“I can’t believe he’s gone. I’m gonna miss him so much.”
If you see a post on Facebook with these words (or even in this vein), be careful: your friend's account is being used to spread a phishing scam.
Here's how it works: An attacker steals an account. Then they post this vague but worrisome message, along with a website link that looks trustworthy. (It's often a URL that begins with the Facebook domain or looks like an embedded video from BBC News.) The link redirects to a phony website that asks for your Facebook login information to continue. If you enter it, the page captures your credentials. Afterward, you're redirected yet again: Bleeping Computer, which reported on this issue earlier this week, says mobile users get punted to Google, while those on a desktop PC get pushed off to other scummy websites promoting browser extensions, VPNs, or affiliate sites.
If your Facebook account gets taken over, it gets used to spread this scheme to your network.
While this particular scam isn't new (its initial appearance was about a year ago, according to Bleeping Computer), it still has fresh legs. I saw this phishing attempt in the wild just last week when an acquaintance's account posted the Facebook redirect variant of the message.
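The check below is an added example, not code from the original article or from Bleeping Computer: it unwraps a link offline and classifies it by the host that would actually serve a login form, which is the question the Facebook redirect variant obscures. The redirect parameter names, the category labels, and the extension to lookalike hostnames are assumptions made for this example.

```python
from urllib.parse import urlsplit, parse_qs

# Hosts where a Facebook login prompt is expected (assumption for this example).
LOGIN_HOSTS = ("facebook.com",)
# Query parameters that commonly carry a redirect target (assumption).
REDIRECT_PARAMS = ("u", "url", "next", "redirect")


def is_facebook_host(host):
    """True only for facebook.com itself or a genuine subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LOGIN_HOSTS)


def embedded_target(url):
    """Return the http(s) URL carried in a redirect parameter, or None."""
    query = parse_qs(urlsplit(url).query)  # parse_qs percent-decodes values
    for name in REDIRECT_PARAMS:
        for value in query.get(name, []):
            if urlsplit(value).scheme in ("http", "https"):
                return value
    return None


def final_destination(url, max_hops=5):
    """Unwrap nested redirect parameters without making any network request."""
    for _ in range(max_hops):
        nxt = embedded_target(url)
        if nxt is None:
            break
        url = nxt
    return url


def assess(url):
    """Classify a posted link by where a login form would really be served."""
    shown = urlsplit(url).hostname or ""
    dest = urlsplit(final_destination(url)).hostname or ""
    if is_facebook_host(dest):
        return "facebook"
    if is_facebook_host(shown):
        return "facebook-link-leaving-facebook"  # never enter a password here
    if "facebook" in shown.lower():
        return "lookalike-host"
    return "external"
```

Only the `facebook` result means a Facebook password prompt at the end of the link could be genuine; this inspects the URL text alone and cannot see server-side redirects.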
To protect yourself from this campaign (and any others that rely on a compromised password), you can take several steps. First, if you think you've fallen for one of these bad links, change your password as soon as possible. Pick one that's strong, unique, and random; you can use a password manager to generate and store it.
Next, enable two-factor authentication (2FA) on your account. It adds a second layer to the login process, in which you have to enter a six-digit code or use a hardware token in addition to your password. More secure forms of 2FA (software tokens or a hardware key) should stop would-be hackers in their tracks since they won't have access to the app generating the tokens or the hardware key. (Note: 2FA codes sent over SMS are riskier, since an attacker could hijack your phone number to get those text messages routed to them.)
Finally, you can use an antivirus program or browser extension that detects and blocks malicious links. It's not foolproof, but it adds to your overall safety net. Online security is about layers: having more than just a password helps safeguard you more thoroughly.