In the digital age, social media accounts, especially Facebook, are not only a tool to connect the community but also a "digital asset" containing a lot of personal information, transactions, and even income of users. Understanding this, scammers are increasingly sophisticated, using the trick of sending fake emails to lure users to "hand over" their accounts.
The Panic Trap
According to Long An Provincial Police, a new online fraud campaign with extremely sophisticated tricks is targeting Facebook users, taking advantage of a legitimate Google service to bypass email protection systems.
Specifically, cybercriminals used Google's code-free Google AppSheet software to send out a series of phishing emails. Because they were sent from Google's "@appsheet.com" address, these emails easily bypassed Microsoft's domain reputation and authentication mechanisms (such as SPF, DKIM, DMARC) as well as Secure Email Gateways (SEGs), making them appear as legitimate messages in the victim's inbox.
Each email is also created with a unique ID, making it difficult for traditional detection systems to detect. The content of these emails pretends to be a notification from Facebook, informing the user that the account has been infringed on intellectual property rights and will be deleted within 24 hours. To avoid being banned, the user is asked to click on the "Submit an Appeal" button.
When clicked, the victim is taken to a fake landing page designed to look exactly like the Facebook login page.
What's more, the fake page is hosted on Vercel, a reputable platform, adding credibility to the entire scam.
Here, if the user enters their login information and two-factor authentication (2FA) code, all this data will be sent directly to the attacker.
The trick is even more sophisticated when the first login on the fake site often reports "wrong password" for the victim to re-enter to confirm the information.
More dangerously, the 2FA code, once provided, will be used immediately by criminals to seize the session token from Facebook, allowing them to maintain access to the account even after the victim has changed the password.
Ms. Nguyen Thi Thu H. ( Hanoi ) received an email notification that “Your Facebook account has violated community standards and will be locked within 24 hours”. Fearing that she would lose the account she was using for online business, she immediately clicked on the link in the email to “complain”.
The website appeared to be identical to the Facebook interface. Without any doubt, she entered her username and password. Within minutes, her account was hacked. The hacker changed all her security information and sent messages to dozens of her friends asking for loans, along with pictures and very credible information. A close friend of hers transferred 10 million VND before discovering the incident.
Caution is self-protection
Faced with the current scam situation, the Information Security Department recommends that email users be vigilant. Absolutely do not click on strange links, and do not provide personal information to websites of unknown origin.
According to the Department of Cyber Security and High-Tech Crime Prevention - Long An Provincial Police, users need to be extremely cautious with emails asking for urgent action or providing personal information, even if they appear to come from a trusted source. Always check the sender's address carefully and do not click on suspicious links.
Speaking to reporters of the Knowledge and Life Newspaper , lawyer Nguyen Ngoc Hung - Head of the Ket Noi Law Office (Hanoi Bar Association) said that in the digital age, the control of social network accounts, especially Facebook, through tricks such as fake emails is becoming more and more common. In many cases, after taking over an account, the crooks impersonated the account owner to scam relatives and friends in order to appropriate property.
According to current legal regulations, when an individual has their account hijacked via a fake email, the user is the victim, not an accomplice or abettor. Therefore, if there are no signs of intent or serious fault on the part of the account owner, this person will not be prosecuted for criminal or civil liability for the fraudulent act committed by the fraudster. However, if the user knows that the account has been hijacked but does not promptly warn, does not report the incident, or is negligent or irresponsible, leading to damage to others, he or she may be considered for indirect civil liability - according to the principle of compensation for non-contractual damage stipulated in the 2015 Civil Code.
As soon as you realize that your account has been hijacked, you need to take some actions to prevent damage to yourself and others as well as to protect your legal position. You need to report that your account has been hacked. This helps Facebook temporarily lock your account to prevent the attacker from continuing to use it. At the same time, record videos of unusual signs such as fake emails, strange login notifications, fraudulent messages sent from your account... by recording videos, taking screenshots. This evidence is very important if there is a dispute or need to report a crime. Use another account or ask someone you know to widely announce that your account has been hacked, and advise everyone not to transfer money, not to provide OTP codes or personal information if you receive suspicious messages. Contact and report the incident to the local police for reception, investigation and handling according to the law. After regaining access, users should change their passwords to strong ones, check and log out of all unfamiliar devices to ensure account security. In case the account is used for fraud or spreading illegal content, it is necessary to coordinate with the authorities to handle violations, avoiding causing damage to others.
Thus, the person whose Facebook account is stolen via fake email is the victim and is basically not legally responsible for the actions of the scammer. However, proactively reporting, warning and cooperating with the authorities not only helps protect your own rights but also contributes to preventing illegal acts and minimizing damage to the online community. In all cases, users need to stay calm, not arbitrarily respond or transfer money to scammers and always coordinate closely with the authorities to handle the case legally and effectively.
The Anti-Phishing Project has just updated its website to a new version, adding a chatbot and an AI tool to identify scam sites on the Internet.
Users can access the website chongluadao.vn and enter the link to be checked. The system will compare the link with the Anti-Fraud database and third-party partners, then return the result if the website is safe, dangerous or has no clear data.
If you want to use AI, just click Analyze more with AI. At this point, the tool will analyze the website based on many different factors such as suspicious domain names, illegal content, containing risky links, using unusual hosting...
From the above data, AI will synthesize the factors and give a risk assessment on a 10-point scale. Suspicious details about information and images on the website are also analyzed and displayed on the results page.
The Anti-Phishing Project was co-founded by cybersecurity expert Ngo Minh Hieu in 2020, to support reliability checks and warnings when accessing unsafe websites. Users can contribute data by reporting malicious links on the chongluaodao.vn page.
Source: https://khoahocdoisong.vn/lua-dao-qua-email-nham-chiem-quyen-kiem-soat-facebook-post1550633.html
![[Photo] Cuban artists bring "party" of classic excerpts from world ballet to Vietnam](https://vphoto.vietnam.vn/thumb/1200x675/vietnam/resource/IMAGE/2025/6/26/797945d5d20b4693bc3f245e69b6142c)
Comment (0)