Would you fall for this Meta phishing DM?

Do you manage a Facebook page or Instagram account? Be careful and watch for scam messages that are crafted to scare you out of your password.

Here’s an example that was sent to a page I help manage. It was one of a number of scam messages that came in all at once.

This scam attempts to phish away your Meta/FB/Instagram credentials. The attacker then holds your account for ransom.

I know of one company that paid that ransom in cryptocurrency to get their high-profile, high-worth Instagram account back. For the rest of us, here are the lessons in social engineering that this messenger DM gives us.

Cultivating a state of fear

Most phishing attacks are designed to put you in a state of fear. As such, there are some key triggers to watch for.

1. You lost something.
2. You did something wrong. A guilt trip further elevates anxiety and fear. 
3. Take action immediately or you lose forever. Time pressures elevates anxiety.
4. Fake sense of authority. Many of us automatically get into fear state when you see authority. Remember the last time you saw flashing lights behind you when driving? Logos and names are easy to fake, creating a false sense of authority. 

Um, that domain name. But if you’re already in a state of heightened fear and anxiety, you don’t think about the domain name, do you. They load up the fear, anxiety, guilt and power trip first, then they drop the suspicious domain name. 

Follow up messages

Additional messages were sent to this page after the scam, possibly by the same attacker. It was odd that so many came in at once. These additional messages were harshly critical of the brand, product, and business. Coupled with the original message, they would have put an unwitting page manager into a fearful & anxious mindset, lowering defenses for the attacker’s first message.

Protect yourself

Keep your cool, stay calm, ask questions. And if you have two-factor authentication on your Facebook/Instagram/Threads accounts, even if they phish your password away from you, the 2FA is there as another factor to protect you. Unless, of course, you get tricked into giving that up, too.

There’s something really powerful about your mindset here. As you can see, these attacks are maliciously designed to reduce your defenses by putting you into fear, anxiety, guilt, and submission. Live in your power and claim your ownership over your mental state when faced with anyone and everyone who might try to take that from you.

That includes scammers and jerks. It also includes everyone else out there who might try to make you feel small, unworthy, or less than.

Protect your mindset, protect your digital life. These things go hand in hand.

Better authentication is coming

As passkeys come to web applications (as they are already available for Google, PayPal, Github and others), we will have better security to protect our authentication to our digital homes online.

Until then, stay vigilant, stay in your power. Every phishing attempt can be foiled with some discernment and that buffer zone between stimulus and response. Cultivating a mindset that cannot be tricked into fear state will serve you not only in protecting yourself online, it will serve you in other areas of your life, too.

This is apparently also happening on LinkedIn accounts. Add 2FA to all of your accounts.