Ask HN: Is there a known phishing attack via Facebook support inbox?

2 points by babuskov over 1 year ago

Hi,

I have a business facebook account and got a message from them to verify the business. The only link in the email was going to facebook.com/support, which I typed into the browser and it really showed a message (supposedly) from the Facebook support team. Basically, asking for company info, most of which can be obtained from public resources online. Here's a screenshot:

https://bigosaur.com/fb/request-company-info.png

Interesting thing is that they never mention my company name, but I only have one company registered with them, so I guess that was it. So, I replied to that since the info is public anyway.

This was about 2 weeks ago. Today, I get a new message claiming that I applied for "Facebook fundraising tools". Of course, I never applied to that, my company isn't even a non-profit, which seems to be a requirement. At first I thought someone must have typed in my company name wrong, but there's a peculiar thing: Now they did include the company name, and it's IN THE SAME THREAD as the first message.

The request wants a copy of ID card for "Ana Petrovic". I have no idea who that is. It's a very common name, like Jane Smith in US. Here's a screenshot, note the same item_id:

https://bigosaur.com/fb/request-ana-petrovic.png

This looks like a phishing attack, but I'm trying to figure out how it works. How did they manage to initiate the conversation as if Facebook is contacting me? If I send any info back, does the attacker get it?

What if I reply, "I don't know Ana Petrovic, my name is XXX", will they then ask for my ID documents?

If anyone from Facebook is reading this and needs more info, please feel free to contact me via the email in my HN profile.

1 comment

babuskov over 1 year ago
Update: I looked at various settings, and found an account Ana Petrovic listed as Payment Account Admin. I have removed it now and set 2FA requirement for all the changes.