Phishing with friends

OCCU  -  11.19.2024

Being tagged by a friend on Facebook is a fun way to share memories, reminisce about a concert you went to together or share a throwback picture of you in high school.  But sometimes being tagged or mentioned could be the work of a hacker looking to take advantage of you. 

The scam looks like this: a Facebook user receives an email notification saying that a "friend" has mentioned them in posts on the social network and encouraging the user to click through to see the post. When they do, the user is taken to a fake Facebook verification webpage. Clicking the link isn’t the danger, however. The phishing happens when the user unknowingly enters their login credentials into that fake Facebook login page.

Once hackers have a user’s login credentials, they set up a dummy Facebook profile and send out hundreds of friend requests. When a friend accepts the request from the duplicate profile, the hacker will send a message or post with tempting messages to entice a click on the link, such as, “Hey, what exactly are you doing in this video? How embarrassing!” And the cycle continues.

Unfortunately, this type of phishing takes place all over the internet, not just on Facebook. The scam spreads because people are not aware of it. To protect yourself from this type of scam, we recommend the following:

Check the URL

Before entering your login credentials or any other personal information into a website, be sure you recognize the URL in the browser. If you’re unsure, reach out to the organization or navigate to the website on your own by typing in the correct website domain again. Also, verify that the domain is secure.

Protect your device

Keep your anti-malware, firewall and virus protection up to date. If you have a Mac, don’t trust the myth that you are immune. All devices need protection. If your computer has been infected with a virus, you need to run antivirus software to keep your information secure.

Log out

After you are done with a session of browsing your news feed, log out. That goes for any website you interact with, such as your financial institution or email account.

Check the sender

Always check the email address of the sender before downloading an attachment or giving personal information. This means not just checking the sender’s name, but also clicking into the details to see the sender’s email address and clicking reply to see the email address your message would go to if you were to reply. There may not be an exact match and that’s OK. However, it should be a red flag if you're receiving an email supposedly from Facebook but the address is from a Gmail account, for instance.
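The sender check described above, written out as an added Python example that is not part of the original article: it compares the display name, the From address and the Reply-To address of a message. The brand domain list, the free webmail list and the three sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains the brand is expected to mail from; maintain your own list.
BRAND_DOMAINS = {"facebook": {"facebook.com", "facebookmail.com"}}
# Assumption: a short sample of free webmail providers.
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}

# Constructed sample messages (not real mail).
PHISH = 'From: "Facebook" <security.alerts@gmail.com>\nSubject: You were mentioned\n\nSee the post'
LEGIT = 'From: Facebook <notification@facebookmail.com>\nSubject: You were mentioned\n\nSee the post'
REDIRECT = 'From: Facebook <notification@facebookmail.com>\nReply-To: helpdesk@outlook.com\n\nSee the post'

def domain_of(header_value):
    """Return the lower-cased domain of the address in a From/Reply-To header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def matches(domain, allowed):
    """True if domain equals an allowed domain or is a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def check_sender(raw_message):
    """Return a list of findings for one raw e-mail message."""
    msg = message_from_string(raw_message)
    display, _ = parseaddr(msg.get("From", ""))
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    findings, to_check = [], [("From", from_dom)]
    # A differing Reply-To is not a red flag by itself, but it gets checked too.
    if reply_dom and reply_dom != from_dom:
        to_check.append(("Reply-To", reply_dom))
        findings.append(f"NOTE: replies go to {reply_dom}, not {from_dom}")
    for brand, allowed in BRAND_DOMAINS.items():
        if brand not in display.lower():
            continue  # the sender name does not claim this brand
        for label, dom in to_check:
            if dom in FREE_MAIL:
                findings.append(f"RED FLAG: {label} claims {brand} but uses {dom}")
            elif not matches(dom, allowed):
                findings.append(f"CHECK: {label} domain {dom} is not a known {brand} domain")
    return findings

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT), ("REDIRECT", REDIRECT)):
        print(name, check_sender(raw) or "no findings")
```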

If you’ve been hacked — on Facebook or another website — do what you can to halt the damage: Change your password and add additional layers of authentication or notifications when someone logs in to your account.

Knowledge is power! Keep yourself and your personal information safe by using these tips, and share them with your friends to spread awareness.