
How to Secure Your Facebook Login With a Security Key to Avoid Scams and Hacks

Joel Lee 26-07-2017

Those who fail to pay attention are often the first to succumb to new hacks and scams — and if you regularly use Facebook, which is more likely than not, then you may need to start paying more attention.


This is especially true if you prefer mobile to desktop.

Image: share of global web traffic from mobile phones versus desktop (Image Credit: Statista)

Scammers, having noted that mobile traffic is now greater than PC traffic on a worldwide scale, are adapting their techniques to take advantage of mobile users. And since a mobile browser shows only a sliver of the address bar and phones rarely carry the security tooling found on PCs, this is a winning move for them.

Keep reading to learn more about how this new scamming technique works, what to look out for, and how you can stay secure going forward.

How the Facebook Login Scam Works

The scam uses a technique called URL padding. To see how it works, recall how the hostname in a URL is put together. Reading from right to left:

  1. A domain (required), such as facebook.com: the registered name, and the only part that tells you who actually owns the site
  2. Subdomains (optional), stacked in front of the domain: the domain's owner can create as many as they like and name them anything, including the names of other companies
  3. A path (optional), which comes after the hostname and says nothing about ownership

As a mobile user, you've no doubt seen the mobile Facebook address in your browser's address bar while using Facebook. That is the subdomain + domain combination that shows you're on the mobile version of Facebook's site. When you see it, you feel safe.

URL padding is when a scammer registers an entirely different domain, creates subdomains on it that spell out the name of the site being impersonated, and "pads" those subdomains with innocuous characters (typically long runs of hyphens) so that the real domain is pushed past the right edge of a narrow mobile address bar. What remains visible is exactly what users expect to see.

PhishLabs published an example URL of this kind; its hostname is broken down label by label below.

Visiting the site presents you with an exact replica of the actual mobile version of Facebook's homepage, asking you to enter your credentials so you can log in. A knowledgeable-but-inattentive user might glance at the URL, see the expected mobile Facebook address at the start, consider the coast clear, and sign in.


Once you enter your credentials, the game is over. The site will present an inconspicuous error (e.g. password mismatch) but the damage will already be done: they’ve stored your username and password, and can now access your real Facebook account or use those credentials to try to break into your other accounts: Gmail, Amazon, PayPal, banks, etc.

Keen readers will note that the actual domain of this suspicious URL is the scammer's own, sitting at the far right of the hostname, and that three nested subdomains are stacked in front of it (listed here from the domain outward):

  1. com----------------validate----step1
  2. facebook
  3. m
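As an added example (not code from the article or from PhishLabs), here is a small Python checker that does what the breakdown above tells the reader to do by eye: take the hostname apart from the right, find the registered domain, and flag the tell-tale signs of padding. The sample URLs are constructed, the allowlist and thresholds are assumptions, and the domain rule is simplified (it takes the last two labels; a real tool would use the Public Suffix List). It also shows the truncated address-bar view that makes the trick work on a phone.

```python
"""Spot a padded, lookalike hostname before trusting a login page.

Added example, not code from the article or from PhishLabs. The sample URLs
are constructed (attacker.example is a reserved name), the allowlist and the
thresholds are assumptions, and registrable_domain() uses a simplified
"last two labels" rule that a real tool should replace with the Public
Suffix List (it misreads suffixes such as co.uk).
"""
import re
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"facebook.com", "fb.com", "messenger.com"}  # assumption
BRAND = "facebook"
PADDING_RUN = re.compile(r"-{4,}")                      # hyphen runs used as padding
TLD_LIKE_LABEL = re.compile(r"^(com|net|org)(?:-|$)")   # a subdomain posing as a TLD
MAX_HOST_LEN = 40                                       # longer than a phone's address bar shows


def hostname(url):
    """Lowercase hostname of url ('' if none); scheme-less input is tolerated."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").rstrip(".")


def registrable_domain(host):
    """Simplified eTLD+1: the last two labels of the hostname."""
    return ".".join(host.split(".")[-2:])


def address_bar_view(url, width=32):
    """Roughly what a narrow mobile address bar shows: the first `width`
    characters of the hostname, with the rest cut off."""
    host = hostname(url)
    return host if len(host) <= width else host[:width] + "..."


def analyze(url):
    """Return {'domain', 'suspicious', 'reasons'} for a URL.

    Read the hostname from the right: the registered domain is what you are
    really talking to; everything to its left is chosen by that domain's owner.
    """
    host = hostname(url)
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return {"domain": domain, "suspicious": False, "reasons": []}
    labels = host.split(".")
    subdomains = labels[:-2]
    reasons = []
    if BRAND in host:
        reasons.append(f"'{BRAND}' appears in the hostname but the registered domain is {domain}")
    if any(PADDING_RUN.search(lbl) for lbl in labels):
        reasons.append("long run of hyphens (URL padding)")
    if any(TLD_LIKE_LABEL.match(lbl) for lbl in subdomains):
        reasons.append("a subdomain label mimics a top-level domain ('com', 'com-...')")
    if len(host) > MAX_HOST_LEN:
        reasons.append(f"hostname is {len(host)} characters, too long for a mobile address bar")
    return {"domain": domain, "suspicious": bool(reasons), "reasons": reasons}


# Constructed samples: one genuine mobile login page, two lookalikes, one unrelated site.
SAMPLE_URLS = [
    "https://m.facebook.com/login",
    "http://m.facebook.com----------------validate----step1.attacker.example/sign_in.html",
    "https://facebook.com.login-check.example/",
    "https://www.example.org/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = analyze(u)
        verdict = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{address_bar_view(u):36} -> {verdict} ({r['domain']}) {'; '.join(r['reasons'])}")
```

Running it prints one line per sample. The padded URL is flagged on all four signals even though its address-bar view begins with the familiar mobile Facebook address, while the genuine page passes because its registered domain is on the allowlist. The rule to take away is the direction of reading: start at the right end of the hostname, not the left.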

Read the other way round, left to right, the hostname starts with the letters of the mobile Facebook address, then a long run of hyphens, with the real domain far off to the right. You'd probably see it as an obviously scammy URL if you were to encounter it on a PC, but here's what a mobile user would see:

Image: the padded URL as shown in a mobile browser's address bar, cut off before the real domain comes into view


Padded URLs can be sent through all kinds of communication methods: email, text messages, messenger apps, and more.

The sad thing is, fake URLs are nothing new. Earlier this year, a bug was disclosed in Chrome (and other Chromium-based browsers) that let a crafted domain name be displayed so that it looked like a different, legitimate one. Fortunately, it was patched before scammers could go to town with it, but it shows that a quick glance at the address bar is never enough on its own.

How to Secure Your Facebook Account

The most reliable way to guard against a padded URL is to learn how to spot phishing messages and, more importantly, to reach sensitive websites only by typing the domain directly into your browser's address bar or by using a bookmark you saved yourself. If you do land on a login page from a link, tap the address bar to reveal the full hostname and read it from the right: the last two labels are the site you're actually on.

It's a minor inconvenience, but worthwhile. I do it all the time, especially when checking bank accounts and using e-commerce sites. Over time it'll be second nature, and your odds of being scammed this way will plummet.


What if you’ve already fallen for it? Or what if someone, by some other means, gets their hands on your Facebook login credentials? Here are a few extra things you can do to stay secure.

Use Unique Passwords

One of the worst password mistakes is using the same password for all of your accounts.

You know how most services require an email address to sign up? If you're like most people, you use the same address everywhere, so your username is the same on every site. If you also reuse the password, then anyone who obtains it from one site (by phishing it, or from a breach) can simply try it against all of your other accounts, and it will work.

By using a separate password for every account and never repeating them, you limit the damage from any single leak to that one account. Don't think you can keep all of those passwords straight in your head? Start using a password manager like LastPass (or one of its alternatives) and you'll never have to remember them again.

Use Login Approvals and Codes

Perhaps the best thing you can do for your Facebook security is to enable two-factor authentication, so that a password alone is not enough to log in. With it enabled, Facebook offers two ways to supply the second factor, Login Approvals and Code Generator, and supports U2F security keys as a third.

With Login Approvals, Facebook sends an SMS text message to your phone whenever someone tries to log in to your account from an unrecognized device. The text message contains a numeric code that must be entered to grant access. Even if someone has your password, they won't be able to log in without your phone as well. Bear in mind that a phishing page can ask you to type that SMS code just as easily as it asks for your password, and that a determined attacker can take over your phone number through your carrier, so treat SMS as the weakest of the options here.

Code Generator is a similar feature built into the Facebook mobile app. The app itself produces a short-lived code on the phone that must be entered to log in to Facebook from another device. Because the code is generated locally, it works even when the phone has no internet connection or SMS service.

Use U2F Security Keys

A U2F security key is a physical device that resembles a USB flash drive. Instead of tying two-step verification to your phone (as with Login Approvals and Code Generator), you confirm logins by plugging the key into the device you're logging in from and touching it when prompted. The important part is what the key signs: a challenge that the browser ties to the real domain of the site you are on. A key registered with Facebook will not produce anything usable for a padded lookalike domain, so this is the one second factor that a phishing page cannot simply ask you to type in.
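To make that origin binding concrete, here is an added simulation in Python (not the article's code, and not Facebook's or Yubico's implementation) of the three parties in a U2F login: the key, the browser, and the site. Real U2F uses ECDSA P-256 signatures and a facet list published by the site; the simulation keeps the same signed message layout but stands in an HMAC for the signature and a "same domain or a subdomain of it" rule for the facet list. The app ID and both origins are assumptions. It plays out a normal login and then three things a padded lookalike site might try.

```python
"""Why a U2F key is not fooled by a padded lookalike domain.

Added simulation, not the article's code and not Facebook's or Yubico's
implementation. Real U2F signs with ECDSA P-256 and the browser checks the
app ID's facet list; here an HMAC over the same message layout stands in for
the signature and "same domain or a subdomain of it" stands in for the facet
list. The app ID and both origins below are assumptions for the demo.
"""
import hashlib, hmac, json, os
from urllib.parse import urlsplit

FACEBOOK_APP_ID = "https://facebook.com"   # assumed app ID of the relying party
LEGIT_ORIGIN = "https://m.facebook.com"
PHISH_ORIGIN = "https://m.facebook.com----------------validate----step1.attacker.example"


def sha256(data):
    return hashlib.sha256(data).digest()


def origin_allowed(origin, app_id):
    """Facet rule: only https pages on the app ID's domain, or a subdomain, may use it."""
    o, a = urlsplit(origin), urlsplit(app_id)
    return (o.scheme == a.scheme == "https" and o.hostname is not None
            and (o.hostname == a.hostname or o.hostname.endswith("." + a.hostname)))


def client_data(challenge, origin):
    """The browser, not the page, writes the origin into the signed client data."""
    return json.dumps({"typ": "navigator.id.getAssertion", "challenge": challenge,
                       "origin": origin}, separators=(",", ":")).encode()


class Authenticator:
    """The hardware key: every key handle is bound to one app ID hash."""
    def __init__(self):
        self._secret, self._counter, self._handles = os.urandom(32), 0, {}

    def register(self, app_id_hash):
        handle = os.urandom(16)
        key = hmac.new(self._secret, handle + app_id_hash, "sha256").digest()
        self._handles[handle] = (app_id_hash, key)
        return handle, key   # real U2F hands back the handle and a public key

    def sign(self, app_id_hash, handle, client_data_hash):
        bound_hash, key = self._handles.get(handle, (None, None))
        if bound_hash != app_id_hash:
            raise PermissionError("key handle is not registered for this app ID")
        self._counter += 1
        counter = self._counter.to_bytes(4, "big")
        msg = app_id_hash + b"\x01" + counter + client_data_hash   # U2F signature layout
        return counter, hmac.new(key, msg, "sha256").digest()


def browser_sign(auth, origin, app_id, challenge, handle):
    """What the browser does before touching the key: enforce the facet rule."""
    if not origin_allowed(origin, app_id):
        raise PermissionError(f"{origin} may not use app ID {app_id}")
    cd = client_data(challenge, origin)
    counter, sig = auth.sign(sha256(app_id.encode()), handle, sha256(cd))
    return cd, counter, sig


class RelyingParty:
    """Stand-in for Facebook's server: issues challenges and verifies assertions."""
    def __init__(self, app_id, auth):
        self.app_id, self.app_id_hash = app_id, sha256(app_id.encode())
        self.handle, self.key = auth.register(self.app_id_hash)
        self.challenge, self.last_counter = None, 0

    def new_challenge(self):
        self.challenge = os.urandom(16).hex()
        return self.challenge

    def verify(self, cd, counter, sig):
        data = json.loads(cd)
        if data.get("challenge") != self.challenge:
            return False
        if not origin_allowed(data.get("origin", ""), self.app_id):
            return False   # signed on a lookalike origin: reject
        n = int.from_bytes(counter, "big")
        msg = self.app_id_hash + b"\x01" + counter + sha256(cd)
        if n <= self.last_counter or not hmac.compare_digest(
                hmac.new(self.key, msg, "sha256").digest(), sig):
            return False   # replay, cloned key, or bad signature
        self.last_counter = n
        return True


def setup():
    key = Authenticator()
    rp = RelyingParty(FACEBOOK_APP_ID, key)
    return key, rp, rp.new_challenge()


def legit_login():
    key, rp, ch = setup()
    return rp.verify(*browser_sign(key, LEGIT_ORIGIN, FACEBOOK_APP_ID, ch, rp.handle))


def phish_attempts():
    """Three ways the padded site might try to use the key; all of them fail."""
    key, rp, ch = setup()
    results = {}
    try:   # 1. relay Facebook's real challenge from the lookalike origin
        browser_sign(key, PHISH_ORIGIN, FACEBOOK_APP_ID, ch, rp.handle)
        results["relay"] = "browser signed"
    except PermissionError:
        results["relay"] = "browser refused"
    try:   # 2. ask for its own app ID so that the browser cooperates
        browser_sign(key, PHISH_ORIGIN, "https://attacker.example", ch, rp.handle)
        results["own_app_id"] = "key signed"
    except PermissionError:
        results["own_app_id"] = "key refused"
    # 3. a flawed client that skips the facet rule: the server still sees the wrong origin
    cd = client_data(ch, PHISH_ORIGIN)
    results["buggy_browser"] = rp.verify(cd, *key.sign(rp.app_id_hash, rp.handle, sha256(cd)))
    return results


if __name__ == "__main__":
    print("legit login:", legit_login())
    print("phishing attempts:", phish_attempts())
```

The three failures land in three different places: the browser refuses to let a page on attacker.example use Facebook's app ID, the key refuses a handle that was never registered for the attacker's own app ID, and the server rejects an assertion whose client data names the wrong origin. None of those checks depends on the user noticing anything in the address bar, which is exactly the property a padded URL is designed to defeat.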

Facebook isn't the only site that supports U2F. Others include Gmail, YouTube, WordPress, and GitHub, and the list is growing, but as of this writing you'll need to use Chrome or Opera for it to work.

Thetis U2F Security Key is an affordable one that you can grab off Amazon (you only need one key per person, though a spare is wise), but there are more expensive ones with more features. For example, the YubiKey NEO supports NFC so you can just tap it against a phone or tablet instead of plugging it in.


Note: Be careful when using Login Approvals, Code Generator, and U2F security keys: if your phone or key is lost or broken, you lose your second factor with it. Set up a backup before you need one (a second key, or printed recovery codes if Facebook offers them to you), and if you're ever locked out, here's how to recover your Facebook account login.

More Tips for Avoiding Scams on the Web

URL padding is just the latest trick aimed at Facebook users, following a long history of Facebook flaws and breaches. For utmost safety, know what to do if your Facebook account is hacked: how to find out, and how to regain control. Malware is a big risk too, so stay on top of preventing and removing Facebook malware and viruses.

Have you encountered URL padding on Facebook? How do you keep your Facebook account secure? Share with us in a comment below!

Image Credit: Brian A Jackson via

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.



  1. Archer Jackson
    July 27, 2017 at 5:29 pm

    Thanks to my father who informed me about this website, this website is really awesome.

  2. Latisha Schonell
    July 27, 2017 at 4:23 pm

    I quite like reading a post that will make men and women think. Also, many thanks for allowing me to comment!

  3. Doc
    July 26, 2017 at 8:25 pm

    I've also seen these "padded" URLs in the "from:" field of spam emails.