Security researchers from AccessNow have discovered a new Facebook phishing scam that can also fool a professional technical user into falling victim to this scam and helping attackers to get access to your Facebook account.
The new scam is using a Facebook account recovery feature called “Trusted Contact”— which sends secret codes to some of your close friends in order to help you recover your Facebook account in case you forget your password or it has been hacked.
According to researchers:
Here’s how the attacker attempts to exploit your trust in order to extract the information needed to steal your account:
– You get a message from an attacker on Facebook Messenger, who is using the compromised account of someone on your Friends list.
– The attacker asks for your help recovering their account, explaining that you are listed as one of their Trusted Contacts on Facebook, and tells you that you will receive a code for recovering their account.
– Then the attacker triggers the “I forgot my password” feature for your Facebook account and requests a recovery code.
In an effort to help, you send the code you’ve just received to your “friend.”
– Using the code, the attacker can now steal your account from you, and use it to victimize other people.
This new scam targets Facebook users and relies on your lack of knowledge about the “Trusted Contacts” option.
To secure your Facebook account, you are always recommended to be careful to each recovery emails you get, and read the recovery message or email correctly, even if it is sent by one of your real friends.