Earlier this month, Access Now’s Digital Security Helpline began to get reports of hacked Facebook accounts that allowed us to identify a new method for targeted “phishing,” also known as “spear phishing.” Today, we’re publishing details of the attack so that users are better informed and able to identify this attack.

Phishing is a method of obtaining unauthorized access to an account or service by tricking an authorized user into providing their credentials. This is usually done through mass spam messages. Spear phishing is an attack that targets a particular person and uses special messages that are more likely to appear genuine to a specific person. Read more about a recent spear phishing attack here.

The new attack targets people using Facebook, and it relies on your lack of knowledge about the platform’s “Trusted Contacts” feature. Trusted Contacts is a system created by Facebook to help you gain access to your account if you forget your password or your account is locked. If you enable Trusted Contacts, Facebook will ask you to identify three to five people. If you need access to your account, Facebook will send part of a code to each of these users that can be combined to gain access to your account.

Anyone who has a Facebook account could fall victim to the attack, but so far we’re seeing the majority of reports from human right defenders and activists from the Middle East and North Africa.

How the attack works

Here’s how the attacker attempts to exploit your trust in order to extract the information needed to steal your account:

1. You get a message from an attacker on Facebook Messenger, who is using the compromised account of someone on your Friends list.
2. The attacker asks for your help recovering their account, explaining that you are listed as one of their Trusted Contacts on Facebook, and tells you that you will receive a code for recovering their account.
3. Then the attacker triggers the “I forgot my password” feature for your Facebook account and requests a recovery code.
4. In an effort to help, you send the code you’ve just received to your “friend.”
5. Using the code, the attacker can now steal your account from you, and use it to victimize other people.

For visual learners, see here.

In the cases we have observed, the attacker doesn’t stop after compromising just one account. It’s replicated across users’ social networks. When a message comes from a “friend,” people tend to trust it. That makes it an especially effective attack vector.

How to defend yourself against the attack

To help you stay safe, we encourage you to follow these recommendations:

• Treat urgent, unexpected messages with suspicion: Phishing messages often appear to come from a trusted friend. But if you get an odd message, ask yourself, are you already aware of being on a list of “Trusted Contacts” for any of your Facebook friends?
• Confirm with your friend: Try to verify your friend’s identity by telephone or in person.
• Act slowly and with caution. Attacks are always evolving. In general, try to stay calm when you get a message where the sender appears to want to trigger a strong emotional reaction, like anger or fear. This might make you think you have to hurry, and it could impair your ability to evaluate the situation objectively. Don’t panic. Figure out what is really happening before you take action.
• Learn how “Trusted Contacts” actually works: It doesn’t work the way the phishing message in this attack suggests. We explain the details below.

How Facebook’s “Trusted Contacts” feature really works

Here are the basics:

What is the Trusted Contacts feature?

It’s an account recovery feature in Facebook that’s aimed at helping you regain access to your Facebook account and the email accounts and phone numbers linked to it.

How does the Trusted Contacts feature work?

To activate this feature, you select three to five of your Facebook friends. If you lose access to your account, these friends can generate codes from their Facebook account and forward them to you. Note: Facebook does not send these text messages to your friends. It’s your friends who need to generate the codes for you, as shown in the screenshot below:

What to do if you get a message like the one we describe

If you get a message like the one we describe, asking you to send a message with a code from Facebook, don’t send anything to your “friend.” Instead, report the account here as soon as possible.

If you need any help because your account has been hijacked, through this or any other attack vector, we encourage you to contact us at the Digital Security Helpline. We’re here every day, and no matter when you reach out, one of our incident handlers will reply to you within two hours. Here’s a step-by-step guide for contacting us, and you have the option of sending an email, encrypted if you desire, to help @ accessnow . org.

Here’s a visual to help illustrate the attack. Please spread the word!