Facebook scams and dodgy ads – a grumpy old man’s perspective

I’ve just spent a happy hour dealing with a Facebook scam encountered by a family member on their business account. The process is depressing and has reinforced my personal antipathy towards Facebook. Let me explain …

[Image: Fake[?] Facebook warning message]

The scam

The scam in question threatens to suspend your account if you don’t follow a link to confirm some account information. So far, so classic, and my scamtenna immediately screamed “ignore the message”. As a business user, however, the recipient was naturally worried that their account could disappear and they would be cut off from their “fan base”. Further investigation was necessary to reassure them that the message was false; call Google (or Siri if you prefer).

The message is definitely a scam, with variations of it discussed on scam/hoax-busting sites across the web, so it was time to get Facebook involved. This proved to be impossible on the iPad, device of choice for couch surfing, even following the advice in the help centre. Hauling out a “proper” computer we were able to report the message as spam, and hopefully it gets attention because of that. However the GOM in me can’t leave it at that; there are a couple of things that I needed to follow up on.

Firstly the iPad difficulties.

As mentioned, it’s the device of choice for many internet users (up to 50% now on some areas of our web site), and to have a missing function when you are trying to deal with such a dodgy event is bloody annoying. I’m “Mr always reads the manual” & couldn’t report it on their app. Maybe it’s possible; I didn’t see it.

Another problem on touch screen devices is the difficulty of inspecting anything. This is particularly bad on the iPad, with Apple’s aversion to user control, but I’d bet I’d have the same problem on my Nexus. On a desktop I’d immediately hover and see the underlying link in the status bar, or right-click and check. Unfortunately, in this case, that wouldn’t have helped, because what you see is a genuine link to somewhere on the facebook.com domain.

I’m going to reproduce the link but for your safety I’m directing it to a safe destination:

https://apps.facebook.com/notifyforfanpages

[Image: Fake[?] Facebook Page Verification, the /notifyforfanpages Facebook “app”]

Secondly the link bait issue.

The link is genuine and on the facebook.com domain, so it’s easy to see how the less aware might be tempted to click through. If they do, like any good scam it then displays a convincing “Security Center” page. I followed it this far but left it at that. Various scam/hoax sites describe what happens next: give us your intimate details and some financial information “just for confirmation”. Then the scammers have enough to fleece you and use your Facebook account for nefarious purposes.

How does an app masquerading as an official Facebook system get through the verification process?
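As an added example (my own, not code from the original post), here is a small Python script that does programmatically what the desktop hover mentioned earlier does: it pulls every link’s visible text and real destination out of a message body, then applies the two checks this post turns on: is the destination really on the platform’s domain, and, if it is, is it a host that serves third-party “app” content rather than the platform’s own pages? The message body is constructed for the example; the treatment of apps.facebook.com as a third-party app host is taken from the post’s description of the /notifyforfanpages “app”; the look-alike domain uses the reserved .test TLD.

```python
"""Inspect links in a message the way a desktop hover would, plus a domain check
that shows why "it's on facebook.com" is not, by itself, proof of official origin."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message in the style of the scam described in the post.
# The second link is a constructed look-alike domain on the reserved .test TLD.
SAMPLE_HTML = """
<p>Your page violates our policies and will be suspended within 24h.</p>
<p>Please <a href="https://apps.facebook.com/notifyforfanpages">confirm your
account here</a> to avoid termination.</p>
<p>Or visit <a href="http://facebook.com.example-verify.test/login">https://www.facebook.com/help</a>.</p>
"""

PLATFORM_DOMAIN = "facebook.com"
# Hosts on the platform domain that serve third-party app content. Assumption for
# this example, based on the post: apps.facebook.com hosted the "app" in question.
THIRD_PARTY_APP_HOSTS = {"apps.facebook.com"}


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs, i.e. what a hover would reveal."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((text, self._href))
            self._href = None


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    parser.close()
    return parser.links


def registrable_domain(host):
    # Simplification: last two labels. A real tool would consult the public suffix list.
    return ".".join(host.split(".")[-2:])


def on_platform_domain(host):
    return host == PLATFORM_DOMAIN or host.endswith("." + PLATFORM_DOMAIN)


def assess_link(text, href):
    """Return the facts a careful reader would want before clicking."""
    host = (urlsplit(href).hostname or "").lower()
    # If the visible text looks like a URL, compare its host with the real one.
    shown = urlsplit(text).hostname if text.lower().startswith(("http://", "https://")) else None
    text_mismatch = shown is not None and shown.lower() != host
    platform = on_platform_domain(host)
    third_party = host in THIRD_PARTY_APP_HOSTS
    if text_mismatch:
        verdict = "visible URL differs from destination"
    elif not platform:
        verdict = "destination is outside the platform domain"
    elif third_party:
        verdict = "platform domain, but a third-party app host: not proof of official origin"
    else:
        verdict = "platform domain, first-party host"
    return {
        "text": text, "href": href, "host": host,
        "registrable_domain": registrable_domain(host),
        "on_platform_domain": platform,
        "third_party_app": third_party,
        "text_mismatch": text_mismatch,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for link_text, link_href in extract_links(SAMPLE_HTML):
        result = assess_link(link_text, link_href)
        print(f"{link_text!r} -> {link_href}\n  {result['verdict']}")
```

The point of the third verdict is the one the post makes: a host-suffix check passes for the /notifyforfanpages link, and only knowing which hosts on the platform domain carry other people’s content tells you the page may not be Facebook’s own.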

Dodgy Facebook ads

[Image: Dodgy Facebook ads]

Another annoyance is the right-column ads, which seem to be an endless stream of dodgy dating sites, nutritionally suspect diets and other link bait. As part of experimenting with the profile I added a fair amount of (hopefully) innocuous information and watched as these ads changed from mostly suspect diets and other products to mostly dodgy dating sites as Facebook found out I was a mid-50s UK male. It’s almost insulting and certainly irritating to be bombarded with this sh*t!

Goodbye Facebook, hello less intrusive sites!

Most people just post child and animal pictures, stalk their older children and like other users’ cat posts, so are unaffected by these scams. I’m particularly sensitive to security issues so I’m easier to drive away, which is what happened with my personal account. I found myself feeling queasy about what was being shared where. I still can’t picture where the various items could end up or how, and grew fed up with having to review my settings every time Facebook changed something. The abiding picture I do have is of Randi Zuckerberg’s reaction to some new Facebook feature which, in the ultimate irony, ended up all over the internet. In spite of her resources it’s still around.

So I retired and now have a “professional” account I use as a kind of DEV system.

I’m far more comfortable Twittering and posting on WordPress, where the intention is to share with everyone and you behave accordingly. For limited posting I’m experimenting with Google+, although I admit to not having mastered that to my entire satisfaction yet, so could encounter similar problems (so far, though, no diet & dating dross).

I’ve posted the message I sent to Facebook as an aside below. I don’t expect a reply but I feel better having flagged it for some robot to categorise, auto-respond and shred.

A family member just received a threatening message about abuse and termination of her business pages within 24h for "violating policies".
In spite of reassurance (and evidence from Google searches that this is a known scam) she is still concerned so hopefully Facebook are too.
The particular cause for concern is the link embedded in the message which purports to be https://apps.facebook.com/notifyforfanpages. Naturally we have not clicked the link & being on the iPad it is difficult to investigate whether it is a true link (problem 1).
Assuming it to be spam I tried to report it on the iPad but even following the help center advice I was unable to find the icon to click (forward/share) and was unable to do so (problem 2).
At this point I decided to investigate on a "proper" computer & found that the link was not false; in other words https://apps.facebook.com/notifyforfanpages exists and looks very convincing, titled "Security Center on Facebook". Naturally seeing a page like this on the Facebook.com domain many people would assume that they have to follow instructions to confirm their details (problem 3).
I don't have the sandboxed system I'd need to test further - and am already uncomfortable opening the above page which has who knows what running in the browser trying to infect my device - so can't say what may be extracted from the unwary. I leave it to Facebook to investigate further.
I realise you cannot stop every dumb user from clicking through to links which may harm them or their bank balance but the above message is particularly worrying because of its use of the Facebook.com domain. I therefore expect you to take prompt action to close the /notifyforfanpages "app" for the protection of the unwary, and at least investigate how you can stop app developers using them to lull users into following link bait.
A good proportion of your user base is business engaging with their clients/customers on Facebook which is now embedded in our daily lives. Not all businesses have highly qualified technical security teams they can rely on to catch this abuse and, like my family member, are vulnerable to it. I believe it is therefore in Facebook's interest to move rapidly on this one.
Regards, Nigel Boor
(Infrequent but concerned user)