Social media juggernaut Facebook is the primary online fixture for a lot of folks (1.15 billion monthly active users as of June 2013, to be exact) – this is probably why it’s constantly under attack or serious scrutiny. The social network is not only plagued by lawsuits, viruses, catfishers, money lenders, and the government’s watchful eye… with the amount of people freely offering all sorts of pertinent details about their personal lives on Facebook, a rise in identity fraud on the site is bound to happen.
A report from The Japan News details many scenarios wherein Facebook users are duped into surrendering personal information through fake posts that solicit likes, votes, or link clicks. Messages have been found to lead to a page that asks users for contact details (like a phone number), and since these links are believed to be sent by a “friend,” they think nothing of it and acquiesce, ending up the unwitting victims of identity theft.
These fraudsters and hackers are known to take advantage of the relationships people build on Facebook, banking on the fact that most users mindlessly peruse their News Feed out of habit. Sometimes, scammers even take great lengths at fooling users by venturing out of Facebook and reaching out to targets via other methods. Greg Boyle, senior global product marketing manager for antiviral software company Trend Micro, recently wrote about his experience: He had received an email notification claiming a person (who was not on his Facebook friends list) tagged him in photos. At first glace, the email looked legitimate and similar to one that’s generated by Facebook when you have email notifications set up in your settings, but upon further investigation, Boyle found that the email he received was fraudulent and was actually an attempt at a Blackhole Exploit Kit (BHEK) spam run: Links in the email redirect the user to a different page, causing malware to be automatically downloaded into their system. “Evidence of past BHEK runs show they generally use financial institutions, e-commerce and global events as lures that get users to click on links and secretly install malware that steals banking credentials and personal information etc.,” Boyle wrote.
If you’ve seen the movie Catch Me If You Can, then you know it’s based on a true story about the person Leonardo DiCaprio portrays in it – conman turned FBI security expert Frank Abagnale. Earlier this year, Abagnale made an appearance at the Advertising Week Europe conference in London and spoke to The Guardian about the dangers of identity theft on Facebook.
“If you tell me your date of birth and where you’re born [on Facebook] I’m 98 percent [of the way] to stealing your identity,” Abagnale warned. “Never state your date of birth and where you were born [on personal profiles], otherwise you are saying ‘come and steal my identity’.” Additionally, he recommends never using a passport-style photo as your Facebook profile picture – group photos are deemed much safer – and refrain from making comments that reveal too much. “What [people] say on a Facebook page stays with them,” he said. “Every time you say you ‘like’ or ‘don’t like’ you are telling someone [things like] your sexual orientation, ethnic background, voting record.”
Abagnale also commented about U.K. privacy laws, which he has “tremendous amount of respect for” and believes to be more advanced compared to the laws in place in the U.S. This may be true, but it doesn’t stop the U.K. from experiencing its own troubles with identity fraud, which is still on the constant rise – 82 percent of all cases happen on the Web. Similarly, out of 700 U.S. teens surveyed, 75 percent have been found to be careless with their personal information, making themselves susceptible to online crime.
Be vigilant, keep your Facebook account safe
Should a user be locked out of his or her Facebook account, the social network has an advisory available on what could be done to confirm identity and recover access. Additionally, under Facebook’s Security settings, users have an option to add Trusted Contacts, or three “friends that can securely help you if you ever have trouble accessing your account”; these contacts will receive security codes which they need to send to the user, and if all codes are accurate, the user can confirm their identity and reset their password. While this may be a suitable fail-safe for some, any experienced hacker or fraudster may be able to easily pretend to be you and make contact with your trusted friends. We’ve reached out to Facebook and asked if this is possible and will update this story once we hear back.
In the end, the only person responsible for your information security is you. In the same way technology advances, so do the security issues that go with them. Apart from choosing a hard-to-crack password (which rules out birthdays, middle names, pet names, and the word “password”), there are other things you can do with your Facebook account settings to make it increasingly harder for identity stealers to target you.
Review your Privacy settings. Restrict your profile to Friends Only. Where it says “Who can see my stuff,” choose anything EXCEPT Public. Click on “Limit Past Posts” to change the setting of your old posts to Friends Only. This is important if you’re not sure if any of your old posts (which may contain personal information that can be used to steal your identity) were ever set to Public.
While you’re there, set “Who can contact me” and “Who can look me up” to Friends or Friends of Friends to limit the number of people who can find you using your email or phone number.
Check out your Security settings. Click on Secure Browsing and enable the option. Also enable Login Notifications so you can be told through email or text message whenever a new computer or mobile device is used to log into your Facebook account. Click on Login Approvals and check the option that requires a security code before giving account access on unknown Web browsers – this will pull up a step-by-step on how to set it up on your mobile phone (Note: For this to work, you need to have the official Facebook app installed on your phone).
As an added precaution, make a habit out of checking Active sessions. If you see any activity that wasn’t initiated by you, click End Activity.