- What Are Facebook Phishing Emails?
- Red Flags of Facebook Email Scams
- How to Protect Yourself from Suspicious Emails
- Fallen for a Facebook Phishing Email?
- Frequently Asked Questions
If you receive an email that asks you to log into your Facebook account, be on the lookout for red flags, like:
- Misspellings and grammatical issues
- A sender's address that doesn't match Facebook's official email address
- A Facebook logo that doesn't look quite right
- Suspicious links to non-Facebook websites
These are all signs of phishing attacks that can lead to your Facebook account being compromised and your identity being stolen.
What Are Facebook Phishing Emails?
The goal of Facebook phishing emails is to take over your Facebook account, whether to target other Facebook users (i.e., your friends) with further scams or to access your sensitive information.
Sometimes, it may start as an email that appears to come from someone you know or trust. Some scammers like to make it look like you're getting an email from a friendly or reliable source to get you to drop your guard.
Here's how the scam works.
You Get an Email from "Facebook"
You receive an email that looks like it comes from Facebook but doesn't. It may use the Facebook logo and look like the real deal. The email directs you to log into your Facebook account to:
- Read an important message
- Secure your account
- Save your messages
In some cases, scammers will threaten you to get you to act quickly and without thinking. For example, they may threaten to delete all of your messages (citing your inactivity on the platform) unless you log in.
Example Email from Scammer
A user just logged into your Facebook account from a new device iphone 11 pro. We are sending you this email to verify it's really you.
>> Report the user
>> Yes, me
The Facebook Team
In the following example, the scammers use fear tactics to get you to call the scam phone number, but you can spot some red flags:
- The sender's email address: although the display name says "Facebook," the email comes from an @facebookhelpline.org address, which isn't an official Facebook address.
- A few typos (e.g., extra spaces, unnecessary capitalization, misspellings) that you wouldn't see in a legitimate Facebook email.
In the following example, the Facebook phishing email looks legitimate. In this case, check the sender's email address to ensure it's from an @facebookmail.com address, and check that the link goes to a facebook.com URL before clicking on it.
You Click a Link to "Go to Facebook" or "Log In"
After you click the link in the scam email, you land on a website that's not Facebook.com. However, it's designed to look like the real Facebook site, so you may not realize it's a fake. Here, you will be asked to enter your login credentials. (Sometimes, the scammer will provide a phone number for you to call.)
Check the Link Before You Click
It's important to carefully check the URL of any link you click on within an email. Don't click on any links that don't take you to Facebook.com. These phishing attacks are designed to steal your information, not take you to Facebook.
Not all is lost immediately if you click on the link in the email. You'll likely be sent to a page like the example below, which looks almost exactly like the actual Facebook login page. When you get to this point, you must check the URL to make sure you're on the real Facebook website.
After entering your login credentials, the scammer can then use them to log in to your Facebook account, make changes, steal information, or pretend to be you.
The first thing some attackers will do is change your password so you can't log in yourself. This buys them some time so they can try to take information, modify information in your account, or impersonate you.
The Scammer Steals Your Identity
With access to your Facebook account, the scammer can send messages to your connections containing phishing links or even viruses and malware. Since the messages are coming from you, your friends won't be cautious since they trust you and aren't suspicious of the messages sent from your account.
Once You Know Your FB Account is Compromised, Inform Your Friends
If you've lost access to your Facebook account, you should warn your FB friends not to trust any messages or posts from your account.
If you use the same password on Facebook as you do with other accounts, the hacker will also be able to access those. This can include your bank accounts, emails, and other social media profiles. This is why it's essential to use different passwords for each of your accounts—that way, if one account is compromised, your other accounts are still safe. A password manager can help you create strong and unique passwords and store them, so you don't have to remember them all.
Red Flags of Facebook Email Scams
When you receive an email from Facebook, look for tell-tale signs of a scam. Some of the most common red flags include:
- An email from a non-Facebook email (i.e., doesn't come from an @facebook.com or @facebookmail.com address)
- Typos, grammatical errors, and spelling mistakes
- Weird spacing within the copy and design
- A request for your Facebook login credentials
- A link to a non-Facebook page (e.g., not Facebook.com)
How to Protect Yourself from Suspicious Emails
There are a few different ways to beat and avoid phishing scams.
If you receive suspicious emails, you should:
- Never click on Facebook links sent to you via email. Instead, log into your account directly via the Facebook app or by typing the URL into your browser.
- Always check the URL to ensure you're on a legitimate Facebook page. If the URL doesn't include "facebook.com," do not enter any information.
- Don't trust Facebook emails that don't come from "[email protected]."
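As an added illustration (not code from the article or from Facebook), here is a small Python check that applies the sender-address and link rules above to a few constructed sample emails. The allowlist of official sender domains (facebook.com and facebookmail.com) is taken from the article and assumed complete; the sample From: headers and URLs are constructed for the example. One caveat the code makes explicit: a link's host must be facebook.com or a subdomain of it, and merely containing the text "facebook.com" is not enough, because a host such as facebook.com.example.net would pass a substring test.

```python
"""Added example (not from the article): check an email's sender domain and
link hosts against the official Facebook domains the article names."""
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the article names as official senders (assumption: the list is complete).
OFFICIAL_SENDER_DOMAINS = {"facebook.com", "facebookmail.com"}
# Links in a legitimate email should land on facebook.com or one of its subdomains.
OFFICIAL_LINK_DOMAIN = "facebook.com"


def _host_under(host, domain):
    """True if host is exactly `domain` or a subdomain of it.

    A plain substring test ("facebook.com" in url) would also accept
    facebook.com.example.net, so compare on label boundaries instead.
    """
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def sender_domain(from_header):
    """Return the domain of the real address in a From: header, ignoring the
    display name (which a scammer can set to anything, e.g. "Facebook")."""
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def is_official_sender(from_header):
    """Exact match against the article's official sender domains."""
    return sender_domain(from_header) in OFFICIAL_SENDER_DOMAINS


def is_official_link(url):
    """True only when the URL's host is facebook.com or a subdomain of it."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False  # bare "facebook.com/..." without a scheme, mailto:, etc.
    return _host_under(parts.hostname, OFFICIAL_LINK_DOMAIN)


def check_email(from_header, links):
    """Summarise the two red flags the article describes for one email."""
    return {
        "official_sender": is_official_sender(from_header),
        "unofficial_links": [u for u in links if not is_official_link(u)],
    }


# Constructed sample emails (not real messages), modelled on the article's examples.
SAMPLES = {
    "genuine-looking": (
        "Facebook <notification@facebookmail.com>",
        ["https://www.facebook.com/login"],
    ),
    "helpline-scam": (
        '"Facebook Support" <support@facebookhelpline.org>',
        ["https://facebook.com.account-verify.example/login"],
    ),
    "display-name-spoof": (
        '"security@facebookmail.com" <alerts@mail.example>',
        ["https://mail.example/?next=https://facebook.com"],
    ),
}

if __name__ == "__main__":
    for label, (from_header, links) in SAMPLES.items():
        print(label, check_email(from_header, links))
```

Running the block prints one result per sample: only the first sample passes both checks, the second fails on the sender domain and on a link whose host merely starts with "facebook.com", and the third fails because the display name, not the actual address, is what carries the Facebook domain.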
Fallen for a Facebook Phishing Email?
If you've fallen for this scam, you should quickly lock the scammer out of your Facebook account and prevent further damage.
Change Your Facebook Password
If you think you've been phished, you should first log into your Facebook account and change your password. Switch it to something tough to guess, preferably something entirely unlike your previous one. If you can change your password, you have regained control of your account.
If you use the same password for any of your other accounts, change those immediately.
Check Your Account for Changes
You will want to check your Facebook account for any activity that you didn't perform, such as:
- Status updates
- Profile information
- Comments on posts, pictures, and other content
- Sent messages
To view your Facebook activity log:
- Click the small down arrow in the upper right of Facebook.
- Choose Settings & Privacy, then Activity Log.
- Filter your activity by date to see if there was any activity since you last logged in. Then delete any unwanted posts, likes, comments, connections, or profile information.
Also, if you use Facebook advertising, you should check your advertising account. The attacker may have launched a campaign that benefits a company other than yours.
You will also want to go into your app settings by clicking the icon with the three lines in the top corner of Facebook and log out of any devices you don't physically have in front of you.
If You Can't Log In, You Can Recover Your Account
To recover your account, follow Facebook's online recovery instructions. Find the account you want to recover, and then reset your password.
Report the Scam
Report any emails that look strange or like a scam to [email protected]. This will help Facebook address future attacks and protect other users.
Additionally, you can report the scam to the authorities (e.g., the Federal Trade Commission and the FBI).