Today I will concentrate on what users should do to minimize the danger to themselves and others if they have fallen for these scams, and what they can do to stop falling for similar ones in the future - or at all.
So, you fell for a Facebook scam...
Don't beat yourself up too much over it. It can happen to anybody - all it takes is a moment of distraction.
But what to do now, you ask? Well, it depends on the scam.
If it's a survey or a "get something for free" scam, you've probably been asked to share your email address and/or phone number. This typically means that you have opened the door - and likely consented to - receiving spam in your email inbox or via SMS/MMS/phone calls.
There's not much you can do about it now except to trust in your email provider's anti-spam filters, create some of your own, equip yourself with a mobile anti-spam solution so that you can blacklist or block spammy phone numbers, and delete any spam message on sight.
It's a bit worse if by giving out your phone number you have also inadvertently signed up for pricy mobile services. This often happens to children and other inexperienced users, as they regularly fail to read the small print (often "hidden" in plain sight).
If this is the case, contact your mobile phone provider and ask them to block any such services and charges. In the meantime, try to contact the firm offering the service and rescind the agreement. If they refuse, tell them you will report them to organizations that deal with scammy businesses, notify law enforcement, sue them - it will likely make them more amenable to your request.
If you fell for a phishing scam, and you shared personal information (name, home address, date of birth, and so on), you have upped the chance of becoming a victim of identity theft at some point in your life. This information might never be misused, but you can be sure that it will forever be contained in some database exchanged or sold by scammers.
If you got tricked into sharing credit card information or - even worse - online banking credentials, notify the bank about it as soon as possible in order to prevent huge charges. You'll get a new card and new credentials, and be asked to be more careful next time.
If you inadvertently shared your Facebook or email account login credentials, check whether you are still able to access the accounts. If yes, change your password immediately, consider turning on the two-factor authentication option (if possible), and thoroughly check your account settings for suspicious changes and your Timeline for scammy posts.
If you have already been locked out of the account, report the compromise to Facebook and let them help you regain control of it. Email providers have similar mechanisms in place, so you need to find them and use them.
If you believe that a scam made you inadvertently download malware disguised as YouTube plugins, video player updates, and similar legitimate software, you'll have to use an anti-virus solution to find it and remove it. As it happens, Facebook has partnered with a number of security vendors and has opened an AV marketplace, where users can download for free six-month licenses to full versions of popular anti-virus software.
Rogue apps that keep messing with your posts and keep contacting your friends are easy to deal with. Go to your Facebook Account Settings, go to the Apps menu, and click the "x" on the right of any app you'd like to remove.
That doesn't mean that the information the app has already collected about you is deleted from their database (you can ask the developer to do that), or that any posts it made on your behalf will be automatically deleted (you'll have to do that manually), but at least your account won't be at the app's mercy from that point on.
When it comes to instructions on deleting/removing apps and answers to any other question concerning them, Facebook's Help Center is a great source of information (look for the "Apps, Games & Credits" tab in the column on the left).
Deleting scammy messages posted by those apps to your Timeline is also easy: simply hover over the story, click on the pencil icon when it appears and select the "Delete" option. Do this for yourself and to prevent your friends from falling for the scams you have already fallen for. Reporting scammy content to Facebook is also helpful.
An ounce of prevention is better than a pound of cure
Not falling for Facebook scams in the first place is, undoubtedly, the preferred outcome when faced with one. In order to become successful at avoiding them, you should train yourself to notice a few things.
First things first: be aware when a message triggers strong emotions and states in you.
It doesn't matter if it's curiosity, anxiety, urgency or greed, because the one thing they all have in common is that they prevent you from thinking rationally and correctly identifying a scam attempt.
If you notice yourself becoming excited for any of these reasons, carefully examine the baiting message.
Facebook scammers are intent on reaching as many users as possible in as short a time as possible, so they usually don't tailor messages to one specific user or a small group. These malicious messages are usually short, generic (users are never addressed by name), and are perfectly crafted to pique most users' interest.
So even if you receive a message from a friend, consider how it's written before following links contained in it. If the friend addresses you by name, references an event or idea you talked about before or one that he knows would be of specific interest to you, you can assume he was the one who sent it.
By the same token, if the message comes out of the blue, is unsolicited, seems very impersonal, supposedly leads to free things, "OMG! Amazing!" videos or news, you should definitely not follow the offered link before asking the friend whether he has actually sent the message himself or whether his account was hijacked.
A similar rationale should be employed for status messages, as many rogue applications get permission from their victims to post on their behalf. Once again, too-good-to-be-true offers and "funny" videos should definitely be suspect.
If you, by any chance, make the mistake of following a malicious link, in the great majority of instances it's still not too late to go back. If you're faced with instructions to do something - to "earn" the right to access the wanted content, to share information, to prove that you are over 18, that you're not a bot (an account operated by scripts, trying to pass itself off as human), approve an app, and so on - simply press the "Previous page" button on your browser or any of the links that will take you to any other part of Facebook.
I have lately noticed a few rogue apps that gain permission from the victims to contact their friends and say that they've had their birthday date added to the victims' calendar. Always on the lookout for scams, I followed the link to see what that was all about. I was faced with a screen asking me to "Allow" the app, but when I wouldn't (I pressed "Don't Allow"), the Facebook screen went softly grey, and a message popped up saying that I should add the app to my account.
This time it was giving me only the "Allow" button, and doing any of the aforementioned actions didn't work. It simply wasn't allowing me to move back or on, so I did something that I knew the app couldn't stop me from doing: I closed the browser. After opening it again, I logged into Facebook and simply wasn't pestered by the app any more. Still, I can see why inexperienced users would be bullied into pressing the "Allow" button in order to regain control of their account (or so they believe).
Lastly, check out the offered links' URL. If it's extremely long, full of random numbers and lower- and upper-case letters, contains mistyped versions of the word "facebook", is a shortened link whose destination you can't check before following it, and so on - just don't go there. It's as simple as that.
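As an added illustration of the URL checks just described (my own example, not code from the original article), here is a small Python function that applies those heuristics to a link and explains what it found. The shortener list and the set of legitimate Facebook hosts are assumptions, and the domain splitting is deliberately naive (no public-suffix list).

```python
import re
from typing import List
from urllib.parse import urlparse

# Assumed lists for the example; extend them for real use.
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly", "is.gd"}
LEGIT_FB_HOSTS = {"facebook.com", "fb.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot mistyped 'facebook' hostname labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of the hostname (naive: ignores public suffixes like co.uk)."""
    return ".".join(host.split(".")[-2:])


def link_warnings(url: str) -> List[str]:
    """Return human-readable reasons a link matches the scam-bait heuristics."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if len(url) > 120:
        reasons.append("very long URL")
    if registrable(host) in SHORTENERS:
        reasons.append("shortened link; destination cannot be checked before following")
    for label in host.split("."):
        # A label one or two edits away from 'facebook' is a look-alike (e.g. faceboook)
        if label != "facebook" and 0 < levenshtein(label, "facebook") <= 2:
            reasons.append(f"look-alike hostname label '{label}'")
    if "facebook" in host and registrable(host) not in LEGIT_FB_HOSTS:
        reasons.append("'facebook' appears in the host but the domain is not facebook.com")
    # Long tokens mixing digits, lower- and upper-case letters in path or query
    for token in re.findall(r"[A-Za-z0-9]{20,}", parts.path + "?" + parts.query):
        if re.search(r"\d", token) and re.search(r"[a-z]", token) and re.search(r"[A-Z]", token):
            reasons.append("long random-looking token in path/query")
            break
    return reasons
```

An empty list means none of the heuristics fired, which is not proof the link is safe, only that it does not look like the typical bait described above.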
Here is also some random advice on what to do to prevent yourself from stumbling into scams (or at least considerably minimize the possibility):
- If you know that you have a soft spot for funny videos, don't search for them and watch them on Facebook. There are plenty of websites out there that are dedicated to aggregating that kind of content and various trivia, so do yourself a favor and visit them to get your daily "fun fix" instead.
- Don't be "click-happy" on Facebook. Consider carefully each link you want to follow, and don't do it unless you're 95 percent sure that you won't regret it. Conversely, you should apply the same advice to your behavior on the Internet in general. Don't click any "OK", "Allow" or "Yes" button if you're not sure you know what you're saying yes to.
- If not sure whether something is a scam or not, consider using Google for opinions about it. But remember that even if you don't get explicitly told something is a scam, it doesn't mean that it isn't. It could simply mean that nobody spotted, flagged and wrote about it before.
- Carefully review the permissions each app asks of you. Steer clear of those who want your permission to be able to change things on your account, to post in your name, to contact your friends directly, and similar things you wouldn't want a stranger to be able to do (and possibly even most friends).