Not just Twitter DMs: Scammers now phish usernames, passwords, and credit cards via Facebook PMs

Phishing scams, which are used to acquire information such as usernames, passwords, and credit card details, take many different shapes and forms. Most arrive via email spam, but many also spread via social networks; for example, on Twitter, using direct messages has been a very popular tactic for years. For whatever reason, the same can’t be said about Facebook private messages, but it appears that scammers are giving it a go now.

Security firm GFI has discovered that much like using compromised Twitter accounts to send direct messages (DMs) to their followers, phishers have begun using the same tactic on Facebook via private messages (PMs). Here is the scam the company has spotted:

WARNING: Your account is reported to have violated the policies that are considered annoying or insulting Facebook users.system will disable your account within 24 hours if you do not do the reconfirmation.
Please confirm your facebook account below:

The Facebook Security Team
Inc: Departemen 415 PO Box 10005 Palo Alto CA 94303

If you click on the link in question, it will ask you to go through a security check consisting of five pages. You’ll be told to enter your basic personal information and credentials (including email and password) used to log in to Facebook, and then eventually your credit card number as well.

Once the scammers have all this information, they will send out the exact same message to all your friends. Furthermore, your credit card number will undoubtedly also be used to buy up goods and services.

Remember: Facebook will never ask you to enter all your personal information. Here is GFI’s advice:

Unsolicited messages from phishers landing in your private message inbox are no longer limited to Twitter. Despite this old method being used on a different platform, our advice on how to avoid falling for such scams remains the same: Always check the URL to be sure you’re not going to visit a link that is completely unrelated to Facebook—”Think before you click”, remember?; be skeptical about messages claiming to have come from Facebook; lastly, never share the URL with anyone on Facebook or on your other social sites, as this only increases the possibility of someone clicking the link and getting phished themselves.

In short, to avoid all this, simply ignore the Facebook message and delete it from your inbox. You can’t be a victim if you choose not to participate in the scam.

Image credit: Nate Brelsford
