“I can’t believe he’s gone. I’m gonna miss him so much.”
If you see a post on Facebook with these words (or even in this vein), watch out—your friend’s account is being used to spread a phishing scam.
Here’s how it works: An attacker steals an account. Then they post this vague but worrisome message, along with a website link that looks legitimate. (It’s usually an URL that starts with the Facebook domain or looks like an embedded video from BBC News.) The link redirects to a phony site that asks for your Facebook login info to proceed. If you enter it, the page captures your credentials. Afterward, you’re redirected yet again—Bleeping Computer, which reported on this issue earlier this week, says mobile users get punted to Google, while those on a desktop PC get pushed off to other scummy websites promoting browser extensions, VPNs, or affiliate sites.
If your Facebook account gets taken over, your account gets used to spread this scheme to your network.
While this particular scam isn’t new—its initial appearance was about a year ago, according to Bleeping Computer—it still has fresh legs. I spotted this phishing attempt in the wild just last week when an acquaintance’s account posted the Facebook redirect variant of the message.
To protect yourself from this campaign (and any others that rely on a compromised password), you can take a few steps. First, if you think you’ve fallen for one of these bad links, change your password as soon as possible. Pick one that’s strong, unique, and random—you can use a password manager to generate and store it.
Next, enable two-factor authentication (2FA) on your account. It adds a second layer to the login process, in which you have to enter a six-digit code or use a hardware token in addition to your password. More secure forms of 2FA (software tokens or a hardware key) should stop would-be hackers in their tracks since they won’t have access to the app generating the tokens or the hardware key. (Note: 2FA codes sent over SMS are riskier, since an attacker could hijack your phone number to get those text messages routed to them.)
Finally, you can use an antivirus program or browser extension that detects and blocks malicious links. It’s not foolproof, but it adds to your overall safety net. Online security is about layers—having more than just a password helps safeguard you more thoroughly.