How to report phishing to Facebook

Filed Under: Facebook, Featured, Phishing, Social networks, Spam

Facebook phishingFacebook has today announced a new way in which it hopes to combat phishing scams targeting its 955 million users.

In a post to its Facebook Security page, the social network has explained that the public can now report Facebook-related phishing emails directly to the company.

All you have to do is forward the phishing email to the following email address:

Facebook says in its post that by forwarding the message you are helping combat attacks, and could assist in forcing phishing websites offline:

By providing Facebook with reports, we can investigate and request for browser blacklisting and site takedowns where appropriate. We will then work with our eCrime team to ensure we hold bad actors accountable. Additionally, in some cases, we'll be able to identify victims, and secure their accounts.

They don't say so in their post, but I would imagine that Facebook's security team would appreciate it if you would forward any phishing messages you receive *with* the full email headers if possible, as that helps determine where the emails have really come from.

Of course, regular Naked Security readers would hopefully never click on a link in an unsolicited email purporting to come from Facebook. Or, at the very least, would have some alarm bells ring and be able to tell that they had reached a *fake* Facebook login page.

For a bit of fun, here is a screenshot of a Facebook phishing webpage. Would you and your friends be able to see why this page is clearly bogus?

Fake Facebook login page

Find out the answers to that puzzle here.

Oh, and if you have the time, don't forget to learn about how you can explain phishing to your grandma with our free Threatsaurus book.

If you're on Facebook and want to learn more about spam, malware, scams and other threats, you should join the Sophos Facebook page where we have a thriving community of over 180,000 people.

Hat-tip: Naked Security reader Michael Johnson

, ,

You might like

17 Responses to How to report phishing to Facebook

  1. J0K3R · 1156 days ago

    "955 million users" Is that with or without the 83 million fake profiles?

  2. Internaut · 1156 days ago

    Maybe JOK3R, they are using 'hits' verses unique visitors :)

    I imagine that not only are there fake profiles, many profiles were started and abandoned by people that realized they don't need to be a Facebook member to be popular by sheer number of friends. There are those set by spammers, shysters, and other of similar ilk.

    There are many choices on the Internet where one can expose themselves. FB is just one of them. Just how many of that magic number of members read and heed remains a mystery.


  3. Freida Gray · 1156 days ago

    The new Facebook phishing policy seems to apply to your Facebook e-mail or to your regular e-mail. I haven't noticed any phishing e-mail from Facebook in those places.Where most of my phishing scams appear is in my News Feed not in any e-mails.Other than the usual report post option, I haven't seen the new option in my News Feed.

    • Graham Cluley · 1156 days ago

      Yes, a lot of times scams appear in Facebook itself, not in traditional email, so cannot be forwarded using the same mechanism.

      But there are 'traditional' Facebook email phishing scams too.

  4. Dave Todd · 1142 days ago


    I have received an email from a genuine Facebook "friend", that even says FOR DAVE (My name btw). This person has never emailed me before, nor me them, so it could only have come from Facebook?

    If I hover over the senders name, it clearly isn't the actaul "friend".

    I have since received another such email, same subject FOR DAVE, but from my mother-in-law (or at least disguised as her) who is now crapping herself thinkg she has a virus.

    Do the Facebook friends have viruses that is allowing the to happen?

    Thanks in advance

  5. Naked Security from Sophos · 1116 days ago

    What would you like to see Facebook Security do next?

  6. Bob Whitmore · 1116 days ago

    Other sites have had phishing forwarding addresses for years. I am pretty upset that it took Facebook this long to get a clue.

  7. Adamu Sule Alhaji · 1116 days ago

    Someone is impersonating my friend's accounts both on Facebook and Yahoo.The impersonater has denied my friend access to both accounts.Please what is the way out? Meanwhile I blocked my friend on Facebook.

  8. James Lowe · 1116 days ago

    It would be nice if they gave us the ability to block/delete/report the property who have pages to build up likes for random crap. It's just blatant spam. Their pages appear as any other personal Page, but if you try to block or delete you get a red error message saying the blocking system is overloaded right now and to try later.

  9. Jean Burger · 1116 days ago

    "955 million users" Is that with or without the 83 million fake profiles?

  10. John Arendt · 1116 days ago

    The fake Facebook page is very well done. Aside from the address in the menu bar, the lack of the https tag and the wrong year in the copyright, it is incredibly close to the real thing. Most of us do not spend enough time on the Facebook login page to pay attention to whether it says "Forgotten" or "Forgot" or which items are on the bottom bar.

  11. Austin Moloughney · 1116 days ago

    Just pay attention to the web address in the address bar.

  12. Wayne Brown · 1116 days ago

    facebook security ??!!?? is that a joke ?? Piece of trash has no security and reporting anything to these fools is a complete waste of time !!! Unless its going to put cash in Zuckerburgs pockets it will be ignored, period !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

  13. Davtwo Frompmog · 1116 days ago

    " I haven't seen the new option in my News Feed."
    I autologin from links, is that wrong? (That is to say, if I get, say, as I did today, a message from Twitter that I got a message, just click here, I copypaste the url into the awesome bar and get logged in automatically.)

  14. CyberHood Watch · 1116 days ago

    Thumbs Up, Sophos ! Love your work.

  15. Michael Collins · 1116 days ago

    Maybe Facebook should apologize instead of Blizzard. Hey, what about Google. We can't live without any of them anymore. They all hold the weak or broken locks to all of our lives.

  16. john · 437 days ago

    Facebook behaves like scam themselves Therefore they MUst be Scam! Remind me of people with the basic command of the English language cant communiate with them "Admin" if it exists try as u might! they suck, better to delete fb profile than put your personal details in a scam website as facebook I JUST DONT TRUST FACEBOOK

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley