New phishing scam goes unchecked by Facebook

A not-so-new scam on Facebook has many users forking over their personal information – including credit card numbers – in exchange for too-good-to-be-true deals on Keen shoes.

Some users who have attempted to place an order noted they received a “timed out” screen when finalizing their order, while others had their orders appear to go through (though they received no confirmation emails). In both cases, shoes never arrived at their doorstep — but their name, address, phone number and credit card information were unwittingly handed over to online hucksters.

The ads first began appearing on Facebook and Instagram April 15, if not sooner, and a large handful of unlucky users have had their newsfeeds overrun by these scam ads. Although each ad appears to come from a different (fake) company, they all share a few common features: they have a similar layout, and they boast highly discounted Keen shoes, free shipping and fast delivery. Most of the ads come from bogus accounts clearly created for the purposes of the ad – they have no posts, followers or profile pics – though a few appear to be hacked accounts from legitimate (but potentially defunct) businesses. They all claim to be from authorized Keen retailers, but as Keen has told concerned consumers on Twitter: “This is not a KEEN official site or authorized retailer.”

As a lover of Keen shoes, I admit the first time this ad appeared in my feed, I considered clicking the “Shop Now” link. But something just didn’t feel right. So instead, I took a peek at the comments, which were flooded with words like “Scam!”; “Don’t click!”; “Report this ad”; “Don’t buy!” and even “They stole my credit card information.”

(This is just a small sampling; many of the comments also had some pretty unkind words for Facebook.)

So I reported that first – and presumably last – ad as “misleading or scam” and went about my day, thinking the unpleasant experience was behind me. But instead: the ads kept coming. And coming. The faster I reported them, the faster they arrived until it got to the point where 80% of the ads in my newsfeed were scam ads for Keen footwear. A quick scroll in my newsfeed today – at least 11 days after reports of the fake ads first appeared on social media – and nearly 1 in 5 posts in my newsfeed was a fake Keen ad. And even worse: I accidentally clicked “Shop Now” once when scrolling.

(I closed my browser immediately, deleted my history and cookies and then restarted my phone, but who knows what villainy now lurks on my device.)

It’s enough to make a person want to abandon the platform altogether, which makes me wonder: is it possible THAT – and not the credit card thievery – is the scammer’s true objective? It’s also possible this is a consumer advocate group placing the ads merely to demonstrate a very large kink in Facebook’s scam-detecting armor, though all signs at present indicate a malicious scam with no end in sight. And let’s not forget how reporting the ads seems to make more ads appear in one’s feed: clearly something is awry with Facebook’s algorithms.

This DM from KEEN to a concerned consumer was more than a week old by the time this story was published.

For their part, Keen has been turning the sites over to their legal team, though it seems clear they have nothing to do with the ads, and the responsibility of having them removed from Facebook should rest squarely on Facebook’s shoulders.

Any yet: more than 11 days have passed, and the fake ads continue. In some cases, Facebook tells me they’ve removed the ads. But for most, their response is far more unsettling: thanks for reporting, but we’re keeping the ad up for now. As someone who has paid for ads on Facebook before, I know they claim to have an ad review process. I create an ad, I submit it to them, and between a few minutes to a couple hours later, the ad gets approved and is posted. Which makes me wonder: what is their ad review process, and why isn’t it catching these blatantly fake ads?

A representative for Facebook didn’t respond to questions concerning this specific scam but says their ad review process “relies primarily on automated tools.” They check to see if the ad violates any of their Advertising Policies, and they reject the ad if it does. These “automated tools” are reviewing the ad’s text, images and related landing pages for violations before it goes live, and if an ad gets reported, it gets kicked back into the system for another review. It’s unclear if/when human eyes ever enter into the process, because the majority of the comments on these ads indicate the lion’s share of human eyes can see the scam. But sadly: that isn’t the case for all users, and some have clearly fallen victim to the fake ads.

“While we continuously evolve our tools and improve enforcement,” explains Facebook, “Bad actors continue to find ways to game the system. This is why we also encourage people to report this kind of behavior.”

But if reporting a single ad that’s part of a larger scam doesn’t help Facebook see the big picture – even if you feel like you’re painting the picture for them by reporting similar ads over and over – reporting can feel like a Sisyphean task. Since Facebook appears to be addressing the fake ads one-by-one using an automated system, rather than stepping back and noticing a larger scheme at play, this scam will continue to go unchecked if they don’t reconsider their approach, revise their algorithms and hire a few more humans to review suspicious ads and detect trends.

In any event, purchasing solely from authorized retailers and reporting the fake ones appears to be our only recourse at the moment. Well, that, and writing a story about it and hoping – just hoping – that it will eventually make its way to someone who can actually make a difference.

NOTE: The below fake ads are a small sampling of what’s made the rounds on Facebook. As of 4/27/19, the scammers appear to be switching up their game and marketing Skechers — instead of Keen — in their ploy. They also now occasionally make it appear as though the ad links to Regardless of whatever brand (or product type) is featured in the ad, proceed with a dose of skepticism, and don’t divulge any personal information (including credit card number) until you’re 100% certain the company is legitimate. There are plenty of real ads on Facebook too, so if you’re unsure, check with the manufacturer. Or as my study hall supervisor used to say: “When in doubt: DON’T.”

If it’s too late and you fear you’ve already fallen victim to this or another phishing scam, the Federal Trade Commission recommends you take these next steps.