How to avoid getting caught by Facebook phishing


Perhaps you have received unwanted Facebook messages with innocuous links. Or worse your account has been compromised sending embarrassing messages to your unsuspecting friends.

“Dear Facebook user, due to Facebook policy changes, all Facebook users must submit a new, updated account agreement, regardless of their original account start date. Accounts that do not submit the updated account agreement by the deadline will have restricted. Please unzip the attached file and run ‘agreement.exe’ by double-clicking it,” reads a Facebook message. Messages like this, if opened, would introduce malware into your computer exposing your personal information to unknown persons. What these untrusted spammers are attempting to collect are your usernames, passwords, bank information, social security numbers among other details.

Another phishing attempt is made when you receive a Facebook message with a video link: “Wow! Is that really you in that video?” Opening the link is a sure way to introduce malware into your computer. CNET reports:

Once a computer is infected, it hijacks the Facebook account and sends messages to other friends of the victim, enticing them to click on a link. The link redirects to a Web site where they are prompted to download software ostensibly to watch a video. However, there is no video; only malware that infects the system, blocks access to security sites, and can be used to steal sensitive information from the computer, such as credit card numbers. Infected machines can then be used to spread the worm to others on Facebook, send spam and distribute fake antivirus alerts, said Rik Ferguson, a security researcher at Trend Micro. Koobface now can automatically create new profiles using infected machines, he said.

A December report by Trusteer, a company that tracks phishing attacks, found that “50 percent of the time, users enter and submit their login information to phishing websites they visit. This means that for every one million users, 4,700 login details are lost to criminals each year.”

The surest way to protect yourself from spam is to know how to identify a phishing web address. The Anti-Phishing Working Group (APWG), an anti-phishing industry group, advises consumers on protecting themselves from phishers.

Always ensure that you’re using a secure website when submitting credit card or other sensitive information via your Web browser.

• Phishers are now able to ‘spoof,’ or forge BOTH the “https://” that you normally see when you’re on a secure Web server AND a legitimate-looking address. You may even see both in the link of a scam email. Again, make it a habit to enter the address of any banking, shopping, auction, or financial transaction website yourself and not depend on displayed links.

• Phishers may also forge the yellow lock you would normally see near the bottom of your screen on a secure site. The lock has usually been considered as another indicator that you are on a ‘safe’ site. The lock, when double-clicked, displays the security certificate for the site. If you get any warnings displayed that the address of the site you have displayed does NOT match the certificate, do not continue.
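The first bullet above makes the point that neither the “https://” prefix nor a legitimate-looking address in a message proves where a link really goes. The following is an added example, not code from the original article or from APWG, showing how a defender can check a link the way a browser will actually resolve it: it pulls the real host out of the link target, refuses to be fooled by text placed before an “@” or by a lookalike name that merely contains “facebook.com”, and compares the host in the displayed text against the host in the actual target. The sample links and the choice of facebook.com as the expected domain are constructed for the example.

```python
from urllib.parse import urlsplit

# Assumption for this example: a genuine Facebook login link should resolve
# to facebook.com or a label-aligned subdomain of it.
EXPECTED_DOMAIN = "facebook.com"


def real_host(url: str) -> str:
    """Return the hostname a browser would actually connect to for `url`.

    urlsplit separates user-info ("facebook.com@") from the host, so a link
    such as https://facebook.com@198.51.100.7/ yields '198.51.100.7', not the
    reassuring text before the '@'.
    """
    parts = urlsplit(url.strip())
    if not parts.scheme or parts.hostname is None:
        raise ValueError(f"not an absolute URL: {url!r}")
    return parts.hostname.lower().rstrip(".")


def belongs_to(host: str, domain: str) -> bool:
    """True only if `host` is `domain` itself or a label-aligned subdomain of it.

    Substring matching is not enough: 'facebook.com.example' contains
    'facebook.com' but is registered under example, not under facebook.com.
    """
    return host == domain or host.endswith("." + domain)


def assess_link(display_text: str, href: str, domain: str = EXPECTED_DOMAIN) -> list[str]:
    """Return the red flags found for one link; an empty list means none were found."""
    warnings = []
    parts = urlsplit(href.strip())
    host = real_host(href)

    if parts.scheme != "https":
        warnings.append(f"not https (scheme is {parts.scheme!r})")
    if parts.username is not None:
        warnings.append(f"user-info before '@' hides the real host {host!r}")
    if not belongs_to(host, domain):
        warnings.append(f"real host {host!r} is not under {domain}")

    # If the visible text is itself a URL, it should point where it says it does.
    text = display_text.strip()
    if text.lower().startswith(("http://", "https://")):
        try:
            shown = real_host(text)
        except ValueError:
            warnings.append("displayed text looks like a URL but does not parse")
        else:
            if shown != host:
                warnings.append(f"displayed host {shown!r} differs from real host {host!r}")
    return warnings


# Constructed sample links: (text the reader sees, target the link actually opens).
SAMPLE_LINKS = [
    ("https://www.facebook.com/login", "https://www.facebook.com/login"),
    ("https://www.facebook.com/login", "https://www.facebook.com.account-update.example/login"),
    ("Watch the video", "https://facebook.com@198.51.100.7/video"),
    ("https://www.facebook.com/", "http://203.0.113.5/agreement.zip"),
]

if __name__ == "__main__":
    for text, href in SAMPLE_LINKS:
        flags = assess_link(text, href)
        print(f"{href}\n  -> {'OK' if not flags else '; '.join(flags)}")
```

The check deliberately reads the host from the link target rather than from the text, which is the same habit the APWG advice recommends for people: judge a link by where it goes, not by how it is labelled. Run on the constructed samples, only the first link passes; the lookalike domain, the “@” trick and the plain-http download each produce at least two warnings.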

The good news is that there is a law that attempts to protect you from spammers. According to the Federal Trade Commission, the government agency responsible for protecting consumers, the CAN-SPAM Act “sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have you stop emailing them, and spells out tough penalties for violations.” This law covers not just emails, but other commercial electronic messages including Facebook messages. Twice Facebook has been awarded millions of dollars following judgments against spammers.

If someone has accessed your account your first step should be to change your password and send a message to privacy [at] facebook [dot] com. Next, send a message to all your friends asking them not to open the link. Good luck stamping out Facebook scammers.