I have a business Facebook account and got a message from them to verify the business. The only link in the email was going to facebook.com/support, which I typed into the browser and it really showed a message (supposedly) from the Facebook support team. Basically, asking for company info, most of which can be obtained from public resources online. Here's a screenshot:
https://bigosaur.com/fb/request-company-info.png
Interesting thing is that they never mention my company name, but I only have one company registered with them, so I guess that was it. So, I replied to that since the info is public anyway.
This was about 2 weeks ago. Today, I get a new message claiming that I applied for "Facebook fundraising tools". Of course, I never applied to that, my company isn't even a non-profit, which seems to be a requirement. At first I thought someone must have typed in my company name wrong, but there's a peculiar thing: Now they did include the company name, and it's IN THE SAME THREAD as the first message.
The request wants a copy of an ID card for "Ana Petrovic". I have no idea who that is. It's a very common name, like Jane Smith in the US. Here's a screenshot, note the same item_id:
https://bigosaur.com/fb/request-ana-petrovic.png
This looks like a phishing attack, but I'm trying to figure out how it works. How did they manage to initiate the conversation as if Facebook is contacting me? If I send any info back, does the attacker get it?
What if I reply, "I don't know Ana Petrovic, my name is XXX", will they then ask for my ID documents?
If anyone from Facebook is reading this and needs more info, please feel free to contact me via the email in my HN profile.