Facebook ID Theft – New Phishing Scam

February 5, 2009

By Larry Wiezycki:

There’s a new scam trolling the internets… and this one targets the popular social networking site Facebook. All a hacker needs is the victim’s Facebook login and password; with those, the online profile can be taken over and exploited. Because the hacker is now speaking as the victim, any message broadcast to the victim’s friends over the network garners immediate attention and trust.

This was what Bryan’s status read just after his Facebook profile was hijacked, leaving him unable to log into the account and remove the message. Just as the hackers hoped, Bryan’s friends started responding.

Next, posing as Bryan, the hackers replied with a series of messages claiming that he had been robbed in London and had no way to get home, and asked his friends to “please send money.” One good-natured friend responded by wiring $1,200 in cash to a Western Union location, and the hackers collected their payoff.

Meanwhile, Bryan was trying to talk to someone, ANYONE at Facebook – but with no phone support, the best he could do was submit an online request for support. It was too late for his good-Samaritan friend, whose money was gone for good.

How can something like this happen? Most likely, Bryan fell victim to a classic email phishing scam. This is where a hacker crafts a special email message that looks nearly identical to an email from a trusted service like Facebook. The email contains a link to a website, under the hacker’s control, designed to look and function just like the real login page the user expects; only the address at the top of the browser differs.

When the user types a username and password into that fake page, the hacker captures them and uses them to log into the real account. Usually the first thing the hacker will do is set a new password to lock out the account owner.

From that point they can do whatever they like… sometimes posing as the victim to persuade friends to send money.

Facebook safety tips:

  1. Never give out your login and password information. Facebook will not contact you asking for your password.
  2. Be suspicious of anyone – even friends – who asks for money online.
  3. Whenever you are presented with a login screen, check the address at the top of your browser. The host name, the part between “http://” and the next “/”, must be facebook.com or end in “.facebook.com” (for example, “http://www.facebook.com/”). An address that merely contains the words “facebook.com” somewhere else, such as http://www.facebook.com.some-other-site.example/, belongs to some-other-site.example, not to Facebook.
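
The credential-capturing page described earlier and the address check in tip 3 come down to one question: which host will actually receive what you type? The following is an added example, not code from the original article or from Facebook, that applies the same parsing rule a browser’s address bar uses (the WHATWG URL parser, available as the global `URL` class in Node.js and modern browsers) to a constructed list of login-page addresses, including the lookalike forms a phishing email typically links to. Every address except facebook.com itself is made up for illustration.

```javascript
// Added example (not from the original article): decide whether a login page
// really belongs to Facebook by reading the host from the URL the same way a
// browser's address bar does, then comparing its registrable domain.
// Requires Node.js 10+ (global WHATWG URL class); the same code runs in a browser.

const TRUSTED_DOMAIN = "facebook.com";

// Return the host that would actually receive the request, or null if the
// string is not an http(s) URL at all.
function hostOf(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return null; // not parseable as a URL
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return null; // javascript:, data:, etc. never lead to a real login page
  }
  // The parser already lowercases the host and separates any "user@" prefix;
  // drop a trailing dot so "facebook.com." compares equal to "facebook.com".
  return url.hostname.replace(/\.$/, "");
}

// True only when the host is facebook.com itself or a subdomain of it.
// A host that merely contains the string (facebook.com.evil.example) fails,
// because its registrable domain is evil.example.
function isTrustedLoginUrl(urlString) {
  const host = hostOf(urlString);
  if (host === null) return false;
  return host === TRUSTED_DOMAIN || host.endsWith("." + TRUSTED_DOMAIN);
}

// Constructed sample of addresses a phishing email might link to, each
// annotated with the verdict a careful reader of the address bar should reach.
const SAMPLE_URLS = [
  "http://www.facebook.com/login.php",                    // genuine
  "https://login.facebook.com/",                          // genuine subdomain
  "http://www.facebook.com.account-verify.example/login", // facebook.com as a label inside another domain
  "http://www.facebook.com@203.0.113.5/login",            // "user@" trick: the host is 203.0.113.5
  "http://www-facebook.com/login",                        // hyphen instead of dot
  "http://faceb00k.com/login",                            // digit zero instead of letter o
  "http://evil.example/?next=http://www.facebook.com/",   // trusted name appears only in the query string
  "javascript:alert(document.cookie)",                    // not a web address at all
];

// Evaluate a list of URLs; returns [{url, host, trusted}] for display or checking.
function auditUrls(urls) {
  return urls.map((url) => ({ url, host: hostOf(url), trusted: isTrustedLoginUrl(url) }));
}

// Run stand-alone: print the verdict for each sample address.
for (const { url, host, trusted } of auditUrls(SAMPLE_URLS)) {
  console.log(`${trusted ? "TRUSTED" : "SUSPECT"}  host=${host === null ? "(none)" : host}  ${url}`);
}
```

Only the first two sample addresses come out as trusted. The rest show the patterns worth recognising by eye: the real domain name buried inside a longer host, a “user@” prefix that pushes the real host to the right, one-character substitutions, and the trusted name sitting in the query string rather than the host. Note that this check answers only who receives the credentials; a page that looks exactly like Facebook but sits on any other host is precisely the phishing page described above.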

Here are a few tips to avoid other types of email phishing scams.

Unfortunately, Facebook does not offer phone support at this time. If you think your Facebook account has been compromised, you can report it to Facebook here.

Information via MSNBC.