Beware of “your account will be deactivated” Facebook Phishing scam (2022)

Published by Reza Rafati on

In this post I will explain why you need to be aware of the “your account will be deactivated” scam, and I will share with you some actual phishing domains that are being used in the “your account will be deactivated” Facebook scam.

Taking a look at the “your account will be deactivated” scam

The facebook scam tries to lure Facebook users into providing credentials at the fake Facebook website.

The "your account will be deactivated"  Facebook scam
The “your account will be deactivated” Facebook scam

The first page of the Facebook scam

On the first page, the scammers try to trick the users by stating that some unusual activity had been detected, and because of that activity, the security team decided to deactivate your Facebook account.

The first page of the Facebook account deactivation scam
The first page of the phishing scheme

Your Account will be deactivated soon
We detected unusual activity on your account. Someone may have reported you in non-compliance with our terms of service. We have already reviewed this decision and the decision cannot be changed. To avoid having your account disabled, please verify your account.

Text used on the first page of the Facebook scam

The second page of the scheme

The Facebook user is requested to go to the next page. There the user will be prompted with a form that will request the birthday information of the user.

The final page of the scheme

The final step of the “Your account will be deactivated soon” scam, the scammers try to inform the Facebook user that all needed information has been received and that the account will not be deactivated. In reality, the scammers have received all of the information they wanted.

Fake page telling the Facebook user that everything is OK

The scammers that are operating these types of attacks will keep close track to the data they have received. The scammers will then simply forward the unaware Facebook user towards the official Facebook site.

Facebook informs via your profile

The Facebook Security team always informs Facebook account issues via the official Facebook website (facebook.com), they do this in such a matter, that you cannot miss the warning or information Facebook wants to share with you.

Some advice:

  • Don’t provide your Facebook credentials to anyone
  • If you get a message claiming to be from Facebook, simply start your Facebook as you would always do, and look for any messages from Facebook in your Facebook account

“Your account will be deactivated soon” phishing domains

The scammers which run this scheme utilize multiple domains to host their phishing content. I used the URLscan service to find these domains. This URLscan query quickly provided 21 versions of the phishing attack:

  1. app-bosco[.]dtqhn3ddnq-jqp3vn1ky650[.]p[.]runcloud[.]link
  2. app-kozey[.]mwwh1mboa9-xmz4qm5dx62o[.]p[.]runcloud[.]link
  3. app-baumbach[.]dtqhn3ddnq-jqp3vn1ky650[.]p[.]runcloud[.]link
  4. app-brakus[.]dtqhn3ddnq-jqp3vn1ky650[.]p[.]runcloud[.]link
  5. app-conn[.]dtqhn3ddnq-jqp3vn1ky650[.]p[.]runcloud[.]link
  6. app-berge[.]dtqhn3ddnq-jqp3vn1ky650[.]p[.]runcloud[.]link
  7. app-kilback[.]dtqhn3ddnq-jqp3vn1ky650[.]p[.]runcloud[.]link
  8. app-bogisich[.]dtqhn3ddnq-jqp3vn1ky650[.]p[.]runcloud[.]link
  9. app-bergstrom[.]dtqhn3ddnq-jqp3vn1ky650[.]p[.]runcloud[.]link
  10. app-kertzmann[.]3gotbtia9n-pxr4k0p053gn[.]p[.]runcloud[.]link
  11. app-gutmann[.]3gotbtia9n-pxr4k0p053gn[.]p[.]runcloud[.]link
  12. app-wunsch[.]3gotbtia9n-pxr4k0p053gn[.]p[.]runcloud[.]link
  13. app-bayer[.]3gotbtia9n-pxr4k0p053gn[.]p[.]runcloud[.]link
  14. app-yost[.]3gotbtia9n-pxr4k0p053gn[.]p[.]runcloud[.]link
  15. app-beier[.]kezunlxgra-ewl6n1jmj352[.]p[.]runcloud[.]link
  16. app-schmeler[.]kezunlxgra-ewl6n1jmj352[.]p[.]runcloud[.]link
  17. app-klocko[.]kezunlxgra-ewl6n1jmj352[.]p[.]runcloud[.]link
  18. app-morissette[.]kezunlxgra-ewl6n1jmj352[.]p[.]runcloud[.]link
  19. app-tillman[.]kezunlxgra-ewl6n1jmj352[.]p[.]runcloud[.]link
  20. acnrcvry[.]kezunlxgra-ewl6n1jmj352[.]p[.]runcloud[.]link
  21. scrtypages[.]kezunlxgra-ewl6n1jmj352[.]p[.]runcloud[.]link
Share this information

Reza Rafati

Founder of Cyberwarzone.com.