Have you ever come this close to just accidentally clicking on a phishing link?
We’ve had some surprises, for example when we bought a cell phone from a click and collect store a few years ago.
Having previously lived outside the UK for many years this was our very first purchase from this particular company in well over a decade…
…but the very next morning we received an SMS claiming to be from this very shop telling us that we had overpaid and that a refund was awaiting.
Not only was this our first interaction with Brand X in ages, it was also the very first SMS (real or otherwise) we’ve ever received that mentioned Brand X.
What is the probability of THAT happening?
(Since then we’ve made a few more purchases from X, ironically including another cell phone after realizing that phones don’t always do well in bicycle prangs, and we’ve received several more SMS scam messages targeting X, but none of them has ever seemed quite so credible.)
Let’s do the arithmetic
Annoyingly, if you do the math, the odds of scam-meets-real-life coincidences are surprisingly good.
After all, the chance of guessing the winning numbers in the British lottery (6 numbered balls out of 59) is an almost infinitesimally small 1 in 45 million, calculated by the formula 59C6, or 59 choose 6, which is 59!/(6!(59-6)!), and which comes out as 59×58×57×56×55×54 / (6×5×4×3×2×1) = 45,057,474.
That’s why you have never won the jackpot…
…although quite a lot of people have over the many years it has been running.
In the same way, phishing crooks don’t need to target or trick you in particular, but only to trick someone. And one day, maybe, just maybe, that someone could be you.
We were reminded of this just last night as we sat on the sofa idly reading an article in the trade journal The Register about 2FA scams.
The first surprise was that at the very moment we thought, “Hey, we wrote something like this about two weeks ago,” we reached the part of the El Reg story that not only said exactly that, but linked directly to our own article!
What is the probability of THAT happening?
Of course, any author who says they don’t care whether other people notice their work is almost certainly not to be trusted, and we’re willing to admit (err) that we took a screenshot of the relevant paragraph and emailed it to ourselves (“purely for PR documentation purposes” was the explanation we opted for).
Now it gets weirder
This is where the coincidence of coincidences gets even stranger.
After sending the email from our phone to our laptop, we walked less than two meters to the left and sat down in front of said laptop to save the attached image, only to find that during the few seconds we had been on our feet…
…the SAME CROOKS AS BEFORE had sent us a Facebook Pages 2FA scam email containing almost identical text to the previous one:
What is the probability of THAT happening combined with the probability of the prior coincidence that just happened while we were reading the article?
Sadly, given the ease with which cybercriminals can register new domain names, set up new servers, and send millions of emails across the globe…
… the probability is high enough that it would be more surprising if such a coincidence NEVER happened.
Small changes to the scam
Interestingly, these crooks had made modest changes to their scam.
Like last time, they created an HTML email with a clickable link whose text itself looked like a URL, although the actual URL it linked to wasn’t the one that appeared in the text.
However, this time the link you saw when you hovered over the blue text in the email (the actual destination, not the apparent one) really was a link to a URL hosted on the facebook.com domain.
Instead of linking directly from their email to their scam page with its fake password and 2FA prompts, the criminals linked to their own Facebook page, giving them a genuine facebook.com link to use in the email itself:
This one-extra-click-away trick gives the criminals three small benefits:
- The final dodgy link is not directly visible to email filtering software, and will not appear when you hover over the link in your email client.
- The scam link acquires an air of legitimacy by appearing on Facebook itself.
- Clicking on the scam link somehow feels less dangerous because you visit it from your browser instead of going straight there from an email, which we’ve all been taught to be careful about.
We didn’t miss the irony, and we hope you won’t either, that a completely fake Facebook page was set up to berate us for the supposedly poor quality of our own Facebook page!
From this point on, the scam follows exactly the same workflow as the one we wrote last time:
First, you’re asked for your name and other reasonable-sounding items of personal information.
Second, you must confirm your appeal by entering your Facebook password.
Finally, as you might expect when using your password, you’ll be prompted to enter the unique 2FA code your mobile app just generated or received via SMS.
Of course, as you provide each piece of data in the process, the crooks use the phished information to log in in real time as if they were you, so that they end up in your account instead of you.
Last time it took the crooks just 28 minutes to create the fake domain they used in the scam (the link they included in the email itself), which we thought was pretty quick.
It was only 21 minutes this time, although as we mentioned earlier, the fake domain was not used directly in the scam email we received, but was instead placed on an intermediate web page, ironically hosted as a Page on facebook.com itself.
We reported the fake page to Facebook as soon as we found it; the good news is that it has now been taken offline, breaking the connection between the fraudulent email and the fake domain:
What to do?
Don’t fall for such scams.
- Do not use links in emails to reach official “appeal” pages on social media sites. Know where to go and keep a local record (on paper or in your bookmarks) so you never have to use email web links, real or not.
- Check email URLs carefully. A link whose text itself looks like a URL is not necessarily the URL that the link takes you to. To find the true destination, hover over the link (or touch and hold the link on your mobile phone).
- Don’t assume that all Internet addresses with a known domain are somehow secure. Domains like facebook.com, outlook.com or play.google.com are legitimate services, but not everyone who uses these services can be trusted. After all, individual email accounts on a webmail server, pages on a social media platform, or apps in an online software store are all hosted on platforms with trusted domain names. But the content provided by individual users is not created by the platform, nor is it particularly rigorously screened (no matter how much automated screening the platform claims).
- Check website domain names carefully. Every character counts, and the business part of each server name goes at the end (the right-hand side in European languages written left-to-right), not at the beginning. If I own the domain dodgy.example then I can put any brand name at the start, e.g. visa.dodgy.example or whitehouse.gov.dodgy.example. These are simply subdomains of my fraudulent domain dodgy.example and just as untrustworthy as any other part of it.
- If the domain name is not clearly visible on your mobile phone, consider waiting until you can use a regular desktop browser, which usually has a lot more screen real estate, to see the true location of a URL.
- Consider a password manager. Password managers associate usernames and login passwords with specific services and URLs. If you end up on a fraudulent website, no matter how convincing it looks, your password manager won’t be fooled because it recognizes the website by its URL, not its appearance.
- Don’t be in a hurry to enter your 2FA code. Use the disruption in your workflow (e.g. the fact that you need to unlock your phone to access the code generator app) as a reason to double check that URL, just to be sure.
- Consider reporting fraudulent sites to Facebook. Annoyingly, this requires you to have your own Facebook account (unfortunately non-Facebook users can’t submit reports to help the wider community), or to have a friend submit the report for you. However, our experience in this case was that the report worked, because Facebook soon blocked access to the offending page.
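As an added illustration of two of the checks above (link text that looks like a URL versus where the href really goes, and reading a hostname from the right-hand end), here is a small Python checker written for this article; it is not code from the original post, and the email snippet and the dodgy.example hostnames are constructed for the example:

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the link TEXT looks like a facebook.com URL, but the
# href really goes to a subdomain of an unrelated (constructed) domain.
SAMPLE_EMAIL = """
<p>Your page violates our policies. Appeal here:
<a href="https://facebook.com.dodgy.example/appeal">https://www.facebook.com/policies/appeal</a></p>
<p>Or visit <a href="https://www.facebook.com/help">the help centre</a>.</p>
"""


class _Links(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Rightmost two labels: the 'business part' the owner actually registered.
    Simplified: multi-label public suffixes such as co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_links(html):
    """Return (real_host, shown_text) for links whose visible text looks like
    a URL but whose href lands on a different registrable domain."""
    parser = _Links()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        real_host = urlparse(href).hostname or ""
        shown = re.match(r"https?://([^/\s]+)", text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(real_host):
            flagged.append((real_host, text))
    return flagged
```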
Keep this in mind when it comes to personal information, especially passwords and 2FA codes…
…If in doubt / Don’t give it out.