If you have a Facebook account and follow the news, you are likely to already have heard of a new Facebook chat phishing scam that has been devised by online criminals in an effort to get you to part with your credit card information.
It is no surprise that another Facebook chat phishing scam has been uncovered, but what is particularly interesting is the amount of effort that has gone into the latest scam. The latest Facebook chat phishing campaign shows how sophisticated the campaigns are becoming, and how easy it is to fall for one of these scams.
Convincing Facebook Chat Phishing Scam Uncovered
The criminals behind the latest Facebook phishing scam are trying to obtain a considerable amount of data and, if successful, will obtain credit card numbers, expiry dates, CSC codes and login names and passwords. The scam was discovered by Kaspersky Labs, and it operates via the Facebook chat function. Phishing is more commonly associated with randomly sent spam emails, targeted emails, and malicious websites, yet the techniques work equally well on social media websites. Perhaps even better.
In this case, the Facebook chat phishing scam is not just convincing, it is scarily good. The scammers compromise a Facebook account, and alter the account name to ‘Facebook security’. They then use the chat function to send a message to the entire contact list of that person, warning them that their account has been compromised. If login details are not confirmed, their account will be shut down. Since the message comes from “Facebook Security”, it appears legitimate.
The message also contains a link that must be used to confirm the account details. Clicking on that link will direct the soon to be victim to a mock up Facebook site that looks reasonably legitimate. The victim then enters their login credentials to access that site and, by doing so, gives the scammer access to their entire account, including their contact list. In this case that is not all. The fake website then asks the user to confirm their email password, compromising that account as well. Since users often share passwords among many different online sites, other accounts could all to easily also be compromised as well. Kaspersky Labs has also reported that this Facebook chat phishing scam then requires users to make a payment, for which they will need to divulge their credit or debit card number, expiry date and CSC code.
Of course, this last step should get alarm bells ringing, as Facebook does not charge users for the service it provides. However, many will fall for this scam out of fear of loss of their account. Sometimes, reason flies out the window and only after information has been divulged do users wonder if they may have been scammed. Even if credit cards are not provided, the scammers will have access to contact lists to try the scam on others
Protect your MSP clients with the newest zero-day threat protection and intelligence against anti-phishing, business email compromise and zero-day attacks with PhishTitan.
Free Demo
This scam is complex, but it relies on the user falling for the initial Facebook security message. However, it is important to remember that Facebook or any other reputable company, will not ask for a credit card (plus expiry date and CSC code) to verify identity. You should also bear in mind, that it is not in Facebook’s interests to shut down your account, and highly unlikely that they would do so and prevent you from gaining access to it again.
Be Wary Online – Criminals are Devising Ever More Complex Ways of Obtaining your Data
Phishing is used by online criminals to obtain your data, and the campaigns take advantage of technical and social vulnerabilities. The situation is only likely to get worse, yet even with the current high risk of attack, not everyone is implementing measures to protect themselves, in fact many are leaving themselves wide open to identity theft and fraud. All it takes is one successful phishing scam and everything can be lost. For businesses the problem is just as bad. Fraud and network damage can be considerable, and in many cases catastrophic.
Unfortunately for businesses, all it takes is for one employee to fall for a phishing scam and a network can be compromised, and that can come from a Facebook chat phishing scam just as easily as a bogus email attachment. Once access to a PC has been gained, a network can be accessed and sabotaged, or data and corporate secrets can be stolen.
It is therefore vital for companies to take precautions. Training staff about phishing avoidance is advisable, and continued training essential, but to reduce the risk of employees’ phishing identification skills being put to the test, it is worthwhile installing powerful web filtering software as well as email security software.