Phishing Attacks on Facebook

Phishing is one of the most common security issues on Facebook. Despite the simplicity of the underlying mechanism, phishing attacks can be crafted in a very sophisticated and deceptive manner. In essence, a phishing attack involves stealing login credentials from unsuspecting users.

An example of a classic phishing attack is an email purportedly sent by a bank, alerting consumers of an immediate need to access their online accounts because of an alleged security breach. The graphic design of the email and the urgency of the content, crafted by hackers who specialize in phishing, can often be flawless, which makes the first stage of the attack successful. The second stage consists of directing the victims to a website that also resembles the login page of their online banking accounts, where they are asked to enter their credentials.

Once a victim has been duped into providing their online banking login information, it is easy to imagine the next step taken by the hackers behind the phishing attack: they can authorize wire transfers, request debit cards, apply for lines of credit, steal information, etc. Internet security analysts estimate that more than one billion dollars were lost to phishing attacks in 2012, and this is an issue that unfortunately continues to get worse.

A typical phishing attack on Facebook is a fake website that may look exactly like one of the various login pages used by this social network. The likely intent of the attackers is to gain control of a Facebook profile for the purpose of posting updates that direct friends to malicious sites. At a minimum, the attackers intend to distribute spam; in more serious cases, they may want to steal virtual currency for online games such as Zynga poker chips.

The best protective measure against phishing attacks on Facebook is to learn to recognize obvious attacks. Messages that carry the Facebook logo but contain misspellings or typos are very possibly the front ends of sloppy phishing attacks. Another clear sign is a mismatched link, which can be corroborated by hovering over a suspicious link with the mouse pointer and looking at the status bar at the bottom of the browser: if the URL shown there does not match the one displayed in the message, the message may be part of a phishing ploy.
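The hover check described above, automated as an added example (this is not code from the original post): it parses the HTML body of a message, collects every link's visible text and real `href`, and flags links whose displayed domain differs from the domain the browser would actually open. The sample message is constructed for the example and does not come from any real phishing mail.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML message body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # text inside the open <a>, nested tags included
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


# Something that looks like a domain or URL inside the link's visible text
_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.I)


def _host(url):
    """Normalise a URL or bare domain to its host: lowercase, no port, no leading www."""
    host = (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def find_mismatched_links(html):
    """Return (visible_text, href) pairs whose displayed domain differs from the real target."""
    parser = _AnchorCollector()
    parser.feed(html)
    mismatches = []
    for href, text in parser.anchors:
        match = _DOMAIN_IN_TEXT.search(text)
        if not match:
            continue  # link text is not a URL or domain, so nothing to compare
        shown, real = _host(match.group(1)), _host(href)
        if shown and real and shown != real and not real.endswith("." + shown):
            mismatches.append((text, href))
    return mismatches


# Constructed sample message for the example (not a real phishing email)
SAMPLE = ('<p>Your account is locked. Verify at '
          '<a href="http://login.example-attacker.invalid/fb">https://www.facebook.com/login</a> '
          'or visit <a href="https://www.facebook.com/help">facebook.com/help</a>.</p>')
```

Running `find_mismatched_links(SAMPLE)` reports only the first link, whose visible text claims facebook.com while the `href` points elsewhere; the second link is consistent and is not flagged.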

Facebook is not in the habit of asking its members for credit cards, bank account information, social security numbers, etc. Emails that claim to be from Facebook and ask for this information should be considered phishing attacks.
