Don’t Click the Link: Avoid this phishing scam!

Sep 13, 2023 | Need to Know, Oh Snap! News, Social Media, Social Media Engagement

The other night I was noshing on nachos and catching up on Only Murders in the Building when I got a weird email from Facebook.

“417392 is your Facebook account recovery code,” read the subject line. Ack! Anyone who’s been on the socials for long enough has received an email like this – it usually means that someone has been trying to get into your account.

This email looked super legit: it was all in Facebook/Meta branding, purportedly came from the email address <security@facebookmail.com>, and followed the typical format of these kinds of security emails. There was even a big blue button saying “Change password”, which is typically what you want to do when you get an email like this.

Then my husband got the same email. And a whole bunch of my clients started texting me freaking out because they’d got them too and were worried that their accounts had somehow been compromised.

The good news is that this email is what’s called a “phishing” scam, and your account is safe! 

UNLESS YOU CLICKED ON THE LINK IN THE EMAIL. FRIENDS, HEAR ME WHEN I SAY: DO NOT CLICK THE LINK!!!

Basically, what happens if you click on the “reset password” link through an email like this is that scammers will use logging software to log the new password that you set for FB – and can use this to break into your account (and others, if you reuse your passwords). This can also happen outside of email, so don’t click on links in text messages or DMs either, especially if they seem to come from your bank! (Big money-saving tip here!)

There are cases when sites will send you a legit password reset email, but that’s ONLY after you’ve requested one. An unsolicited password reset? Generally we’re talking sketchtown. If you’re not 100% sure an email like this is legit, browse over to the website in question instead, and reset your password from there. DON’T click on the email link to get there.

The good thing about FB is that you actually can see whether the site has sent you an email. Go to your FB/Meta homepage, then click the down arrow in the top right corner. Click Settings and Privacy, then Settings. Click Security and Login. Then scroll down to See recent emails from Facebook and click View.

If FB hasn’t sent you an email, then you know for sure the one sitting in your inbox is a scam. You can click “I didn’t do this” or “Secure your account” to give Zuck a heads up that someone is being dodgy. Then you can go back to watching Only Murders secure in your knowledge that you just out-crimed the criminals. 

Argh! I clicked on a phishing link! What now?!

Oof. It happens to the best of us. First things first: money. Make sure that the at-risk account isn’t connected to any kind of financial stuff like bank accounts or credit cards. If it is, call up to get a stop put on any associated accounts, and monitor your statements for any weird stuff. The good news is that your bank is generally pretty good about spotting unusual activity, so they may be ahead of the game. 

If you’ve clicked a dodgy link and someone texts or calls saying they’re from your bank, DO NOT GIVE THEM YOUR PASSWORD OR TWO-FACTOR CODES OVER THE PHONE. Make sure you’re the one calling the bank so that you know you’re actually talking to a legit rep. You need to be in full paranoid mode here!

After you’ve made sure that your bank accounts haven’t been wiped out, go in and reset your passwords on the affected account (and any others where you’re using that same password, which hopefully isn’t any, because you use strong passwords and Google Password Manager, right, right?). Next up, harden your accounts with two-factor authentication, backup phone and email addresses, and an authenticator app. Authenticator apps are generally safer than 2FA codes sent by text message, and you can use the same app for multiple accounts.

Facebook has some helpful walk-throughs on what to do if you suspect you’ve been hacked. You can also check out our post about how to recover your account if you’ve been hacked. Oh, and now might also be a good time to review your app permissions.

If you’re feeling anxious about the security of your accounts, you’ll be happy to know that the Oh Snap! team takes web safety seriously, and that we’re super careful about how and when we access accounts. If you’re looking to work with a team who can help you knock your social media presence out of the park while keeping your security questions top secret, get in touch!