Socially Unacceptable Media – Part Two
In our last Blog post, I told you about a Facebook scam that is being deployed via the messenger service. Unfortunately, this is not the only way scammers use social media to trick their victims. Let me explain.
If you’ve been following this series, you know that many of my posts recently touch on the topic of fraud. It’s for a good reason – fraud is rampant; the internet makes it so easy to accomplish. Enlightened users will know not to trust everything they see online. They’ll know that you always want to check online communications – in any form – before acting on them. Thanks to this critical eye, we can catch phishing attempts like the one I am about to share with you.
Facebook boasts over 3 Billion users worldwide. Therefore, it is safe for a fraudster to assume that a user whose email address they acquired will likely have an account on the platform. Moreover, many users have an alternate recovery email address associated with their account if they ever need to reset their credentials. Let’s go over a scenario.
You receive an email from Facebook. Diligent internet users know to always hover over the sender’s name. Hmmm, security@facebook.com – that is an actual email address used by Facebook. That means it’s a real message from them, right? Not so fast. Take a look at a series of emails I received this week.
· I received this email at 9:39 AM to my main personal email. Obviously, I had not requested a password reset, or I wouldn’t even be posting this blog.
· I received the same exact email three hours later – including the same recovery code. Have you ever seen a reset request anywhere that is good several hours later? Those typically expire after a few minutes, let alone several hours.
· The same emails, with different recovery codes, were also sent to my alternate email at the same times. Facebook has this alternate email on file for recovery, so it caught my attention.
Even though the emails caught my attention, I still proceeded with caution. I hovered over the sender and Googled the sender’s email. It turns out this is a real email from Facebook. But, as I hadn’t requested a password reset, I knew it was a spoofed email at best, or my Facebook account had been hacked at worst.
Rather than click on any links or buttons in the suspected emails, I decided to pull up my Facebook account to verify it. Did you know that you can confirm legit emails from Facebook directly in-platform? Here’s how.
1. Log into Facebook from a desktop.
2. On your profile, click on your picture in the upper right corner.
3. Select “Settings and Privacy”.
4. Select “Settings”.
5. On the left side of the screen, select “Password and Security” from the Meta Accounts Center box.
6. Click “Password and Security once again.
7. Under “Security Checks,” you can select several options. In this case, we are checking to see if Facebook sent an email. Click on the “Recent Emails” option.
8. If you have multiple profiles, select the profile you want information about. For instance, I want to see information about my personal Facebook account, so I will click on my personal profile. If I wanted information about my other Facebook accounts that I am an admin on, I would click on that profile instead.
9. “Recent Emails” shows two categories of emails: security emails and other emails. Legitimate emails sent by Facebook would appear here. I, however, had this message for both options:
Let’s wrap this post up by going over some security reminders.
“Think before you click.”
Before you take any action, consider the source. Is the message really coming from the sender as implied? A Google inquiry shows that the email address is correct. It does not, however, confirm that the sender isn’t being spoofed. Remember, NEVER click on a link unless you know the sender.
Finding out if an email is being spoofed takes some extra steps. In my situation, I was able to do some investigation on Facebook outside of the email in question. In other cases, you might need to call a known, published phone number, close the message, visit a known, trusted, secure website, or make an additional Google inquiry. Known scams usually pop up in Reddit feeds where users share their experiences to help tip off others about potential fraud.
One last thing…it only takes a moment to update your passwords. When in doubt, change passwords on your accounts. That goes for email, social media, and frequently used apps.
Have you been the victim of a scam? I want to hear from you. Leave a comment below or email me.
Krista Kyte is a personal finance blogger and personal banker with over 21 years of experience in the financial industry. Krista is passionate about helping our members understand their financial situations. She writes tips that help consumers reach and maintain financial security and start living the life they’ve always wanted.