Thursday, October 27, 2011

Thousands Scammed by Facebook Starbucks App

Guest Blog Post by Brittany Lyons ~ 

For many Facebook users, the offer of free Starbucks gift cards is simply too much to pass up. Recently, many users clicked on just such a link that popped up in their friends' status updates, after those friends had “liked” the page. Instead of taking them to a legitimate corporate website, the users were directed to a fraudulent website, where they gave up their private information in order to receive the non-existent gift cards.

Facebook scams like these are not a new occurrence. In August of 2010, users' Facebook statuses were flooded with messages announcing that Justin Bieber was giving away free concert tickets. When users clicked the link, they went to a Facebook application page that asked for their mobile phone number in order to enter a contest to win £50,000 (80,000 USD). The catch was that it was also a premium service that charged £4.50 (7 USD) to the mobile phone bill once a week.

The one thing that Justin Bieber and Starbucks have in common is an extremely large fan base, and thus more potential victims for scammers to target. This is also why scams will often be disguised as popular services like online PhD programs. That large number of potential victims is then multiplied by the number of friends that these fans have, and scams like these get passed along from friend to friend like wildfire. It is possible that thousands of people gave up their personal information before the Starbucks scam app was removed by Facebook.

This connection between friends is what makes Facebook scams different from the email spam messages of the past. Email spam would just get sent to random people, typically by unknown senders, which made it relatively easy to block, filter or just ignore. Facebook scams, on the other hand, rely on trusted connections between friends in order to spread. Once someone has clicked on the link, the app re-posts that same link on their status, sending it out to all of their connections. Since a Facebook user is less suspicious of a message or link from a friend than of one from a random sender, there is a better chance of them opening the scam link or message and passing it on.

To avoid scams like this, it's important to know the posting habits of your friends. For example, if friends are posting links when they normally do not post links, or they are linking to something you don't think they are a fan of, there is a good chance that they have been scammed and didn't even post the link themselves. Most of these links are actually posted by rogue Facebook apps installed on a user’s Facebook page. If you are ever taken to a Facebook application install page, pay attention to whether or not the application asks for authorization to post on your wall, and think carefully before granting that authorization. Your friends will thank you.

Users should also avoid giving out personal information as a rule, especially in the case of promotional offers. Check the security settings on your Facebook profile to make sure that you are using “secure browsing,” which means there is an “https://” in front of the page URL rather than the “http://” that's more common. Secure browsing has a tendency to block all apps, rather than just the scams, but the extra step it takes to open a link will prompt you to think twice about how secure it is. Finally, users can also keep track of ongoing scams and frauds by checking the Facebook page of Sophos, a company that monitors and reports scams, viruses and frauds that are spread throughout the Internet.

Overall, the best mentality to have when seeing promotions that offer gift cards and other goodies on Facebook is this: if something seems to be too good to be true, then it probably is.

------------------------
Brittany Lyons aspires to be a psychology professor, but decided to take some time off from grad school to help people learn to navigate the academic lifestyle. She currently lives in Spokane, Washington, where she spends her time reading science fiction and walking her dog.

Monday, October 3, 2011

Guest Blog Post ~ Shredding Documents

Today we have a guest blog post to share with you from Chris at http://www.shreddingmachines.co.uk/

My parents and I were recently talking about ID theft and shredding over dinner. My father’s company purchased a Cross-cut Office Shredder from ShreddingMachines.co.uk to shred all sensitive information on site. This sensitive information includes corporate information such as invoices and pre-printed company letter paper but also the personnel files of his employees.

My mother works in the HR department for a much larger company, so the vast majority of the documents that need to be shredded relate to individuals who work at the company. This includes their names, addresses, home telephone numbers, bank account details and many other pieces of information that you wouldn’t want to fall into the wrong hands. I asked how this information was shredded and expected one of 3 answers:

1. Each member of staff has their own personalised shredder
2. There was a large centralised shredder for each department
3. A specialist company comes and does the shredding for them on site

The actual answer left me stunned. They got another company to shred all of her documents FOR FREE! They put all of the documents that need to be shredded into bags and then these are left in a room for the company to collect. The company would arrive every Friday to collect the bags and take them away with them.

I asked why the company didn’t charge any money for this service and was told that it was because they make their money from selling the paper. I asked how she knew that the paper had been shredded and she very proudly told me that they received a certificate through the post a few weeks later confirming that the paper had been shredded!

I could not believe what I was hearing. Sensitive information is left for over a week in bags marked “to be shredded” and is then collected by a company that makes money from the contents of these bags.

There are two problems that I can see:

1. Imagine someone broke into the property overnight and saw these bags. It wouldn’t take a genius to realise that bags marked “to be shredded” contained sensitive and potentially valuable information.
2. What is to stop the company who collects these bags from selling them to someone else and then providing you with a false certificate?

That is not to say that this particular company acts in this way. I have no idea of their name and they may be the most ethical company in the world. However, why take the chance? If they could collect the paper and get $5,000 for the recycled value or sell the information for $20,000, then unfortunately there are some members of society that would choose the latter.

Do you know what happens at your company? In the UK, companies must comply with the Data Protection Act. The important part is the 7th Principle, which states that “Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data”. This is clearly not the case if your information is taken off site. In the US there is no equivalent legislation; however, companies are encouraged to self-regulate this to ensure that data does not fall into the wrong hands.

This has hopefully made you think about what your company’s shredding policy is.
IT IS OKAY TO ASK!!

It is your personal information that could be at risk and it is your identity that could be stolen, so you are allowed to know what the process is. All companies should have a shredding policy in place. If they don’t, then why don’t you put yourself in charge of creating one? If your company has its information shredded off-site, then show them this article and see if you can get them to change how they do things.

The golden rule applies in this case as it does with most things in life. If something sounds too good to be true, then it usually is!