Phishing Prevention as Social Computing
Phishing has been around for a long time (by internet standards), but a new batch of phishing attempts on Facebook seems to be spreading like wildfire. Facebook is attempting to block some of these phishing scams, but many URLs, often with spaces in the middle, sneak through.
You can recognize these attempts because they often arrive as Facebook messages addressed to you and 19 (or so) others, from someone you probably haven’t talked to in years. They direct you to look at some link that requires a bit of extrapolation on your part – at least removing a space in the middle of the URL, or changing "(dot)" to an actual period.
Clicking through is exactly what you’d expect – a website that looks like Facebook in every easily discernible way, asking for your account name and password. Since these URLs (seem to) come from friends, we’re unlikely to spend an extra moment thinking about them. One friend even got such a message from his advisor. Statistically speaking, you’re much more likely to click these links if they come from friends.
Research suggests that the most effective phishing teaching moment is right after someone has fallen victim to a scam. On Facebook, with instant notifications of these messages and the chance to prevent new victims, there is a new social component to teaching. I have a copy-and-paste-able message that I respond with by default:
You got phished! Don’t click the link. Just to re-articulate – whenever you’re asked for a name and password to log in to something, check the domain name very carefully, even if the website looks right. Something like facebook.com.com is not actually Facebook, for instance! People are incredibly likely (statistically speaking) to fall victim to phishing scams like this one when they’re sent through friends, so treat these as carefully as you’d treat emails from mysterious Nigerian princes.
Acting as one person alone, however, we can’t make as much of an educational dent as would be ideal. There have got to be social computing ways to handle this. Perhaps routing suspicious URLs to a few trusted – or even random – friends first, with the express skepticism required to catch these phishing attempts? What do you think?
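As an added illustration (not code from the original post), here is a small Python checker that undoes the two obfuscation tricks described above, stray spaces in the URL and "(dot)" in place of a period, and then compares the registrable domain against an allowlist so that a lookalike such as facebook.com.com is flagged rather than trusted. The allowlist, the helper names and the sample URLs are assumptions for the example.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist of domains the checker treats as legitimate login targets.
TRUSTED_DOMAINS = {"facebook.com"}

# "(dot)", "[dot]" or "{dot}" with optional surrounding spaces, standing in for ".".
DOT_WORDS = re.compile(r"\s*[\(\[\{]\s*dot\s*[\)\]\}]\s*", re.IGNORECASE)


def deobfuscate(text: str) -> str:
    """Reverse the tricks in the post: '(dot)' -> '.', then drop inserted spaces."""
    text = DOT_WORDS.sub(".", text)
    return re.sub(r"\s+", "", text.strip())


def registrable_domain(host: str) -> str:
    """Last two labels of the host (simplification: production code should use the
    Public Suffix List so that e.g. 'example.co.uk' is handled correctly)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(raw: str) -> dict:
    """Normalize an obfuscated URL and decide whether its domain is trusted.

    A URL is a 'lookalike' when a trusted brand name appears as a label in the
    host (facebook.com.com, facebook.com.example.net) but the registrable
    domain is not on the allowlist, which is exactly the case the post warns about.
    """
    url = deobfuscate(raw)
    if "://" not in url:
        url = "http://" + url  # constructed scheme so urlsplit yields a hostname
    host = (urlsplit(url).hostname or "").lower()
    domain = registrable_domain(host)
    verdict = "trusted" if domain in TRUSTED_DOMAINS else "suspicious"
    brand_labels = {t.split(".")[0] for t in TRUSTED_DOMAINS}
    lookalike = verdict == "suspicious" and bool(brand_labels & set(host.split(".")))
    return {"url": url, "host": host, "domain": domain,
            "verdict": verdict, "lookalike": lookalike}


if __name__ == "__main__":
    # Constructed samples in the style of the messages the post describes.
    for sample in ["facebook.com.com/login",
                   "face book.com.example (dot) net/login",
                   "http://www.facebook.com/profile"]:
        print(classify_url(sample))
```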
I totally agree with this; we always advise people to make sure they have up-to-date security software that detects fraudulent sites. Without this you will definitely fall victim.
Damn, that sounds so easy if you think about it.
Recently Facebook has been victimized and the emails of the members have been compromised. I know this from firsthand experience.
All of my contacts, their emails, were phished from Facebook and sent emails from me, that were not from me.
Somehow the site was attacked and all or many of the members’ passwords were found, giving the scammers access to the database that contained all of the contacts’ information.