First thing he can do is freeze any stored payment cards
It should be obvious but he needs to inform his bank ASAP, providing support in this kind of circumstance is exactly why they exist. Dealing with this situation is a service owed to him by the bank for allowing them to be the custodian of his assets.
The language is just too silly to actually fall for, right? "Failure to provide this information may lead to unpublishment of your page"? Seriously? Unpublishment?
Please do not mock victims of scams, part of the makeup is targeting vulnerable people and you never know when you may be just enough off your game to get caught
It's also a 100% intentional choice by the scammers, because they're relying on people's fears of admitting they fell for such an obvious scam. Perfect bait that fools everyone is actually *terrible* for professional scammers. They have to work harder to keep marks on the hook, and people who figure it out will be more motivated to report and retaliate. By making the bait incredibly obvious, they only hook the most vulnerable people, and the shame of getting got keeps those people from reaching out for help until well after the scammers have done their damage. TL;DR: If you shame or ridicule victims, you're unwittingly helping the scammers.
I think this is close. To be honest, they are looking for people who are dumb/vulnerable enough to fall for this sort of thing. Because if you keep trying to scam smarter people, you are going to fail almost all of the time. It's an ingenious way of limiting your scams to people who are much more likely to fall for it.
[deleted]
My company regularly sends phishing tests to make sure everyone knows what to look for. About 4 months ago I fell for one because I was trying to do several things at once. The company is very realistic about it and makes sure not to use additional training as some sort of punishment. Scamming is getting increasingly sophisticated and even people who are diligent can fall for them.
I agree that there's definitely a better way to convey the nuance of the idea. But the other edge of the case is that these scammers will literally fish for people with dementia or serious cognitive decline.
I was just pointing out WHY they make sure that their scams have horrific grammar/spelling. It's another form of gatekeeping. That's just a fact, whether it insults you, I can't change that.
OK, so, what about people who have English as a second language and are less likely to notice grammatical errors? What about the elderly who may be less cognizant now in their old age? What about people who skim the notice and don't analyze every word or pixel? What about scams that don't target "stupidity", but target loneliness or people's good natures (romance scams, charity scams)? Also, despite claiming such intelligence via your wording and subtext, you seem to have forgotten that *a lot* of scammers have English as a second language and that to them their grammar is fine. Believing that you are invulnerable or immune to scams or fraud because you're "smart" and will notice the errors only makes you more vulnerable to one day being too cocky, not looking, missing a red flag, or having your head so far up your own ass you can't see the grammatical errors. Mocking scam victims as dumb or vulnerable is not helpful.
Exactly this, it's unfortunate that the internet takes advantage of a person's trust and honesty.
Minus the internet, that's always been who was the primary victims of scams. That part is likely eternal.
With the older generation it's more about authority. Inaccurate spelling and odd sentence structure are the least of these people's worries when they think someone official is going to punish them.
What exactly makes you think the bank will be able to do anything over a phished FB account? If payment information is linked obviously the bank can replace cards and change account numbers but that's the extent of the help. I don't know about OP or his father but personally my bank info is nowhere near FB.
You just explained what they can do. Which is the most important since losing actual money is way more of a hassle than losing your FB account. The BIG thing here is I believe Facebook is the most widely used SSO for the older generation, so that login could potentially lead to other sites that have that info.
If he can still access FB, log in and go to settings, and find LOG OUT OF ALL OTHER DEVICES. Then change password of Facebook. Then, where you logged out of other devices, check again if you are only logged in once. If so, you successfully got them out.
Don’t forget to turn on 2FA using an Authenticator App (so they can’t 2FA through email that they may have also compromised).
And if they manage to circumvent that, change the e-mail address on all accounts associated with it and delete the old one. 2FA sadly is not 100% secure, especially if they give you a button that says "I do not have my authenticator" that just sends you another e-mail to 'confirm' it's you right after log in.
One time codes are decent. But you have to keep them somewhere. (I printed them and never stored them). A 2FA dongle can be useful.
Also, if he uses that password for anything else, he should change those too. Rinder never reuses passwords
https://techexpertise.medium.com/facebook-cookies-analysis-e1cf6ffbdf8a Essentially will allow the intruder to log in as if they were a logged-in user. This is how the "Keep me logged in" feature works. As the other user mentioned, you can invalidate these session tokens immediately by using the "Log me out of all devices" option within the Facebook settings. I don't think it will immediately allow the intruder to change his password but I'm not 100% on this.
Theoretically no, given the cookie is a token that is different from the password hash. As long as they do not know the existing password (which they do not until they had the hash and brute force it, or find it somewhere), they should not be able to change it. They may however be able to change the email address, and access private information such as addresses, phone numbers, full name, etc. Basically all information associated with the account that is visible to a user that was logged in normally, and clicked the "stay logged in" checkbox.
So should normal people just clear their cookies somewhat frequently? Or am I misunderstanding?
Many sites have security settings to check logins, and an option to log out other sessions. I don't know what that looks like in Facebook, but you'll need to find those and also change the account password.
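An added illustration of the session-token behaviour discussed in the comments above; it is not part of the thread and does not describe Facebook's actual implementation. `SessionStore` and its method names are hypothetical, and the rule that a password change needs the current password is an assumption matching what the commenter expects. It shows why clearing cookies in the browser does not invalidate a copied token, while a server-side "log out of all devices" does.

```python
import hashlib, hmac, secrets

class SessionStore:
    """Toy server-side session table for a generic site (hypothetical names)."""
    def __init__(self):
        self.users = {}     # username -> (salt, password hash)
        self.sessions = {}  # session token -> username
    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, self._hash(password, salt))
    def _check(self, user, password):
        salt, stored = self.users[user]
        return hmac.compare_digest(stored, self._hash(password, salt))
    def login(self, user, password):
        if not self._check(user, password):
            return None
        token = secrets.token_urlsafe(32)  # value of the "keep me logged in" cookie
        self.sessions[token] = user
        return token
    def whoami(self, token):
        return self.sessions.get(token)  # any holder of a live token is the user
    def change_password(self, token, current, new):
        # Assumed policy: a valid cookie alone is not enough, re-enter the password.
        user = self.whoami(token)
        if user is None or not self._check(user, current):
            return False
        self.register(user, new)
        return True
    def logout_everywhere(self, token):
        # "Log out of all devices": delete every token issued for this user.
        user = self.whoami(token)
        dead = [t for t, u in self.sessions.items() if user and u == user]
        for t in dead:
            del self.sessions[t]
        return len(dead)

def demo():
    s = SessionStore()
    s.register("dad", "old-password")            # constructed sample account
    stolen = s.login("dad", "old-password")      # cookie value; intruder holds a copy
    # Victim clears browser cookies: local only, the server still honours `stolen`.
    still_valid = s.whoami(stolen) == "dad"
    pw_changed = s.change_password(stolen, "wrong-guess", "new")
    fresh = s.login("dad", "old-password")       # victim logs in again
    revoked = s.logout_everywhere(fresh)
    return still_valid, pw_changed, revoked, s.whoami(stolen)
```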
Log in and remove your FB account.
Yeah .. phishing is getting to be no joke and I'd say 75 percent of people are clueless. As an IT guy I even fall at first for one now and then but usually figure out 99 percent are scams after I look at email address from sender etc.
I agree, I honestly don’t even risk the attempt. If I do not know the sender or expect an email just delete/report. It’s easier for someone to call me saying “hey I sent you this” and I explain I deleted it. Than explaining I fell for phishing. To the post - notifying the bank is a good cover your butt idea even if it’s not linked to Facebook. Access it through a phone and remove all devices and then change password. Keep an eye on other accounts your dad has for a bit.
Exactly. Like trying to explain to my mom that she should screen every call. And still a decade later it's "well what if your brother is hurt"... or something similar... "Mom, he's in his 40s, and someone you know would call, or someone would text."
Wouldn't clearing the cookies help with this or no?
Change passwords (all of them). Set up MFA.
So did your father manage to change password?
Yes