
New Facebook phishing scam looks so convincing it can fool even the most savvy user

Let’s face it, cybercriminals are always on the hunt for your credentials, and they keep coming up with more convincing attacks all the time. The more realistic the scheme, the better chance they have at duping unsuspecting victims.

That’s why you need to stay abreast of the latest ploys floating around so you know what to watch out for. This is something that we keep reminding our dear readers — you always need to be informed about the latest scams.

Now, the latest Facebook phishing scam making the rounds looks so realistic that there's a real chance it could dupe you into handing over your username and password.

Facebook sign-in pop-up is not what it seems

A new Facebook phishing scam was recently spotted, and this new ploy looks so convincing that it's good enough to fool anyone.

Here's what's happening: scammers have started creating realistic clones of Facebook's "Log in With Facebook" pop-up window.

You're probably familiar with these "Log in With Facebook" pop-up windows, right? Tons of third-party websites use them so you can sign in to their services with your Facebook account rather than creating a new account with each of them.

Logging in with Facebook legitimately for every website you use has its own privacy issues (Cambridge Analytica, anyone?), but security researchers from Myki discovered that scammers have started replicating these pop-ups for their phishing schemes too.

Cloning at its finest

How does it work? With clever design and HTML coding, the scammers replicated the Facebook sign-in pop-up in remarkable detail: Facebook's real address, the status bar, the navigation bar, even the shadow effects are all accurately reproduced.

[Image: Fake Facebook login pop-up page]

Then, if you visit a website that carries the malicious code, you'll be shown the fake login prompt and asked to sign in to proceed. On the surface, it looks perfectly legitimate. You can even drag the window around as if it were the real deal.

However, as soon as you enter your Facebook username and password, instead of logging you in with your Facebook account, your information is immediately sent to the phishing scammers. This means that if you don’t have two-factor authentication enabled, they can take over your Facebook account immediately. Yikes!

How to spot the fake Facebook sign-in pop-up

Thankfully, as perfect as it looks, there are still telltale signs that this is a fake.

Here’s a simple trick you can do to spot this fake Facebook sign-in pop-up — try dragging it out of the main browser window.

If you can't, and it stays within the window (part of the pop-up disappears at the edges of the main window), then it's most likely fake, since it's just part of the malicious page. Real sign-in pop-ups from Facebook and Google are rendered as separate browser windows and can be dragged beyond the main browser window.

Another sign that you're looking at a forged Facebook log-in page is that your password manager does not auto-fill it as it normally would. Although the fake pop-up appears to display a legitimate Facebook address, the actual URL the browser is at is not Facebook's, and password managers fill based on that real address, not on what is painted on the screen.
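To show why the password-manager check works, here is an added example (not code from the article, Myki, or any real password manager) that models the decision a manager makes before auto-filling: it compares the origin the browser reports for the page with the origin the credential was saved for, and deliberately ignores any address text the page merely paints on screen. The credential, the third-party host name and the URLs are constructed for the example.

```javascript
// Added example (not from the article): a simplified model of the decision a
// password manager makes before auto-filling a saved login. It trusts only the
// origin the browser reports for the page, never the address text a page paints
// on screen, which is why a pixel-perfect fake pop-up gets no auto-fill.

// Reduce a URL to its origin (scheme + host + port). Rejects non-web schemes.
function originOf(urlString) {
  const u = new URL(urlString);
  if (u.protocol !== "https:" && u.protocol !== "http:") {
    throw new Error(`unsupported scheme: ${u.protocol}`);
  }
  return u.origin; // e.g. "https://www.facebook.com"
}

// Decide whether `saved` (a credential stored for one origin) may be filled on
// the page whose real location is `pageUrl`. `displayedAddress` is whatever
// the page shows as an address bar; it only feeds a warning, never the fill
// decision, because a fake pop-up can paint any string there.
function shouldAutofill(saved, pageUrl, displayedAddress) {
  const pageOrigin = originOf(pageUrl);
  const savedOrigin = originOf(saved.origin);
  const fill = pageOrigin === savedOrigin;

  // The situation the article describes: the painted address claims to be the
  // site the credential belongs to, but the browser says the page is elsewhere.
  let spoofSuspected = false;
  if (!fill && displayedAddress !== undefined) {
    try {
      spoofSuspected = originOf(displayedAddress) === savedOrigin;
    } catch {
      spoofSuspected = false; // unparsable painted text: nothing to compare
    }
  }
  return { fill, pageOrigin, savedOrigin, spoofSuspected };
}

// Constructed sample credential for the real Facebook login origin.
const SAVED_FACEBOOK_LOGIN = {
  origin: "https://www.facebook.com",
  username: "alice@example.com", // constructed, not a real account
};

// A genuine "Log in With Facebook" window: a separate browser window whose
// real location is on facebook.com, so the origins match and auto-fill runs.
const realPopup = shouldAutofill(
  SAVED_FACEBOOK_LOGIN,
  "https://www.facebook.com/login.php?next=%2Fdialog%2Foauth",
  "https://www.facebook.com/login.php",
);

// The cloned pop-up: drawn inside a third-party page (placeholder host name).
// The painted address says facebook.com, but the browser location does not,
// so the manager stays silent and the mismatch is flagged.
const fakePopup = shouldAutofill(
  SAVED_FACEBOOK_LOGIN,
  "https://third-party-site.example/article",
  "https://www.facebook.com/login.php",
);

console.log("real pop-up:", realPopup);
console.log("fake pop-up:", fakePopup);
```

This example uses strict origin equality, so a lookalike host such as `www.facebook.com.login.example` or a plain `http://` downgrade both fail the check. Real password managers usually match on the registrable domain instead (so `m.facebook.com` would also match a credential saved for `www.facebook.com`), but the principle the article relies on is the same: the decision is made on the browser's real location, which the cloned pop-up cannot change.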

Here's a video of the latest Facebook phishing attack in action:

Did you fall for it? Here’s what you need to do next

Do you recognize this latest Facebook phishing scam? If you think you were already victimized by it recently, here’s what you need to do.

1. Log out of all your Facebook sessions

To ensure that no unauthorized parties are logged in to your Facebook account, you can log out of all devices in one click. Here’s how to log out of all your Facebook sessions.

Desktop: Click the upside-down triangle on the top right then click Settings >> “Security and Login.”

Mobile: Go to your profile page by tapping the "hamburger icon" (three horizontal lines) in the lower-right corner of the screen. Scroll down, then tap Settings >> Account Settings >> Security and Login.

Here, there’s a section called “Where You’re Logged In” where you can see all the devices with your active Facebook sessions. To log out of these places all at once, scroll down the list then tap Log Out of All Sessions. This will reset all your current access tokens.

Obviously, you’ll need to log back into each gadget you want to access your Facebook account from.

2. Change your Facebook password

Next, change your Facebook password immediately. To reset your Facebook password, go back to Settings >> Account Settings >> Security and Login, then tap or click Change Password. Note: Make sure it's a unique password so crooks can't use it in password-reuse attacks against your other accounts.

3. Important: Turn on two-factor authentication

Here's another layer of security you can add to your Facebook account: turn on two-factor authentication. In fact, it's such an essential step in online security that you should enable it on every website and service that offers it.

Here's how you do this on Facebook. Stay in Settings >> Account Settings >> Security and Login, then scroll down to Use Two-Factor Authentication. Click Edit, then choose the method you want to use. You can choose either "Text Message" or "Authentication App."
