With all the cybercrime news involving IRS scams this time of year, there is something new out now to break up that “monotony.” A new scam that uses Airbnb to trick people out of their Facebook credentials has been spotted targeting users of Apple mobile devices. However, don’t think you’re safe and sound if you use the Android operating system. This one can very easily be adapted to take advantage of that system too... and this is likely on the way. All it takes is being fooled into logging into the fake Airbnb site using your Facebook login credentials to give up those goods to criminals.
It works like this: The user makes his or her way to what they think is the Airbnb website. As on many websites, there is an option to log in with Facebook credentials. The user does just that and Bammo! The criminals have your Facebook credentials and therefore full access to your Facebook page.
Let’s start with how one might end up on the fake Airbnb (or any other fake site) in the first place. It’s with…you guessed it…phishing. A link is sent around, typically en masse, in an email message that tricks people into clicking it with some big and fabulous offer they cannot refuse. The realistic-looking, but fake, page comes up, and on it is a button to log in with Facebook. If that button, also fake but realistic-looking, is clicked, the page to put in your user name and password appears. If the user does this, it’s all over.
So, don’t click links willy-nilly when they appear in your email messages. If you are not expecting them, if they are from unknown persons, seem a bit strange, or tickle the hair on the back of your neck, don’t click them. If you cannot be 100% sure it’s OK to click it, don’t. Alternatively, pick up the phone and call the sender and find out if it was intended to be sent. If you are suspicious at all, you’ll find out if your spidey sense was correct very quickly this way.
In addition to just being phishing savvy, don’t use the login for one account to gain access to a separate one. If you have the option to use Facebook, Google, or anything else to log in to a website other than Facebook, Google, or whatever, don’t take that route; set up a separate login for that website instead. Yes, it is another set of credentials you have to remember, but think about the damage a criminal can do if they get access to your Facebook or Google account. It’s always advised that you have a unique, strong password for each and every website you visit.
And don’t forget to use multifactor authentication (MFA) any time it’s available to you on a website. This extra step can prevent a hacker from gaining access to your accounts just using your user name and password. They’d also need your random code from your key fob or the one-time-use code that gets sent to your phone when you have MFA active. Facebook does offer several different MFA options. Take a look and choose one that works for you.
While no link or attachment is ever truly 100% safe, you can eliminate a lot of the threats by using your noggin and not clicking if you cannot verify that it’s safe.