June 25, 2011, 8:00 AM — "There's a sucker born every minute." That quotation, widely attributed to P.T. Barnum, originally referred to deceptive carnival sideshow attractions, but it's just as relevant to online scams--in particular, Facebook scams--today.
None of the common Facebook frauds--the "Facebook dislike button," the "stalker tracker" (which purports to tell you who's visiting your profile), and "watch this video" tricks, for instance--are new, says Chris Boyd, senior threat researcher for UK-based GFI Software. "You'd think that people wouldn't continue to fall for them," he says. But of course, they do.
Resisting the urge to click can be difficult, and scammers know it. They prey on a combination of users' curiosity and trust, and on their own ability to disguise scams as legitimate online promos. Fortunately, you have some clues to watch for.
One ploy that Facebook scammers use is to encourage people to click a compelling URL. But instead of seeing the promised site, the deceived person inadvertently spams friends with links to the same URL. Some messages are so persuasive that victims may provide personal information such as credit card or phone numbers, which the scammer can then exploit to run up unauthorized charges.
The key element in a successful scam is its ability to exploit the victim's trust, says Dr. Robert D'Ovidio, associate professor of sociology at Drexel University in Philadelphia. Many scams pose as links in posts from people you know. "These schemes are coming from people in our network, and our guard is already down; that's a very tough thing to police against."
If a friend posts a link to what appears to be a video on your wall with the comment, "Is this you? LOL!", you'll probably click it. But it may be a scam or a link to a malicious site posted by a crook using a hijacked Facebook account.
Here are two red flags to watch for when you click a link: It doesn't take you to the page promised; or it takes much longer to load than you'd expect. A delayed load may mean that you're being bounced between proxy servers to hide a hacker's location, instead of being sent directly to the destination.
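Those two red flags can be checked mechanically. The example below is added here and is not code from the article or from any company it quotes: it follows a link's redirect chain and flags a final host that differs from the one the post promised, or more redirect hops than a threshold. The URLs and the redirect map are constructed stand-ins for live HTTP 30x responses, so it runs offline.

```python
from urllib.parse import urlparse

# Constructed sample data: maps a URL to the target of its redirect, or to
# None when that URL serves a final page. In a live check this would come
# from the Location header of each 30x response (an assumption of this demo).
CONSTRUCTED_REDIRECTS = {
    "http://short.example/abc":         "http://bounce1.example/r?x=1",
    "http://bounce1.example/r?x=1":     "http://bounce2.example/go",
    "http://bounce2.example/go":        "http://bounce3.example/p",
    "http://bounce3.example/p":         "http://survey-prize.example/win",
    "http://survey-prize.example/win":  None,
    "http://video.example/watch?id=42": None,
}


def follow_chain(url, lookup, max_hops=10):
    """Return every URL visited, starting with `url`, until a final page,
    a redirect loop, or `max_hops` hops. `lookup(u)` gives the next URL or None."""
    chain = [url]
    seen = {url}
    while len(chain) <= max_hops:
        nxt = lookup(chain[-1])
        if nxt is None or nxt in seen:  # final page, or a loop back onto the chain
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def audit_link(promised_url, actual_href, lookup, max_hops=3):
    """Apply the two red flags to one link: does it land on the promised
    host, and does it bounce through more than `max_hops` redirects?"""
    chain = follow_chain(actual_href, lookup)
    promised_host = urlparse(promised_url).netloc.lower()
    final_host = urlparse(chain[-1]).netloc.lower()
    flags = []
    if final_host != promised_host:
        flags.append(f"lands on {final_host!r}, not the promised {promised_host!r}")
    hops = len(chain) - 1
    if hops > max_hops:
        flags.append(f"{hops} redirects before a page was served (threshold {max_hops})")
    return {"chain": chain, "flags": flags}


if __name__ == "__main__":
    result = audit_link("http://video.example/watch?id=42",
                        "http://short.example/abc", CONSTRUCTED_REDIRECTS.get)
    print(" -> ".join(result["chain"]))
    for flag in result["flags"]:
        print("RED FLAG:", flag)
```

A short redirect chain on its own is normal for URL shorteners and ad trackers; the combination of many hops and a destination that is not the promised site is what should make a user stop.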