A new phishing campaign is targeting Facebook users with fake security alert emails designed to steal account credentials.

The scam email claims that a login to the recipient's account was detected and asks them to confirm whether it was theirs by clicking a link labelled "It wasn't me." The link leads to a site that closely imitates Facebook's password reset page.
The fake page first asks for the username and password. Even when the details are correct, it displays an "incorrect password" error; by the time the error appears, the credentials have already been captured.

It then requests the two-factor authentication (2FA) code. Because a code from an authenticator app or SMS is typically valid only for a short window, attackers running this kind of campaign use the stolen password and code on the real site straight away, which is what gives them full access to the account even though 2FA is enabled.

To make the trick even more convincing, the fake page then presents a password reset form.

After entering a new password, users are redirected to the genuine Facebook login page, so they have no reason to suspect that their original password, 2FA code, and even the new password have all been captured. Because the attackers also hold the new password, the victim's own "reset" does not lock them out.
Experts recommend that users never click on links in unexpected login alerts or other suspicious emails. Instead, they should check account activity directly by opening the official Facebook app or typing facebook.com into the browser themselves.
Users are also advised to verify the sender's email address (Facebook's own notifications come from facebookmail.com, but a From address can be forged, so the link's real destination and the address shown in the browser matter more), never to enter a 2FA code on a page reached from an email link, to manage 2FA only from Facebook's official security settings, and to report phishing attempts through the platform's Help Center. Anyone who has already entered details on such a page should change their password from the official app or site, review the active sessions listed under Security and Login, and log out any they do not recognise.
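As an added example (not code from the article or from Facebook), the following Python script shows how to inspect the links in a suspicious "security alert" email before anyone clicks them. It parses the HTML body, pulls out every link, and flags any whose destination is not a domain Facebook is expected to use, plus a couple of classic tells (punycode labels, link text that shows one address while pointing at another). The sample email and the lookalike domain in it are constructed for this example; the set of expected domains is an assumption for illustration.

```python
"""Check the links in a suspicious 'security alert' email before clicking.

Added example, not part of the original article. The sample email below is
constructed for illustration and the lookalike domain in it is made up.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains a genuine Facebook email would link to (assumption for this
# example; facebookmail.com is the sender domain for Facebook's own emails).
EXPECTED_DOMAINS = {"facebook.com", "facebookmail.com", "fb.com"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Naive 'last two labels' registrable domain.

    Good enough for .com targets; assumption: multi-label public suffixes
    such as co.uk are not handled here.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_links(html: str) -> list:
    """Return one finding per link with a verdict and the reasons behind it."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        reasons = []
        if parsed.scheme != "https":
            reasons.append(f"scheme is {parsed.scheme or 'missing'}, not https")
        if registrable_domain(host) not in EXPECTED_DOMAINS:
            reasons.append(f"destination {host!r} is not a Facebook domain")
        if any(label.startswith("xn--") for label in host.split(".")):
            reasons.append("punycode label in host (possible homoglyph domain)")
        # Link text that looks like a URL but points somewhere else is a classic tell.
        if text.startswith(("http://", "https://", "www.")):
            shown_url = text if "://" in text else "https://" + text
            shown = urlparse(shown_url).hostname or ""
            if registrable_domain(shown) != registrable_domain(host):
                reasons.append(f"link text shows {shown!r} but goes to {host!r}")
        findings.append({
            "href": href,
            "text": text,
            "verdict": "SUSPICIOUS" if reasons else "ok",
            "reasons": reasons,
        })
    return findings


# Constructed sample resembling the "It wasn't me" lure described above.
# facebook-security-check.example is an invented lookalike domain.
SAMPLE_EMAIL = """
<p>We noticed a new login to your account.</p>
<p><a href="https://www.facebook-security-check.example/reset?u=123">It wasn't me</a></p>
<p><a href="https://www.facebook.com/settings?tab=security">Review your security settings</a></p>
"""

if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL):
        print(finding["verdict"], finding["href"], "; ".join(finding["reasons"]))
```

Run against the constructed sample, the "It wasn't me" link is reported as SUSPICIOUS because its destination is not a Facebook domain, while the link to facebook.com passes. The domain check is deliberately simple (last two labels); a mail gateway would use a proper public-suffix list and a reputation feed, but the principle is the one the advice above rests on: judge the link by where it actually goes, not by what the email says.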





