Over and over again, I hear the same stories.  Another person has had their Facebook or other social media account taken over or used against them to install some type of malicious software. 

According to its regulatory filing in 2012, Facebook claimed to have over 900 million unique and active accounts. I would estimate that fewer than half of those users have read through Facebook’s security options or are even aware of the other dangers that can occur while using Facebook or any other social media in an insecure fashion. Here are just a few examples of insecure user behavior that could potentially lead to trouble.

Clicking on a link, picture, or video: A commonly seen social engineering technique used by nefarious individuals to trick users into visiting a malicious website is to post a link, picture, or video that entices the user to click on it. The link, picture, or video appears to take the user to a known or innocent-looking website when, in fact, the website the user actually visits is fraudulent and very dangerous. This malicious website could be:

  • Installing software into the user’s browser that records all of their keystrokes
  • Stealing the user’s username and password for their social media accounts, financial institutions, or ecommerce websites

To defend themselves against this type of attack, users should browse directly to the known and trusted website where the link, picture, or video appears to be located. For example, if a video shown on Facebook appears to be from YouTube, it’s much safer for a user to browse directly to YouTube and then search for the video. This also applies to any other links, pictures, or articles that have been posted on other social media websites.
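The gap between where a post appears to lead and where its link actually goes can be checked mechanically. The following is an added example, not part of the original article: the function names are illustrative, and every address ending in `.example` is a constructed sample.

```javascript
// Added example (not from the original article). All link targets are constructed.

// Hostname a link really points to, or null if it is not a parseable web address.
function hostOf(href) {
  let url;
  try {
    url = new URL(href);
  } catch (err) {
    return null;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  // The URL parser already drops any "name@" prefix and lowercases the host.
  return url.hostname.replace(/\.$/, "");
}

// True only for the site itself or a real subdomain of it. The leading dot
// matters: "notvideos.example" must not pass as "videos.example".
function belongsTo(host, site) {
  return host === site || host.endsWith("." + site);
}

// claimedSite: where the post appears to come from (e.g. "youtube.com").
// href: the address the link actually carries.
function checkLink(claimedSite, href) {
  const site = claimedSite.toLowerCase();
  const host = hostOf(href);
  if (host === null) {
    return { match: false, host: null, note: "not a web address" };
  }
  if (belongsTo(host, site)) {
    return { match: true, host, note: "destination is " + site };
  }
  // The trusted name appears in the address but is not the real destination.
  const decoy = href.toLowerCase().includes(site);
  return {
    match: false,
    host,
    note: decoy ? "trusted name used as a decoy" : "different site",
  };
}

const samples = [
  "https://www.youtube.com/watch?v=abc123",
  "https://youtube.com.video-share.example/watch?v=abc123",
  "https://youtube.com@video-share.example/watch",
  "https://video-share.example/watch?v=abc123",
];
for (const href of samples) {
  console.log(href, "->", JSON.stringify(checkLink("youtube.com", href)));
}
```

Only the first sample resolves to the claimed site; the second and third carry the trusted name in the address while the browser would connect to a different host.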

Believing that your private data is actually private: Facebook and other social media companies make a large chunk of their income from sharing their users’ data with third-party application developers. There is no way to tell if these developers are scrupulous or not. So, as a defense, it’s a best practice for users to assume that ANY information they enter into Facebook will be seen by everyone. This includes the very common behavior of a user posting their current physical location, such as when they are on vacation or are out having dinner. There is no way to tell who else has access to that information. Other pieces of data that are often included in a user’s account are their home address or phone number. This data could be used by malicious parties in many ways.

Not understanding security settings: Each time Facebook or any social media website updates its security functionality, it is the user’s responsibility to learn how to protect their data and their account. Once an update occurs, there are usually many trustworthy websites that will describe to non-technical users how to change their settings. As long as a user is following advice from a recent article, they are reducing the chances of their account becoming insecure. For example, the AARP (American Association of Retired Persons) recently published an article to help their users set their Facebook security correctly after news of the new Facebook Graph Search tool was released. This article can be visited here: http://blog.aarp.org/2013/01/16/prepare-your-facebook-security-settings-for-new-search/.

It’s important to remember that while websites like Facebook are extremely useful for keeping in touch with friends and family, these websites are not perfect and can be used by malicious individuals in many ways the social media creators never expected.