Private-message phishing scam seeks to snag Facebook users

No, your “Facebook friend” didn't see you in a mysterious video

Facebook users beware: if your close friend or trusted relative sent you a private Facebook message claiming that you were seen (or tagged) in a video, that's almost certainly a piece of phishing bait sent by a scammer hiding under your friend or relative's identity.

From the perspective of a phishing scammer, snagging victims through Facebook messaging is both harder and easier than ensnaring victims via regular email: It's harder in the sense that potential victims are unlikely to ever see your scammy messages unless they first accept you as an official “Facebook friend” (or if you manage to take over a genuine friend's account).

However, once you are accepted as a “Facebook friend,” any scammy phishing-bait messages you send via Facebook messaging are more likely to be read than phishing-bait messages sent to random strangers' email accounts.

Back for more

Hoax Slayer reports that a video phishing scam first seen last year enjoyed a revival on Facebook this week:

“Hey [Name of user], wat are u doing in this video lol! Search ur name and skip to 1:53 on video. Type in browser with no spaces-> [Web address removed]”


This message, which arrives from a friend via Facebook's personal messaging system, asks what you are doing in a video the friend has watched. The message instructs you to enter a web address into your browser, search for your name, and then skip to a specified place in the video to see yourself.

The tone of the message suggests that there may be something compromising or embarrassing about the supposed footage. ...

Needless to say, this is a phishing scam. Chances are the message actually did come from your friend's genuine Facebook account — but only after hackers hijacked that account, most likely without your friend's knowledge. You definitely want to ignore and delete that message, and also find a way (preferably other than Facebook) to let your friend know about the scammers sending out Facebook messages in his name.

It's also possible your friend's account was not hijacked, but imitated: it's pretty easy for scammers to make fake Facebook accounts that look like the legitimate accounts of real people you know and trust, by simply copying photos, video and other content from the real accounts.

What to do

If that phishing-bait message came from an imitation Facebook account, the owner of the real account can use this link to report the fake to Facebook.

If you see a fake account in the name of a real friend, let your friend know but don't bother reporting the fake to Facebook on your friend's behalf, since Facebook's Help Center says “Please keep in mind that we can only act on reports from the person who's being impersonated.”

Suppose you received one of these video-phishing messages and actually fell for the bait. What would likely happen next? If you visited the phisher's specified web address, you'd see a fake Facebook page asking you to log in with your password. That alone is enough for the phishers to hijack your own Facebook account.

But there's more: After you type your real password into that fake Facebook login page, you'll be offered the chance to install an app -- a scam app, not a real Facebook one -- which, among other things, will use your newly hijacked Facebook account to send additional phishing come-on messages to everyone on your Facebook friends list.

The more people fall for such scams, the more prevalent those scams become, which is why the best way to fight them is to ignore them.
