Facebook phish claims " Someone tried to log into your account "

An article by Christopher Boyd a Malware analyst concerning fake emails from Facebook

Facebook phish claims “Someone tried to log into your account”

Posted: March 21, 2022 by [Christopher Boyd]

Watch out for bogus Facebook phishing messages winging their way to your mailbox. The ruse is quite simple: The mail senders are relying on the recipient’s sense of panic to respond without thinking about it.

The mail looks professional enough, and seeks to imitate what would be a fairly typical looking message from Facebook. As for the panic aspect, the phishers have pinned the hopes of this attack onto the old faithful “Someone is trying to login as you, so you’d better do something about it ASAP” routine.

The phish

The mail itself combines a fairly clean design with minimal messaging. There’s a tendency with some phish attempts to overstuff the mail with all manner of nonsense to look more convincing. When that happens, we often see increasing amounts of typos or broken mail design. This one simply gets to the point. It reads as follows:

Someone tried to Iog into Your Account, User lD

A user just logged into your Facebook account from a new device Samsung S21. We are sending you this email to verify it’s really you.


The Facebook Team

So far, so good. However, it goes a bit off the rails with the two clickable buttons presented. The first one says “Report the user” which makes sense. The second one just says “Yes, me” instead of something more plausible such as “Yes, it’s me” or even just “It was me”. This may set some alarm bells ringing.

The functionality

What happens when you click the button(s)? The expected process is to be whisked away to a phishing page and enter your details. Not here. This one follows the same pattern as a mail we covered a little while ago.

You may remember the phish attempt claiming to have detected unusual sign-in activity from Russia. That mail didn’t bother with phishing pages. Instead, it popped open a pre-formatted mail in your client of choice for you to respond to the creators. Anybody replying would likely receive additional requests for login details or much more besides.

This phish follows the same path, opening one of two pre-filled response styles depending on which button you select. “Report the user” is the most interesting one, pre-filling the subject line as “Send statement”.

What is sent back may be a booby-trapped document of some kind, or perhaps phishing done through a form. It’s also possible the dialogue will simply continue via mail. Whatever they’re up to, they should be treated with the cold shoulder they so richly deserve.

Go to the source

Always remember to navigate directly to the sender of supposed security alerts. If it’s genuine, you should be able to address whatever issue you’ve been sent. If there’s no sign of it, consider sending it along to them directly. It may be a scam sample they’ve not seen before, and this can in turn help them to protect a wider userbase. Above all else: don’t panic, because this is how attackers can trick you into doing something you’ll regret.

Report, block, and go about your day.


Yea, I get them, and I don’t even have a farcebook account, so no panic, just irritation!
The same irritation I experience when stuff like this turns up (as I was replying here)

Second Notice

I am still awaiting your Current Address & Phone Number in order to
remit the pending inheritance payment to you.

Your prompt response is being anticipated for expedient action.

Yours Faithfully,
Anthony Delsato
Finders International


Another mitigation is to have a great many email addresses. Unless the notification arrives at the correct email address for the platform, the notification is likely to be a scam (and the odds are stacked against the scammer).


The Shovel or Betoota Advocate had a great satire about a person missing out on $millions because he did not respond to what was a genuine email :rofl:

I suspect some who read that one always reply just in case :laughing:


Which is a very poor outcome for society?

It would be more reflective of the education, inability to discern satire, and a lack common sense of anyone who did that.

Yet The Shovel and its global peers continue to struggle to make satire more absurd or funnier than reality in recent years. I have written numerous complaints to The Shovel in that I support a satire site and they need to stop publishing real news before it happens!


Just Poe’s Law being potentially demonstrated.

1 Like

Sadly true.