You’ve seen your friends fall prey to Facebook scams before: They engage with something promising free products, services, or access, and end up with an infected computer.
“We’re constantly trying to make detection better,” says Herve Robert, engineering manager on Facebook’s antispam team, “because we know that spam and malware are bad for everyone: the site, the content, the users, and the advertisers.”
Although Facebook has ramped up efforts to eradicate spam—adding a security checkup tool, partnering with security companies to give users free malware cleanup software, and notifying people when it suspects that their accounts have been compromised, among other things—cybercriminals find ways to evade controls. Through posts designed to get people to click or submit personal information, they are seeking to profit.
“Malware is just another way for bad actors to make money,” Robert says. “They might use language that makes you want to click through.” Spam takes form in a variety of ways on Facebook, “and it’s always changing.”
There are many signs that a Facebook post isn’t legitimate, Robert says. “Be wary if a post is making an unusual request, or a friend is posting spammy pictures.”
Here are four ways cybercriminals often try to entice you to click and reveal yourself.
AN INSIDE SCOOP ON SHOCKING NEWS
Following the death of actor Robin Williams, Facebook posts reading “ROBIN WILLIAMS SAYS GOODBYE WITH HIS PHONE VIDEO BEFORE SUICIDE” promised exclusive content.
People who clicked on a link in the post were asked to share it on their wall and complete a survey before they could watch the footage, but there was no footage to watch.
Scams like this are designed to drive traffic to various sites; the higher the traffic, the more money the scammer makes, says Graham Cluley, cybercrime researcher and computer security analyst.
“By tricking thousands of people into taking a survey, in the misbelief that they will watch the final moments of a comedy legend whose life ended tragically, the scammers aim to make affiliate cash,” Cluley wrote in a blog post in August.
DOWNLOAD OF UNRELEASED SOFTWARE
Facebook confirmed in October that it was testing Reactions—not quite the rumored “dislike” button, but rather a set of emoticons aimed at more accurately portraying users’ feelings toward posts.
The news reignited an old scam: a post that claimed it could help you install the dislike button before it launched. It asked people to take multiple actions before downloading the button: after clicking on a post link, they were instructed to share it with their friends, then send it to five groups to which they belonged. Ultimately, the post took them to sites that goaded them with promises of get-rich-quick schemes in exchange for their personal information.
“That’s the main way you know that this, or any other Facebook link of this sort, is crooked, and that you should stay away: You can’t possibly recommend something without knowing what it is,” Paul Ducklin, senior security adviser at Sophos, wrote in a blog post. “Until you actually end up with a dislike button, as promised [by the post], you can’t recommend the posting.”
AN IMPROBABLE GIVEAWAY
“If something looks too good to be true, it probably is,” Facebook’s Robert says. That’s the case with bogus Facebook pages that offer a chance to win free merchandise—such as airline tickets—so long as you like or share the content, and submit some personal information.
In the last few months, two such scams flooded users’ news feeds: one promoted a Virgin Airlines giveaway, the other a British Airways giveaway. The Facebook pages promoting these giveaways were bogus.
“It’s never a good idea to like scam pages, or share them with friends, or leave a comment,” Cluley says. “If you do, you’re helping the fraudulent page spread further across your social network and opening up opportunities for the fraudsters to send you a message attempting to send you a fraudulent link, or trick you into handing over private information.”
Last year, Bitdefender researchers discovered a Facebook post luring people to view a sex video featuring actress Emma Watson. The post, which read, “Emma Watson leaked video? I waited for this!” displayed an image of the half-clothed actress.
This type of scam, which features salacious content and enticing text, preys on people keen to see the latest leaked videos and photos of celebrities, Cluley says.
Clicking the link redirected users to a bogus YouTube page, which prompted them to update their Flash Player. This download installed malware on users’ devices that changed browser settings and sent messages to victims’ Facebook friends on their behalf, Bitdefender says.
“If you’re the kind of person who gets a kick out of watching leaked videos and photos of celebrities,” Cluley says, “then you’re precisely whom cybercriminals are targeting.”