Scams can be found anywhere, and Facebook is no exception. And, with the holiday season just around the corner, and the world still weathering a pandemic, it pays to know what Facebook scams you, those close to you, and those you have professional relationships with could potentially encounter.

We’ll look at those that pose a notable risk to either your banking account or your personal information in this two-part series.

"How do I scam thee, let me count the ways"

Plain, ol' data mining schemes

According to Vade Secure, a company specializing in email defense, Facebook ranks second in its list of most impersonated brands in phishing campaigns, which it details more in its annual Phishers’ Favorites Q1 2020 report.

Facebook phishing campaigns can take many forms—including Facebook apps and SMS messages—and can come via many avenues. It could be a link on Messenger from a connection or stranger, an email asking you to verify your “legal ownership” of your Facebook account, or a simple public post designed to either entice or scare recipients to act, which usually involves the handing over of data.

Take, for example, a campaign where recipients are told their account has been reported for abuse, thus in violation of Facebook’s standards. This is then coupled with a link to a page that tells users to enter their credentials to prove that the account in question is theirs.

If you look really close, it doesn’t make any sense for Facebook (supposedly) to alert you of a potential rules violation, and then ask for an account verification. (Courtesy of Vade Security)

One thing to keep in mind is that when it comes to phishing campaigns on Facebook, it doesn’t matter whether it first appeared 10 years ago or 10 days ago. We see similarities in past and present campaigns because phishers find them effective against users as they continue to fall for the same tricks.

Here’s a tip: If you find it difficult to spot a phishing attempt, a password manager could help you by not automatically pre-filling credentials on sites you know it’s supposed to pre-fill. Once this happens, report this to your password manager support team so they can investigate. Meanwhile, avoid manually entering information to the site that your password manager refuses to pre-fill, as it might likely be a phishing page.

Scam ad campaigns

Although this may sound new to the average consumer, those who have established an online business presence on Facebook are quite familiar with scam ad campaigns.

Scam ads are, essentially, false or fake ads designed to reel people in to con them out of their money. This type of campaign has made Facebook their home by hijacking business, community, or “public figure” accounts and buying ad campaigns to run.

Hackers and fraudsters particularly target Facebook accounts that can run ads as everything is already set up for them to use and abuse. And while some cybercriminals deliberately create and leave Facebook accounts to “mature” over time—we’re talking about years here—before they get sold, most scammers just couldn’t wait that long.

Why do they do this? Because Facebook’s system is on the lookout for scammery involving new accounts. Leaving accounts to mature is a way to circumvent the system.

Running scam ads can net fraudsters huge sums of money, even if they only run for a few hours before getting shut down. In fact, a few hours are all they need to see a return on their investment of time and effort.

Last year, Henry Lau, co-founder of Privolta, a company that specializes in privacy focused ads, had his Facebook ads account compromised by hackers via a third-party, who then used it to run a 13-second video campaign of a red toy wagon that was seen by Facebook users in Australia, North America, and Mexico. Interested users who clicked it were taken to a sale site with card skimmer code embedded in it.

The Facebook ad of a red toy wagon for children, which is actually a fake item, had reached more than 60,000 people on Facebook before it was shut down. (Courtesy of CNET)

Although Facebook had raised a red flag on his account when the fraudsters set a campaign budget of 10,000 USD, the social network didn’t notify Lau and allowed the campaign to play out anyway. Wilson said that Facebook’s model is "approve first, ask questions later".

On the radar: After compromising and installing ransomware on the systems of Campari Group, a well-known Italian beverage maker, the Ragnar Locker ransomware group took to Facebook’s ad campaigns to further pressure the company. The account the group used to run the ad campaign belongs to a deejay based in Chicago. Read more about it in this KrebsOnSecurity post.

Live stream and music festival scam

The current pandemic has pretty much made every form of contact with the outside world virtual—including attending concerts. Yes, live stream concerts are indeed a thing today, but unfortunately, concert tickets scams that have plagued such music gatherings have evolved with the times, too.

There are several types of this scam that have been observed in the wild. According to Celebrity Access, fraudsters have set up several Facebook pages with a list of fake live streaming events to come. This, apparently, is a front for a phishing campaign as those who are interested in attending these streams would have to register with their PII.

This is a Facebook page that lists fake upcoming events. To register, interested fans are asked to hand over their personally identifiable information (PII). (Courtesy of Celebrity Access)

Another flavor of the live stream scam involves fake donation links. Since local musicians have migrated their live performance events online, cybercriminals have bombarded their official pages with fraudulent links in the hope of directing stream attendees to a site where fans are asked for "donations". This was what happened to Steve Lucky & the Rhumba Bums featuring Carmen Getit, popular mainstays in the Bay Area music scene, when they announced a Saturday live stream in April.

Several music festivals in the UK were also victims of scammers who employ similar tactics. Kevin Tate, the Festival & Events UK editor, has uncovered nearly a hundred fraudulent links to legitimate events, such as the Reading and Leeds Festivals, the Love Saves the Day Festival in Bristol, and the Noisily Festival. These links, Tate said, were created a few days before the event, and charges interested parties with varying amounts to view content that is, essentially, free.

Fake concert ads are also pushed out via ad campaigns on Facebook.

PayPal fund transfer scam

Facebook Messenger is no stranger to messages containing a copious level of fakery. From across the pond, county police in North West England issued a warning in August about a spate of messages sent via Facebook from accounts that were believed to have been hijacked by hackers.

According to detectives, once scammers take over a legitimate Facebook account, they then proceed to contact friends and family of the account owner, asking them to receive payment from a buyer for an item—usually a camera, based on collected reports—they have purportedly sold on eBay.

They then claim they couldn’t receive the payment themselves because their PayPal account isn’t working, or they don’t have one. They instruct the family or friend that once they receive the cash into their own PayPal account, they are to transfer it to their own bank account before forwarding it to an account controlled by the fraudster.

After the family member or friend arranges a money transfer from their bank account to the scammer’s, the scammer then reverses the PayPal transaction. So no money reaches the family member or friend’s PayPal account, and they have just knowingly given part of their savings to fraudsters.

In part 2, we’ll be moving forward with our list and include tips on how to keep yourself and your loved ones safe from these Facebook scams, too. Until then: eyes open, and stay safe!