For those unaware, Trusted Contacts is a recovery feature created by Facebook, which allows you to choose 3-5 friends who you trust to help you gain access to your account if you forget your password or your account is locked.
According to a public security alert published by Access Now, the phishing attack is carried out by someone who has already taken over a friend's Facebook account. From that account, the attacker sends you a message saying that he/she is having trouble getting back into it and, because you are listed as one of his/her Trusted Contacts on Facebook, asks you to check your email for a recovery code and send it back.
At the same time, the attacker uses the “Forgot my password” button to start a password reset on your own account, so Facebook emails a recovery code to you. When you check your inbox to help your “friend”, the code you find is actually the password recovery code for your own Facebook account; handing it over gives the attacker what they need to hijack your account.
“The new attack targets people using Facebook, and it relies on your lack of knowledge about the platform’s Trusted Contacts feature,” Access Now warns.
The best way to keep yourself safe is to contact the person through another channel and check whether he/she has genuinely sent you a recovery message or email asking for help. It is also worth remembering that when you get locked out of your account, your “Trusted Contacts” don’t each send you a complete recovery code — each of them sends only a part of it. In order to get back into your account, you need a part from all of the Trusted Contacts you have chosen, so a single code emailed to you is not what a friend's recovery would look like.