Manila Bulletin

5 steps scammers use to trick users into compromising social media accounts

- FROM BEEPER TO BYTES ART H. SAMANIEGO, JR.

Scammers have devised numerous ways to compromise Facebook accounts, and one method involves tricking users into handing over sensitive information through a series of calculated steps. Like many others, this scam preys on the user's trust and lack of awareness about the basics of online security. It often starts with a confusing or intriguing message, most of the time asking if the user has received a certain amount of money. Sometimes, the scammer asks if the target wants to double their money in just a few hours. For someone who hasn't been expecting any funds, such a message can create a mixture of curiosity and concern. If the user responds negatively or expresses interest, the scammer uses this as an opening to engage further, cleverly manipulating the conversation towards acquiring sensitive information, starting with something as simple as a phone number.

I recently received such a message and decided to play with the scammer to understand better how they trick users. This firsthand experience shows how convincing and manipulative these scammers can be, using a mix of urgency and seeming legitimacy to lure their targets into complying with their requests. Here's how this scam typically unfolds:

1. Initial contact: The scam begins when a scammer sends a random message to the user, typically asking if they have received a certain amount of money. For someone who hasn't been expecting any funds, this can be intriguing, and when greed kicks in, the target will be under the spell of the scammer. If the user responds negatively, the scammer uses this as an opening to request the user's phone number to resolve the issue or ensure the supposed money reaches the correct person. Another variation is that scammers post messages on Facebook groups informing people that they will help those in need; all they need is to ask "how." When users comment with "how," the scammers will send them a message inquiring if they want the money.

2. Reset attempt: The scammer will then ask for the phone number where the target could be contacted. Once the scammer obtains the phone number from the user, they proceed to the Facebook login page and select the "Forgot Password" option. Here, the scammer enters the phone number provided by the user. Facebook, aiming to assist a user in regaining account access, uses this number to verify the account owner and sends a security code via SMS to the number.

3. Code retrieval: The user then receives an SMS from Facebook containing a security code intended to reset the account. This is a legitimate feature that Facebook provides to assist users in regaining access to their accounts if they forget their passwords.

4. Deceptive request for the code: The scammer then contacts the user again, claiming that the received code is somehow related to the processing or transferring of the promised money. They manipulate the user into sharing the code by asserting that it is necessary to complete the transaction. Scammers often pressure the victims by telling them they must immediately send the code within the next few minutes.

5. Account takeover: If the user is deceived into sending the security code back to the scammer, the scammer enters this code into the Facebook reset page. This allows them to set a new password, effectively locking the original user out and gaining unauthorized access to the account. With control over the account, the scammer can then engage in further malicious activities, such as spamming the user's contacts, accessing sensitive information, or impersonating the user for fraudulent purposes.

This scam exploits a blend of social engineering techniques and the misuse of legitimate account recovery features. To avoid being a victim, it's crucial never to share security codes or personal details with strangers and to verify the authenticity of any unusual requests through direct, official channels.

Social engineering involves psychologically manipulating people into performing actions or divulging confidential information. Scammers are adept at crafting believable scenarios that can deceive even the most cautious users.

To safeguard against such threats, Facebook account holders must be cautious and think critically about the legitimacy of any unexpected contact or request. One should only share security codes, passwords, or personal details with people who are verified as trustworthy. This includes resisting the urge to respond impulsively to urgent or emotionally charged requests claiming to be from friends or acquaintances, which are often tactics used to exploit the natural human tendency to help others in need.

Furthermore, verifying the authenticity of any unusual or suspicious requests through direct, official channels can provide an additional layer of security. For instance, if someone claims to be contacting you on behalf of a company or a friend, it is wise to reach out to the company or friend directly using a phone number or email address you know to be genuine. This approach helps to ensure that you are not inadvertently providing sensitive information to an impostor.

Protecting our accounts from such scams involves a combination of awareness, skepticism, and proactive verification. By adhering to these practices, users can significantly reduce their risk of falling victim to the clever and manipulative tactics employed by scammers looking to exploit the functionalities intended to make our digital experiences smoother and more secure.
