Last year Facebook Inc (NASDAQ:FB) decided that it had the right to use everyone’s photos for advertising, once again testing whether people would close their accounts rather than have their privacy trampled on (signs point to no). Now, Facebook’s privacy policy is the basis of phishing attacks that claim user photos are being used to advertise some embarrassing website.

Facebook Phishing Scam

New attack plays on privacy fears and Facebook’s ubiquity

But not only does this phishing attack play on the privacy fears that Facebook Inc (NASDAQ:FB) aggravates, it also plays on our comfort with using a single set of credentials (Gmail, Facebook) to sign in to lots of different websites.


“The scammers use some JavaScript to bounce the victim from a Tumblr spam blog to a fake Facebook Inc (NASDAQ:FB) login which they’ll need to use to see the supposed photos,” reports Christopher Boyd at Malwarebytes. “Anybody filling in their details and hitting enter will of course have their username and password sent to the attacker.”

Signing in through Facebook Inc (NASDAQ:FB) doesn’t exactly work this way, but for someone who’s not paying attention (because they want to know what terrible pictures are being spread across the internet, perhaps) getting redirected to a website that looks exactly like the Facebook front page might be enough to get a few passwords. After all, if these tactics never worked you have to assume that phishers would stop using them.

Protect yourself from phishing attacks

As with any phishing attack, the key is to be skeptical any time you’re prompted to take immediate action, whether it be to earn a million dollars from a stranger or save your dignity from some anonymous website. If you’re redirected to a website, check that the address bar shows the genuine site’s domain, not just a page that looks like it. If it looks strange, go to the website on your own (this is the same as looking up phone numbers for yourself instead of relying on the ones given to you if you suspect an offline scam). And of course, if you think your account might be compromised you should change your password immediately. With any luck you’ll save yourself the real embarrassment of having to explain to your friends that you still fall for internet con jobs.
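One way to make the “check the URL” advice concrete, as an added example that is not part of the original article: a small Python check that accepts a login page only when its host is exactly one of the genuine Facebook hosts over HTTPS, and flags addresses where the brand name merely appears somewhere in a different domain or path (the pattern behind the fake login page described above). The host allowlist and the sample URLs are constructed assumptions for this example, not taken from the article.

```python
from urllib.parse import urlparse

# Constructed allowlist of genuine Facebook login hosts (assumption for this
# example). Only an exact match counts; "facebook.com" appearing inside a
# longer hostname or a URL path is not a match.
GENUINE_HOSTS = {"facebook.com", "www.facebook.com", "m.facebook.com"}

# Cheap normalization so that digit-for-letter lookalikes such as
# "faceb00k" are still recognised as an attempt to imitate the brand.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e"})


def classify_login_url(url: str) -> str:
    """Classify a login-page URL from a user's point of view.

    Returns one of: "genuine", "genuine host but not https", "lookalike",
    "unrelated host", "no host".
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower().rstrip(".")
    if not host:
        return "no host"
    if host in GENUINE_HOSTS:
        return "genuine" if parsed.scheme == "https" else "genuine host but not https"
    # Brand name present, but not as the registered domain: the classic
    # "facebook.com.someblog.test" or "/facebook/login" on an unrelated site.
    haystack = (host + parsed.path + parsed.query).translate(_HOMOGLYPHS)
    if "facebook" in haystack:
        return "lookalike"
    return "unrelated host"


def login_host_is_genuine(url: str) -> bool:
    """True only for the exact allowlisted hosts served over HTTPS."""
    return classify_login_url(url) == "genuine"


if __name__ == "__main__":
    # Constructed sample addresses, including one shaped like the scam's redirect.
    for sample in (
        "https://www.facebook.com/login.php",
        "https://www.facebook.com.example-blog.test/login",
        "https://faceb00k.com/login",
        "https://example-blog.test/photos?next=facebook",
    ):
        print(f"{classify_login_url(sample):30s} {sample}")
```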