If you have a Facebook page, you may have received an email saying “You Have Been Reported for Copyright Content”. If it looks like the one we found, it is 100% definitely a scam.
The email claims that a notification was sent, but when we checked our Facebook “support inbox” and regular inbox, there was nothing there.
We then used an isolated computer to click on the links in the email and found one that went to a Facebook page help center which was … no help. We then clicked on the appeal link and it became immediately obvious that this was a scam intended to hijack our Facebook account.
Three things set off alarm bells for us: the reply-to address in the email, the URL of the Facebook support page, and the information requested by that page.
First, we looked at the reply-to email address that came in the header of the email:
Facebook does not have an entire domain (facebooksupport.com) dedicated to support. Like most companies, it keeps support in a section of its main domain (facebook.com/help). We then went to the domain to see what was there: shocker, it was not related to Facebook at all.
Second, Facebook will never request your password anywhere, ANYWHERE, other than to log in to the site. Also, since this is Facebook, why do they need me to provide my full name, email and birthday? These are personal details that should not be necessary to handle a support request. The email I want the company to use for notifications has already been specified in my settings, my birthday is irrelevant to the support request, and my full name should already be known by the social media giant.
Third, the URL is for an app, not a page in the actual Facebook support area (facebook.com/help). Even though they use HTTPS, which gives them the secure padlock, this is a page you should NEVER fill in and submit. This is their attempt to get admin access to your page and hijack it for their own use, likely propaganda, advertising or other activity restricted by Facebook.
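The reply-to and URL checks described above can be automated for a saved message. The script below is an added example, not part of the original post. The sample email, its addresses and the `apps.facebook.com` appeal link are constructed for illustration, and it assumes a single-part plain-text message.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "facebook.com"  # the service's real domain, per the article
SUPPORT_PATH = "/help"           # the real support area: facebook.com/help

# Constructed sample message; the addresses and the app link are made up.
SAMPLE = """\
From: Facebook Support <notice@facebook.com>
Reply-To: appeals@facebooksupport.com
Subject: You Have Been Reported for Copyright Content
Content-Type: text/plain

A notification was sent. Help center: https://www.facebook.com/help/
Appeal here: https://apps.facebook.com/example-appeal-form
"""

def on_domain(host, domain):
    """True only for the domain itself or a real subdomain of it.
    The leading dot stops look-alikes such as 'notfacebook.com'."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def review(raw):
    """Return (reason, value) pairs for each header or link that fails a check."""
    msg = message_from_string(raw)
    findings = []
    # Check 1: replies must go back to the real domain, not a look-alike.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to:
        reply_host = reply_to.rpartition("@")[2]
        if not on_domain(reply_host, TRUSTED_DOMAIN):
            findings.append(("reply-to", reply_host))
    # Check 2: links must be on the real domain AND inside the support area.
    # HTTPS is deliberately not treated as a sign of legitimacy.
    for url in re.findall(r"https?://[^\s<>\"']+", msg.get_payload()):
        parts = urlsplit(url)
        if not on_domain(parts.hostname, TRUSTED_DOMAIN):
            findings.append(("off-domain link", url))
        elif not (parts.path + "/").startswith(SUPPORT_PATH + "/"):
            findings.append(("not a support page", url))
    return findings

if __name__ == "__main__":
    for reason, value in review(SAMPLE):
        print(f"{reason}: {value}")
```
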
As always, be careful when you receive an email purporting to be from a real company. Do due diligence and never give your password to anyone, anywhere on anything other than a login screen from the actual domain of the service you intend to use.