
PUBLIC SECURITY ALERT: New Facebook attack – watch out for phishy messages that say you’re a “Trusted Contact”

Published: 11 October 2017 | Last updated: 23 March 2023

Earlier this month, Access Now’s Digital Security Helpline began to get reports of hacked Facebook accounts. Those reports allowed us to identify a new method of targeted phishing, also known as “spear phishing.” Today we’re publishing details of the attack so that users are better informed and able to recognize it.

Phishing is a method of obtaining unauthorized access to an account or service by tricking an authorized user into providing their credentials. This is usually done through mass spam messages. Spear phishing is an attack that targets a particular person and uses special messages that are more likely to appear genuine to a specific person. Read more about a recent spear phishing attack here.

The new attack targets people using Facebook, and it relies on your lack of knowledge about the platform’s “Trusted Contacts” feature. Trusted Contacts is an account recovery mechanism created by Facebook to help you regain access to your account if you forget your password or your account is locked. If you enable it, Facebook asks you to choose three to five friends. If you are later locked out, each of those friends can generate a recovery code from their own Facebook account and pass it to you; enough of those codes together let you regain access. Facebook does not send you a code on a friend’s behalf, a detail the attackers count on you not knowing.

Anyone who has a Facebook account could fall victim to the attack, but so far the majority of reports we are seeing come from human rights defenders and activists in the Middle East and North Africa.

How the attack works

Here’s how the attacker attempts to exploit your trust in order to extract the information needed to steal your account:

  1. You get a message on Facebook Messenger from an attacker who is using the compromised account of someone on your Friends list.
  2. The attacker asks for your help recovering “their” account, explaining that you are listed as one of their Trusted Contacts on Facebook, and tells you that you will shortly receive a code for recovering their account.
  3. Meanwhile, the attacker triggers the “I forgot my password” flow for your own Facebook account. Facebook sends a password-reset code to your phone or email address, because the reset was requested for your account, not your friend’s.
  4. Believing this is the Trusted Contacts code your friend was expecting, you forward it to your “friend.”
  5. With that code the attacker resets your password, takes over your account, and then uses it to run the same play against the people on your Friends list.

For visual learners, see here.

In the cases we have observed, the attacker doesn’t stop after compromising just one account. It’s replicated across users’ social networks. When a message comes from a “friend,” people tend to trust it. That makes it an especially effective attack vector.

How to defend yourself against the attack

To help you stay safe, we encourage you to follow these recommendations:

  • Treat urgent, unexpected messages with suspicion: Phishing messages often appear to come from a trusted friend. If you get an odd message, ask yourself whether you ever agreed to be a Trusted Contact for that friend, and remember that Facebook does not notify you of that role by sending you a code.
  • Confirm with your friend: Verify your friend’s identity over a different channel, by telephone or in person, before you act on the message.
  • Act slowly and with caution: Attacks are always evolving. Stay calm when a message seems designed to trigger a strong emotional reaction, like anger or fear. That urgency is meant to make you hurry and impair your ability to evaluate the situation objectively. Don’t panic; figure out what is really happening before you take action.
  • Learn how “Trusted Contacts” actually works: It doesn’t work the way the phishing message in this attack suggests. We explain the details below.

How Facebook’s “Trusted Contacts” feature really works

Here are the basics:

What is the Trusted Contacts feature?

It’s an account recovery feature in Facebook that helps you regain access to your Facebook account when you can no longer use the email addresses or phone numbers linked to it.

How does the Trusted Contacts feature work?

To activate this feature, you select three to five of your Facebook friends. If you lose access to your account, these friends can generate codes from their own Facebook accounts and forward them to you. Note: Facebook does not text or email recovery codes to the trusted contacts. The friends themselves generate the codes for you, as shown in the screenshot below. A code that arrives on your own phone or in your own inbox is therefore a reset code for your own account, never one for a friend’s.
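The two recovery paths this post contrasts, written out as an added example in Python. This is not code from the original alert and is not Facebook’s implementation: it is a hypothetical recovery server with a password-reset path (the code is delivered to the account owner’s own phone or email) and a Trusted Contacts path (codes are generated by helpers from their own accounts and bound to the locked-out account). `run_attack` replays steps 1 to 5 from above and shows that the forwarded SMS code is worthless as a Trusted Contacts code for the friend but resets the victim’s own account; `run_legitimate_recovery` shows the real feature. The account names, the three-helper threshold and the code format are assumptions.

```python
"""Toy model of two account-recovery paths (hypothetical; not Facebook's code)."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    password: str
    trusted_contacts: list = field(default_factory=list)


class RecoveryServer:
    """Hypothetical recovery back end with the two paths the post contrasts."""

    def __init__(self, accounts):
        self.accounts = {a.name: a for a in accounts}
        self.reset_codes = {}    # reset code -> account it will reset
        self.contact_codes = {}  # trusted-contact code -> (locked-out account, helper)

    # Path 1: "I forgot my password". Anyone can trigger it for any account,
    # but the code is delivered to the target's own phone/email.
    def forgot_password(self, target):
        code = secrets.token_hex(3)
        self.reset_codes[code] = target
        return code  # modelled as the SMS/email that reaches `target`

    def redeem_reset(self, code, new_password):
        """Whoever presents a valid reset code sets a new password on the bound account."""
        target = self.reset_codes.pop(code, None)
        if target is None:
            return None
        self.accounts[target].password = new_password
        return target

    # Path 2: Trusted Contacts. The helper, logged into their *own* account,
    # generates a code bound to the locked-out friend's account.
    def generate_contact_code(self, helper, locked_out):
        if helper not in self.accounts[locked_out].trusted_contacts:
            raise PermissionError(f"{helper} is not a trusted contact of {locked_out}")
        code = secrets.token_hex(3)
        self.contact_codes[code] = (locked_out, helper)
        return code

    def redeem_contact_codes(self, locked_out, codes, new_password, threshold=3):
        """Succeeds only with codes from `threshold` distinct helpers generated for this account."""
        helpers = set()
        for c in codes:
            bound = self.contact_codes.get(c)
            if bound and bound[0] == locked_out:
                helpers.add(bound[1])
        if len(helpers) < threshold:
            return False
        for c in codes:
            self.contact_codes.pop(c, None)
        self.accounts[locked_out].password = new_password
        return True


def build_server():
    # Constructed sample data: alice has chosen bob, carol and dave as trusted contacts.
    return RecoveryServer([
        Account("alice", "alice-pw", trusted_contacts=["bob", "carol", "dave"]),
        Account("bob", "bob-pw"),
        Account("carol", "carol-pw"),
        Account("dave", "dave-pw"),
    ])


def run_attack(server):
    """Replays steps 1-5 of the post. The attacker already controls 'alice',
    a friend of 'bob', and has messaged bob with the Trusted Contacts story."""
    # Step 3: the attacker triggers a password reset for bob's own account.
    # The code is delivered to bob, not to the attacker.
    sms_code = server.forgot_password("bob")
    # Steps 2 and 4: bob thinks this is the code alice needs and forwards it.
    # It is useless as a Trusted Contacts code for alice:
    misused = server.redeem_contact_codes("alice", [sms_code], "irrelevant")
    # Step 5: the attacker presents bob's reset code and takes over bob's account.
    reset_account = server.redeem_reset(sms_code, "attacker-pw")
    return {"works_as_contact_code_for_alice": misused, "account_reset": reset_account}


def run_legitimate_recovery(server):
    """The real feature: alice is locked out; each helper generates a code for her."""
    codes = [server.generate_contact_code(h, "alice") for h in ("bob", "carol", "dave")]
    return server.redeem_contact_codes("alice", codes, "alice-new-pw")


if __name__ == "__main__":
    s = build_server()
    print("attack:", run_attack(s), "| bob's password is now", s.accounts["bob"].password)
    print("legitimate recovery succeeded:", run_legitimate_recovery(build_server()))
```

The asymmetry the model makes visible is the one the attackers exploit: a reset code is bound to the account whose reset was requested and is accepted from whoever presents it, while a Trusted Contacts code can only be produced by a helper acting from their own account. Nothing that arrives on your phone can be a code your friend needs.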

What to do if you get a message like the one we describe

If you get a message like the one we describe, asking you to send a message with a code from Facebook, don’t send anything to your “friend.” Instead, report the account here as soon as possible.

If you need any help because your account has been hijacked, through this or any other attack vector, we encourage you to contact us at the Digital Security Helpline. We’re here every day, and no matter when you reach out, one of our incident handlers will reply to you within two hours. Here’s a step-by-step guide for contacting us, and you have the option of sending an email, encrypted if you desire, to help @ accessnow . org.

Here’s a visual to help illustrate the attack. Please spread the word!

 

Access Now Helpline Team (@accessnow) and Nathan White (@NathanielDWhite)

Tags: Digital Security, Global, account compromise, Attack, Facebook, Facebook Trusted Contacts, Phishing, Spear Phishing, Trusted Contacts