{"id":20832,"date":"2023-10-14T13:35:33","date_gmt":"2023-10-14T20:35:33","guid":{"rendered":"https:\/\/www.kith.org\/jed\/?p=20832"},"modified":"2023-10-14T13:38:48","modified_gmt":"2023-10-14T20:38:48","slug":"nearly-fell-for-a-phishing-scam","status":"publish","type":"post","link":"https:\/\/www.kith.org\/jed\/2023\/10\/14\/nearly-fell-for-a-phishing-scam\/","title":{"rendered":"Nearly fell for a phishing scam"},"content":{"rendered":"\r\n<p>Wow, I just almost fell for what I now assume was a phishing scam.<\/p>\r\n<p>It was an email that claimed to be from \u201cFacebook Ads Team\u201d; I didn\u2019t (at first) look at the email address that was attached to that name.<\/p>\r\n<p>It told me that FB had received complaints about my ad (I\u2019ve been running a FB ad for the Russ book that I just published, <cite><a href=\"https:\/\/constellationpress.com\/catalog\/magic-mommas-trembling-sisters-puritans-perverts\/\">Magic Mommas<\/a><\/cite>), and that my \u201cadvertisement will be disabled\u201d if I didn\u2019t verify my identity and request a review.<\/p>\r\n<p>So I clicked the button in the email, which took me to a page that said something about my account being locked for copyright violations, and then to a site labeled \u201cMeta Business Help Center.\u201d It asked me for my email address and phone number and various other info, which seemed a little odd but not too far out of the ordinary for corporate hoop-jumping.<\/p>\r\n<p>So I filled out the form and clicked the Submit button, and then it asked me to sign in. I rolled my eyes and started to enter my password\u2014<\/p>\r\n<p>\u2014and then the suspicious part of my brain finally woke up and started paying attention.<\/p>\r\n<p><cite>Do I know for sure that that was a real email?<\/cite> I thought to myself.<\/p>\r\n<p>At some point, it had said my account was locked. So I went and looked at the FB page for Constellation Press. 
There was nothing there to indicate that anything was wrong.<\/p>\r\n<p>Over the next few minutes, I looked at various other things, and found several suspicious aspects. None of these are in themselves a certain indication that the email is phishing, but each of them is a partial signal of something not quite right, and they all add up to smell like a scam.<\/p>\r\n<p>Some specifics:<\/p>\r\n<ul>\r\n  <li>The email address that the original mail was from was an outlook dot com address. (But Apple Mail hadn\u2019t shown me the full address in its default interface, so I hadn\u2019t seen that that was the domain it was from.)<\/li>\r\n  <li>There was a typo in the first line of the email: \u201cDear, Constellation Press\u201d.<\/li>\r\n  <li>The email said I didn\u2019t comply with their policies, but the first page it took me to said something specifically about copyright violations, but the next page it took me to was back to talking about policy compliance.<\/li>\r\n  <li>The page it took me to was hosted at firebaseapp dot com.<\/li>\r\n  <li>The Meta logo at the upper left of that page wasn\u2019t clickable; I would usually expect that such a logo would take me to a main Meta site. The page had a standard-looking corporate page footer at the bottom, including text that would normally be links (\u201cGet Started\u201d, \u201cAbout\u201d, etc.)\u2014but none of those items were clickable either.<\/li>\r\n  <li>Both the email and the destination page had low-quality\/low-budget design.<\/li>\r\n  <li>The form asked for info that FB shouldn\u2019t have needed to ask for, such as my email address.<\/li>\r\n  <li>The form page used the phrase \u201cterms of services\u201d (instead of \u201cterms of service\u201d), and didn\u2019t have a period at the end of a sentence.<\/li>\r\n<\/ul>\r\n<p>The domain names are the really big signals here. And the unclickable links. 
Everything else could plausibly just be sloppiness on Meta\u2019s part, but I think it\u2019s extremely unlikely that Meta would use Outlook to send support email, and that they would use Firebase to host their support app, and that they would use a version of their page footer where the links weren\u2019t clickable.<\/p>\r\n<p>I stopped before submitting my password to the scammers, so I think I\u2019m probably safe.<\/p>\r\n<p>But just in case, I\u2019ve now changed my FB password (it wasn\u2019t the same as any of my other-sites passwords, so I don\u2019t have to change those), and I told FB to sign me out of almost all of the devices that are currently signed in to my account (except for a couple that are very clearly the devices I\u2019m currently using). (And yep, I manually went to the Facebook site to make those changes.)<\/p>\r\n<p>The scammers already had my CP email address (that\u2019s where they had sent the mail to), and it\u2019s possible that they got my personal email address (but that\u2019s been all over the web for 25+ years now) and my cell phone number (unfortunate, but probably not a big deal). But I don\u2019t think they got anything that will cause me major problems.<\/p>\r\n<p>But it was a close call. 
I\u2019m generally really suspicious about this stuff, and I\u2019ve been posting publicly about scam email and such for 25+ years, but this one still got to the point where I was about to give them my password.<\/p>\r\n<p>I\u2019ll be extra-careful for a while, in case they follow up with even better attempts.<\/p>\r\n\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":5,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[67],"tags":[],"class_list":["post-20832","post","type-post","status-publish","format-standard","hentry","category-spam"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.kith.org\/jed\/wp-json\/wp\/v2\/posts\/20832","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kith.org\/jed\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kith.org\/jed\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kith.org\/jed\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kith.org\/jed\/wp-json\/wp\/v2\/comments?post=20832"}],"version-history":[{"count":2,"href":"https:\/\/www.kith.org\/jed\/wp-json\/wp\/v2\/posts\/20832\/revisions"}],"predecessor-version":[{"id":20834,"href":"https:\/\/www.kith.org\/jed\/wp-json\/wp\/v2\/posts\/20832\/revisions\/20834"}],"wp:attachment":[{"href":"https:\/\/www.kith.org\/jed\/wp-json\/wp\/v2\/media?parent=20832"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kith.org\/jed\/wp-json\/wp\/v2\/categories?post=20832"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kith.org\/jed\/wp-json\/wp\/v2\/tags?post=20832"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}