Facebook users are being warned of a phishing campaign that tries to break into accounts, disguised as a Facebook Messenger chat from a friend.
Finland's National Cyber Security Centre (NCSC-FI) has raised the alarm about an active campaign seen in the country, but presumably equally capable of working elsewhere in the world, in which Facebook users are duped into handing over credentials that would allow a complete stranger to break into their account.
The attack works like this:
In some cases, according to NCSC-FI, the scam has extended to request credit card or banking information with the pretence that it will help transfer a prize payment into the victim's account.
A screenshot shared by NCSC-FI shows messages from an attacker asking for a mobile number to enter a competition, and telling the recipient to expect a verification code to be sent via SMS. A minute later, the attacker says that the pair have won a prize of 8,100 Euros, and that the code is required to receive the funds.
So what's the advice? I'm afraid you may not like it: you shouldn't trust Facebook messages from anyone, including people you know. Because whenever you receive a message, you cannot be sure that it really was from the person who claims to have sent it - all you might know (and this isn't even always the case) is that it was their account that sent the message.
So, if someone says something to you that is out of character, or asks you to do something or to share personal information that they wouldn't normally request, then treat the communication with suspicion. Consider contacting the person through a different method to confirm that it really is them who is messaging you.
And if someone asks you to forward a security verification code, you should always refuse.
Although these particular attacks have been reported as occurring in Finland, there is no technical reason why they couldn't be taking place in other parts of the world, and using different languages.
On occasion, users have fallen into a false sense of security when being scammed in their own language because they are so used to phishers and identity thieves concentrating on major languages such as English.