⚠️IMPORTANT MESSAGE: de Novo Marketing is telling you to be vigilant when monitoring your social media inboxes and comment sections. Failing to use caution and falling for a social engineering scam may result in the following:

• Complete Loss of Your Business’ Social Media Account
• Unauthorized Access to Sensitive Information
• Compromised Computer and Files
• A Multitude of Additional Scam Messages
• Embarrassment and Regret

BE CAREFUL AND TAKE CAUTION IMMEDIATELY. VISIT THIS LINK TO SPEAK WITH THE PROFESSIONALS. 

If you monitor the social media accounts for your business or organization, you’ll likely have seen alarming messages, similar to the one above. The messages in your inbox typically notify you that you’ve violated a policy and that your account is at risk of permanent deletion. The message will tell you to request a review if this is wrong and prompt you to follow a provided link if you want to have any chance of saving your account. The message is signed with “Meta Platforms,” so it must be legit, right? 

WRONG. You’re being targeted with a social engineering attack, and your page is not actually at any risk UNLESS you fall for the attack itself.

FACT: Facebook will NEVER comment on one of your posts to alert you of anything, including that your account is at risk of deletion. Facebook will also never ask you for your password in an email, comment, or message. 

What is a Social Engineering Attack? 

Social engineering attacks are defined by IBM as “[A]ttacks [that] manipulate people into sharing information they shouldn’t share, downloading software they shouldn’t download, visiting websites they shouldn’t visit, sending money to criminals, or making other mistakes that compromise their personal or organizational security.”

Essentially, a scammer is misrepresenting themselves in order to get you or someone in your organization to provide personal information. Instead of exploiting vulnerabilities in technology, they’re exploiting vulnerabilities in people’s ability to discern between legitimate inquiries and illegitimate and malicious threats.  

Here are some examples of common spam messages to help you understand the type of language and formatting used in these social engineering attempts. 

What is the Scam Trying to Accomplish?

To identify the malicious intent, we decided to follow one of these “Request a Review” links to see where it would take us. We do not recommend doing this yourself; we used an incognito window and activated a VPN to be as careful as possible. The link took us to a form that requested personal information, including the owner of the page, email address, phone number, a question about the country tied to credit/debit cards, and asked if we’d traveled or relocated within the last 60 days.

This scam message is trying to access personal information, likely to bombard our email address with even more scams. Now that they have personal information, they can craft even more specific requests under the guise of legitimacy, with the ultimate goal of eventually extracting money or bank account information.

Another scam we’ve seen through Facebook involves “logging in” through a link provided in the scam message. Rather than logging into Facebook, you’re actually giving a scammer your Facebook account credentials. From there, they can take over your account, change the password, and pretend to be you to scam your followers.

If a page sends you a file, think before clicking on it. We’ve even seen scammers pose as potential customers, sending a file they claim is an image of a product they want to purchase, when it is actually a potentially harmful .rar or .zip file. These files can compromise your device or your account if opened or extracted. 

We recommend never opening a file extension such as .rar, .zip, or .exe unless you know you’re speaking with someone you trust. If you are unsure about a suspicious message, you can click on the profile of the sender. If the user has very few posts that do not seem to be from a genuine user, you’re likely being targeted by a scam account. Err on the side of caution if you’re suspicious about any inquiry.  

Additional Spam & Scams

Illegitimate Reviews 

Fake Facebook reviews are a common form of spam. The vast majority of these reviews will mention how someone has changed their life with cryptocurrency and forex investments. They’ll leave an account, an email, and a number to contact if you’re interested in a similar life-changing opportunity. These spam reviews aim to trick users into getting involved in dangerous financial scams. This is such a common method because Facebook makes it difficult to remove reviews. That makes sense, as businesses shouldn’t be able to remove negative reviews of their business at their own whim; otherwise, businesses would ONLY have positive reviews. Scammers use this to their advantage by leaving sticky reviews. Or, they’ll give you a “recommended” review to entice you to leave the review on your page. The best thing you can do to combat this is report these reviews as spam. Keep in mind that it may take SEVERAL reports before a spammy review is removed. It should go without saying, but you do NOT want these reviews on your page. You want your online presence to remain professional and you want to mitigate the risk of your customers falling victim to a scam. If you’re only receiving spammy reviews, you may consider disabling the reviews feature entirely.

Fake Products

Another unfortunate method scammers may use to trick your followers is selling them products featuring your brand. It's not uncommon to see 20+ comments left on a multitude of previous posts. These comments will tag users who’ve commented on the post, letting them know they’re selling a clothing item with your business logo. Not only are they stealing your brand, they’re trying to sell items with your logo/image AND they’re directly targeting people who have engaged in your comments. The best course of action is to access your inbox within Meta Business Suite, identify the name of the account leaving these comments, search this name, and DELETE all their comments. Simply hiding or marking these comments as spam isn’t enough; delete them so that nobody can access the links and the tagged users won’t be able to see them. 

What You Should Do if You Receive a Suspicious Message

If you receive a message that’s asking you to click on a link or download a file, you should immediately be cautious. Virtually all inquiries you receive from legitimate customers or users who are engaging with your page will NOT ask you to take any sort of action. Here are a couple common red flags:

Typos or Strange Fonts. 

This is likely done to circumvent automated scam protection methods. Typos are a clear sign of illegitimacy, and a verified user will never use a strange font to reach out to you.

Hi, It’s Meta or Facebook (NOT).

If the account reaching out claims to be Meta or Facebook (or whichever social platform you’re using), you should instantly be suspicious. They may have the Meta logo as their profile picture, and their Account Name may be “Meta Business Support,” but this is typically fake.

If you receive a suspicious message, and you’ve decided that it’s a scam or social engineering attack, you should mark this message as “Spam.” Within Facebook’s Inbox Manager, you can click on the octagon with an “!” in the middle to mark the message as spam. This should remove it from your main inbox while letting Facebook know that this message is suspicious. 

How to Set Up a Spam Filter in Facebook Messenger  

Through inbox management in Meta Business Suite (business.facebook.com/latest/inbox), you can set up a filter to automatically flag suspicious messages as spam. This isn’t sure to block only and all spam, but it’s an effective method that can keep your inbox free of spam clutter. Here’s how to create an automation that marks messages as spam when the message contains suspicious phrases and keywords.

At the top of your inbox page, you should see a button for setting up automations that looks like an atom. 

After clicking on this, create an automation from scratch. Click on the blue “Create Automation” button in the upper-right corner, then click on the blue “Start From Scratch” button.

From here, you can name this automation something like “Spam Filter.” Under “Channel” is where you’ll select which inboxes will be using this automation. If your Instagram account is linked to your Facebook page, you should be able to select both your Instagram and Facebook Messenger here.

In this case, we want Facebook to automatically mark messages as spam if they contain suspicious phrases that are unique to most scam messages. 

• Under “When this happens,” you’re specifying what will trigger your automation. 
• For this automation, you’ll select “New message received.” 
• Then, select “add condition.” Enter one of the keywords or phrases you’d like to ban here.
• Make sure you select “Any of the following conditions” above your first condition when this option appears.

From here, you will add an individual condition for each phrase or keyword that you’ve decided will likely come from social engineering attacks, but not interested customers. We’ve included key phrases such as “copyright violation,” “permanent deletion,” and “last warning.”

Once you’ve entered all your keywords, you need to specify the action for the automation to take. In this case, it will be "Action">“Mark as”>"How do you want to manage your thread">“Move to Spam.” Once this is finished, click “Save Changes,” and this new filter should be automatically activated!

You can return to the automation menu later to turn this filter off, or edit it to add or remove other keywords that you’ve identified. See the images below for this setup.

What Real Support Looks Like

A recent interaction we had with someone in Meta’s advertising support department showed what LEGITIMATE support through Messenger can look like. 

Take a look at those screenshots. How can you tell that’s a legitimate message from Meta support? The small gray text that says “We may use your email and phone number to contact you…” and “Claudia has joined the conversation.” Those are bits of text that CANNOT be spoofed by a social engineering scam. You’ll notice that the legitimate Facebook support professional even sent us a link, which can often be suspicious. This link, however, is using the official facebook domain (www.facebook.com) as opposed to a strange third-party web address. Also, we requested and received confirmation that we’d be contacted shortly. This support message was not unsolicited, like most of the spam you may receive.

All This to Say: Be Careful   

It’s more about awareness than fear when it comes to spam.

Remember: be wary of messages that are asking for personal information or prompting you to click on a link or download something. Messages that ask you to take immediate action should be handled using caution. 

When in Doubt, We're Here to Help

Armed with the above information, you’ll be able to identify a spam message, understand how you can filter spam out of your inbox, and know what you should do in the event you receive spam. With that said, we're always here to talk through all things social media—from safeguarding your accounts to leveraging social to help tell your brand's story. 

Ready to discover more? Connect with us and let’s chat.