You may have seen news about the recent Facebook Messenger hacks or seen the repeated ‘My account has been hacked’ message on your Facebook feed.
You may have also seen the suggested solution is to use multi-factor authentication (MFA)—also known as two-factor authentication (2FA)—for increased protection against the scams hitting FB Messenger.
Though MFA certainly plays a critical role in protecting user accounts, it may not be enough to fend off today’s crafty fraudsters.
This is not a problem unique to Facebook, either. Companies everywhere are struggling to manage these attacks.
Let’s look at what happened with Messenger, why it happened, and most importantly, how you can go beyond MFA solutions to protect and build trust with your customers.
Recently 10 million people fell victim to a simple Facebook Messenger phishing scam, creating chaos for both the users of the social media giant and Meta as a whole.
Phishing is when fraudsters send deceptive messages, in this case via FB Messenger, dressed up to appear valid. When recipients fall victim to a phishing message, thieves often steal information such as banking or credit card details or infect their device with malware.
In the most recent Facebook Messenger phishing scam, victims were lured to illegitimate websites where they were prompted to enter their Facebook credentials.
After doing so, the scammers gained control of the user’s accounts, where they then sent messages to the victim’s contacts and stole private financial information.
It’s unclear how much these scammers gained in illegal earnings, but it’s estimated to be at least $1 million USD.
The question on a lot of people’s minds is why didn’t Facebook have systems in place to prevent the scam from happening to begin with? The answer is that they did, but the scammers figured out a unique way to circumvent their security.
The first deceptive breach occurred as the scammers bypassed Messenger’s built-in security to detect unauthorized hyperlinks. The fraudsters shortened the URLs they were sending out, which tricked the system into allowing the messages to be sent to victims.
Once the user’s account became compromised, it turned into an automated hub which sent out phishing messages to all of the victim’s contacts, creating a chain of exponential fraud in a short period of time.
Experts are recommending MFA as the solution to stopping these types of phishing accounts. Had the victims of the Facebook Messenger scam had MFA enabled, this particular scam would not have been successful.
For example, once the fraudster obtained the user’s password, they logged into the account to send out more phishing messages. A password and username alone would not have given access if MFA was on, because it would require a further step which the fraudster likely wouldn’t be able to complete.
MFA certainly remains a critical building block for any modern security stack, but a more robust, scalable solution is required to keep up with today’s sophisticated fraudsters.
MFA protects the customer and gives them a chance to receive a one-time passcode (OTP) to avoid losing access to their account. But it does little to verify the person behind said phone number.
The Facebook Messenger phishing scam could easily have circumvented users with MFA as well, simply by gaining access to other intimate details of their victims and employing SIM swap attacks, which let the fraudster receive OTPs to their own smartphones.
Implementing risk scoring as part of your onboarding process adds the extra layers of protection you need to keep your customers safe. Risk scoring gives companies a way to be alerted about any suspicious behavior concerning an account and the phone number or other data it has provided.
Telesign’s Intelligence uses sophisticated AI tailored to your platform to deliver risk assessments and recommendations, allowing you to protect your customers while maintaining current fraud prevention workflows.
The Facebook Messenger phishing scam cost millions of dollars while negatively impacting customer loyalty and trust, all of which may have been avoided if the scammers were shut down at onboarding. Read more about how risk analysis is a superior solution to shutting down these types of attacks before they spread.