Last November, Crystal Murdock, a 44-year-old social worker from Weeki Wachee, Fla., received a message from an account belonging to one of her Facebook Messenger friends. The two had chatted in the past, so she had no reason to suspect it was a scam.
“He asked me how I was doing,” Murdock says. “I said I was doing great. And then he said, ‘Oh, I'm doing really great.’ He told me he had won this grant for $150,000 from a company called Global Greengrants Funds and that he saw my name on a list of people who qualified for it.”
Global Greengrants Fund is real. It provides small grants to grassroots organizations to support environmental action worldwide. It’s even listed on Guidestar, an online database that records the names of nonprofit organizations.
And so Murdoch texted the phone number she’d been given to ask for more information. After providing some personal data, she was informed she’d need to pay $1,500 to get the funds. That’s when she backed off.
Good thing, too, because she was on the verge of falling for a common Facebook Messenger scam. In addition to fictitious grants, cybercriminals have been using the platform to peddle fake loans, lottery winnings, and requests for charitable donations.
Alex Grossman, a company spokesman for the Global Greengrants Fund, says the organization has been helping victims report the problem to Facebook. “The scammers are in no way related to Global Greengrants Fund,” he adds.
A Facebook spokesperson says the company is working to protect users—online and on the Messenger mobile app—employing “technology, reporting tools, and human review” to remove malicious accounts. But there also are steps that consumers can take to protect themselves (see below).
According to Facebook’s latest Community Standards Enforcement Report, the company removed 3.2 billion fake accounts from its social media platform between April and September 2019, up from 1.5 billion during the same period in 2018. “Most of these accounts were blocked within minutes of their creation,” Facebook says.
But that still leaves some Facebook Messenger users exposed to thieves. The use of the popular messaging app is particularly pernicious, according to security experts, because the scammers appear to be people victims know and trust.
“It seems a bit more personalized,” says Ashlee Benge, a threat researcher at the Baltimore-based internet security firm ZeroFox. “Gone are the days when attackers could send out emails with the same generic content body and hope people fell for it.”
Murdock agrees. “If it had been a total stranger, I would have ignored it all together,” she says. “But since the message came from somebody I've talked to before, it made me more interested."
Never Hand Over Money or Data
According to the Federal Trade Commission (FTC), the government agency that polices the internet, consumers have grown savvy in recent years about phishing scams. So cybercriminals have developed more complex attacks, using spoofed phone numbers, text messages, and social media platforms to pose as neighbors, friends, and family members.
While the number of victims is falling, the money lost to such scams is increasing, the FTC says.
Murdock escaped that fate. But she did surrender personal information that could prove valuable to criminals engaged in identity theft.
“They wanted my full name, my mother's full name, full home address, whether I would want the money in check or cash, my age, my gender, marital status, phone number, email address, and whether I was employed or still on disability,” she says.
"That information she gave is terrifying," says Danny Jenkins, CEO of Threatlocker, a Florida-based digital security firm. "Yes, the scammers could get it online if they dug deeper, but they are always about speed. They don’t want to dig for your data."
Using the info Murdock provided, Jenkins says, a thief could arrange for a SIM card swap via a cell-phone service and claim her phone number. And once in control of her phone line, they could request a password reset on her online banking account and drain her funds.
"Scams like this are particularly scary," says Zack Allen, director of threat operations at ZeroFOX. "Scammers for grants typically start with information that isn't as sensitive and build up rapport to work their target for more sensitive information."
Facebook recently launched a privacy and safety hub, where Messenger users can learn more about features designed to help them report concerns and halt unwanted interactions. The company says it works with law enforcement, including the FBI, to find and prosecute scammers.
How to Protect Yourself
Here are a few steps you can take to protect yourself from cybercriminals.
Beware of anyone requesting or offering money. Scammers have dreamed up lots of ways to empty your wallet. They may impersonate a relative in an emergency, for example. Or request a gift card or fee in return for a loan or a prize. If you think you may have interacted with a scammer, block him or her and report the account to Facebook at email@example.com.
Guard your financial information. Be wary of texts or email asking for account numbers, credit card numbers, and wire transfers as well as alerts about failed transactions. There’s no reason to share such info via message or an unsecure site.
Don’t open attachments. They may contain malware. And you should never type confidential information into a form attached to an email. The sender can potentially track the info you enter.
Double-check the link. Before you click on a link in an email or on the internet, try hovering your mouse over it. This will reveal the full address, which can expose signs of fraud. A “.ru” on the end, for example, means the site was created in Russia; “.br” means Brazil.
Misspellings are another good tip-off to a fake website. If the URL says globallgrants.com, it's best to avoid it. Search for the company on Google and access the website that way instead.
Don’t assume that a website is legitimate just because its URL starts with “https.” Criminals like to use encryption, too.
Change your password. “We're all guilty of not changing our Facebook password often enough,” says Jenkins. “Using a more secure password reduces the risk of someone hijacking your account.” That doesn't protect you from imposters, but it does prevent scammers from using your profile to defraud others.
Enable two-factor authentication. If you’ve ever had to use a six-digit verification code texted to your cell phone to log in to a digital account, you have some idea of how 2FA works. Once you turn on the setting, you have to provide a password and another unique identifier to access your account from an unverified device or location. This protects you if a stranger steals your password.
Turn on auto updates. This goes for your computer, smartphone, and tablets. Up-to-date security software goes a long way toward stopping malware.
Use security tools. Install an antivirus program on your device and keep it up to date. You can also use a website reputation rating tool, which comes in the form of a browser plug-in, to warn you if you try to go to potentially dangerous websites. Cybersecurity companies such as McAfee, Kaspersky, and Norton offer them. But keep in mind that these tools aren’t foolproof.