Published: July 25, 2023 on our newsletter Security Fraud News & Alerts Newsletter.
Anyone who uses Facebook (or any social media) sees a seemingly endless supply of scams going around all the time. Once we think we’ve seen them all, we are bombarded again with new ones, or with new versions of old ones that are often trickier to spot. This goes on ad nauseam. School may be out for the summer, but when it comes to cybersecurity threats, education continues. One scam, first reported in 2017, is circulating again and takes advantage of a Facebook feature that is no longer supported: the “Trusted Contacts” capability. The following is based on a true story.
Who are trusted contacts?
The “Trusted Contacts” feature let you pick a few friends who could help you get back into your account if you were locked out: Facebook (FB) would send recovery codes to those friends, and you collected the codes from them to regain access. It was an account-recovery feature, not two-factor authentication (2FA). 2FA is the extra step at login, which these days means a one-time code by text, an authenticator app, or a hardware key. Facebook has since discontinued Trusted Contacts; whatever the reason, they don’t offer it any longer, so nobody can legitimately add you to their trusted contacts today.
This scam brings the trusted-contacts terminology back. You may receive a text or Messenger message from what appears to be a friend on FB saying “can I add you to my facebook trusted contacts list” or something similar.
Your reply is…
Your answer is no answer at all. Don’t reply, not even with something snarky, because your reply goes to a scam artist, not your friend. Even if you ignore the first message, you may be contacted again later. If they figure out you’re onto them, they change the wording to “I’m trying to secure my account and facebook gave me an option to send a password reset code to my active friends.” Nope. Facebook has its own ways to reset a password, and neither your friends nor your enemies need your help to do it. Whoever that is, is not your friend. Delete the chat so you don’t accidentally reply to it later, and if it came from a real friend’s account, warn that friend by phone or some other channel that their account may have been taken over.
So, what happens if I do reply?
Here’s what is going on with this scam. The message usually arrives from the account of a real friend that has already been taken over by the same trick, which is why it looks legitimate (the scammers may also have found your FB name some other way). Because you think it’s your friend, you reply that it’s ok. They trust you enough to ask this favor, right? Well, maybe that real friend does, but in this case the person asking is the furthest thing from a friend. In fact, it may not even be a person. It could be a bot.
They tell you they are sending an “unlock” code to your email address and ask you to read it back to them. What has really happened is that they went to the Facebook login page, clicked “Forgot password?” on YOUR account, and chose your email as the place to send the reset code. The code that lands in your inbox is the password-reset code for your own account. The moment you hand it over, they enter it in the reset form and set a new password on your account. Any link they send you to supposedly “help reset their password” is part of the same trick.
Now the damage is done. They have a password you don’t know, and they have likely already changed the email address and phone number on the account, so if you request a reset yourself, the new code goes to them. Fortunately, FB does have other safeguards so you can get a reset code some other way, but you have to be fast if you’re going to beat them. By then they have probably collected your friends’ contact info, copied your photo for a fake profile, and started messaging your friends with the same request to continue the scam.
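To make the mechanics concrete, here is a small simulation of the chain described above: the attacker triggers “Forgot password?” on the victim’s account, the victim relays the emailed code, the attacker resets the password, logs in, and swaps the recovery email so the victim’s own reset attempt goes to the attacker. It is an added example, not code from the article or from Facebook; the account service, mailboxes and password hashing are hypothetical stand-ins, and the second run shows why an authenticator-app 2FA code (RFC 6238 TOTP, computed on a device the attacker does not hold) stops the takeover at the login step.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass
from typing import Optional


def pw_hash(password: str) -> str:
    # Illustrative only; a real service uses a slow, salted hash such as bcrypt or Argon2.
    return hashlib.sha256(password.encode()).hexdigest()


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time code, i.e. what an authenticator app shows."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


@dataclass
class Account:
    email: str
    password_hash: str
    totp_secret: Optional[bytes] = None  # set when the user enabled an authenticator app


class AccountService:
    """Hypothetical service with a 'Forgot password?' flow that emails a reset code."""

    def __init__(self):
        self.accounts = {}   # username -> Account
        self.pending = {}    # username -> outstanding reset code
        self.mailboxes = {}  # email address -> list of delivered codes

    def register(self, user, email, password, totp_secret=None):
        self.accounts[user] = Account(email, pw_hash(password), totp_secret)
        self.mailboxes.setdefault(email, [])

    def forgot_password(self, user):
        # Anyone on the login page can trigger this. The code goes to the
        # account's *current* email address, no matter who asked for it.
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[user] = code
        self.mailboxes.setdefault(self.accounts[user].email, []).append(code)

    def reset_password(self, user, code, new_password):
        expected = self.pending.get(user)
        if expected is None or not hmac.compare_digest(expected, code):
            return False
        del self.pending[user]
        self.accounts[user].password_hash = pw_hash(new_password)
        return True

    def login(self, user, password, now, totp_code=None):
        acct = self.accounts[user]
        if not hmac.compare_digest(acct.password_hash, pw_hash(password)):
            return False
        if acct.totp_secret is None:
            return True  # password alone is enough when 2FA is off
        return totp_code is not None and hmac.compare_digest(totp(acct.totp_secret, now), totp_code)

    def change_email(self, user, new_email):
        # In this model only a logged-in session reaches this.
        self.accounts[user].email = new_email
        self.mailboxes.setdefault(new_email, [])


def run_scam(victim_has_2fa, now=1_700_000_000):
    """Play the trusted-contacts scam against a constructed victim account."""
    svc = AccountService()
    secret = secrets.token_bytes(20) if victim_has_2fa else None
    svc.register("victim", "victim@example.com", "correct horse", totp_secret=secret)

    # 1. The "friend" asks to add you as a trusted contact; behind the scenes
    #    they open the login page and click "Forgot password?" on YOUR account.
    svc.forgot_password("victim")
    # 2. The "unlock code" lands in your inbox and you relay it to the friend.
    relayed_code = svc.mailboxes["victim@example.com"][-1]
    # 3. The attacker types it into the reset form and sets their own password.
    reset_ok = svc.reset_password("victim", relayed_code, "attacker-pw")
    # 4. They log in. Without 2FA that is enough; with an authenticator app they
    #    also need the current code from your phone, which they do not have.
    takeover = svc.login("victim", "attacker-pw", now)
    # 5. Once in, they change the recovery email so your own reset request
    #    is delivered to their mailbox instead of yours.
    if takeover:
        svc.change_email("victim", "attacker@example.net")
    svc.forgot_password("victim")
    return {
        "reset_accepted": reset_ok,
        "attacker_logged_in": takeover,
        "your_next_reset_code_went_to": svc.accounts["victim"].email,
    }


if __name__ == "__main__":
    for has_2fa in (False, True):
        print("2FA on " if has_2fa else "2FA off", run_scam(has_2fa))
```

Note that nothing in the reset flow itself is broken: the code is delivered to the rightful owner, and the only failure is the owner handing it to someone else. That is why the defense is on the user side (don’t relay codes) plus a second factor the attacker cannot phish with a single message.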
What if I just cannot get control of the FB page?
First, don’t feel bad. It happens. Next, take a deep breath.
Have someone post to their FB feed that your account was taken over and not to accept any new friend requests from you or reply to any messages asking to be your trusted contact. In other words, get the word out so no one else falls for this.
Next, change your email password. This is a precaution, not a sign that they have your email password; while you are in there, check that no unfamiliar forwarding rules or recovery addresses have been added.
Next, go to Facebook’s help and support section (the hacked-account flow starts at facebook.com/hacked) and work through the recovery steps. Be realistic: once the attackers control the email address and phone number on the account, recovery may not succeed.
Admit defeat and let everyone know not to send to or accept messages from you using Messenger or your FB account.
Ask everyone to unfriend you and block you.
Yes, folks, this one is a doozy.
Do you use your FB credentials to log in to other accounts?
If you use your FB, Google, or any other account to log in to other services, stop doing that with the compromised account, because one taken-over login now opens all of them. Go to each of those services and set a new password. Make sure every password is unique and never reused; a password manager is the easiest way to keep a different one for each and every online account. If you would rather write them down in a spiral notebook, do that, but keep it tucked away out of sight.
If you get a message from a friend you haven’t communicated with in a while asking for some kind of help, it may well be a phishing attempt. Check with that friend by phone or email, on a channel other than the one the request came in on, rather than replying to a message you weren’t expecting. More often than not, you’ll find it wasn’t really someone to be trusted.
If you decide to create a new Facebook account, turn on 2FA with an authenticator app or a hardware security key rather than a text message to your phone number. A password reset alone does not get an attacker past that second factor, because the code lives on a device they don’t hold. But the best way to avoid all of this is still not to reply to such messages in the first place.
Keep up to date: Sign up for our Fraud alerts and Updates newsletter
Want to schedule a conversation? Please email us at firstname.lastname@example.org