Forget those phishing emails that attempt to get your credit card or bank sign-in information. When crooks want to know how to get into your bank account, they post a message on Facebook. These messages appear so innocuous and so appropriate in the Facebook setting that you are likely to not only get conned, but pass on the scam.
| More from CBSMoneyWatch.com: |
• 6 Things Never to Post on Facebook
Is This $197 Million Yours? How to Find Missing Money
• 5 Ways Facebook Could Get You Fired
Facebook is the new frontier for fraud, says Tom Clare, head of product marketing at Blue Coat, an Internet security company that does annual reports on web threats. In just this past year social networks have soared to 4th from 17th most treacherous web terrain -- behind porn and software-sharing sites, which you probably know to avoid.
What makes Facebook so treacherous? Us.
It starts with the fact that we are inundated with requests to set up passwords to get into our work computers, our online bank accounts, Facebook and every other web-based subscription. So what do we do? We use the same password.
"Crooks understand that most users use the same password for everything," says Clare. "If they can get your user credentials for your Facebook account, there's a good chance that they have the password for your bank account."
If you are smart enough to have separate passwords for Facebook and your financial accounts, crooks get at you through a variety phishing attempts that you might think are Facebook games and widgets. But look closely and you'll realize that they deliver answers to all of your bank's security questions -- and possibly clues to your passwords -- right into the hands of the crooks.
Think it couldn't happen to you? Let's see if you recognize any of these recent Facebook messages that jeopardize your security. All of these came from my Facebook friends in just the past few weeks:
1. Who knows you best?
The message reads:
Can you do this? My middle name __________, my age ___, my favorite soda _______, my birthday ___/___/___, whose the love of my life ______, my best friend _____, my favorite color ______, my eye color _______, my hair color ______ my favorite food ________ and my mom's name __________. Put this as your status and see who knows you best.
How many of these are the same facts your bank asks to verify your identity? Put this as your status and everybody -- including all the people who want to hijack your bank account and credit cards -- will know you well enough to make a viable attempt.
2. Your friend [Name here] just answered a question about you!
Was it possible that an old friend answered a question about me that I needed to "unlock?" Absolutely. But when you click on the link, the next screen should give you pause: 21 Questions is requesting permission to ... (a) access your name, profile picture, gender, networks, user ID, friends and any other information shared with everyone ... (b) send you email ... (c) post to your wall ... and ... (d) access your data any time ... regardless of whether or not you're using their application.
Can you take that access back -- ever? It sure doesn't look like it. There's no reference to how you can stop them from future access to your data in their "terms and conditions." Worse, it appears that to "unlock" the answer in your friend's post, you need to answer a bunch of questions about your other friends and violate their privacy too. I didn't give 21 Questions access to my information, but the roughly 850 people who joined "People Who Hate 21 Questions on Facebook" apparently have and can give you insight into just how pernicious this program can be.
3. LOL. Look at the video I found of you!
This is the most dangerous of all the spam messages and it comes in a variety of forms, says Clare. It's actually a bid to surreptitiously install malware on your computer. This malware can track your computer keystrokes and record your sign-in and password information with all of your online accounts.
How does it work? When you click on the link, it says that you need to upgrade your video player to see the clip. If you hit the "upgrade" button, it opens your computer to the crooks, who ship in their software. You may be completely unaware of it until you start seeing strange charges hit your credit cards or bank account. Up-to-date security software should stop the download. If you don't have that, watch out.
Better yet, if you really think some friend is sending you a video clip, double-check with the friend to be sure before you click on the link. When I messaged my high-school classmate to ask if she'd really sent this, she was horrified. Her Facebook account had been hijacked and anyone who clicked through was likely to have their account hijacked too. That's how this virus spreads virally.
4. We're stuck!
It started out as an email scam, but now the "We're stuck in [Europe/Asia/Canada] and need money" scam has moved to instant messages on Facebook, where it can be more effective. Most people have learned not to react to the email, but instant messages help crooks by forcing you to react emotionally -- They're right there. They need help, now. A friend got one of these messages last week from the parents of a close friend. Her reaction was the perfect way to deal with it: She immediately called her friend and said "Have you talked to your parents lately?" The response: "Yeah. They're right here."
Facebook has launched a security system to combat account hijacking that allows crooks to send messages and posts through your account. You can get updates on what they're doing at Facebook's security page, where they've also got a nice little security quiz that's definitely worth taking.