WESST Blog

Spam, scams and email phishing schemes seem to spreading like wildfire via Facebook lately. With more than 550 million users, it’s not surprising that fraudsters are targeting Facebook users. The potential payoff is huge. Since a lot of my Facebook friends have recently fallen victim, I thought it was a good time to write a blog post about how to spot some of these scams, deal with them if you’ve already been tricked, and avoid them in the future.

The bad news is some of these scams are downright malicious. Rogue Facebook applications and links can spread malware and viruses, steal data, and access everything from your email to your photos so that they can use your account (and your trusted identity) to send out spam to your contact list. By the time Facebook shuts the rogue apps downs, the cyber-crooks have already replaced them with new ones. The good news is that there are things you can do to protect yourself from spammers and phishers.

Tips to Help Spot Some Common Characteristics

Scammers tend to use some common tactics based on social engineering that have proven to work. Chances are you’ve seen some of these scams in your news feed or on your wall. You may have even unwittingly (and impulsively) clicked on a link not realizing it was a scam. Obviously, some scams are easier to recognize as suspicious than others. Here are some red flags that may tip you off:

1. Shocking, Unbelievable, Horrific, Hilarious Must-See Videos – These usually have sensational headlines to try to entice you into clicking the link, such as:

• “OMG!!! Amazing Video of Boa Eating a Hippo!”
• “Teacher Nearly Killed this Boy! Shocking Video!”

Here’s one recently posted on my wall:

2. App or “News” Links that Appeal to Your Sense of Curiosity – If you make the mistake of clicking on one of these links you may get asked to “Like” their fake group page (these usually have a fake Facebook header and, while they may have a lot of “fans,” they usually don’t allow you to post on their wall) or show you links to play games, which actually lead to ads, or, they might ask you to fill our survey before you can access the link (where they can collect your personal and contact list info.)

• “OMG! OMG! Now You Can Really Can See Who Views Your Profile”
• “Hey! You Have Got to See Yourself as a Cartoon Character! Check This Out!”
• “The Prom Dress That Got This Girl Suspended From School.”
• “This Mother Went To Jail for Taking This Pic of Her Son!”

Here’s an example:

3. Amazing Weight Loss Offers – Scammers prey on the Facebook demographic in the 35-54 range who would welcome an easy way to shed a few pounds. Here’s one that seems to be all over the place lately.

4. Free Product Giveaway Posts – These links from “friends” usually direct you to rogue Facebook apps which request permission to access your profile information and post on their walls or fill out a survey which lets them collect/steal your private data. Here’s a free iPad offer that appears to be endorsed by a friend:

5. Fake “Like” Ads – These usually utillize some type of free product giveaway: For example:

• “Click ‘Like’ to Get a Free Pair of Ugg Boots!”
• “Free iPad for Males 45-55” (This ad headline changed to target your specific demographic.)
• “Click Like to Get a $1000 IKEA Gift Card!”

6. Chat Scams – These are creepy because they pop up in your chat window and try to trick you into believing that you’re chatting with one of your friends. They use similar techniques to some of the above-mentioned methods and often, their goal is to get you to provide your cell phone number where they will sign you up for a premium texting service. Some examples:

• “Hey! I just took this IQ Test. Try it out plz, plz!”
• “Click this link and get a free iPhone!”

7. Email Phishing Schemes – These are often the most dangerous scams and they can catch even the most savvy users off guard because, unless you look closely, they appear to be official emails coming from Facebook, or, from a friend via Facebook.

A recent one claimed to be from “Facebook Service” telling you that your password had been changed because a spam message had been sent from your account. It then asks you to read the attached letter to gain access to your new password and requests that you change it to a “complicated one.” Opening the letter releases a Trojan virus. Others appear to come via friends, via Facebook.

Here’s a phishing email I recently received that tries to get me to log into my Facebook account via the email in a blatant attempt to steal my login information and collect my data.

Look closely at the link URL at the bottom on the email. Note that it directs you to Yahoo.

Tips to Avoid Becoming a Victim

1. Ask yourself if the post sounds out of character for a friend.

Would your conservative middle-age friend really use terms like “OMG!!!!” or “LMFAO!”? Would someone who’s a fitness freak and in perfect shape really ask you to try out a miracle diet pill? When it doubt, delete suspicious links and call or email your friend who purportedly sent you the link.

2. Be suspicious of links that include an urgent directive.

Spam and scams often include instructions to “Click this link.” Check out this video! “ or “Download now!”

3. If it sounds too good to be true, it probably isn’t true.

Any offer that’s giving something away of significant value should raise an immediate red flag.

4. Make sure that your Facebook account password is different from your email password.

A lot of people use the same password for both their Facebook and email accounts. This is a risky practice. If scammers hack your Facebook account, they can get your email address and do a lot more damage. You don’t want fraudsters getting access to your email and sending out spammy messages or phishing schemes to everyone in your email contacts as well as your Facebook friends.

5. Watch for misspellings.

Messages from fraudsters are often full of spelling and/or grammatical errors.

6. If a Group or Business Page doesn’t allow you to post on its wall, chances are, it’s a fake.

Another sign that it’s a fake Facebook page is that you can’t click on your Profile or Home page from the banner.

7. Look at the “from” address in emails from “Facebook “ very carefully.

Fake Facebook emails can look eerily similar to the Real McCoy. Study an email that you know is from Facebook (e.g, an email that informs you that someone has accepted a friend request) and compare it to the suspect email. Usually the “from” address contains a red flag. For more tips, visit this page on Facebook’s Help Center.

You should always check the URL of a web page you are logging on to – especially if you’re being asked to download something. Make sure it’s not an imitation. Attackers usually create sites like www.facebook-online.com that look very similar to the Facebook URL to try and fool you.

8. Avoid logging into your Facebook account from an unencrypted public wifi.

Facebook announced last week (January 26, 2011) that it has begun rolling out the option to use a secure HTTPS Facebook connection. It will be available as an opt-in option in your Account Security settings. For now, you’ll just have to keep checking to see if it’s available on your account.

9. Don’t click on or download anything unless you’re 100% sure of the source’s authenticity.

I haven’t fallen for a scam yet because, as a general rule on the internet, I don’t trust anyone. I’m not saying that everyone is out to get you, but these days, you need to be extremely cautious about opening links from anyone. Even if it appears to be from a friend or an “official” trusted source.

10. Read the Facebook Security page.

You’ll find tips and security news here to help you keep your information safe on Facebook and across the internet.

What to Do if You’ve Already Fallen for a Facebook Scam

Even internet savvy people can be fooled by some of the tricks used by scammers. All it takes is a simple lapse in concentration or placing your trust in the recommendation of a friend without thinking twice about clicking. If you’ve already been tricked and you have a bunch of angry friends wanting to know why you keep posting spam on their wall, here’s what to do:

1. Change your Facebook password. (If you have the same email password, change that to something completely different than your Facebook email.)
2. Delete the link on your wall so that others can’t click on the link.
3. Alert your friend who supposedly posted the link that their account has been hacked so that they can take appropriate action to remove the source.
4. Report your compromised account to Facebook.
5. Go to Account > Privacy Settings > Apps and Websites (located along the bottom left side of the page) > and click on Edit Settings. From there you’ll be taken to a page that lists all of the applications you’ve allowed. Delete any applications that look suspicious and/or unfamiliar.

You’ll probably be amazed at the number of applications you have allowed and the access privileges you’ve permitted. I’ve honed mine down to a bare minimum. Some applications require access to everything from your basic information to your photos and you friends’ info; others require minimal access and others let you pick and choose what you will allow the application to access.

My 2 Cents

Facebook would like you to believe that the more you share and the more you interact with various applications, the better your Facebook experience. I don’t think any third-party app should have the kind of unrestrained access that some apps require to “function properly.”

I welcome the beefed up security that HTTPS will offer. I will definitely opt in. Because, for me, the increasing security threats and lack of control users have over privacy issues is making social networking on Facebook downright unsociable.

I’d love to hear how you feel if you care to leave a comment.

Update From the Author

Today (Tuesday, April 19, 2011), Facebook introduced a suite of new privacy tools aimed at increasing security and safety for its users. In addition to redesigning its Family Safety Center, Facebook has also made improvements to its HTTPS secure browsing option launched at the end of January.

I myself opted in to this added security feature as soon as it was launched. If you haven’t already done so, I highly recommend enabling this option, especially if you frequently use Facebook from public Internet access points found at coffee shops, airports, libraries, schools, etc.

How to Enable Secure HTTPS Browsing on Facebook

To enable secure browsing, go to Account > Account Settings > Account Security, tick the Secure Browsing (https) option and hit Save.

Facebook launched its suite of new security tools the day after Sophos, an internet security firm, issued an open letter to Facebook that blasted the company for not doing enough to protect its users.

So, what do you think? Do Facebook’s new security measures ameliorate the problems pointed out by Sophos? Do you feel more secure using Facebook?

While I still see problems with un-vetted app developers, for me, the addition of HTTPS browsing alone was a step in the right direction.