Cybercriminals turn Facebook's security features into exploits

Understanding how real-life scam techniques are being applied to hijack your Facebook accounts


At a glance

  • Cybercriminals are exploiting the "forgot password" feature on Facebook to hijack accounts, using only basic tricks derived from real-life scams.

  • The scam involves obtaining your email address or phone number under the pretence of adding you to a contact list, which they then use to initiate a password reset process for your account.

  • Once the scammers have initiated a password reset, they manipulate you into giving them the reset code, which they then use to gain access to your account.

  • Two-Factor Authentication (2FA) can protect your account if enabled, but there have been cases where victims have been tricked into sharing their 2FA codes with scammers, compromising their accounts.

  • The claims that an account can be hacked solely by obtaining a phone number are false. In these instances, victims have unknowingly shared their security codes with scammers. It's crucial to never share your security codes with anyone to maintain your account's security.


Scammers don't need advanced programming or hacking abilities. Basic social-engineering tricks, the same ones used in real-life scams, are all they need to take control of your Facebook account. If you forget your password, Facebook offers a convenient "forgot password" recovery feature. Unfortunately, cybercriminals are now exploiting this feature to steal the Facebook accounts of unsuspecting individuals.

Please exercise caution when someone requests your mobile number or email address with the promise of adding you to their contact list. This could be an attempt to hijack your Facebook account. If you provide your number or email, the scammer's likely modus operandi is as follows (refer to the provided screenshots for further details):

1) The scammer initiates the password reset process by clicking "forgot password" on the Facebook login page. (screenshot 1.jpg)

2) They then enter the email address or mobile number you unwittingly provided. (screenshot 2.jpg)

3) Next, they perform a search by clicking the "search" button. (screenshot 3.jpg)

4) If your account is tied to that email or phone number, the scammer claims ownership by clicking "This is my account". (screenshot 4.jpg)

5) The scammer then opts to receive a reset code via SMS by selecting "Send code via SMS" and clicking "Continue". This is the point where the cybercriminal may contact you under the guise of needing a confirmation code to add you to their contact list. Your account security will be compromised if you fall for this trick and give them the code. (screenshot 5.jpg)

6) Having obtained the code from you, they simply enter this security code. (Remember, it is your security code, so you should never disclose it.) (screenshot 6.jpg)

7) At this stage, they can change your password and gain access to your account. BUT!!! (screenshot 7.jpg)

8) If you have activated Two-Factor Authentication (2FA), your account is safe, provided you do not share the 2FA notification code with the scammer. There have been instances where victims were tricked into sharing their 2FA codes with scammers, resulting in their accounts still being hacked. (screenshot 8.jpg)


There are claims that a scammer obtained only a phone number and yet the Facebook account was hacked. This is NOT true. In these instances, the victims have in fact given their security codes to the scammers, leading to the compromise of their accounts. To maintain your account's security, it is crucial never to share your security codes with anyone else.

Remember, these cybercriminals use a wide range of tactics and constantly evolve their methods to stay one step ahead. From phishing emails to fake login pages, they employ a diverse arsenal of tricks to deceive unsuspecting individuals and seize control of their Facebook accounts. It is essential to remain vigilant and stay informed about these tactics to safeguard your online presence.