Phishing Scheme Poses as Facebook Security to Steal Passwords

We are urging Facebook users to be on the lookout for a phishing scheme that is looking to steal your passwords. NakedSecurity recently published a blog post stating that scammers are now using Facebook apps to dupe unsuspecting users out of their Facebook password.

The scheme involves sending users an email purporting to be from Facebook’s security team, telling them that their accounts have been found in violation of Facebook’s terms of service and asking them to click on a link to log in and verify their account to avoid suspension. If you get this message in an email, don’t click the link and DON’T enter your username and password!

To keep yourself safe, don’t reply to messages from ?ac?bóok S?cur?y or click on links in emails that ask for your passwords. No one from Facebook will ever ask for your password, and users should be wary of anyone posing as such.

Looks can be deceiving

Part of the scheme being used by the bad guys is a Facebook app designed to look like a legitimate Facebook security page.


Fake Facebook security page, via NakedSecurity.

This is a screenshot of the Facebook app users will see when they click on the URL in the email. Notice that the name ?ac?bóok S?cur?y is a made-up jumble of look-alike characters arranged so that it appears to spell out the words “Facebook Security.”

The app has nothing to do with Facebook and isn’t from Facebook’s security team. Pay special attention to the URL in the screenshot below:


This screenshot, provided by NakedSecurity, shows what users will see if they click on the link in the email. Notice the incorrect spelling of the word “suport” in the “account_suport_help” part of the URL. This glaring flaw may be easy for people accustomed to seeing these kinds of scams to spot, but such pages can look quite convincing to users who are less “tech savvy.” Also be aware that this kind of scheme is very easy to replicate and may use any combination of addresses and designs to fool users into handing their passwords over to criminals.
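The two tells described above, a brand name spelled with look-alike characters and a near-miss spelling in the URL path, can both be checked automatically. The following is an added example, not code from the original post or from NakedSecurity; the look-alike name and the URL it tests are constructed placeholders (the page's own garbled name and real link are not reproduced), and the confusable table is a small hypothetical subset.

```python
import re
import unicodedata
from difflib import SequenceMatcher
from urllib.parse import urlparse

BRAND = "facebook security"

# Small look-alike table (hypothetical subset; real confusable data is far larger).
CONFUSABLES = str.maketrans({"Ƒ": "F", "ƒ": "f", "Ѕ": "S", "ѕ": "s", "а": "a",
                             "е": "e", "о": "o", "с": "c", "р": "p", "у": "y"})

def fold_lookalikes(text: str) -> str:
    """Strip accents and compatibility forms, map known look-alikes, casefold."""
    decomposed = unicodedata.normalize("NFKD", text)
    base = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return base.translate(CONFUSABLES).casefold()

def scripts_in(text: str) -> set:
    """Unicode scripts present, taken from the first word of each letter's name."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in text if ch.isalpha()}

def brand_impersonation(display_name: str, brand: str = BRAND) -> bool:
    """True when a name that is not the plain brand folds to it but uses odd characters."""
    similarity = SequenceMatcher(None, fold_lookalikes(display_name), brand).ratio()
    odd_chars = (not display_name.isascii()) or len(scripts_in(display_name)) > 1
    return similarity >= 0.9 and odd_chars and display_name.casefold() != brand

def misspelled_path_words(url: str, vocab=("account", "support", "help", "security")) -> list:
    """Path tokens that nearly, but not exactly, match common support-page words."""
    tokens = [t for t in re.split(r"[/_\-.]+", urlparse(url).path) if t]
    hits = []
    for tok in tokens:
        if tok in vocab:
            continue
        for word in vocab:
            if 0.75 <= SequenceMatcher(None, tok, word).ratio() < 1.0:
                hits.append((tok, word))
                break
    return hits

if __name__ == "__main__":
    # Constructed samples: the name on the page did not survive extraction and
    # the real URL is not reproduced here; both are illustrative placeholders.
    for name in ("Facebook Security", "Ƒacebóok Ѕecurity"):
        print(repr(name), "->", brand_impersonation(name))
    print(misspelled_path_words("https://example.invalid/account_suport_help/"))
```

The genuine name passes, the look-alike is flagged because it folds to the brand while mixing Latin and Cyrillic letters, and the path check reports “suport” as a near miss for “support”.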