Image default

Careful! This Facebook phishing scam wants your login info

Facebook login screen on a mobile deviceImage: Pixabay

“I can’t believe he’s gone. I’m gonna miss him so much.” 

If you see a post on Facebook with these words (or even in this vein), watch out—your friend’s account is being used to spread a phishing scam.

Here’s how it works: An attacker steals an account. Then they post this vague but worrisome message, along with a website link that looks legitimate. (It’s usually an URL that starts with the Facebook domain or looks like an embedded video from BBC News.) The link redirects to a phony site that asks for your Facebook login info to proceed. If you enter it, the page captures your credentials. Afterward, you’re redirected yet again—Bleeping Computer, which reported on this issue earlier this week, says mobile users get punted to Google, while those on a desktop PC get pushed off to other scummy websites promoting browser extensions, VPNs, or affiliate sites. 

If your Facebook account gets taken over, your account gets used to spread this scheme to your network.

While this particular scam isn’t new—its initial appearance was about a year ago, according to Bleeping Computer—it still has fresh legs. I spotted this phishing attempt in the wild just last week when an acquaintance’s account posted the Facebook redirect variant of the message.

Bleeping Computer

To protect yourself from this campaign (and any others that rely on a compromised password), you can take a few steps. First, if you think you’ve fallen for one of these bad links, change your password as soon as possible. Pick one that’s strong, unique, and random—you can use a password manager to generate and store it.


Norton 360 Deluxe

Norton 360 DeluxeRead our reviewPrice When Reviewed:$49.99 for the first yearBest Prices Today:$19.99 at PCWorld Software Store | $49.99 at Norton

Next, enable two-factor authentication (2FA) on your account. It adds a second layer to the login process, in which you have to enter a six-digit code or use a hardware token in addition to your password. More secure forms of 2FA (software tokens or a hardware key) should stop would-be hackers in their tracks since they won’t have access to the app generating the tokens or the hardware key. (Note: 2FA codes sent over SMS are riskier, since an attacker could hijack your phone number to get those text messages routed to them.)

Finally, you can use an antivirus program or browser extension that detects and blocks malicious links. It’s not foolproof, but it adds to your overall safety net. Online security is about layers—having more than just a password helps safeguard you more thoroughly.

Alaina Yee is PCWorld’s resident bargain hunter—when she’s not covering software, PC building, and more, she’s scouring for the best tech deals. Previously her work has appeared in PC Gamer, IGN, Maximum PC, and Official Xbox Magazine. You can find her on Twitter at @morphingball.

Recent stories by Alaina Yee:

Best antivirus software 2024: Keep your PC safe from malware, spyware, and moreMicrosoft says you should always ask this one security question to avoid scamsAVG Internet Security review: Reliable, budget-friendly antivirus software

Related posts

Nvidia GeForce RTX 4080 Super review: The 4K graphics card you want


Ubisoft says it won't delete your digital games


CES Hands-on: MSI Claw vs Steam Deck vs Asus Ally


Leave a Comment