PSA: Facebook page admins, beware of this elaborate scam

Having a social media presence is important these days especially when it’s one of the main channels of reaching your customers or community. Losing your Facebook page due to policy violations is something that should be taken seriously and it appears that scammers are now using an elaborate tactic to trick Facebook page admins into giving away their login credentials. If you are managing several Facebook pages, this is something you should take note.

Recently, we’ve received an email claiming that our Facebook page has violated one of more of Facebook Page’s terms. Without providing much information on the actual “violation”, the email directs you to a Facebook URL where you can supposedly file an appeal.

As shown above, the email was sent from a different domain name although it is signed off as “Facebook Support”. If you click on the link, it goes to a Facebook page which carries the same message. For the initiated, this looks legit but this is actually a Facebook “Notes” page which anyone can create from a Facebook page.

What’s scary is that they can disguise a URL which links to another location. As shown below, the supposed link to file an appeal, actually links to a bit.ly URL instead of an official Facebook page.

If you click through, it lands on a different website that pretends to be a Facebook page. The page which has a typical Facebook Help Centre interface shows an “Appeal Page Policy Violation” form which will requires you to provide your email address, page URL and your password.

This is obviously a scam to trick users into passing over their Facebook login information. If you provide your email and password through these fake forms, the attacker could hijack your Facebook account and pages. Once they have control, they can misuse your account to scam your contacts and followers.

If you’re a Facebook page owner, we would want to remind you to be aware of such phishing tactics. Always check on the Facebook platform itself instead of clicking on a link from an email or other channels outside of Facebook.

To prevent the scammers from targeting other victims, you can do your part by reporting the email or the Facebook page for scam or misleading activities. If you’re using Gmail, you can report the email as a Phishing Message for their internal review.

How to avoid getting scammed?

1. Always double check the source of the message
   The first indicator is to check where the message is from. If you’re notified by email, make sure it is genuinely from the platform itself (e.g. facebook.com) and not some other email addresses. Alternatively, you can clarify with the platform through the official support channels.
   
   In the case of Facebook, they would usually notify you of any errors or violations on the Facebook platform itself. Similarly, on YouTube, there will warn you of any copyright or violations via YouTube Studio.
   
2. Verify the URL
   Sometimes looks can be deceiving. Although the displayed URL looks legit, you can mouse over to see if it is linked to a different page. Even if you accidentally clicked on it, do look at the URL bar to notice any changes in the domain name. Like the example given above, the supposed Facebook.com link goes to a random ngrok.io URL.
   
3. Look out for verified badges and labels
   This tip is important to detect scam promos by pages that pretend to be from genuine brands. This include fake KFC pages which promises to offer free vouchers or meal when you join a survey. At first glance, it is hard to tell because these fake pages have ripped off same official images from the official site.
   
   Before you proceed, do take a look at the actual Facebook page and see when it’s created and whether it has the verified blue tick. In most cases, the scam pages are created recently and it has hardly any followers.

Related reading