As a regular and long time Facebook user, I’m often surprised at some of the behaviour that goes on there. I’m not just talking about the harassment and ridicule of people, the cat videos and all that, but there are a number of things which are putting you and other users at risk. I’ll going to explain what some of those risky behaviours are here. 

If it sounds too good to be true, it probably is…

1. Competitions where you simply have to “Like” and share a page to enter in order to win a free Maserati or holiday to Bora Bora, things like that. I talked about this in my previous article, but it’s worth reiterating. You have access to Facebook, Google etc for free, and the price you pay for that free access is that your data is shared with their partners. You then start to receive targeted advertising for products they know you’re likely to want. When you “like” one of these targeted adverts that decision also gets added to the data they hold on you, which gets sold on. Have you ever personally known anyone win one of these contests? The advertisers are paying the likes of Facebook and Google because you clicked a link and what do you get? More and more adverts! 

If all you get is more adverts, that’s harmless though, isn’t it? I’m afraid not. Some unscrupulous businesses will use this as a means to target you with scams, with malware, with all sorts of things with the aim of ripping you off, infecting your machine or getting access to all your contacts. 

2. Images of starving or sick children and animals, asking you type “amen” etc rather than scroll by. This is just another way of getting your details, for the same reasons as above. Click on enough of these and your changes of being sent some sort of scam mail asking you to donate money to help prevent starvation etc increase. 

This may sound cruel and heartless, but for the bad guys this is just a numbers game, it’s just business to them. They. Don’t. Care. The more people they can sign up, the more money they can make. Manipulation is the name of the game. 

3. Lists where you have to fill in details like have you ever been in a police car, had a tattoo, been whale watching etc. Part of the information you give up (and the fact you participated) feed into 1 above, with the attendant consequences. You’ve just given advertisers a good idea of the sort of things you like to do, or are prepared to participate in. They can work out what level of risk you’re prepared to take, what sort of person you are – and that means they can target your vulnerabilities and weaknesses and work out what you’re likely to fall for.

Some of these lists can be quite long and hidden within them are questions which you may have used for your security information with your bank or other online services. These include questions like what your first pet’s name was, what your first school was etc. These can then be used to try to steal your identity, get access to your accounts, open credit cards in your name and so on.

4. Offers of free software or add-ons to existing products, which I’ve seen more and more often on LinkedIn. Even seasoned security professionals are clicking to “like” the post, or reply with “yes”. This is no different from 1 above, and these people should know better. I often feel like chiming in to remind them of what they’re doing –  but my responses would also be captured and I’d be targeted in a different way! 

It’s worth pointing out here that 1-4 are sometimes known as “click baiting”, because it’s a bit like fishing. The bad guys put bait on their hook, cast it out into the water and see who or what bites. 

5.  Adverts for products you may be interested in may just be the advertisers confirming what they think they know about you. Or, it could be less subtle with the adverts taking you to fake sites in order to obtain your credit card details, or offering you goods which don’t appear or are substandard. The links you click on may contain malware, or may take you to a site which is infected. If you really want that product, go to a reputable web site that you know to be genuine and buy from there. 

6. Another favourite is when you get a friend request on the likes of Facebook or LinkedIn. What do you to do to verify that the request is from who they say they are? What happens if you’re already friends with that person? Could their account have been cloned? Do you check by another route to see if the request is legitimate? Do you just accept the request because they’re connected to other people you know? This is all potentially dangerous and may leave you open to a variety of different attacks, from the click baiting sort of thing we’ve seen above, to social engineering and requests for money / other assistance. 

Hopefully this hasn’t all scared you, but has made you more aware of the risks of doing the things listed above. Think before you click on that link, or before “liking” that post. One of the things the bad guys do is try to elicit a reaction from you by preying on your emotional responses. So leave your computer, tablet or mobile device for a minute or two and give yourself a chance to think. Just remember the adage: “if it sounds too good to be true, it probably is”. 

Advertisements