Wow, I just almost fell for what I now assume was a phishing scam.
It was an email that claimed to be from “Facebook Ads Team”; I didn’t (at first) look at the email address that was attached to that name.
It told me that FB had received complaints about my ad (I’ve been running a FB ad for the Russ book that I just published, Magic Mommas), and that my “advertisement will be disabled” if I didn’t verify my identity and request a review.
So I clicked the button in the email, which took me to a page that said something about my account being locked for copyright violations, and then to a site labeled “Meta Business Help Center.” It asked me for my email address and phone number and various other info, which seemed a little odd but not too far out of the ordinary for corporate hoop-jumping.
So I filled out the form and clicked the Submit button, and then it asked me to sign in. I rolled my eyes and started to enter my password—
—and then the suspicious part of my brain finally woke up and started paying attention.
Do I know for sure that that was a real email? I thought to myself.
At some point, it had said my account was locked. So I went and looked at the FB page for Constellation Press. There was nothing there to indicate that anything was wrong.
Over the next few minutes, I looked at various other things, and found several suspicious aspects. None of these are in themselves a certain indication that the email is phishing, but each of them is a partial signal of something not quite right, and they all add up to smell like a scam.
- The email address that the original mail was from was an outlook dot com address. (But Apple Mail hadn’t shown me the full address in its default interface, so I hadn’t seen that that was the domain it was from.)
- There was a typo in the first line of the email: “Dear, Constellation Press”.
- The email said I didn’t comply with their policies, but the first page it took me to said something specifically about copyright violations, but the next page it took me to was back to talking about policy compliance.
- The page it took me to was hosted at firebaseapp dot com.
- The Meta logo at the upper left of that page wasn’t clickable; I would usually expect that such a logo would take me to a main Meta site. The page had a standard-looking corporate page footer at the bottom, including text that would normally be links (“Get Started”, “About”, etc)—but none of those items were clickable either.
- Both the email and the destination page had low-quality/low-budget design.
- The form asked for info that FB shouldn’t have needed to ask for, such as my email address.
- The form page used the phrase “terms of services” (instead of “terms of service”), and didn’t have a period at the end of a sentence.
The domain names are the really big signals here. And the unclickable links. Everything else could plausibly just be sloppiness on Meta’s part, but I think it’s extremely unlikely that Meta would use Outlook to send support email, and that they would use Firebase to host their support app, and that they would use a version of their page footer where the links weren’t clickable.
I stopped before submitting my password to the scammers, so I think I’m probably safe.
But just in case, I’ve now changed my FB password (it wasn’t the same as any of my other-sites passwords, so I don’t have to change those), and I told FB to sign me out of almost all of the devices that are currently signed in to my account (except for a couple that are very clearly the devices I’m currently using). (And yep, I manually went to the Facebook site to make those changes.)
The scammers already had my CP email address (that’s where they had sent the mail to), and it’s possible that they got my personal email address (but that’s been all over the web for 25+ years now) and my cell phone number (unfortunate, but probably not a big deal). But I don’t think they got anything that will cause me major problems.
But it was a close call. I’m generally really suspicious about this stuff, and I’ve been posting publicly about scam email and such for 25+ years, but this one still got to the point where I was about to give them my password.
I’ll be extra-careful for a while, in case they follow up with even better attempts.