Facebook, Instagram still unable to effectively combat simple phishing scams
Facebook and Instagram are still unable to combat even relatively simple phishing scams. NOS monitored a Nigerian gang of internet scammers who managed to steal log-in details from at least 3,200 victims, including 1,000 Dutch in half a year. The scams weren’t complicated at all: the gang used nothing more than a smartphone and didn’t even use a VPN to hide their location, the broadcaster reports.
Victims typically receive a message from one of their friends or followers on the social media platforms stating that they were taking part in a competition or challenge and needed a vote. The victim clicks on the link, which takes them to a site that looks like the social media platform’s log-in page. The victim types in their log-in details, which go straight to the scammers. The scammers then quickly log in to the victim’s account and change the email address and password, effectively locking the owner out.
NOS followed the trail of one such attack, which led to Lagos in Nigeria. With the help of security researcher Matthijs Koot, the broadcaster gained access to the gang’s systems and watched how they claimed new victims every day. In addition to Facebook and Instagram, they also targeted X and email accounts. About a third of the people who entered their details on a fake page were Dutch.
The gang is not very advanced. They use smartphones and a mobile internet connection, without a VPN, for their scams. “Their technical expertise is very limited. So you don’t have to be a brilliant technician to create victims,” Koot said. The Nigerian scammer gang has at least 125 phishing websites to its name, of which 24 are actively used, according to the broadcaster.
It is unclear what exactly the scammers do with the hijacked accounts beyond sending phishing messages to the victims’ contacts. They also seem to spread cryptocurrency scams on the accounts.
Regaining access to a hijacked account is difficult for the victims. “Instagram doesn’t help you at all! The help desk didn’t want to help me either, because they were afraid I was the hacker. It’s a world upside down,” one victim told NOS.
Meta, the parent company of Facebook and Instagram, told the broadcaster that it was investing heavily in its security systems and “constantly improving” them. “We know that losing and regaining access to your accounts can be frustrating,” the company told NOS in a written response. It did not say why it found it impossible to prevent such simple phishing scams, only saying that scammers are constantly trying to circumvent its detection methods.