How to avoid Facebook phishing scams in real estate

With over 2.8 billion users, Facebook offers a tempting landscape for cybercriminals. While Meta has made strides in securing personal Facebook Profiles, scammers have shifted their focus to Business Pages. Here’s how to spot and avoid Facebook phishing scams targeting your real estate business.

If you manage the social media pages for your real estate business, you’ve likely witnessed a significant surge in messages that look from the outset to be official Facebook warnings but turn out to be someone unrelated to Meta phishing for your data or trying to scam you. It’s become so prevalent that it is now one of the top issues our real estate clients contact us about.

So, how do you distinguish legitimate messages from the shady ones? Read on as I walk you through the common messages cybercriminals use to target real estate professionals and help you identify fake messages from fraudsters.

Common Facebook scams exposed

The most common phishing messages currently advise that your account has some form of problem. This may include:

1. a copyright violation
2. a Facebook/Meta policy violation
3. your page details need confirming
4. a technical problem with your page.

You might get the message in a few different ways:

1. via Messenger
2. on a post on your page
3. by being tagged in a post on the scammer’s page
4. email.

What scammers want to achieve with these messages

These people commonly use ‘phishing’ to gain control of your accounts/pages. Click a link in their message and you are taken to a ‘Facebook’ appeal form. In reality, it goes to a fake Facebook page controlled by the scammer, which seeks to steal your account credentials.

Once you enter your username and password, the scammers can gain full access to your Facebook profile and any business accounts/pages that are connected.

They can then use your accounts for malicious purposes such as:

• identity theft
• spreading malware
• accessing personal data
• messaging your friends or clients with more scams
• posting fake news/reviews
• running ads to sell non-existent products
• reselling your login details on the dark web
• holding your accounts hostage for a ransom.

Spotting phishing attempts on Facebook Messenger

Here are some real-life examples of Facebook scam messages we’ve encountered recently, sent via Messenger, and what clues they contain that point to ingenuity.

In the above message, the scammer’s goal is to get you to click on the link to appeal if you believe your page has been flagged by mistake. The link looks genuine because it contains the words ‘metabusiness_help’. However, the URL is coming from bio.link which tells us this is a scam.

Other phishing links are more obvious because they don’t include any Facebook or Meta wording, or they are very long. Like these ones below

These fake messages create a sense of urgency by implying that failing to act quickly will result in your Facebook account or page being disabled, deleted, or blocked. This urgency is designed to bypass your rational thinking and lead you to click without consideration.

Any request to take action immediately or in a very short period of time, like the ones below, should set off alarm bells for you.

Another red flag is receiving a message from an individual who claims to be from Facebook or Meta support. Meta’s staff do not share their names, nor do they have user profiles.

Facebook scam posts, tags and emails

In addition to direct/private messages, scammers can also contact you by posting directly on your Facebook page, sharing one of your posts on their page or tagging your page in one of their posts (you can disable these options in the settings of your Facebook business account to prevent this happening).

Below are two examples of these scamming tactics. Once again, notice how the scammer’s goal in each instance is to alarm you and get you to click on the links provided quickly.

Most fraudulent messages are easy to spot using the URL or poorly written English. This example below is a little more sophisticated. It asks the page owner to set up 2-factor verification. It uses a real Facebook URL (a page name) to redirect you out of Facebook to a website where they will extract even more personal information. When I clicked the link, in this instance I got a warning from Facebook that I was following a link external to their site, and then Google showed a warning that this page was fraudulent.

When it comes to email, it can be even more challenging to determine whether the message is real or fake. Cybercriminals work very hard to make their email messages look like they came from Facebook/Meta themselves. However, the signals of authenticity are the same regardless of how the message has reached you. Check the URL before clicking.

Besides incorporating Meta terminology into their email designs, scammers also use real graphics or duplicate things like actual Meta email footers in an attempt to get you to click their link or download their files, like in the example below.

In this case, they have even gone to the effort of including how to protect your account!

This scam email appears deceptively official. It uses elements like a case number, “Meta for Business” in the reply address, and familiar colours to mimic legitimate Meta communication. However, the telltale sign is the email address ending in “@outlook.com.” Meta will never use a non-company domain for official business.

When you inevitably receive an email like this, check the email address. If it comes into your business’s public inbox address, such as info@myrealestatebusiness.com, rather than the email address you use to log into Facebook you should be able to disregard it as a phishing attempt instantly.

Pretending to be a real estate customer

Another common tactic Facebook scammers use is contacting you as if they are a prospective or existing customer. As in the example below, our real estate clients often receive messages asking for help buying and selling properties.

Once you engage with the fraudsters about the property they seek, they will ask you to click a link. That should be an immediate warning to you: ring ding, ding, ding!

In another case received by one of our real estate clients, the ‘customer’ claims to have received a damaged product and asks the recipient to review a file. As real estate agents who don’t sell products, this should immediately be disregarded as a phishing attempt. Another glaring, obvious concern is that the name of the file sent does not match the information in the message.

Spotting a scam message can be tricky

Scammers are constantly upping their game, making it difficult to distinguish a genuine customer or Meta support request from a fake one. If you receive a message about your Facebook Page, have reviewed it closely, and think it may be legitimate, check out the profile/page of the person who sent it before rushing into actioning any instructions. Tell-tale signs that it is a bogus profile or page include:

Low engagement: Does the sender’s profile have minimal friends, followers, or page likes?

Brand new presence: Was the account created recently, and has it contacted you out of the blue?

Incomplete profiles: Look for sparse information. Does the profile lack contact details, a cover photo, or a complete bio?

This page is an example that shows the signs of being a phoney.

These fabricated profiles/pages may also have:

• Weird/strange profile/page names
• Spelling and grammatical errors
• Odd graphics.

The page below is an example that has all of the above!

My top tips for avoiding Facebook scams

Tip #1: It is rare for Meta to contact you asking you to contact them

Any message you receive like that should be treated with a grain of salt. For example, if Meta has issues with copyright-infringing content on your page, they will remove the problematic item.

Tip #2: Take your time before taking any action

Any legitimate request will give you an adequate period of time to complete what is required. If someone asks you to do something immediately or within a very short period, it is most likely a scam. If you receive a request for action and cannot check it thoroughly at that moment, don’t rush into doing what is asked. Leave it until you have the time to review the request and the sender’s credentials properly, looking out for the clues outlined in this article.

Tip #3: If you get an email claiming to be from Facebook or Meta, check the address

The only domains from which Facebook or Meta will email notifications are listed on their websites. If you receive a Facebook or Meta email notification, check the sender address against this list. Don’t open the email or click any links if they are from any other address.

You can also check your Facebook settings to see whether it genuinely came from them. They log all their recent communications with you in your Facebook Accounts Centre so you can double-check their authenticity, as shown in the screenshots below.

Tip #4: Avoid clicking links received from someone you don’t know

As a general rule of thumb, DO NOT click on a link in a message unless you are 100% certain it is safe. If you’re unsure whether the sender is genuine, use a website safety checker such as Google Safe Browsing to quickly identify if a site or a specific URL is legitimate. Copy and paste the URL you’ve been sent to the page, and Google will test the link and report on its legitimacy and reputation in seconds.

Tip #5: Don’t respond to messages asking you to provide confidential information

For example, your Facebook or other passwords, personal or financial information (such as your birthdate or credit card number) or copies of ID documents.

Tip #6: Ensure you have two-factor verification enabled for all your online accounts

Facebook two-factor authentication requires you to enter a code when an unauthorised device attempts to access your account. If you have enabled two-factor authentication on your account, even if a scammer has your account access details, they still won’t be able to gain access your accounts without the extra verification step.

What to do if you have fallen for a Facebook scam

Even the savviest of us can fall victim to a scam. If you’ve recently clicked a suspicious link and shared personal information to someone you thought was Facebook, don’t panic! Here’s how you can mitigate the damage and protect yourself moving forward.

1. Reset your Facebook password to log scammers out of your account.
2. Contact Meta help via the help panel within their website/app.
3. Check your Facebook activity log and ad accounts for suspicious activity from the scammer and delete where needed.
4. Scan your computer for malware.
5. Reset your passwords on other accounts if you reuse the same password across multiple online platforms.
6. Monitor all your online accounts closely for suspicious activity.

Need an expert on your team?

Hoole is a specialist digital marketing agency with over 20 years of real estate industry expertise. If you’d like to secure quality clients and increase your property listings to grow your business’s profits, then contact me, Melanie Hoole. I offer a free one-hour consultation, during which I’ll review your current brand marketing activities and recommend the best next steps for you.

Written by Melanie Hoole

My team and I specialise in helping real estate and property professionals perfect their personal brand, build a first-class digital profile and implement inbound marketing activities to attract leads. If you are unsure which direction to take with your digital marketing contact me for help.