Facebook-Themed Scam Aims to Steal Your Credentials

Stu Sjouwerman | Jul 14, 2022

A creative mix of phishing emails, solid social engineering, use of Facebook Messenger, brand and site impersonation, and a sense of urgency all add up to a believable attack.

Most phishing scams make users jump through a series of hoops to avoid detection, so much so that the hoops themselves should serve as a red flag. But in the case of a new Facebook-themed phishing attack documented by security vendor Trustwave, the steps are likely so unfamiliar to the victim that they will be thrown off completely and will simply follow them… right up to giving up their Facebook credentials.

The scam starts with a simple enough email from “Facebook” stating “your page has been scheduled for deletion for violating our Community Standards.” The “Appeal Now” call to action takes users to a Messenger conversation with a chatbot under the name of “Page Support”.

Source: Trustwave

The chatbot “requires” that the user be logged onto Facebook, prompting the user to log on. Within the chat is an opportunity to appeal the page deletion, which takes the user to a Facebook-branded (but impersonated) “Support Inbox”.

Source: Trustwave

The initial “appeal” form asks for login, name, and phone number. But the sneaky step is how they ask for the password. Take a look – I find this to be believable enough to fool those who aren’t tech-savvy:

Source: Trustwave

Since the user has already logged onto Facebook earlier in this scam, this step feels legitimate. There’s even a fake one-time password request sent to the mobile phone number the victim supplied, to make it seem legitimate.

What makes this scam scary is that it could just as easily impersonate your organization’s instance of Salesforce, Microsoft 365, or any other critical SaaS application. Users need to be aware of such attacks through Security Awareness Training so they don’t fall for the initial email in the first place, nullifying all the social engineering effort that follows, which will, no doubt, establish some credibility and gain the attackers some victims.
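As an added example (not from the original post or from Trustwave’s research), here is a small Python heuristic that flags an inbound email showing the combination of tells described above: a display name claiming “Facebook” sent from an unrelated domain, page-deletion urgency language, and an “Appeal Now” link that drops into a Messenger chat instead of an official support page. The allowed-domain list, the chatbot host list, the threshold and the two sample messages are constructed assumptions for the demo.

```python
import re
from urllib.parse import urlparse

# Brand keyword -> domains allowed to send as that brand (assumed list, not authoritative).
BRAND_DOMAINS = {"facebook": {"facebook.com", "facebookmail.com"}}
# Hosts where an "appeal" link lands in a Messenger chat rather than a support page (assumed).
CHATBOT_HOSTS = {"m.me", "messenger.com", "www.messenger.com"}
# Urgency phrases lifted from the lure described in the post.
URGENCY = re.compile(
    r"scheduled for deletion|violat\w* (?:our )?community standards|appeal now", re.I)

def registered_domain(host: str) -> str:
    """Reduce a hostname to its last two labels (good enough for this demo)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def score_email(msg: dict) -> dict:
    """Return triggered indicators and a verdict for one parsed message.
    msg keys: from_name, from_addr, subject, body, links (list of hrefs)."""
    hits = {}
    claimed = next((b for b in BRAND_DOMAINS if b in msg["from_name"].lower()), None)
    sender_dom = registered_domain(msg["from_addr"].rsplit("@", 1)[-1])
    if claimed and sender_dom not in BRAND_DOMAINS[claimed]:
        hits["brand_domain_mismatch"] = f"{claimed} claimed, sent from {sender_dom}"
    m = URGENCY.search(f"{msg['subject']} {msg['body']}")
    if m:
        hits["deletion_urgency"] = m.group(0)
    for href in msg["links"]:
        host = (urlparse(href).hostname or "").lower()
        if host in CHATBOT_HOSTS:
            hits["link_to_chatbot"] = href
        elif claimed and registered_domain(host) not in BRAND_DOMAINS[claimed]:
            hits["link_off_brand"] = href
    # Two independent tells together are treated as suspicious (assumed threshold).
    return {"hits": hits, "score": len(hits), "suspicious": len(hits) >= 2}

# Constructed samples: a lure modelled on the campaign above, and a benign notification.
LURE = {
    "from_name": "Facebook", "from_addr": "support@fb-page-review.example",
    "subject": "Your page has been scheduled for deletion",
    "body": "Your page has been scheduled for deletion for violating our Community Standards. Appeal Now.",
    "links": ["https://m.me/pagesupport-example"],
}
BENIGN = {
    "from_name": "Facebook", "from_addr": "notification@facebookmail.com",
    "subject": "You have a new comment", "body": "Someone commented on your post.",
    "links": ["https://www.facebook.com/notifications"],
}

if __name__ == "__main__":
    for name, msg in (("lure", LURE), ("benign", BENIGN)):
        print(name, score_email(msg))
```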
