12 February 2021

Facebook Password Harvesting

Your Facebook account is valuable to fraudsters: if they can get access to it, they can reach all your 'friends'.

Most of us log in using an e-mail address and password, and because we often use the same e-mail address and password in multiple places, giving it away is a problem elsewhere, not just on Facebook.

And if you have an e-mail address at Hotmail, Gmail etc., then the fraudsters know where to go to try to get at your e-mails, especially if you use the same password there as you do for Facebook. They can then cause havoc by changing your details all over the place, because the confirmation messages arrive in an e-mail account they now control, and they can authorise the changes themselves.

A common scam is the Messenger video asking if it's you:

If you click on it, you'll see a screen like this that impersonates the Facebook login screen; note that the URL in this example is 'agilecrm.com' and not Facebook:

If you enter your e-mail address and password, you've just given the fraudsters access to your account (and potentially your e-mail, your bank accounts, PayPal, Amazon, eBay...). It's as easy as that.
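The tell in the fake login page is the address bar. As an added example (not from the original post), here is a small Python check of whether a login page's host really belongs to Facebook, rather than merely containing the word 'facebook' somewhere in the URL. The trusted host list and the sample URLs are constructed for illustration; the 'agilecrm.com' host is the one named above, the path after it is made up.

```python
from typing import Optional
from urllib.parse import urlsplit

# Assumption (constructed for this example): hosts on which a genuine
# Facebook / Messenger login page may live. Any subdomain of these is accepted.
TRUSTED_HOSTS = ("facebook.com", "messenger.com")


def login_host(url: str) -> Optional[str]:
    """Return the lowercase hostname of an https URL, or None if it is not https.

    urlsplit().hostname discards userinfo ("facebook.com@evil.example") and the
    port, so only the part the browser actually connects to is returned.
    """
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        return None          # a real login page is never served over plain http
    host = parts.hostname
    if not host:
        return None
    return host.rstrip(".").lower()


def is_trusted_login_host(url: str) -> bool:
    """True only if the host is exactly a trusted host or a subdomain of one.

    Matching on the registrable domain boundary (the dot) is what defeats
    "facebook.com.evil.example"; a substring test on "facebook" would not.
    """
    host = login_host(url)
    if host is None:
        return False
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def classify(urls):
    """Map each URL to a verdict, for a quick look at a batch of links."""
    return {u: ("genuine host" if is_trusted_login_host(u) else "NOT Facebook")
            for u in urls}


if __name__ == "__main__":
    # Constructed sample URLs; the agilecrm.com path is made up.
    samples = [
        "https://www.facebook.com/login",
        "https://agilecrm.com/forms/fb-login",
        "https://facebook.com.example.net/login",
        "https://facebook.com@example.net/login",
        "http://www.facebook.com/login",
    ]
    for url, verdict in classify(samples).items():
        print(f"{verdict:13} {url}")
```

The point of the check is the boundary condition: only `facebook.com` itself, or something ending in `.facebook.com`, passes, and the scheme must be https. Anything else, however much it looks like Facebook on screen, is where you should not type your password.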

If you've been caught out, you're not the first and won't be the last. The first step is to re-secure your Facebook account. Just changing your Facebook password isn't enough; there are a few extra steps to take:

Tap on the menu button (the three lines; these are iOS screenshots, and the Android buttons will be in a different place) and then scroll down to 'Settings':


Tap on 'Security and login':


You'll see where you're currently logged in, which is probably on your phone, tablet, computer, third-party web sites etc. Tap on 'See all':


Scroll down to the bottom of the list and you'll see the 'Log out of all sessions' button. Tap it:


Now you need to go and change your Facebook password on the Security menu. You should also consider setting up two-factor authentication (2FA), which means you will need to enter a code before you can log in to Facebook in future. This stops other people from logging in even if they have your e-mail address and password:


If you use the same e-mail address and password for other accounts, and plenty of people do, then you should change the passwords on those too as soon as possible.
