Everybody, it seems, is on Facebook, and the numbers back it up, with over 1 billion members worldwide. So naturally, anytime you get a crowd of people this large, the cyber-criminals are going to be all over it.
Don’t even get me started with the oversharing of personal information. Please stop telling me and the crooks that you will be out of town for a week on a Vegas vacation, and your house unguarded. Show me the photos when you return!
Let’s take a look at Facebook scammers and how they operate. Facebook scams have a lot in common with email phishing scams. There is usually a story designed to arouse your interest and get you to take some sort of action. Often news that is strange or sensational, or natural disasters, are used as bait. If you click through, you may end up sharing this story with all your friends, and this spreads the exploit. You may be asked to participate in a survey (for which the scammers get paid) or fill in a form with personal information, or even your user name and password.
Let’s look at some common tactics:
- Famous deaths – When celebrities such as Amy Winehouse, Steve Jobs, or Whitney Huston died, there were Facebook scams the offered secret information or video of the final moments of the celebrity.
- Shocking headlines – Watch out for stories that start out with “Shocking” or “OMG.” Scammers lure you in with ridiculous or crazy headlines or promises of steamy videos. Usually this ends with a survey or a video that requires a special “codec” which is disguising a malware installation.
- Celebrity stories – Kim Kardashian may be doing something incredibly stupid, but Facebook is unlikely to have the news. Scammers use sensational stories to attract new victims, who share the posts without verifying the story.
- Breaking news – Ditto. Don’t you have an online news site you prefer? Read your news there!
- Free iPads and other stuff – If your mom didn’t love you enough to get you that iPad or iPhone for Christmas, what is the likelihood a total stranger does? This goes for cruise or airline tickets and Caribou coffee cards. This is just a naked ploy to get your personal information, or trick you into doing something stupid.
- Whose looking at my profile? – Apps that promise to reveal who is looking at your profile or blocking you never work because Facebook does not give app developers that kind of access. But it is an app – so what exactly is it doing to your computer?
- Fake friends – You may get an email purporting to be a friend request, but the button or link will take you to a fake replica site and get you to download malware or login again, and steal your password.
- Game credits – This scam tricks gamers into paying for game tokens. You pay with real money, but never get anything in return. And you just gave the bad guys your credit card number, too.
- Phishing for logins – You may get a message with a link that takes you to a replica site where you need to “login into Facebook again” for security reasons. This is an easy method to steal your credentials and later impersonate you using your account.
- I’ve been mugged – I’ve seen this in email form many times, but there is a Facebook version, too. After the scammer has stolen your password, they can send a plea for money to all your friends. These stories often involve a mugging or other financial disaster in a foreign location, but sometimes may hinge on a fake medical or other financial emergency.
- Special Facebook features – The granddaddy of this scam is the “Dislike button,” but there are others. Here again, installing any program from an unknown source can have unfortunate consequences.
The techniques we have discussed to uncover phishing emails work for Facebook scams, too. The best protections against Facebook scams are:
- Use common sense – Sound too good to be true? Then it is.
- Check links – Clicking blindly can get you into trouble. Hovering the cursor over a link will often reveal a box with the actual destination. If it looks hinky, you are probably heading for trouble. Or check the link on VirusTotal.
- Check email addresses – If you are getting email friend requests from Facebook, the sender will be @Facebook.com and not someone else. And they will address you using the name in your Facebook profile, using English if that is your language.
- Healthy skepticism – Part of being a savvy computer user is employing a healthy dose of skepticism when things seem unusual.
- Friends may be wrong – Don’t be too willing to trust something just because it came from a trusted friend. They may have been scammed, or their account may have been hijacked and the message is really from a scammer.
- Anti-malware software – And it goes without saying that you ought to be using a good anti-malware product to detect and remove any malware that you inadvertently install through a scam. For Windows 10 users, Windows Defender can be enough, otherwise top products are available from BitDefender, Kaspersky, and similar companies, except anything from McAfee. We are still not recommending any version of that product.
About the Author:I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com