Recently, our team has observed numerous sponsored Facebook phishing ads that impersonate legitimate financial institutions to offer scam loans. The scammers pose as a verified banking institution and pay for Facebook ads to create the illusion that theirs is a trustworthy page.
Our team believes that the coming holidays prompted these scams to surface, since people are more willing to borrow extra money for the festivities.
Why do these scammers utilise Facebook ads as their vector for phishing?
One of our analysts discovered that Facebook, especially in India, carries several loan advertisements that try to bait users into clicking them to inquire about the requirements for a loan.
However, baited users who click the “Apply Now” button found in the ads are redirected to a phishing site or a compromised domain instead of getting a direct response from the ad operator.
In other instances, the phishing website’s URL is found in the ‘About’ section of the Facebook ad’s account page. This method indicates that scammers can easily input their phishing websites on Facebook without being checked or detected.
Fortunately, savvy users will quickly detect these phishing websites in the ‘About’ section, since the URL is not identical to that of the legitimate website the scammers are trying to spoof. However, users who are less experienced with the internet remain prone to these kinds of scamming techniques.
What does this discovery tell us about Facebook in terms of ad approval and identity confirmation?
As of now, Facebook’s ad approval and ID verification can be described as “lenient”, since small-time accounts and non-political sponsors can freely pay to advertise any form of product, service, or even promotional items.
However, this leniency that Facebook gives to all users has paved the way for scammers to upload malicious ads accompanied by phishing websites.
In addition, Facebook does not seem fully committed to phishing detection in its ads, because phishing material is currently abundant on its ad pages.
What should users do to remain safe against phishing attempts from Facebook Ads?
We at iZOOlogic urge everyone to be more vigilant in identifying suspicious Facebook ads. We also want to remind users to always check the URL of the site they are redirected to, since a legitimate sponsor’s ad will lead to the same website address as the company’s own. Users should take a moment to research whether the site they are about to access is the same as the company’s or firm’s official website. Lastly, do not engage in any suspicious transactions, to stay safe from any form of scam.
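The URL comparison recommended above, and the lookalike addresses found behind the “Apply Now” button or in the ‘About’ section, can be checked mechanically. The following is an added example, not iZOOlogic’s own tooling; the domain `examplebank.example`, the function name and all sample URLs are constructed placeholders.

```python
from urllib.parse import urlsplit

# Assumption: the official domain comes from the institution's own published
# material, never from the ad or the page's 'About' section.
OFFICIAL_DOMAINS = {"examplebank.example"}  # constructed placeholder


def check_landing_url(url, official=OFFICIAL_DOMAINS):
    """Return (verdict, reason) for a URL taken from an ad or 'About' section."""
    try:
        parts = urlsplit(url.strip())
        # .hostname ignores any "user@" prefix, so a URL such as
        # https://examplebank.example@other.invalid/ resolves to other.invalid
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return ("suspicious", "malformed URL")
    if parts.scheme not in ("http", "https"):
        return ("suspicious", "not a web URL")
    if not host:
        return ("suspicious", "no hostname")

    # Only the official domain itself or a true subdomain of it counts.
    for dom in official:
        if host == dom or host.endswith("." + dom):
            return ("match", dom)

    # Punycode labels can render as look-alike (homoglyph) characters.
    if any(label.startswith("xn--") for label in host.split(".")):
        return ("suspicious", "punycode label in hostname")

    # Brand name embedded in an unrelated host, with or without hyphens.
    squashed = host.replace("-", "")
    for dom in official:
        brand = dom.split(".")[0]
        if brand in squashed:
            return ("suspicious", "brand '%s' used in unrelated host" % brand)

    return ("mismatch", "host is not the official domain")


if __name__ == "__main__":
    for sample in (  # constructed sample URLs
        "https://www.examplebank.example/loans",
        "https://examplebank.example.loans-apply.invalid/",
        "https://examplebank.example@loans.invalid/apply",
        "https://example-bank.invalid/",
    ):
        print(sample, "->", check_landing_url(sample))
```

Both “suspicious” and “mismatch” mean the address is not the institution’s own site; “suspicious” additionally indicates a deliberate lookalike.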