Facebook grant scams

As soon as Facebook announced grants for coronavirus-hit businesses, scammers went phishing.

Phishers use Facebook grants for COVID-19 victims as bait

Facebook is offering $100 million in cash grants to businesses affected by the coronavirus pandemic. Eligible applicants can receive a grant worth about $3,300, announced the company’s official blog, and, picked up by major media outlets, the news quickly spread. Unsurprisingly, cybercriminals wasted no time hatching schemes to exploit this largesse.

Knowing many had heard about the grants but banking on few having absorbed the details, cybercriminals presented the news as if Facebook was handing out money to all users of the social network affected by COVID-19.

The bait

Potential victims see an article seemingly from CNBC, a world leader in business news with a monthly audience in the hundreds of millions, saying Facebook is giving grants to users hit by COVID-19 and including a link to apply for a grant. The grammar should give away the game, and the URL, which does not start with cnbc.com, is another suspicious element.

The news on the fake CNBC website

Those who turn a blind eye to the clumsy English and wrong URL are taken to another portal that bears more than a striking resemblance to the official site of Mercy Corps, a charity that helps victims of natural disasters and armed conflicts. However, the only topic on this one is Facebook grants, and the victim is asked to specify how many years they have been a user of the social network. The grammar on the website still stinks, and most of the links don’t work. It’s especially sad the that job announcement for the Facebook Grant CEO position is also unclickable — perhaps it could have been someone’s chance to land a job with a decent paycheck! And, of course, the site URL does not contain facebook.com, so it clearly has nothing to do with Facebook.

If you persist in ignoring the blatant oddities and decide to apply, first you’ll be asked for your Facebook username and password. If you enter them, they’ll go straight to the cybercriminals. Then, to accept your application, the site requires a lot more information, supposedly to verify your account: your address, social security number (for US citizens), and even a scan of both sides of your ID. No fields can be left blank, and the site diligently prompts you about any omissions.

When the form is filled out and submitted, the site displays a confirmation message that your application has been accepted and you will be contacted shortly.

Don’t hold your breath. The verification procedure is simply a ruse to gain access to your Facebook account, which the cybercriminals can then use to try to trick your friends and extract money from them. Moreover, the form fields provide the crooks with enough personal information to steal your identity. Armed with this and scans of your documents, they will likely be able to get into any of your accounts, including online banking.

The real CNBC site does indeed have an article about Facebook grants, but for businesses — the real beneficiaries of the program. And it was written by someone with a better grasp of the English language. As for the fake CNBC news, its only purpose is to fool you into believing that Facebook is now a charity for its users.

The news on the real CNBC website

How to avoid getting phished

To keep safe from phishing, you need, first, vigilance and, second, a reliable security solution that won’t let you anywhere near phishing sites. And although the latter is straightforward (simply install the solution and you’re done), staying vigilant at all times requires a bit of effort:

  • Look carefully at the URLs of the sites that you visit. If just one letter looks out of place, or if the usual .com has been replaced with .com.tk or something along those lines, your gut should tell you it’s phishing. Never enter personal information on such a site.
  • Pay attention to grammar and layout. If something smells phishy, it probably is.
  • Be naturally wary of any forms that want personal information. If you are asked for a passport scan, triple-check that you really are on the official site — and even if you are, think again about if the offer is really worth sending such sensitive data.