Avoid These “Facebook” Phishing Scams—or Risk Losing Your Account
Liquid Creative is well aware of the recent increase in phishing scams from devious people impersonating Facebook and Meta. We’ve received these emails ourselves, in our Liquid accounts and the multiple accounts we manage for clients. Sadly, some of our clients and loved ones have been fooled by these tricks. Thankfully, we’ve been able to recover most of the accounts. Sometimes, it’s just not possible.
What are Facebook phishing scams?
Phishing is a common internet crime, where a scammer impersonates a company, government agency, or even a person you know, and tricks their victims into sharing personal information like the login information to their accounts. Then the scammer proceeds to take control of those accounts for their own benefit.
Facebook phishing scams usually show up in one (or all) of these three ways: as a direct message through Facebook or Instagram (Messenger), as an email, or as an SMS text message. In all cases, the sender often impersonates Meta, Facebook, or Instagram.
Common phishing scams targeting Business Pages
Facebook will never ask you for your password in an email or send you a password as an attachment.
The following isn’t an exhaustive list of phishing scams that target Business Pages, but it gives you a good idea of what to watch out for:
- Claims that your page has gone against Meta’s community standards, and that your account will be blocked if you don’t act.
- Claims that your page has violated copyright laws, and that you will be sued if you don’t act.
- Warnings that your account has been compromised or hacked, and that you need to log in to recover it.
- Questions about a product or service with a fake link, or a request that you download a file (that’s infected).
Common phishing scams targeting Personal Profiles
Since your personal profile is tied to your business page, scammers only need to gain access to your personal account (or any admin’s on your business page) to be able to access your business account. To do this, scammers often use these types of techniques that target personal profiles:
- Impersonating someone you know
- Friend requests
- Contests and giveaways
- Job offers
- Games and quizzes
Click on these scams, and you’ll likely land on a website that looks like a Facebook page (or actually is a Facebook page), but is a fake one created to impersonate an official Meta account. In each of these scenarios, the scammer requests some kind of access and then uses it to take control of your account and lock you out.
What happens after my account has been hacked?
Just losing access to a business account that represents your brand and that you’ve probably worked hard to build is bad enough, but it’s not the worst of it.
One of the worst things that can happen when your account gets hacked is this: Scammers then use your Ad Account to run ads for their own products and services using your credit card.
They can also impersonate your account and reach out to people or companies you know and scam your colleagues too!
Is this message from Facebook legit? Examples of different phishing messages and how to recognize them
Example of a “Meta email” phishing scam
This email received by one of our clients is a good example of a phishing scam where the sender pretends to be the company Meta. The email “From” line claims the email was sent from the Meta Help Center, but if you look at the accompanying address, the email is actually from zadhu.com.
The email includes the actual name of the business page on the subject line and in the content. It claims you violated community standards and copyright laws. Then it warns that if you don’t act within 24 hours, your account will be deactivated.
It includes a link to a Facebook page. The link will take users to a fake Facebook page that impersonates Meta. From there, they’ll ask you to give them enough information to take control of your account.
Examples of direct message phishing scams
Similar to the email above, you can get a direct message via your phone app or on your computer. In this case, the message will be from a user that claims to be Facebook or Meta. They will probably use Facebook’s logo and/or some kind of warning sign.
You may also receive a message from someone posing as a user who is interested in your products or services. But they will send you a link or a downloadable file.
Example of an SMS message phishing scam
Similar to the examples above, you may get a text message with the same modus operandi. You’ll start to notice the pattern, and you’ll be ready to ignore, block, delete, or report!
How to detect a phishing email or message
Here are some of the most common warning signs:
- Email is not from a Facebook or Meta domain. Facebook uses the following email domains when reaching out to users: @facebookmail.com, @facebook.com, @fb.com, and @meta.com.
- Typos, grammatical errors, unusual fonts, or an excess of emojis ⚠️ 🚫 🚩
- User’s name or avatar is not from Facebook or Meta.
- Design doesn’t look like it comes from Facebook or Meta.
- Time-sensitive requests (e.g., “Do such and such, or you will be suspended in 24 hours.”).
- Links you have to click to solve the stated problem.
Please consider that scammers are becoming increasingly effective at impersonating official messages, so always take extra precaution.
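The following Python example, added here and not from Liquid Creative or Meta, applies several of the warning signs above to a raw email: the sender domain, a Meta-sounding display name on a non-Meta address, time-pressure wording, and links. The urgency patterns, sign labels and sample message are constructed for illustration, and a matching sender domain is not proof of legitimacy because the From line can be forged.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Sender domains the article lists as used by Facebook/Meta.
META_DOMAINS = {"facebookmail.com", "facebook.com", "fb.com", "meta.com"}
BRAND_WORDS = re.compile(r"\b(meta|facebook|instagram)\b", re.I)
# Constructed urgency patterns, modelled on the article's "24 hours" example.
URGENCY = re.compile(
    r"\b(within|in)\s+\d+\s+hours?\b|\b(deactivated|suspended|blocked)\b", re.I)
LINK = re.compile(r"https?://[^\s\"'<>]+", re.I)

def sender_domain(from_header):
    """Return (display name, lowercased domain) from a From: header."""
    name, addr = parseaddr(from_header)
    return name, addr.rpartition("@")[2].lower().rstrip(".")

def is_meta_domain(domain):
    # Exact match or a true subdomain; "facebook.com.example.net" must fail.
    return any(domain == d or domain.endswith("." + d) for d in META_DOMAINS)

def warning_signs(raw_email):
    """Return the article's warning signs found in one raw email message."""
    msg = message_from_string(raw_email)
    name, domain = sender_domain(msg.get("From", ""))
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}"
    signs = []
    if not is_meta_domain(domain):
        signs.append("sender-domain-not-meta")
        if BRAND_WORDS.search(name):
            # "Meta Help Center" as the name, but the address is elsewhere.
            signs.append("display-name-impersonates-meta")
    if URGENCY.search(text):
        signs.append("time-sensitive-threat")
    if LINK.search(text):
        signs.append("link-to-click")
    return signs

# Constructed sample modelled on the email described in the article.
SAMPLE = """From: Meta Help Center <support@zadhu.com>
Subject: Example Business Page: community standards violation

Your page violated community standards and copyright laws.
Act within 24 hours or your account will be deactivated.
https://www.facebook.com/constructed-example-page
"""

if __name__ == "__main__":
    print(warning_signs(SAMPLE))
```

An empty result only means none of these particular signs were found, so the advice to check your account directly instead of clicking still applies.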
What to do if you suspect you’ve received a scam email or message
Our recommendation is to NEVER click on an email or message from Facebook. If you wonder if the email or message is legitimate, you can log into your personal profile, your business page, or your business manager account directly and make sure everything looks good. If there is a problem with your account, you’ll probably see an official warning message from Facebook in the account itself—not via a text, direct message, or email.
If you are sure it’s a scam, you can:
- Delete or ignore the message.
- Mark it as spam.
[Screenshot: how to mark an email as spam in Gmail]
[Screenshot: how to mark a direct message as spam in Meta]
- You can take the extra step and report it to Meta. You can do that by forwarding it to firstname.lastname@example.org, or you can report it on this page.
What can I do if I fall for a Facebook phishing scam?
If you or someone you know already fell for a phishing scam, the most important step you can take is to contact Facebook and tell them. Follow the instructions on this page or through Facebook’s chat support (you need to still be able to access your personal profile and be logged in to do this).
If you are not sure if your account was compromised, you can reach out to this Facebook page.
If you have a credit card attached to your Ad Account, contact your bank and cancel your cards. Also verify whether or not the cards were used for any unauthorized purchases. If the cards have already been used, you will need to file an appeal with your banking or credit card company. If they haven’t been used yet, still cancel them and get new cards.
Take all kinds of screenshots that can be used as proof—for your financial service, your own company records, and Meta. This includes emails, direct messages, and any kind of actual warning you’ve received from Meta once your account was hacked.
If you have questions, we have answers. You’ve got business objectives. We’ve got marketing solutions. Contact Liquid Creative today.