Facebook phishing scams: how to spot and prevent them

Facebook has had a tough time lately: Cambridge Analytica (and others), disinformation campaigns, data breaches – the bad news seems to be coming thick and fast. Unsurprisingly the security of our once loved social media staple has come under scrutiny.

Despite falling out of favor with the public, Facebook is still the dominant social media platform boasting over two billion active monthly users, and that’s excluding Instagram, Messenger and Whatsapp.

With so many people using the platform, it’s important to consider the security concerns of users, and by extension businesses, and how threats can be mitigated.

Why should businesses be concerned about Facebook?

As a business owner or IT professional, you’re probably thinking Facebook isn’t really an issue for your organization, you’ve blocked it on the network, what harm can it do? Well, there are direct and indirect threats.

Regardless of the demographic of your workforce, it’s likely that the majority of your employees will have a Facebook account. Being cynical, this itself could put your organization at risk.

It’s amazing how much information people are willing to divulge in a very public forum. You can find out people’s jobs, current location, education, political beliefs, interests, birthdays, family and relationships, the list goes on.

Without the right privacy and security settings in place, it is very easy for a hacker to do some reconnaissance work, join up social media profiles and devise a phishing attack tailored to the individual. There are examples of a simple status update leading to users’ being extorted, threatened at gunpoint and their houses being robbed. Yes, these are civil examples, but it could be easily applied to the corporate environment.

Businesses need to make sure employees aren’t inadvertently giving away any sensitive information – something that needs to be factored into an organization’s wider security and social media policy.

Fake Facebook Profiles

Much of the fraudulent or ‘inauthentic activity’ on Facebook can be attributed to fake profiles and pages. They’re a nuisance and continual problem for the platform.

In Q1 of 2018, Facebook removed 583 million fake profiles, that’s almost 6.5 million per day.
The Facebook newsroom is awash with press stories about how they’re battling coordinated inauthentic activity in countries like Brazil, Iran and Myanmar, activity that spreads propaganda and political unrest throughout these nations. Despite success with state-level campaigns, the threats affecting the wider user base are failing to be addressed.

Every day we see stories in the news about new phishing attacks on Facebook, the vulnerable targeted and exploited. Better policing of bad actors is a must and without it, Facebook’s already tarnished reputation will continue to be damaged.

Facebook is well aware of the need to do more, but users cannot absolve themselves of responsibility, they need to practice safe browsing habits and approach online interactions with a healthy amount of scepticism. Firstly, users need to know how to identify a fake Facebook profile.

How to spot a fake profile on Facebook?

Ultimately, social media was designed for networking, in fact, part of Facebook’s mission statement is ‘to bring the world closer together’. At some point, users will bump into stranger profiles, that’s the nature of the platform, so it’s important to be able to identify the characteristics fake profiles tend to have:

1. Use of other people’s photos and information

Using other people’s photos and information is a common tactic of fake Facebook profiles, after all, the idea is to operate under an alias. Photos are usually the biggest giveaway tending to be attractive headshots, celebrities or terribly generic stock photography. There’s an easy way to work out if the photos are legitimately tied to that account.

We stumbled across this Facebook profile on a dating site’s Facebook page:

Doing a reverse image search for a couple of photos on the profile, it was very apparent that the photos were of a model.

2. Name in URL doesn’t match the name of the Facebook profile

On setting up your Facebook profile, your URL will be your Facebook ID and should look something like this:

Like with everything else on Facebook, you can customize your URL Having a URL that is incongruent with the profile name could be a warning sign that it is a fake or hacked account. For example, the name of the profile below is Sarah Collins, but the name in the URL is Oking Akin.

3. Dubious profile information

It’s rare that you stumble across a profile that is ‘complete’, Facebook has so many fields, it’s hard to keep up. However, you should be wary of inconsistencies in profile information. This is the intro box for another Facebook profile we found:

This particular account works at modelling agencies in South Africa, studied in Australia and lives in California. She might be an international jet setting model seeking love on Facebook, but it is unlikely.

4. Irregular profile timeline / history

With any account, there are likely to be gaps in activity and history, but users need to look out for inconsistencies. One profile we found went to university prior to going to high school.

5. Posting of low quality content

Browsing the Facebook pages of online dating services, the fake accounts demonstrated a clear pattern of behaviour – public introductions and announcements that they are looking for a relationship. By themselves, the comments may seem fairly innocuous, however, when digging into the profiles and comparing to other activity, it becomes very apparent.

What are the most common phishing scams on Facebook?

Romantic Scams

Romance scams are by no means new, nor are they isolated to Facebook, but Facebook is a platform that is perfect for scammers conducting this type of phishing attack.

The online dating market has proliferated over the past few years; people have become far more comfortable with the concept of it and the stigma seems to have dropped. Online dating companies like Tinder, Match.com and Bumble have emerged creating their own applications and websites to cater to their users, and in tow, sizeable social media presences.

Less ‘official’ groups and pages have cropped up to cater to a wider range of dating preferences.
The nature of social media and online dating services means there’s a blur between the two, both are inherently social and rely on interactivity between users.

So, we went on a hunt for fake accounts to see what we could uncover.

Sifting through the comments of Tinder’s Facebook page, we noticed signs that fake profiles were at work. In the context of the page, the below comment may seem fairly innocuous, but something seemed a little phishy, so we dug into the profile.

The profile itself has all the traits of a fake account: limited timeline of activity and information, duplication of photos, interests very focused on dating and truck drivers and is also based in Texas, which has been identified as a hotbed for romantic scams in recent history.

On doing a reverse image search for one of the photos on the account, you can see that the profile’s image has been indexed with a Twitter account, and features on related accounts, increasing the likelihood that this is a fake profile.

It didn’t take long to find this fake account, nor was it the only instance. We had a look through the comments section and stumbled across several more:

The Match.com Facebook page suffers from the same issue. A quick scan of the comments on the page and we found this profile:

On face value, these profiles may seem rather harmless. merely contributing to an ever increasing amount of inane chatter on the platform, however, they may be just the precursor to setting up accounts for online dating apps like Tinder, Happn and Bumble, all of which use Facebook to pull information and authenticate users.

Typically, romance scams are a form of social engineering attack that seek to gain the trust of their targets, and then manipulate them into handing over money, gifts or sensitive information. Be wary of users who:

• come on too strong, shower you with love and affection in a short amount of time
• attempt to move the conversation to a private channel and away from the original domain
• ask a lot of personal information, yet reluctant to give much away themselves
• is unwilling to meet face to face, video calls and dodges in real life conversations
• invents a reason for you to send money or gifts.

Giveaway & Prize scams

People love free stuff, that’s why giveaways are an effective marketing tool on social media. Unsurprisingly, it’s a tactic scammers have adopted to pry personal information from eager compers.

We searched ‘giveaway’ on Facebook and it didn’t take us long to stumble across our first suspicious post.

This particular giveaway seems a little too good to be true.

The link takes users to the blogspot page: https://new-yingtoying.blogspot.com/, a free blogging platform of Google’s.

Clicking both the ‘register now for free’ and ‘member login’ buttons takes the user to the same page via a series of redirects.

Not all scams will be quite this obvious.

There have been scams giving away Primark vouchers, Norwegian Air and Virgin Atlantic flights with the latter making use of punycode to deceive people.

Also be mindful of ads. Just because it is an advert and has been ‘vetted’, it doesn’t necessarily mean that it isn’t a scam.

Obviously, if you see a competition for an all expenses trip to the Caribbean, you’re going to be tempted, however, be mindful of competitions that:

• are too good to be true (like the one above)
• direct users to suspicious URLs (e.g. non-https, deceptive domains, forced redirects)
• ask for too much information or ‘engagement’ (e.g. tag 10 friends and share on all your social media accounts) from those entering
• ask for an entry fee to go into the prize draw
• are being promoted by an account with a lot of competitions with no obvious sign of any winners

Facebook Phishing Emails

We all know about phishing emails. Filtration systems have become sophisticated enough that we don’t see the bulk of them, but sometimes, they slip through.

Invariably phishing emails claim to be from support or security when pretending to be from big companies and follow similar lines of social engineering – your account has been hacked, verify your password etc etc.

This is one example of a Facebook phishing email we’ve found. By no means the most sophisticated email scam, nor the most alluring. The sender’s address isn’t the typical facebook domain for email (@facebookmail), the email itself doesn’t really make sense and there isn’t really that much to lure the potential victim in. Don’t think too many will be tricked by this particular email.

If unsure about the validity of an email from Facebook, you can always check the emails that Facebook has sent you. You can access this by heading to the settings on your Facebook profile, security and login and then scroll down to the bottom for advanced security:

What is Facebook doing to protect users?

It’s an unprecedented challenge for Facebook, policing two billion users on a platform that has been designed to bring people together and uses a multitude of continually developing technologies – it’s no wonder Facebook is struggling to solve the problem.

It is trying though.

The social media giant has over 20,000 employees dedicated to security, but to have a human review each and every post, account, advert on the site would be unrealistic based on the sheer volume alone. It would also change the way people use Facebook; if you knew someone would review everything you did on the platform, you’d likely filter your behaviour.

Facebook has established integrity and authenticity policies to dissuade scammers operating on the platform, but, as with most policies of this ilk, it seems like the flimsiest of deterrents.

That’s why Facebook is turning to artificial intelligence (AI) to resolve security issues.

AI is the in vogue technology, seemingly the cure for all modern ailments, but it does make sense.
Facebook has had great success with the deployment of Microsoft’s PhotoDNA tech, originally introduced to remove child pornography from the platform and further developed to identify other undesirable content.

While able to block millions of fake accounts every day, Facebook acknowledges the need to detect scammers that evade the initial screening. Machine learning techniques are trained on previously learned scams, much in the same way MI:RIAM is used to detect mobile threats. If an account is suspected of being inauthentic, it’ll have to bypass a number of tests to gauge credibility.

How else can users stay safe on Facebook?

Facebook users cannot rely on the platform to enforce proper governance and policing, they need to accept some responsibility for their own safety. There are a number of security features on Facebook that can be enabled and regularly checked to enhance personal security including privacy management, two factor authentication (2fa), login alerts and device management.

Additionally, Facebook has built reporting features into the platform to help users self-police.
Keeping tabs on the latest techniques used by scammers is also important. There are Facebook pages and groups such as Facecrooks which are dedicated to spotting and outing these scams.