Phishing scams that try to trick you into putting your real password into a fake site have been around for decades.
Precautions such as using a password manager and turning on two-factor authentication (2FA) can help to protect you against phishing mishaps.
Unfortunately, these precautions can’t immunize you completely against phishing attacks, and cybercriminals are getting better and better at tricking innocent users into handing over both their passwords and their 2FA codes at the same time, as part of the same attack…
…at which point the crooks immediately try to use the combination of username + password + one-time code they just got hold of, in the hope of logging in quickly enough to get into your account before you realize there’s anything phishy going on.
Even worse, the crooks will often aim to create what we like to call a “soft dismount,” meaning that they create a believable visual conclusion to their phishing expedition.
This often makes it look as though the activity that you just “approved” by entering your password and 2FA code (such as contesting a complaint or cancelling an order) has completed correctly, and therefore no further action is necessary on your part.
Thus the attackers not only get into your account, but also leave you feeling unsuspicious and unlikely to follow up to see if your account really has been hijacked.
Now “prove” yourself
At this point, you need to provide some proof that you are indeed the owner of the account.
As you can see, the likely result for anyone who got sucked into this scam in the first place is that they’ll give the scammers a full five-minute window during which the attackers can try logging into their account and taking it over.
The end of the scam is perhaps the least convincing part, but it nevertheless serves to shift you automatically off the scammy site and to land you back somewhere entirely genuine, namely Facebook’s official Help Center:
What to do?
Even if you aren’t a particularly serious social media user, and even if you operate under a pseudonym that doesn’t obviously and publicly link back to your real-life identity, your online accounts are valuable to cybercriminals.
Simply put, by letting cybercriminals into your social media account, you ultimately put not just yourself but also your friends and family, and even everyone else on the platform, at risk.
Remember, with Black Friday and Cyber Monday coming up this weekend, you’ll probably be receiving lots of genuine offers, plenty of fraudulent ones, and any number of well-meant warnings about how to improve your cybersecurity specifically for this time of year…
…but please keep in mind that cybersecurity is something to take seriously all year round: start yesterday, do it today, and keep it up tomorrow!