In recent months, three friends have told me they received at least one spam email that was sent from someone using my first and last name, but not from a recognizable email address that they knew to be mine. I figured it must have something to do with Facebook because it was the only common denominator between myself and each friend.
A quick Google search confirmed my suspicions:
- Forbes: Facebook Says 'Misconfiguration' Allowed Spammers To Impersonate Users
- CNET: Spam from 'friends' is actually result of Facebook hole ("Facebook has fixed the problem and says spammers are using friend lists they scraped before the fix to send new e-mails.")
It turns out that last August (2012) there was a breach that allowed ne'er-do-wells to access the names of all of your friends on Facebook if your friend list wasn't set to private. In turn, the spammers were able to learn your email address and then used the names of people they knew you know to send virus-laden messages to your inbox.
How do you protect yourself in the future? Set your friend list to private like this:
- Go to your profile page and hover over the upper right corner of your friends section until the small "Edit or Remove" box appears. Click on it.
- Next it will ask you if you want to edit "Sections" or "Privacy." Choose "Edit Privacy."
- Then change your setting to "Only Me" so that no one else can see your friends list.
The only reason I'd already set my list to private was because someone I knew, whose friend request I had accepted, went on to use my friends list to hit on at least one of my friends. Seriously. As soon as I finished apologizing to her I unfriended him and set my list to private to avoid it happening again in the future.
Here are some additional good tips from the articles linked above (some of which I slightly modified):
- Review your security settings and consider enabling login notifications.
- If the subject line reads "For Your-name-here" and the email address is one you wouldn't associate with your friend, those are signs it may be part of this scam.
- Don’t accept Facebook friend requests from unknown parties.
- Don’t click on strange links, even if they’re from friends, and notify the person if you see something suspicious. How do you determine if a link is "strange"? Hover over a link without clicking on it. You'll see the full URL of the link's true destination in a lower corner of your browser.
- Don't use the links in an email, instant message, or chat to get to any web page if you suspect the message might not be authentic or you don't trust the sender. Instead, navigate to the website directly.
- Be suspicious of any email with urgent requests for login or financial information, and remember, unless the email is digitally signed, you can't be sure it wasn't forged or spoofed.
- If you come across a scam, report it so that it can be taken down. Earlier in the month Facebook introduced a dedicated email address for reporting phishing scams: email@example.com.
- Don’t download any applications you aren’t certain about.
- Visit Facebook’s security page.
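The two checks the tips above describe (a familiar name on an unfamiliar address, and a link whose visible text doesn't match where it really goes) can be automated. The following is an added example written for this post, not code from Facebook or from either article; the contact list, the `.invalid` domains and the sample message are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real email): a known display name on an
# unfamiliar address, and a link whose text says one site but points to another.
SAMPLE_EMAIL = """\
From: "Jane Example" <x77@mail-example.invalid>
To: friend@example.net
Subject: For Jane Friend
Content-Type: text/html; charset="utf-8"

<p>Check this out: <a href="http://tracking.example.invalid/go">https://www.facebook.com/photos</a></p>
"""

# Hypothetical address book: display name -> domains that person really sends from.
KNOWN_CONTACTS = {"jane example": {"janeexample.com", "example.org"}}

class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs, i.e. what hovering over each link reveals."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def check_message(raw):
    """Return a list of warnings for the impersonation signs the tips describe."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    warnings = []
    known_domains = KNOWN_CONTACTS.get(sender.display_name.lower())
    if known_domains is not None and sender.domain.lower() not in known_domains:
        warnings.append(f"display name '{sender.display_name}' but unfamiliar address {sender.addr_spec}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkCollector()
        parser.feed(body.get_content())
        for text, href in parser.links:
            shown = urlparse(text).hostname if "://" in text else None
            if shown and shown != urlparse(href).hostname:
                warnings.append(f"link text shows {shown} but goes to {urlparse(href).hostname}")
    return warnings
```

Run `check_message(SAMPLE_EMAIL)` to see both warnings; a message from a known domain with honest links returns an empty list.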
As Facebook updates their site from time to time, I check my privacy settings to make sure they weren't reset to the default, which is usually something more public than private.
So if you get an email from me but the email address isn't one of my website URLs, be very suspicious and don't click on any links contained in the message. Also, utilize whatever reasonable privacy options you can on your social media accounts, as they may protect you from spammy attacks like this one in the future.