Facebook Scam Exploits Friendship For Money : All Tech Considered What do you do if a friend on Facebook reaches out to you for money? Trust, but verify - it's possible it could be a scam.

That's not the Elizabeth I remember from high school! iStockPhoto.com

Screenshot: Andy Carvin/NPR

Earlier this week, I was logged into Facebook and received a chat message from Elizabeth Collins, an attorney in Gainesville, Florida, who attended high school with my brother. Though we're friends on Facebook, we hadn't really interacted much since graduation. So I was somewhat surprised that she was now asking me for emergency financial assistance.

"i am really freaked out right now and i need your urgent help," she wrote. "i was mugged at a gun point in london last night cash,credit cards and cell phone was stolen. it was a brutal experience but i am ok and i still have my passport."

But it didn't really add up. Of all the people she could contact on Facebook, why me? And it certainly seemed a little strange that her Facebook status updates said nothing about a trip to London.

It was at this point, though, I remembered a blog post from TechCrunch earlier this year about people gaining access to Facebook users' accounts and then hitting them up for emergency cash via wire transfer. Of course, it was entirely possible that Elizabeth was really in trouble, so I was placed in the awkward position of probing her for more information.

"I hate to do this, but there have been people hacking FB accounts and asking for financial assistance," I wrote. "Can you tell me how we know each other?"

For a minute or two there was no reaction, but then she wrote back: "What? Same high school."

Unfortunately, that wasn't good enough. "I know it's terrible for me to ask," I continued, "but this has been a reported problem. Just please say a bit more that goes beyond what's on your FB profile. Again, my apologies."

And with that, she ended the chat. "Elizabeth" had nothing else to say to me. So I tracked down her e-mail address and asked her if she just tried to contact me, and if everything was okay. It turns out my hunch was correct - the chat messages were coming from someone else. Not only had her Facebook account been compromised, she said, the perpetrator had attempted to reach out to some of her other friends as well.

"I simultaneously received a call from a high school (and Facebook) friend that I hadn't spoken to in 20 years, who called my office to see if I really was stranded in England, and an inquiry from a young staff member who remains signed in to Facebook all day, who knows I was sitting down the hall, regarding the message he received," the real Elizabeth Collins told me. "When I first signed in to see what was happening, I watched the chat windows pop up with the hacker cutting and pasting and sending the message to several of my online friends."

Realizing what was going on, Elizabeth put the word out to her friends. "I immediately changed my status post to advise everyone that my account had been compromised and to advise them regarding the messages the hacker was sending," she said. "I then changed my password.... I also am changing the passwords for any other accounts for which my login is the same email address and that use the same or a similar password."

"I am grateful that my friends notified me so quickly," she added. "I am always very cautious of monitoring credit accounts and the like. I believe that having a very common name makes me a good candidate for identity fraud."

Exactly what happened to Elizabeth is hard to pinpoint, but she might have been a victim of phishing. This is when you receive an email with a link that appears to go to a website you normally trust, but the link actually goes to another website with a similar URL. When you try to log in there, it grabs your account information.

I contacted Facebook to get a sense of how widespread the problem is.

"The scale of this type of attack is extremely small, and only a tiny fraction of a percent of users have ever been affected," explained Simon Axten, from Facebook's privacy and public policy team. "We've developed a number of complex automated systems to help detect this type of suspicious behavior and block it wherever possible. These systems rely mostly on anomalous account activity. For example, if we notice that a user who typically only posts to a couple friends' Walls per day is suddenly posting to 30, we assume the account is compromised and shut it down or reset the password. Attacks of the type this person experienced, where a human being, as opposed to a script, accesses the account and uses social information to fool others, can be harder to detect. We're constantly working to improve our systems, but we need users' help, too."
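The volume-based check described in the quote above can be sketched as follows. This is an added example, not Facebook's code and not part of the original article; the event format, the `factor` and `floor` thresholds, and the account names are assumptions chosen to mirror the "couple of Walls per day, suddenly 30" case, and the second account shows why a human sending a handful of messages stays under such a threshold.

```python
from collections import defaultdict
from statistics import median

def build_events():
    """Constructed sample data: (day, account, recipient) wall-post events."""
    events = []
    for day in range(1, 8):
        # Both accounts normally post to two friends per day.
        events += [(day, "alice", f"friend{n}") for n in range(2)]
        events += [(day, "bob", f"friend{n}") for n in range(2)]
    # Day 8: alice's account suddenly posts to 30 friends (script-like burst).
    events += [(8, "alice", f"friend{n}") for n in range(30)]
    # Day 8: bob's account messages only 4 friends (human-paced misuse).
    events += [(8, "bob", f"friend{n}") for n in range(4)]
    return events

def daily_fanout(events):
    """Count distinct recipients per (account, day)."""
    seen = defaultdict(set)
    for day, account, recipient in events:
        seen[(account, day)].add(recipient)
    return {key: len(recipients) for key, recipients in seen.items()}

def flag_anomalies(events, today, factor=5, floor=10):
    """Flag accounts whose fan-out today is at least `floor` recipients and
    more than `factor` times their own median daily baseline.
    Both thresholds are assumed values for illustration."""
    fanout = daily_fanout(events)
    history = defaultdict(list)
    for (account, day), count in fanout.items():
        if day < today:
            history[account].append(count)
    flagged = {}
    for (account, day), count in fanout.items():
        if day != today:
            continue
        baseline = median(history[account]) if history[account] else 0
        if count >= floor and count > factor * max(baseline, 1):
            flagged[account] = (baseline, count)
    return flagged

if __name__ == "__main__":
    print(flag_anomalies(build_events(), today=8))
```

Only the 30-recipient burst is flagged; the four-recipient day passes, which is the detection gap the quote attributes to human-operated account misuse.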

Elizabeth was lucky that her Facebook friends weren't willing to take the requests for money at face value. "I think the great majority of my friends have enough common sense to recognize a scam when they see one," she said. Nonetheless, it's easy to grow complacent when you think you're just interacting with real-life friends, so Facebook's Simon Axten offered some basic tips to lessen the chances of this happening to you:

  • Use an up-to-date browser that features an anti-phishing blacklist. Some examples include Internet Explorer 8 or Firefox 3.0.10.
  • Use unique logins and passwords for each of the websites you use.
  • Check to see that you're logging in from a legitimate Facebook page with the facebook.com domain.
  • Be cautious of any message, post or link you find on Facebook that looks suspicious or requires an additional login.
  • Become a fan of Facebook's Security Page, which contains other tips and sends out security-related updates.
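The "check the facebook.com domain" tip comes down to comparing the real host of a link, not how the link looks. The following is an added example, not from the article or from Facebook; the sample URLs are constructed, and requiring `https` is an assumption added on top of the tip.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "facebook.com"

def is_trusted_login_url(url, trusted=TRUSTED_DOMAIN):
    """Return True only if the URL's real host is `trusted` or a subdomain."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https":  # assumption: login pages must use TLS
        return False
    # .hostname drops any "user@" prefix and ":port" suffix and lowercases.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False
    try:
        host.encode("ascii")  # reject look-alike non-ASCII letters
    except UnicodeEncodeError:
        return False
    # Match on a label boundary so a longer name ending in the same
    # letters does not pass.
    return host == trusted or host.endswith("." + trusted)

# Constructed sample links, using reserved .example names for the fakes.
SAMPLES = [
    "https://www.facebook.com/login.php",
    "https://facebook.com.login.example/",           # trusted name as a prefix
    "https://www.facebook.com@phish.example/login",  # trusted name as userinfo
    "https://faceb00k.example/login",                # similar spelling
    "https://f\u0430cebook.com/login",               # Cyrillic letter in host
]

def classify(urls):
    """Map each URL to True (trusted host) or False."""
    return {url: is_trusted_login_url(url) for url in urls}

if __name__ == "__main__":
    for url, ok in classify(SAMPLES).items():
        print("OK  " if ok else "FAKE", url)
```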

Perhaps the best way to approach situations like this is to trust, but verify. In the rare chance that a friend is actually contacting you for financial assistance, ask some probing questions that only your real friend would know - especially information that isn't posted on Facebook or elsewhere. It may annoy your friend, but at least you'll both be protected by it.