Presentation for the Web Managers Group – “Security & Privacy” – 16 May 2013, Wayra, London
This morning I woke up to an email from a friend of mine that had come via Facebook. The message listed me and a whole other group of names.
I duly clicked thinking that I may have been tagged in a photo or similar, because I know the person socially as they run an art group.
On logging into Facebook I discovered my message wasn’t alone and that a similar message had been sent to a number of people a number of times. This immediately made me (and I’d hope most people) suspicious. At the top was a posting saying: ‘Do you remember this photo?’. Due to the context I had to do a double take and really examine the link. It immediately didn’t ring any bells that I’d associate with my friend, the context or Facebook, but unlike similar Twitter scams it did look fairly genuine, just not quite enough. His account had been phished*.
One person had already commented on the page that it looked like our mutual friend’s account had been hacked.
I immediately emailed my friend with the following advice, which also covers Twitter, should a similar thing happen to you.
It looks like your Facebook account has been phished and you’ve mistakenly gone to a site with a fake Facebook login page and given them your login details.
It has then put a message on your profile and tagged your friends, sending them a message. On logging in you see your name and at the top a post that reads ‘do you remember this photo?’. This sends people to a fake site etc.
What to do…
Change your password
Delete the messages
Update your profile with a message about the problem :-(
Check to see what other changes may have taken place with your profile, including apps and pages
Check your security/privacy settings.
Twitter users also note
It’s worth visiting your Settings/Applications page to check who has access to your account. Most of these will be legitimate and enable Twitter tools such as Tweetdeck, Bitly and Echofon to operate. Check to see if there are any you don’t recognise. If you are at all worried simply ‘revoke access’ to either the ones you can’t remember adding or to all of them. The worst that will happen in doing so is that you’ll be required to give permission next time you try and use one of these tools.
*“Phishing is a way of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.”