Facebook has today announced a new way in which it hopes to combat phishing scams targeting its 955 million users.
In a post to its Facebook Security page, the social network has explained that the public can now report Facebook-related phishing emails directly to the company.
All you have to do is forward the phishing email to the following email address:
phish@fb.com
Facebook says in its post that by forwarding the message you are helping combat attacks, and could assist in forcing phishing websites offline:
By providing Facebook with reports, we can investigate and request for browser blacklisting and site takedowns where appropriate. We will then work with our eCrime team to ensure we hold bad actors accountable. Additionally, in some cases, we'll be able to identify victims, and secure their accounts.
They don’t say so in their post, but I would imagine that Facebook’s security team would appreciate it if you would forward any phishing messages you receive *with* the full email headers if possible, as that helps determine where the emails have really come from.
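Here is what "the full headers" actually buy an abuse team, as an added example that is not part of the original post and is not code from Facebook or Sophos. The script walks the `Received:` chain of a raw message from the bottom (earliest hop) up and compares the visible `From:` domain with the `Return-Path:` and with what the first receiving mail server recorded about the connecting client. The message it parses is constructed for this example: documentation-range IPs, `example.*` domains, and a `From:` line that merely claims facebook.com.

```python
"""Walk the Received: chain of a raw e-mail and flag sender inconsistencies.

Added example for this post, not code from Facebook or Sophos. The sample
message below is constructed: documentation-range IPs (RFC 5737) and
example.* domains, with a From: header that claims facebook.com.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: three hops, earliest at the bottom, as MTAs write them.
SAMPLE = """\
Return-Path: <bounce-7731@mail-relay.example.net>
Received: from mx.example.org (mx.example.org [192.0.2.10])
        by inbox.example.org with ESMTP id 1a2b3c
        for <victim@example.org>; Mon, 20 Aug 2012 10:12:01 +0000
Received: from mail-relay.example.net (mail-relay.example.net [198.51.100.23])
        by mx.example.org with ESMTP id 9z8y7x; Mon, 20 Aug 2012 10:11:58 +0000
Received: from facebook.com (unknown [203.0.113.77])
        by mail-relay.example.net with SMTP; Mon, 20 Aug 2012 10:11:40 +0000
From: "Facebook" <security@facebook.com>
To: victim@example.org
Subject: Your account has been limited
Message-ID: <20120820101140.7731@mail-relay.example.net>

Please confirm your login at http://facebook.com.login-verify.example/
"""

# "from <helo> (<rdns> [<ip>]) ... by <host>" is the common Received: shape.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?.*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IPV4_RE = re.compile(r"\[?((?:\d{1,3}\.){3}\d{1,3})\]?")


def parse_received(raw):
    """Return hops in header order: first element is the last MTA to touch it."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        unfolded = " ".join(value.split())       # join folded continuation lines
        m = RECEIVED_RE.search(unfolded)
        if not m:
            continue
        paren = m.group("paren") or ""
        ip = IPV4_RE.search(paren)
        rdns = paren.split()[0] if paren and not paren.startswith("[") else None
        if rdns == "unknown":                    # written when the PTR lookup fails
            rdns = None
        hops.append({"helo": m.group("helo"), "rdns": rdns,
                     "ip": ip.group(1) if ip else None, "by": m.group("by")})
    return hops


def origin_ip(raw):
    """IP of the earliest hop that recorded one (the bottom-most Received:)."""
    for hop in reversed(parse_received(raw)):
        if hop["ip"]:
            return hop["ip"]
    return None


def header_domain(raw, name):
    """Domain part of an address header such as From: or Return-Path:."""
    _, addr = parseaddr(message_from_string(raw).get(name, ""))
    return addr.rpartition("@")[2].lower() or None


def sender_inconsistencies(raw):
    """Findings that the visible From: line alone would not reveal."""
    findings = []
    from_dom = header_domain(raw, "From")
    rp_dom = header_domain(raw, "Return-Path")
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"From: domain {from_dom} differs from Return-Path: domain {rp_dom}")
    hops = parse_received(raw)
    if hops:
        first = hops[-1]                          # the hop that accepted the original client
        if first["rdns"] is None or first["rdns"].lower() != first["helo"].lower():
            findings.append(
                f"first hop announced itself as {first['helo']} but reverse DNS "
                f"for {first['ip']} was {first['rdns'] or 'unknown'}"
            )
    return findings


if __name__ == "__main__":
    for hop in parse_received(SAMPLE):
        print(f"{hop['helo']:28} {hop['ip'] or '-':16} -> {hop['by']}")
    print("origin IP:", origin_ip(SAMPLE))
    for finding in sender_inconsistencies(SAMPLE):
        print("finding:", finding)
```

Two caveats when using this on a real report. Forwarding a message inline in most mail clients sends only the body, so the headers above never reach the recipient; forwarding as an attachment, or pasting the raw source, preserves them. And only the `Received:` lines added by servers you trust are reliable: anything below the first hop your own mail provider recorded was supplied by the sender and can be forged, which is exactly why the hop that accepted the connection is the one worth reading.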
Of course, regular Naked Security readers would hopefully never click on a link in an unsolicited email purporting to come from Facebook. Or, at the very least, would have some alarm bells ring and be able to tell that they had reached a *fake* Facebook login page.
For a bit of fun, here is a screenshot of a Facebook phishing webpage. Would you and your friends be able to see why this page is clearly bogus?
Find out the answers to that puzzle here.
Oh, and if you have the time, don’t forget to learn about how you can explain phishing to your grandma with our free Threatsaurus book.
If you’re on Facebook and want to learn more about spam, malware, scams and other threats, you should join the Sophos Facebook page where we have a thriving community of over 180,000 people.
Hat-tip: Naked Security reader Michael Johnson
"955 million users" Is that with or without the 83 million fake profiles?
Maybe JOK3R, they are using 'hits' versus unique visitors 🙂
I imagine that not only are there fake profiles, many profiles were started and abandoned by people who realized they don't need to be a Facebook member to be popular by sheer number of friends. There are those set up by spammers, shysters, and others of similar ilk.
There are many choices on the Internet where one can expose themselves. FB is just one of them. Just how many of that magic number of members read and heed remains a mystery.
The new Facebook phishing policy seems to apply to your Facebook e-mail or to your regular e-mail. I haven't noticed any phishing e-mail from Facebook in those places. Where most of my phishing scams appear is in my News Feed, not in any e-mails. Other than the usual report post option, I haven't seen the new phish@fb.com option in my News Feed.
Yes, a lot of times scams appear in Facebook itself, not in traditional email, so cannot be forwarded using the same mechanism.
But there are ‘traditional’ Facebook email phishing scams too.
Hi
I have received an email from a genuine Facebook "friend", that even says FOR DAVE (my name, btw). This person has never emailed me before, nor me them, so it could only have come from Facebook?
If I hover over the sender's name, it clearly isn't the actual "friend".
I have since received another such email, same subject FOR DAVE, but from my mother-in-law (or at least disguised as her), who is now crapping herself thinking she has a virus.
Do the Facebook friends have viruses that are allowing this to happen?
Thanks in advance
What would you like to see Facebook Security do next?
Other sites have had phishing forwarding addresses for years. I am pretty upset that it took Facebook this long to get a clue.
Someone is impersonating my friend's accounts both on Facebook and Yahoo. The impersonator has denied my friend access to both accounts. Please, what is the way out? Meanwhile I blocked my friend on Facebook.
It would be nice if they gave us the ability to block/delete/report the property who have pages to build up likes for random crap. It’s just blatant spam. Their pages appear as any other personal Page, but if you try to block or delete you get a red error message saying the blocking system is overloaded right now and to try later.
The fake Facebook page is very well done. Aside from the address in the menu bar, the lack of the https tag and the wrong year in the copyright, it is incredibly close to the real thing. Most of us do not spend enough time on the Facebook login page to pay attention to whether it says “Forgotten” or “Forgot” or which items are on the bottom bar.
Just pay attention to the web address in the address bar.
facebook security ??!!?? is that a joke ?? Piece of trash has no security and reporting anything to these fools is a complete waste of time !!! Unless its going to put cash in Zuckerburgs pockets it will be ignored, period !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
“I haven’t seen the new phish@fb.com option in my News Feed.”
I autologin from links, is that wrong? (That is to say, if I get, say, as I did today, a message from Twitter that I got a message, just click here, I copypaste the url into the awesome bar and get logged in automatically.)
Thumbs Up, Sophos ! Love your work.
Maybe Facebook should apologize instead of Blizzard. Hey, what about Google. We can’t live without any of them anymore. They all hold the weak or broken locks to all of our lives.
Facebook behaves like a scam themselves, therefore they must be a scam! Reminds me of people with a basic command of the English language who can't communicate with their "Admin", if it exists, try as you might! They suck; better to delete your FB profile than put your personal details in a scam website like Facebook. I JUST DON'T TRUST FACEBOOK.
I recently had an email sent to me using Facebook as a scam. How do I report this? I have saved the email.
To me, when I report a “fake account” or “fake name” it means exactly that. Not an abandoned account. Today 1/09/2020 I have reported at least a dozen accounts and they say it doesn’t go against FB standards and say all I can do is block them. That defeats the purpose, because if I block them that keeps them far from me but doesn’t help the next person who encounters them. So what is the point in reporting these? All of these accounts are obviously fake. I will not report this to assist FB if I am not being paid to do so. Their job is to find these accounts, not for us to locate them. That is a lot of work! I learned in People You May Know that at least half of them are fake accounts; it even shows in black and white where to go and shows the link to click on. If that isn’t a fake account and phish scam, you tell me what is? It has been a really annoying day for me to continue to report these and to only receive a dozen notifications claiming they do not go against FB’s community standards. Hire me to find these accounts and I will show your team just how easy it is when you make them come to you.