Facebook can also be used for phishing. We’ll show you how to protect yourself.

More than 2.7 billion active users communicate monthly via Facebook, the largest social network worldwide[1]. This makes it one of the most powerful tool for communication between people in the online world. It is used not only for conversations, but also for presentation of products, services and also political opinions and attitudes. This gives many opportunities to misuse people’s presence and even their relationships for illegitimate purposes.

We are familiar with e-mail phishing. E-mails trying to obtain sensitive data from users under various pretexts have various topics and forms. Facebook, as a communication platform, can also be misused to spread spam or phishing. However, the way in which illegitimate content is distributed differs. Since this is a large network and content spreads rapidly, it is easy for an attacker to run a phishing campaign with a very large reach. There are various ways to do this.

Attractive statuses

You must have noticed it on Facebook too. An attractive offer for earning, actually without much effort. And it’s shared by your friend, who comments on his status that it really works! Just click on the link…

This is an example of how different phishing campaigns can look like, whose only aim is to spread these scams among as many users as possible. It is sufficient if one of Facebook users clicks on the malicious link and the knock-on effect will start. If the user clicks on the link, the same message will automatically appear on his timeline. An attacker does not have to worry too much about the distribution of the malicious link, as it is shared among users.

What can clicking on such a link cause? For example, stealing login details for your Facebook account or installing malware in your device. It can be widely used; from sensitive data theft through  recording your keyboard to a misuse of your computer or mobile phone for other attacks.

Competitions for awards

Attackers love creating content that users share with a vision of attractive winnings. Competition for a new phone, TV or even a refrigerator. All you have to do is share your status and start following a specific page. Were you lucky and approached by a competition provider? Unfortunately, you won’t be the only one. 

This is a classic scheme – an attractive content has many shares and thus potentially many victims. An attacker then addresses several of them and asks them for different types of data; most often data from payment cards in order to confirm the identity of the winner, or to send money to this particular card (in the case of prize money). Of course, this is a scam. Nobody needs your credit card information except for you. 

Fake users

Anyone can create a Facebook user account. This, however, means that there may not be a real person behind the account or the person whose name is displayed on the social network. These accounts can be used to execute several types of attacks.


One of the good examples are romance scams. An attacker creates a profile, where he presents himself as a wealthy senior gentleman or a war veteran, who is looking for love and at the same time wants to bequeath his life savings to someone, as he is alone or a widower. However, using social engineering techniques, he forces his victims to carry out various activities, such as sending money, receiving postal items with a fictitious value but with a high cash on delivery, providing various sensitive data and so on. Attackers build up their credibility in different ways, for example by sending a small amount of money to victims at the beginning of their “relationship. The victims are often older people who are not experienced in the use of technologies and trust almost everyone they meet on the social network.

Are you a man and you were requested by an unknown beauty with puckered lips to “be friends”? Do pay special attention. Fake profiles of this type try to make contact, gain the victim’s trust and lure compromising information that can later be used for blackmailing. It is also possible that an unknown attacker wants to get closer to his victim through you. People trust friends of their friends more than complete strangers.

Another example of a fake account is forging the identity of real people. In many cases, public personalities (actors, sportsmen, politicians, etc.) are affected. An attacker uses these accounts to spread malicious content, such as phishing websites.

Attacks via Messenger

After compromising the user account, an attacker can use various tools. For example, an original tool for sending messages on Facebook – Messenger. By using Messenger the attacker uses personal communication, with the trust of the potential victim to the sender of the message. It works similarly to statuses, only the spread of malicious links or entire files takes place privately, between the infected account and another victim. Here, also, various results come; from installing malware  through spreading a scam to stealing personal or sensitive data (such as phone numbers, bank details, etc.).

The phone number you provide to the attacker can be misused, for example, for playing various games and competitions. After obtaining the number, the attacker will definitely contact you several times and ask you to send confirmation SMS codes. Such an attack leads to a high phone bill.

There are also cases of account cloning. The attacker selects a user with a large number of friends, makes the same account (name, photo, profile information, etc.) and then asks the same users that the real person has in his Facebook contacts to add him as a fiend. Then it’s easy; for example, the attacker comes up with a story about a serious illness and the need for more money and so on.

How to protect yourself?

There is effective protection against “classic” phishing techniques as well as against phishing on social networks. There are a few simple precautions that any user can handle without any effort:

  • First of all, learn the rule that if something looks very good, it will certainly not be true. For example, if someone tells you via the social network that you have won the lottery or that you will become a millionaire in a few days without any effort, there will definitely be a catch. Before you click on anything, consider critically what it may cause.
  • Clicking on untrusted links in statuses can have far-reaching consequences. Always pay attention to the source from which the status comes and also the profile that has posted such status.
  • If you receive a suspicious message from your friend, check it with the sender in a different way, such as by phone or in person. Thus, you can also warn your friend that there is something wrong with his social network account.
  • Nobody gives you anything for free. Do not respond to users who send you attractive offers or ask you for information they don’t need, and report their profile as fake. The procedure  for Facebook is here.
  • If your Facebook contact posts suspicious statuses or links to suspicious websites, warn your contact about it. In the case of Facebook, there is a tool for reporting a compromised profile. In the profile, which you think is compromised, open the menu with three dots, then go to “Find support or report profile”, then click on “I want to help” and finally on “Hacked”.
  • Keep your devices updated. Vulnerabilities are a gateway for attackers also through phishing on Facebook. Updates also apply to applications and software in your devices, from the operating system to the web browser.
  • To log in to Facebook, use a strong password, different from other passwords to other services, and use the option of multi-factor authentication and notification of unauthorized attempts to log in to your account. These options can be found in your settings in the “Security and login” section.
  • Keep your Facebook profile data safe. Do not share your data, photos and any other information publicly but only with your friends. However, the best privacy protection is not to share anything sensitive on your profile, for example, holiday photos or information about your family or work.
  • Facebook friends should match the real ones. Only people you know in your personal life add to your contacts. You can verify that the Facebook profile has a real owner from the real world. Pay close attention to “friends of friends” if you don’t know them in person.

If, despite your caution, you become a victim of an attacker and your account or device is compromised, follow the recommended steps:

  • Inform your friends that your account has been compromised. This will prevent possible further harm with the warning for your friends that published statuses or messages from you are not legitimate and should not be responded.
  • “Clean up” the compromised device. Get rid of malicious code. In many cases the best way is to reinstall the entire device and deploy data backups.
  • Change the password to your Facebook account. If an attacker did this for you, reset your password. We recommend that a new password is complex and certainly different from what you have in other services. You can also use a multi-factor authentication option when signing in.
  • Inform Facebook that your account has been compromised. The procedure is very simple via this link: https://www.facebook.com/hacked/
  • Check permissions of Facebook applications or applications that are connected with your profile. Remove those you don’t use or they seem suspicious and you’ve never heard of them. Attackers can control your account also through these applications, even if you take all necessary security measures. 


[1] https://www.statista.com/statistics/264810/number-of-monthly-active-facebook-users-worldwide/






« Späť na zoznam