Facebook is asking its army of users to alert it to phishing emails sent to the @facebook.com addresses it assigned them.
When Facebook changed everyone's displayed email address to [User profile name]@facebook.com, it exposed its users to spam and phishing. Anyone who knows a person's Facebook profile name can send them an email from outside Facebook.
This could be a spammer's dream and a nightmare for Facebook if its users' accounts get compromised.
It is simple to scrape Facebook profile names, append @facebook.com to each one and mass-mail whomever you want. Careless users can then let self-replicating worms and other malicious apps into Facebook simply by clicking the link in the email.
The trouble is that many Facebook users are not aware that their email address has been changed. Have a look at the profiles of your Facebook friends. All of my friends who do not work in technology display their Facebook address as their default email address.
Facebook delivers messages from people who are not your friends to the 'Other' folder. If you have never seen this folder, it can be found under Messages on the left-hand side of your Facebook page.
If the mail is received from a friend, it appears in the Messages folder. Hyperlinks and images are hidden by default, so the email initially appears as plain text. Clicking the 'Show hidden text' link shows the fully formatted email, with its hyperlinks and embedded images.
Fortunately, none of the non-techy friends that I asked were aware that they had an 'Other' folder. Hopefully these people would be unaware if they received external emails into this folder. But if they do, there is help at hand.
Facebook is asking its users to report any suspicious activity such as phishing attempts.
If users are suspicious about any message they receive in their inbox, they can report it by sending it to firstname.lastname@example.org. Facebook has set up this new reporting channel to complement its existing systems, which are designed to detect attempts to steal Facebook users' login information.
Facebook will then investigate and request 'browser blacklisting and site takedowns where appropriate'. Facebook also says it will work with its eCrime team to ensure they 'hold bad actors accountable'.
Facebook advises its users to:
- Be suspicious of any email with urgent requests for login or financial information, and remember, unless the email is digitally signed, you can't be sure it wasn't forged or 'spoofed'.
- Don't use the links in an email, instant message, or chat to get to any web page if you suspect the message might not be authentic or you don't trust the sender, instead navigate to the website directly.
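The two pieces of advice above can be turned into mechanical checks. The following is an added example, not code from the article or from Facebook: a small Python script that takes a raw email, looks at whether the receiving mail server recorded a passing DKIM result (a DKIM-Signature header on its own proves nothing, since anyone can add one), whether the From: domain is the one the message claims to be, whether the body contains urgent requests for login details, and whether any link's visible text names a different host than its real destination. The trusted domain list, the urgency phrases, the reliance on the Authentication-Results header and both sample messages are assumptions constructed for the example.

```python
"""Heuristic phishing checks for a raw email message (added example, not Facebook's code)."""
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the only domain this message is allowed to send users to.
TRUSTED_DOMAINS = {"facebook.com"}
# Assumption: a handful of phrases typical of "urgent request" phishing.
URGENT_PHRASES = ("verify your account", "account will be suspended",
                  "confirm your password", "within 24 hours")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); fine for .com, not a public-suffix lookup."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def get_body(msg):
    """Return the first text part of the message, decoded to str."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() in ("text/html", "text/plain"):
            charset = part.get_content_charset() or "utf-8"
            return part.get_payload(decode=True).decode(charset, "replace")
    return ""


def analyse(raw):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    findings = []

    # 1. Signed? Trust the receiving server's verdict, not the mere presence of a signature.
    if "dkim=pass" not in msg.get("Authentication-Results", "").lower():
        findings.append("no dkim=pass in Authentication-Results: sender could be spoofed")

    # 2. Does the From: address really come from a trusted domain?
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    from_domain = registrable_domain(m.group(1)) if m else ""
    if from_domain not in TRUSTED_DOMAINS:
        findings.append(f"From: domain {from_domain!r} is not trusted")

    # 3. Urgent requests for login or financial information.
    body = get_body(msg)
    text = re.sub(r"<[^>]+>", " ", body).lower()
    for phrase in URGENT_PHRASES:
        if phrase in text:
            findings.append(f"urgent request: {phrase!r}")

    # 4. Links: does each one stay on a trusted domain, and does its label tell the truth?
    collector = _LinkCollector()
    collector.feed(body)
    for href, label in collector.links:
        host = urlparse(href).hostname or ""
        if registrable_domain(host) not in TRUSTED_DOMAINS:
            findings.append(f"link {href!r} (shown as {label!r}) leaves trusted domains")
        shown = re.search(r"(?:https?://)?([\w.-]+\.\w+)", label)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            findings.append(f"link text {label!r} does not match destination {host!r}")
    return findings


# Constructed sample messages (not real traffic).
SAMPLE_PHISH = """\
From: Facebook Security <security@facebook-login-alerts.example>
To: user@facebook.com
Subject: Urgent: verify your account
Content-Type: text/html; charset=utf-8

<p>Your account will be suspended within 24 hours unless you
<a href="http://facebook.com.example.net/login">verify your account at facebook.com</a>.</p>
"""

SAMPLE_LEGIT = """\
From: Alice <alice@facebook.com>
To: user@facebook.com
Subject: photos
Authentication-Results: mx.example; dkim=pass header.d=facebook.com
Content-Type: text/html; charset=utf-8

<p>Here are the photos from Saturday: <a href="https://www.facebook.com/photos">album</a></p>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyse(sample) or ["no findings"])
```

The link check is the one that matters most for the advice above: the phishing sample's anchor reads "facebook.com" but resolves to example.net, which is exactly why navigating to the site directly is safer than clicking. A real deployment would replace the two-label domain heuristic with a public-suffix lookup and verify DKIM itself rather than trusting a header that an attacker could also forge if it is not stripped at the mail boundary.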
The challenge is that Facebook has hidden this information in its Security notes, an area the average user is unlikely to visit. Facebook should place an alert at the top of the home page drawing users' attention to the importance of being vigilant and careful.
Hiding this page away does not show the duty of care that Facebook owes its users, especially if it wants to avoid the potential consequences of a password or account breach.
It is only a matter of time before someone tries it…