I got this in my inbox today and was compelled to warn others about this.  It looks like a legitimate Facebook friend request email, but when you look a little closer, it’s anything but legitimate. It’s a wolf in sheep’s clothing; a phishing scam disguised as a legitimate Facebook friend request.

facebook phishing scam example

OK, it’s not truly “new” but it is important enough to warn others about.

First of all, what is a phishing scam?  Wikipedia’s article on Phishing describes it well:

Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing is typically carried out by e-mail spoofing or instant messaging,[1] and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is an example of social engineering techniques used to deceive users,[2] and exploits the poor usability of current web security technologies.[3] Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures.

A phishing technique was described in detail in 1987, and (according to its creator) the first recorded use of the term “phishing” was made in 1995. The term is a variant of fishing,[4] probably influenced by phreaking,[5] [6] and alludes to “baits” used in hopes that the potential victim will “bite” by clicking a malicious link or opening a malicious attachment, in which case their financial information and passwords may then be stolen.

The first thing that tipped me off was the “From” email address: an AOL.com email.  Facebook will only use Facebook email to send you requests and notifications – never something that just anyone can set up, such as an Aol, Yahoo, gmail or hotmail address. So that’s the first sign this was a Facebook phishing scam.

That was a dead giveaway, then I decided to blog about this and looked a little further to share additional information to help keep you safe online.  Whenever you want to see where a link goes, you can just rest your cursor (mouseover) the link and it will show you what URL the link goes to.  Sometimes, usually in a browser, it will show it in the bottom bar of the browser on the left side.  In this case, within Outlook, it shows the URL near the link itself.

Facebook phishing scam

As you can see, that is most definitely NOT a Facebook.com link.

So what would happen if you clicked on the link? Well, I didn’t click on it because I know better, but I’m guessing that it would most likely take you to a page that looked like a Facebook login page, and when you enter your user name and password it probably just captures the information and they have control of your Facebook account.

Alternatively, it could be something more malicious than that – they could hijack your browser, install some sort of malicious virus or other malware, or who knows what?

So surf safely.  Only accept friend requests (…etc.) from within Facebook.

Avoid Facebook phishing scams, and others as well.  These Phishing attempts are not limited to just Facebook – they masquerade as legitimate emails from LinkedIn, your bank, credit reporting services, and many, many more. Some will ask you for your social security number and other information that the thieves can then use to steal your identity.  Scary stuff.