Beware! Facebook accounts being hijacked via Messenger prize phishing chats

Facebook users are being warned of a phishing campaign that tries to break into accounts, disguised as a Facebook Messenger chat from a friend.

Finland's National Cyber Security Centre (NCSC-FI) has raised the alarm about an active campaign seen in the country, but presumably equally capable of working elsewhere in the world, where Facebook users are duped into handing over credentials that would allow a complete stranger to break into their account.

The attack works like this:

• The intended target receives a message from a friend via Facebook Messenger.  The friend asks for the target's phone number. Unbeknownst to the targeted user, it is not their real friend who are communicating with them via Messenger, but someone who has hijacked their friend's account.
• The "friend" tells the target that they need their phone number to enter them into a lottery contest or prize draw, and that a verification code will be sent to the phone number's owner via SMS.
• The "friend" asks for the code.
• The phone number and authentication code is enough for the so-called "friend" to log into the targeted user's account, and change the password and associated email address.
• Now able to pose convincingly as the targeted user, the "friend" attempts to scam friends of the targeted user - and so it continues...

In some cases, according to NCSC-FI, the scam has extended to request credit card or banking information with the pretence that it will help transfer a prize payment into the victim's account.

In a screenshot shared by NCSC-FI, messages are shown coming from an attacker which ask for a mobile number to enter a competition, and to expect a verification code to be sent via SMS.  A minute later, the attacker says that an 8,100 Euros prize has been won by the pair, and that the code is required to receive the funds.

So what's the advice?  I'm afraid you may not like it: you shouldn't trust Facebook messages from anyone, including people you know.  Because whenever you receive a message, you cannot be sure that it really was from the person who claims to have sent it - all you might know (and this isn't even always the case) is that it was their account that sent the message.

So, if someone says something to you that is out of character, or asks you to do something or for personal information that they wouldn't normally request, then treat the communication with suspicion.  Maybe make contact with the person you believe is contacting you via a different method to seek reassurance that it is who you think it is who is contacting you.

And if someone asks you to forward a security verification code you should always refuse.

Although these particular attacks have been reported as occurring in Finland, there is no technical reason why they couldn't be taking place in other parts of the world, and using different languages.

On occasion, users have fallen into a false sense of security when being scammed in their own language because they are so used to phishers and identity thieves concentrating on major languages such as English.