Facebook Phishing Scam Targets ‘Fan’ Pages
No matter how popular your fan page on Facebook may be, "Facebook Security" is not asking you to verify it, contrary to what the creators of a new phishing scam want you to believe. Users who fall for this scheme will give phishers access to their Facebook accounts and whatever personal information is stored therein.
Anyone who has administrative duties on a Facebook page (for a business, product or public persona, as opposed to a traditional personal profile) should be on the lookout for this scam. According to the Australia-based security blog Hoax-Slayer, the scam begins with a message in an admin's Facebook message inbox.
The message announces a supposed new Facebook feature, the "Fan Page Verification Program," which does not exist: "After many Fan Pages have been stolen lately leaving us no choice but Deleting them forever, we have come up with an original solution about the Fan Page's Security," it reads.
If the message's broken English, missing punctuation and inconsistent capitalization don't give it away as a scam, perhaps the fact that there is no such thing as a Facebook "Fan Page" will. Facebook instead uses the Pages moniker; the word "Fan" is nowhere to be found in Facebook’s official Help Center.
The phishing scam attracts users by adopting the language of a two-step verification program, similar to the ones offered by Twitter and WordPress. Upon clicking on a link that takes them to a page outside Facebook (this should set off warning bells), users must enter their username, password, Facebook-page URL and a 10-digit "verification code."
The message also appeals to users' egos by assuring them that Facebook Security has a vested interest in saving "high-quality content," like theirs. If users fail to comply by May 30, the scam message reads, their pages will be "suspended permanently."
The Facebook-page URL and verification code are, of course, irrelevant. The phishers want email addresses and passwords. With these in hand, they can access Facebook information known only to the user and those closest to him or her (potentially including home address and phone number), as well as access a rich trove of new potential victims. After all, unsuspecting users are more likely to click on a link from a "trusted" friend than an unknown source.
Amateurish phishing scams like this one are easy to avoid, especially considering official communications from Facebook never request a password or use unintelligible language. If you find yourself on the receiving end of this message, consider tipping off the real Facebook Security — it will put the information into more useful hands.
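The warning signs described in this article can be checked mechanically by a page admin or a mail/message filter. The sketch below is an added example, not code from Facebook or Hoax-Slayer; the function names, the trusted-domain list, and the sample message (whose link and closing sentence are constructed) are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Domains treated as genuinely Facebook (assumption for this example).
TRUSTED_SUFFIXES = ("facebook.com",)

def is_facebook_host(url):
    """True only if the URL's real host is a trusted domain or its subdomain.

    Parsing the host defeats lookalikes such as
    facebook.com.page-verify.example and www.facebook.com@login.example.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def phishing_indicators(message):
    """Return which of the article's warning signs appear in a message."""
    found = []
    urls = re.findall(r"https?://[^\s\"'<>]+", message)
    if any(not is_facebook_host(u) for u in urls):
        found.append("off_facebook_link")      # link leaves Facebook
    if re.search(r"\bfan\s+pages?\b", message, re.I):
        found.append("fan_page_wording")       # Facebook says "Pages"
    if re.search(r"\bpassword\b", message, re.I):
        found.append("asks_for_password")      # Facebook never requests it
    if re.search(r"\b(suspended|deleted?|deleting)\b.*\b(permanently|forever)\b",
                 message, re.I | re.S):
        found.append("suspension_threat")      # deadline / deletion pressure
    return found

# Constructed sample: the first sentence is quoted in the article, the link
# and the rest of the wording are made up for this example.
SAMPLE = (
    "After many Fan Pages have been stolen lately leaving us no choice but "
    "Deleting them forever, we have come up with an original solution. "
    "Confirm your password at https://facebook.com.page-verify.example/confirm "
    "or your page will be suspended permanently."
)

if __name__ == "__main__":
    print(phishing_indicators(SAMPLE))
```
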