Common Facebook scams and how to avoid them

Are you on Facebook? So are scammers. Here are some of the most common con jobs on Facebook you should watch out for and how you can tell if you’re being scammed.

While various social media platforms have popped up over the years, Facebook remains one of the most popular of them all. Case in point, per its most recent Earnings Report, Facebook has more than 2.85 billion monthly active users. Of course, this attracts all flavors of scammers who are looking to make a pretty penny at the expense of unsuspecting users. And even though Facebook has multiple defensive measures in place to stop scams from reaching users, some inevitably slip through the cracks.

In this article, we’ll look at some of the most common ways scammers try to dupe Facebook users out of both their personal data and money.

Phishing scams

Phishing scams could be considered the mother of all scams. They have been around for eons, at least in internet terms, and are an evergreen that cybercriminals use continuously. The general aim of cybercriminals is to acquire your personal information so that they can use it further in other criminal activities, ranging from identity theft to selling data on dark web marketplaces.

To this end, the cybercriminal will impersonate Facebook, saying that someone may have logged into your account or your password has been reset or anything else that will instill a sense of urgency, and include a link to log into your account. However, the link will direct you to a bogus copy of the Facebook login page, which will then harvest your access credentials and give the fraudsters access to your account.

Figure 1. Fake (L) versus legitimate (R) Facebook login page

There are several signs that you might be dealing with phishing – for example, if the email starts with a generic greeting or addresses you by your email handle instead of your name. Or, if the sender's email address seems off or isn't one that Facebook actually uses. You can check the proper format of the support email address by going to your account and requesting a password reset. After you receive the official email from Facebook, examine the "From:" field, which will show you what email address Facebook uses to contact its users. Keep in mind that the display name in front of the address is chosen freely by whoever sends the message; only the actual address after it counts, and even that can be forged, so the link target matters as much as the sender. Another telltale sign is if the email is riddled with spelling mistakes. You can brush up on your phish-spotting prowess by quizzing yourself with an online phishing test.
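The "From:" check described above, as an added example that is not part of the original article: it parses the header the way a mail client does, so that a display name reading "Facebook" cannot hide an unrelated address, and it flags lookalike domains that embed the brand name. The allow-listed domains are hypothetical placeholders (the article does not name Facebook's sender domain); replace them with the domain you observed in a genuine password-reset email.

```python
"""Added example (not from the original article): flag a phishing "From:" header.

Assumption (not stated on the page): LEGIT_SENDER_DOMAINS below are placeholder
values; substitute the domain seen in a real Facebook email.
"""
from email.utils import parseaddr

# Hypothetical allow-list of legitimate sender domains (placeholders).
LEGIT_SENDER_DOMAINS = {"facebookmail.example", "facebook.example"}
# Brand words that a scammer would put in the display name or a lookalike domain.
BRAND_WORDS = ("facebook", "fb")


def sender_domain(from_header: str) -> str:
    """Return the domain of the real address, ignoring the display name."""
    _name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def registrable_domain(host: str) -> str:
    """Last two labels, e.g. 'mail.facebook.example' -> 'facebook.example'.

    Good enough for this demo; production code should consult the public
    suffix list so that 'example.co.uk' is handled correctly.
    """
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def check_from(from_header: str) -> list[str]:
    """Return the reasons the header looks like phishing (empty list = none)."""
    name, _addr = parseaddr(from_header)
    domain = sender_domain(from_header)
    if not domain:
        return ["no parseable address"]
    # Exact match on the registrable domain: 'facebook.example.evil.net' fails here.
    if registrable_domain(domain) in LEGIT_SENDER_DOMAINS:
        return []
    reasons = []
    # Display name claims the brand, but the address is somewhere else entirely.
    if any(w in name.lower() for w in BRAND_WORDS):
        reasons.append(f"display name spoofs brand, address domain is {domain}")
    # Brand name embedded in an unrelated domain, e.g. facebook-login-alert.example.
    if any(w in domain for w in BRAND_WORDS):
        reasons.append(f"lookalike domain {domain}")
    if not reasons:
        reasons.append(f"unknown sender domain {domain}")
    return reasons


if __name__ == "__main__":
    # Constructed sample headers, not taken from a real campaign.
    for hdr in (
        "Facebook <security@facebookmail.example>",
        "Facebook Security <no-reply@facebook-login-alert.example>",
        "Facebook <alerts@mailer123.example>",
    ):
        print(hdr, "->", check_from(hdr) or "looks legitimate")
```

The registrable-domain comparison is the important part: a substring test such as "facebook" in the domain would accept "facebook.example.evil.net", while the suffix comparison rejects it.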

Can I interest you in a loan?

These types of scams are a regular occurrence on the popular social media network and are easy to spot. The premise is simple: the scammer shares public posts claiming to offer instant loans at very low interest rates; all they need from you is a small advance fee.

The text usually includes some kind of backstory attempting to inspire confidence, such as the lender being a successful businessman with a “proven” track record of lending money to a ton of satisfied customers. However, one of the telltale signs of the scam is that it is usually written in broken English, with multiple grammatical and syntax errors. Beyond that, it is hard to prove any of the claims since those are just the words of the scammer, trying to coax potential victims out of their money.

In this case, the smartest course of action is to ignore these posts and report them. And if you’re looking for a loan it is probably better to seek out a reputable institution that provides them, rather than be scammed by a dubious loan shark advertising on social media.

Doppelgänger syndrome

To quote The Office’s Dwight Schrute, “Identity theft is not a joke, Jim!” In this scenario, the scam is quite straightforward with the cybercriminal cloning your entire social media profile to a T and trying to impersonate you. Alternatively, they’ll clone the account of someone you know and try to contact you while impersonating your friend or relative.

The purpose of this ruse is usually either some form of advance fee fraud, or they'll claim that they are in trouble and need you to send them money to bail them out. The scammers might also attempt to target you in a phishing attack or send you a link to supposedly funny or thrilling content that, in reality, may infect your device with malware.

You can check whether your account was cloned by searching for your own name in Facebook's search bar. As for supposedly being contacted by someone you know, like a friend: if the messages suggest that something is off, verify by contacting your friend through another medium, such as a text message or a phone call. Another dead giveaway is receiving a friend request from somebody you're already friends with.

Coming to you live, from Facebook!

Another scam involves what, at first glance, appears to be a live video of a competition, usually involving a celebrity. To add veracity to the ruse, the video of the celebrity is real – well, at least partly. The actual video is recorded from a live session the celebrity had in the past and is rehashed and edited for the scam’s purposes by including various descriptions aimed at convincing fans to participate in a scam such as “the first XY to respond will win US$xy”.

The con artist will create a whole fake account impersonating the celebrity, mirroring their official social media accounts, but will alter the name either with a typo or some addendum like "TV", and then share the video. If fans comment, the scammer will reach out to them directly with the aim of convincing them either to share sensitive information or to send money from their accounts – often by sharing a link to a malicious website.

While we’re not recommending that you avoid all celebrity-endorsed competitions or events altogether, caution is advised. If a similar competition pops up on your wall, your first course of action is to verify whether you even follow the celebrity, and then try to find the said celebrity’s official social media channels to assess whether a competition is really taking place. If the “live video” appears in unrelated groups and pages you follow you should immediately become suspicious.

Giveaway scams

Giveaway scams work much in the same vein as live scams, by trying to reel users in under the pretense that they could win big with little to no effort on their part. The tactic usually involves creating a page or an account that impersonates a specific brand, celebrity, band, or basically anything a would-be victim would find attractive, and then running a competition centered around it.

The ruse usually emulates legitimate competitions, asking users to like, comment, tag, sign up and share the competition to further its reach. Once they've completed these tasks, they're led to believe that they are in the running to win first-class airline tickets, concert tickets, products, or other attractive prizes.

After that, the potential victims are contacted to share their personal details, complete a survey, visit a malicious website or complete a similar action that would get them to share their personal information. However, as is usually the case, the victim won’t win anything but will have either lost sensitive information or have earned money for the scammers by filling out a survey.

There are multiple ways to figure out whether you’re the target of a giveaway scam. You can check whether the page sharing the giveaway is verified or go to the official profile or website of the organization behind the “giveaway” and see whether it has shared it or promoted it in any way; you can even contact them directly to inquire if it really is organizing something similar. Grammar and spelling mistakes can also be a giveaway.

Crypto is all the jazz

With the popularity of cryptocurrencies on the rise, there has been no shortage of cryptocurrency-related scams making the rounds on the internet, ranging from namedropping Elon Musk to hacking Twitter accounts to promote Bitcoin and Ethereum scams. The goal of these scams is the same: trick you into sharing sensitive information about yourself, your payment details, or access to your crypto wallet, or into transferring your cryptocurrency stash to the fraudster.

The scam itself usually contains a link, which will then probably redirect you to a website, where you’ll have to fill out your personal data and, in some cases, even access credentials to your cryptocurrency wallets. Once the cybercriminals get their hands on the data they need, they can use it to commit identity fraud, withdraw money out of your wallet, or even use the data to badger you into investing in various fraudulent cryptocurrency schemes.

Alternatively, a cryptocurrency giveaway scam could ask people to send their digital cash to a valid cryptocurrency address, promising to double the sum; however, nothing of the sort happens. Since blockchain transactions cannot be reversed, there is no chargeback to fall back on once the coins have been sent.

As with any investment opportunity, you should always do your due diligence and thoroughly investigate anything that promises a quick return on investment or low-effort high-yields. And be especially careful of any offer that would try to convince you to part with your sensitive data.

Scam ads and shopping scams

These two go together like strawberries and cream. The ads themselves could be considered the first step in the victim’s journey, where the con artist tries to cajole them into clicking on the ad that will redirect them to a fraudulent marketplace by offering goods with ridiculously steep discounts. This often includes luxury items like Ray-Ban sunglasses, or the scheme may revolve around seasonal events like Black Friday or Cyber Monday.

Whatever the case, once you get to the marketplace and go through with purchasing something, the end scenario will spell bad news for you. The "faux shop" might harvest your personal information and payment data, which could lead to identity fraud and charges racked up on your credit card.

Alternatively, you might actually receive a package but it won’t be what you ordered, often a cheap knock-off of the expected item, and once you alert the “vendor” they’ll request that you return the package and they’ll send you your purchased item. However, the shipping charges will be more than the cost of your order and you have no guarantee you’ll get reimbursed.

Where bait and switch scenarios are concerned, the consumers aren’t the only victims. Sometimes fraudsters will rip off legitimate merchants by using images from their sites and offering poor knock-off versions of their wares and will then let the legitimate vendor deal with the fallout.

The best advice remains to do your research on the vendor you’re purchasing from, look at their terms of service, shipping, and return policies. Also, look for reviews to see what customers have to say about their services and if the vendor requests too much personal information, you should probably reconsider buying from them.

Charity scams

Crowdfunding, donation, or charity scams are another way cybercriminals like to prey on victims. In this case, they try to abuse people’s empathy and willingness to help those in need, and they do so by creating bogus charities or by impersonating real ones. Sometimes, scammers try to capitalize on a recent tragedy, such as natural disasters, accidents, or other tragic events that would convince people to donate.

However, there are also various causes that take in donations all year round, like supporting veteran military personnel, donating to various charities involving specific diseases, or battling the climate crisis. To coax money out of empathetic people, cybercriminals will create a page or group on Facebook claiming to be a charity soliciting donations for any one of the variety of causes and try to pressure users into donating by posting sensitive photos or shocking videos and using emotion to push you to donate.

If you're planning to donate to any charity you've encountered on social media, look into it first. Perform a quick search engine query to see whether any results come up – legitimate charities are usually registered with a national charity regulator, and that register can be searched. Beware of charities that request more personal or payment information than a donation needs, and if they request payment via cash, wire transfer, cryptocurrency or gift cards, consider that an immediate red flag. If you want to donate, the best way is to go through the official website of a legitimate charity or foundation, where you can verify how they work and what the official donation channels are.

Fake warnings

Beyond regular users, cybercriminals also target businesses and brands, specifically by going after their Facebook pages. The premise of this scam is relatively simple: the fraudsters impersonate Facebook Support and message the page owners, claiming that the page breached the content policy and is accused of "Copyright Violations".

The message will also contain a link to “officially” contact Facebook Support with an addendum that the page owners have 24-48 hours to reply or the page/account will be suspended. However, all of this is an elaborate hoax to get ahold of the login credentials to access the page. If you click on the included link, you’ll be redirected to a form that you will have to fill out, after which you’ll be redirected to an imitation of Facebook’s login page.

Figure 2. Bogus copyright violation notices

It’s safe to say that if you violate any of Facebook’s policies, it will notify you in due course through the official support channels, and not message you directly as a client or friend would. To communicate with you, Facebook uses a dedicated support inbox where all of its support messages will appear. If you receive a direct message like this, avoid clicking on the links and directly contact Facebook’s support, which will deal with the issue and most likely ban the scam artist targeting you.
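A quick triage of such a message, as an added example that is not part of the original article: it pulls every link out of the text and checks whether the link's real host sits under facebook.com (assumed here to be the only legitimate host; the article itself does not name a domain), and it also flags the 24-48 hour deadline pressure the article describes. The sample message is constructed for the demo.

```python
"""Added example (not part of the original article): triage a direct message that
claims to come from Facebook Support.

Assumption (not stated on the page): only hosts under LEGIT_HOST count as official.
"""
import re
from urllib.parse import urlsplit

LEGIT_HOST = "facebook.com"  # assumption: the only host treated as official
URL_RE = re.compile(r"https?://[^\s<>\"')]+")
# "24 hours", "24-48 hours", "2 days": the artificial deadline used to rush the victim.
DEADLINE_RE = re.compile(r"\b\d{1,2}\s*(?:-\s*\d{1,2}\s*)?(?:hours?|hrs?|days?)\b", re.I)

# Constructed sample message (not a real scam text).
SAMPLE = """Your page has been reported for Copyright Violations.
Appeal within 24-48 hours or your page will be permanently disabled:
https://facebook.com-appeal-center.example/verify?case=1
"""


def is_official_host(url: str) -> bool:
    """True only if the parsed hostname is LEGIT_HOST or a subdomain of it.

    urlsplit().hostname discards userinfo, so 'https://facebook.com@evil.example/'
    resolves to 'evil.example', and a suffix test rejects 'facebook.com.evil.example'.
    """
    host = (urlsplit(url).hostname or "").lower()
    return host == LEGIT_HOST or host.endswith("." + LEGIT_HOST)


def triage_message(text: str) -> dict:
    """Return the extracted links, the off-platform ones, and a verdict."""
    urls = URL_RE.findall(text)
    off_platform = [u for u in urls if not is_official_host(u)]
    pressure = DEADLINE_RE.search(text) is not None
    if off_platform:
        verdict = "suspicious"
    elif pressure:
        verdict = "review"  # deadline alone is a weaker signal
    else:
        verdict = "no red flags"
    return {
        "urls": urls,
        "off_platform_links": off_platform,
        "deadline_pressure": pressure,
        "verdict": verdict,
    }


if __name__ == "__main__":
    result = triage_message(SAMPLE)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The host comparison deliberately uses the parsed hostname rather than a substring search; "facebook.com" appears verbatim in the sample link, which is exactly what the scammer is counting on.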

Closing thoughts

While Facebook runs a relatively tight ship when it comes to policing the content that appears on its platform, cybercriminals remain as creatively deceptive as ever. They try to find every little chink in Facebook’s content moderation armor so that they can spread their scams and hoodwink as many users out of their hard-earned money.

As always, the best advice remains to be vigilant and scrutinize everything, especially since social media have been inundated with troll posts ranging from fake news from unverified sources to COVID-19 vaccine scams and everything in between.

written by Amer Owaida, ESET We Live Security

