Facebook Phishing Scams Hit Livestreamed Concerts

Nearly two months into California’s shelter-in-place orders, livestreamed concerts via YouTube, Instagram and Facebook have turned into a lifeline for musicians whose gigs have evaporated. Some Bay Area artists are earning more than $1,000 per show with weekly performances.

But that silver lining is attracting online predators.

Last month, a Facebook-streamed concert by two well-known Oakland musicians was besieged by phishing scammers. Bombarding the Facebook event page with their own links, the scammers steered fans to another site posing as a livestreaming link where they sought to pocket fans’ donations. With Facebook’s April 28 announcement that musicians will soon be able to charge admission to their pages for events streamed on the platform, some musicians fear that security concerns will only grow in the coming months.

Pianist Steve Lucky and guitarist-vocalist Carmen Getit have been mainstays of the Bay Area music scene for more than two decades, putting their own playful spin on a vast repertoire of jump blues, vintage jazz tunes, piano boogies and vintage R&B. It’s not surprising that the fanbase they’ve cultivated has responded generously during their Saturday night performances from their living room. On April 25, they kicked off their set with their theme song “Don’t You Want to Get Lucky?” while their 13-year-old daughter Monique served as their iPhone tech crew.

Usually they stream from their band’s Facebook page for Steve Lucky & the Rhumba Bums featuring Miss Carmen Getit, but this night the concert went out from Lucky’s personal profile. When fans on the band page started asking where to find the livestream, several Facebook profiles bombarded the comments with fraudulent links.

“They were using the identical artwork I created for our actual Facebook event,” Getit said. “When users clicked on the fake links, they were asked to buy a membership to view the live feed. The imposters posted over 100 times in our Facebook event with fake livestream links.”

The couple estimates that the confusion cost them more than $500, judging by the drop off in contributions compared to previous weeks. When they tried to report the attack to Facebook, they found that “their interface leaves no room for explanations,” Getit said. “Facebook responded by saying my reports of ‘violating Facebook’s guidelines’ didn’t actually fall within their definitions.”

Adding insult to injury, the couple had just started advertising their concerts on Facebook, “and I suspect the worldwide promotion I selected for our livestreams via payment to Facebook invited these imposters from other countries and actually cost us money,” Getit said, noting that the attacks seemed to emanate from profiles in India and some Middle Eastern countries. “So essentially I paid Facebook to get scammed.”

A Facebook spokesperson told KQED that the company took action, shutting down three accounts and removing six posts that Getit brought to the company’s attention. “We immediately removed several posts when they were reported to us, as well as the accounts that violated our policies against spam,” said the spokesperson.

The company has numerous tools in place to help fend off unwanted incursions, particularly for events livestreamed from a band or venue’s page. (The company recommends using pages rather than personal profiles for streaming.) Page settings allow a musician to block certain keywords from the comments ahead of time, like “link” or “click,” so an artist doesn’t have to try to monitor a broadcast while performing. But scammers don’t only target performances in progress.

On May 2, the Facebook page for the Pittsburgh Bluegrass Festival was hit by some of the same profiles that disrupted Lucky and Getit’s livestream. While the festival was rescheduled due to shelter in place weeks ago, last Saturday several of the same people who posted links on Lucky and Getit’s page also posted bogus links on the Pittsburgh Bluegrass page, including one user who goes by Rahad Islam Nasim. His profile identifies him as a marketing assistant for AdCenter, a click-harvesting “cost per acquisition” (CPA) network based in Montreal that the company’s website says “connects you with advertisers you want or traffic you need to make money on the internet.” And that seems to be true.

A message to Nasim’s profile page asking about the link-bombing attacks went unanswered. But in response to a query about Nasim’s practices, an AdCenter company spokesperson wrote “Rahad Islam Nasim is not an employee, but an AdCenter affiliate/publisher who promotes our advertiser’s offer. The practice you describe is not tolerated, and goes against our terms and conditions and as such, Rahad’s campaigns have been shut down.”

Getit reported the attacks to the FBI via the agency’s Internet Crime Complaint Center. More than the disruption caused by the attacks, what frustrates Getit is the lack of response from Facebook. Two weeks after she reported the profiles that posted the fake links, they were still active. (After KQED’s inquiries, the profiles were removed.) The couple has set up their own security by deputizing a friend or relative to serve as a virtual bouncer during live performances “to watch our Facebook livestreams and delete scammers’ posts,” Getit said.

Part of the problem is that the same force that sparked the livestreaming explosion—the pandemic—has been keeping Facebook’s content monitors busier than usual, a Facebook employee who works in security told KQED on background. The particular fake-link scam that hit Lucky and Getit doesn’t seem to be spreading. But as more musicians turn to streaming to reach audiences, transparent and easily deployable security will become increasingly essential.

Streaming services may have habituated a generation of music fans to freely access just about any song they might want to hear, but it turns out that plenty of listeners are willing and even eager to support livestreamed performances.

That’s one delicate thread that might help musicians weather this unprecedented disaster.

This story was updated to include a response from Facebook.