing a seemingly harmless link that you’re supposed to click. Bearing this in mind, you should always evaluate a link that looks dubious before opening it.
In the case of official-looking emails, remember that you can check on Facebook whether these messages were actually sent by Facebook. In the case of a link that comes from a friend, contact that friend first and ask whether they really sent it, ideally through another channel such as a phone call, because a strange link from their account may mean the account itself has been taken over.
Frequently Asked Questions
1. Can I notify Facebook about a possible phishing attempt?
Yes, you can, and it’s actually encouraged. If you’ve received an email that you believe might be a scam, you can delete or ignore it, but it’s best to report it first. Forward the suspicious email itself (rather than a description of it) to phish@fb.com, so that Facebook receives the original message and its headers.
2. I think my account has been compromised due to a phishing attempt. What can I do?
Go to Facebook’s Hacked page and fill out the details specific to your phishing situation. Next, Facebook will walk you through some steps that will help re-secure your account. The first step is to change your password. Continue to follow Facebook’s prompts and review your email address(es), pages you followed, and more.
3. I can’t log in to my Facebook account. What do I do next?
If you’ve lost access to your Facebook account, it might be due to a phishing attempt. To recover your account, visit Facebook’s Identify page and follow the steps as prompted.
Make sure you use a PC or mobile device which you previously used to log in to Facebook. Next, search for your account using your name, phone number, or email address. Follow the instructions to reset the password for your recovered account.
Image credit: Rawpixel
Alexandra is passionate about mobile tech and can be often found fiddling with a smartphone from some obscure company. She kick-started her career in tech journalism in 2013, after working a few years as a middle-school teacher. Constantly driven by curiosity, Alexandra likes to know how things work and to share that knowledge with everyone.