Facebook scams are getting sneakier and sneakier - with the latest attack using the lure of a free T-shirt celebrating Facebook's birthday in an attempt to steal the secret backdoor key to your account.
The offer seems attractive enough - a webpage claiming to celebrate Facebook's 7th birthday, saying that it has over 1.9 million official T-shirts in stock.
All you have to do is verify that you are a Facebook user, claims the following webpage. And this is where things get very sneaky.
The webpage tells you to visit Facebook Mobile, and find on that page the personalised email address that you can use to post status updates or upload photos and videos straight to your profile.
Many people are probably unaware that such a thing exists - but every Facebook user has a secret mobile email address they can use for this purpose.
The important thing, of course, is to keep it secret. Because if someone else finds it out, they'll be able to post status messages to your Facebook page or upload videos and photos to your wall - which your friends will be able to see.
The scammers, unsurprisingly, want your secret mobile email address for Facebook. And so they claim that you have to hand it over to verify you are a legitimate Facebook user in order to get your T-shirt.
The scammers have even had the gall to make a YouTube video showing how to find the secret email address on the Facebook Mobile page, and where to enter it on their form:
The above video is made by a YouTube user called "vicsthedevil" and we have to assume that they are intimately involved in the scam. They posted the video on 5 September, the same day that they registered the website domain name where they are hosting their scam.
Of course, you're still hoping that you're going to receive a free T-shirt. So you may not baulk at the idea of completing a survey (which, by the way, earns commission for the scammers) and giving them your snail mail details so they can send through your free gift.
Good luck, by the way, on that T-shirt. My hunch is that you won't ever receive one. But the scammers now have the ability to post to your Facebook page and upload pictures to your account, and you have helped them earn some money in the process.
If you were hit by this scam then you must refresh your Facebook mobile upload email address - that way the bad guys you just gave it too won't be able to use it as a secret backdoor into your account.
How to refresh your Facebook Mobile upload email address
Some commenters have asked how do you change your Facebook Mobile upload address. Unfortunately, Facebook has made it somewhat tricky to find this option (maybe that's why the scammers felt they had to make their own explanatory video!).
Refresh the page until you see an option like that displayed below. You may have to scroll down the page to find it.
You should now see your Facebook Mobile upload address. Beneath it you should also see an option to "Find out more". Click it, and a screen like the following should pop up.
On this page you should find an option to refresh your mobile email address - but note! Facebook warns that you can only refresh it a limited number of times.
If you don't change your mobile email address on Facebook, you're just asking for trouble. In the past, Facebook pages such as that belonging to the Van Gogh Museum have been hit by scammers who abused the mobile upload feature.
It would be great, of course, if there was a way of telling Facebook to not allow any email address to be used for mobile uploads, as I would imagine that many individuals and companies would find the permanent blocking of the feature attractive.
If you're a Facebook user and want to keep up on the latest threats and security news I would recommend you join the Sophos Facebook page - where more than 100,000 people regularly discuss the latest issues.Follow @gcluley