We have a very active Facebook media effort for our page:
facebook.com/HawaiiChee. We partner with many content creators, so the message was very plausible.
What made the phishing attempt realistic?
The URL provided in the main call-to-action link went to the official Facebook site. That was probably the only part of the email that I read super-carefully. Normally, a slightly misspelled URL is a tip-off to a scam site.
There were no other typos in the email. So, the first part of the phishing attempt worked. It got me to click on the URL. Normally, that’s a pretty bad mistake already, but I knew I was going to the official Facebook site, so how bad can that be?
I very quickly skimmed the content on the left side of the Facebook page. HTTPS to Facebook. Must be legit, right?
Nothing jumped out at me, but, to be honest, my skimming was quick enough that I started to fill out the form.
I stopped just short of putting in my Facebook password. Why would Facebook be asking for my password again? This did not make sense. Wait, and what about this grammar error “We made abble this form for”?
Heart racing, I double checked again. It’s the real FB site. What is going on?
Hey, there are more typos on this form. There weren’t, however, any on the email. I guess the hackers only spell and grammar check emails!
BINGO! This is a SCAM!
I noticed the “From” did have a typo in the domain name:
“firstname.lastname@example.org.” Notice, there’s no “e” in the “facebook”!
I was on the verge of putting in my FB password!
I went back and double checked the email. Yes, all real Facebook links. The ONLY surefire clue on the email was the misspelled “From” domain name. I bet that is why Google threw this in my spam folder originally.
I forwarded the email to email@example.com. However, I didn’t get any reply. I hope they track the scammers down!
And today, I got the same hack attempt again! But no stress today.
Tips for You to Avoid Getting Hacked
I hope this article might help you avoid getting hacked. The most essential bits of advice I can give you are:
Turn on Two-Factor Authentication (2FA) for sites that offer it, like Google, Facebook, Github, etc.
Use a password manager like LastPass.com or 1Password.com.
Double and triple check the “From” email address domain and the links, and don’t click on links unless you’re sure they are legit.
Scammers for some reason don’t spell and grammar check, so look out for that!
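The “From” domain check above can be automated. Here is an added example (my own illustration, not code from the original post or from Facebook) that parses a From: header, flags a domain that is one or two typos away from a known brand domain, and also flags a display name that claims a brand while the address comes from somewhere else. The trusted-domain list, the distance threshold, and the sample headers are assumptions constructed for this example.

```python
import re
from email.utils import parseaddr

# Assumed trusted sender domains; curate this list for the brands you deal with.
KNOWN_DOMAINS = {"facebook.com", "google.com", "github.com"}

def levenshtein(a: str, b: str) -> int:
    """Edit distance: fewest single-character inserts, deletes or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header: str) -> str:
    """Lower-cased domain part of the address in a From: header ('' if none)."""
    _name, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def classify_sender(from_header: str, max_distance: int = 2) -> str:
    """'trusted' for an exact known domain, 'lookalike' for a near miss, else 'unknown'."""
    domain = sender_domain(from_header)
    if not domain:
        return "unknown"
    if domain in KNOWN_DOMAINS:
        return "trusted"
    for known in KNOWN_DOMAINS:
        if 0 < levenshtein(domain, known) <= max_distance:
            return "lookalike"  # e.g. a missing letter, as in the post
    return "unknown"

def display_name_claims_brand(from_header: str) -> bool:
    """True if the display name contains a known brand word (e.g. 'Facebook')."""
    name, _addr = parseaddr(from_header)
    words = set(re.findall(r"[a-z]+", name.lower()))
    return any(d.split(".")[0] in words for d in KNOWN_DOMAINS)

def is_suspicious(from_header: str) -> bool:
    """Flag lookalike domains and brand names paired with a non-trusted domain."""
    verdict = classify_sender(from_header)
    return verdict == "lookalike" or (verdict != "trusted" and display_name_claims_brand(from_header))

# Constructed sample headers mirroring the incident described in the post.
SAMPLE_HEADERS = {
    "legit": "Facebook <notification@facebook.com>",
    "missing_e": "Facebook <notification@facbook.com>",
    "brand_name_only": "Facebook Partnerships <partner@example.org>",
    "unrelated": "Bob <bob@example.org>",
}
```

Real brands often send from several domains, so an 'unknown' verdict means "verify by hand", not "malicious".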
If this article helped you, please consider how you can help me:
Check out hawaiichee.com if you’re considering looking for a vacation rental in Hawaii.