‘Tis the season to be jolly, but Facebook is a serious threat to your enjoyment of the festivities.
No, we’re not moaning about how the social network gobbles up time or depresses you by showing you how well everyone else is getting on. Instead, you should be concerned about how cybercriminals are using Facebook in order to scam you — and, in two cases, are even making you complicit in the crime!
1. Secret Sister Scam
What seems like the latest festive fad is actually festive fraud.
The “Secret Sister” almost certainly takes its name from Secret Santa. You give $10 for one gift, and receive between six and 36 in return. What could possibly go wrong?
Well, quite a bit actually. The old rule — “if it sounds too good to be true, it probably is” — is especially relevant here. The wording of the post varies, but it generally states that “ladies of any age” can give $10 or more to donate a present, and then get at least six times their item in return, as part of a “Secret Sister pre-holiday gift exchange.” Christmas can be a stressful time, so getting a random batch of stocking fillers might seem like a great idea.
Sure enough, you can give $10… but you won’t get anything back. If this all sounds familiar, it’s because a similar strategy hit Facebook last year, and before that, pyramid schemes have been conning people for decades.
Aside from damaging your bank account, taking part could have serious consequences, as the scheme is illegal in many jurisdictions. A representative from the Cookeville Police Department explains:
The gift exchange is a modern version of the chain letter scheme and is illegal. Chain letters are essentially forms of gambling and sending it through the mail violates Title 18, United States Code, Section 1302, the Postal Lottery Statute.
Having started in the United States, it has quickly spread across the globe. It wouldn’t be a surprise to find iterations of it on other messaging services like WhatsApp.
my sister doing secret santa for the six of us in our family: "what if I get someone I don't like?"
— Meredith Scroggin (@mlscroggin) November 24, 2016
What can you do? Facebook does know about the scam, so if you spot it on your newsfeed, report it. All you have to do is click the downward arrow in the top right-hand corner of the post, then click Report Post; from there, select your reason and follow the instructions.
And the only other advice is obvious: do not send any money!
2. Malicious Messenger Extension
Most of us trust a link or attachment sent from a friend or family member, but a recent scam plays on this false sense of security.
The scam starts with a compromised account sending what looks like a photo, saved as a Scalable Vector Graphics (SVG) image. SVG is an XML-based image and animation format that has been in development since 1999 and is supported by all major browsers; crucially, it can also carry embedded JavaScript. Clicking on the image (which shows no preview) redirects you to a fake YouTube page, which then tells you that you can’t watch the video without a Google Chrome extension.
Once you install that extension, it quietly sits in the background harvesting your data, including but certainly not limited to your usernames, passwords, online banking details, emails, the websites you frequent, and any other Personally Identifiable Information (PII). It may also present fake versions of PayPal, Amazon, or other services that ask for payment details.
It also hijacks your Facebook account and sends the SVG file to all your contacts. Needless to say, it spread through the network incredibly fast, so it’s no surprise if you have already seen this scam.
Facebook has addressed the issue by filtering SVG files, and the malicious extension has been removed from the Chrome Web Store, so, in theory, the problem has been fixed.
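To see what a filter like Facebook’s has to look for, here is an added example: a small Python scanner that parses an SVG file and flags the features that let an “image” behave like a web page (script elements, on* event handlers, and links that point at remote or javascript: URLs). It is not Facebook’s or Google’s code and does not describe how their filter works; both sample images, including the redirecting lure and its example.com address, are constructed for this example.

```python
"""Flag SVG files that carry active content.

Added example, not from the original article and not Facebook's or
Google's code. The two sample SVGs below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Elements that let an SVG run code or embed arbitrary HTML/objects.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
# href values with these prefixes load something remote or execute script.
SUSPICIOUS_HREF_PREFIXES = ("http:", "https:", "javascript:", "//")


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def scan_svg(data: bytes) -> list:
    """Return a list of findings; an empty list means no active content was seen.

    Note: the stdlib parser is used here for portability. For untrusted input
    in production, parse with defusedxml to block entity-expansion attacks.
    """
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    for elem in root.iter():               # root.iter() walks the whole tree
        name = _local(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"active element <{name}>")
        for attr, value in elem.attrib.items():
            aname = _local(attr)           # handles xlink:href as well as href
            if aname.lower().startswith("on"):          # onload, onclick, ...
                findings.append(f"event handler {aname} on <{name}>")
            elif aname == "href":
                if value.strip().lower().startswith(SUSPICIOUS_HREF_PREFIXES):
                    findings.append(f"remote/script href on <{name}>: {value}")
    return findings


def is_safe_svg(data: bytes) -> bool:
    """True only when the scanner found nothing to complain about."""
    return not scan_svg(data)


# Constructed sample: a 1x1 "image" that draws nothing and redirects on load.
LURE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1" onload="go()">
  <script><![CDATA[ function go(){ window.location = "http://example.com/fake-video"; } ]]></script>
</svg>"""

# Constructed sample: an ordinary vector image with no active content.
CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="red"/>
</svg>"""


if __name__ == "__main__":
    for label, svg in (("lure", LURE_SVG), ("clean", CLEAN_SVG)):
        print(label, "->", scan_svg(svg) or "no active content")
```

The point of the lure sample is that an SVG with no visible drawing at all can still run JavaScript the moment it is opened, which is why the absence of a preview is a warning sign rather than a glitch. A filter that only checks the file extension or the MIME type would pass it; one that parses the XML and refuses script, event handlers, and outbound links would not.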
Oh, But It’s Ransomware!
Except that this campaign is actually a delivery route for the Locky ransomware, which plagued the internet earlier this year. Despite the name, Locky doesn’t so much lock your computer as encrypt all your files, then demand payment in Bitcoin. Victims really are held to ransom: there is no free decryption tool. Without a backup to restore from, your only other option is to wipe the hard drive and lose all your files.
Locky, then, is malware that can’t easily be defeated. It was rampant in May and June 2016, and has now returned via the Nemucod malware downloader, with the SVG image as the lure; it was only noticed again this month. It would be naïve to think cybercriminals won’t find a way around the efforts of Facebook and Google.
What can you do? First of all, do not click on SVG files sent to you out of the blue. This scam fortunately stood out because the image arrived with no text at all: no personalized message, nothing frivolous. That alone should alert you that something’s wrong. Contact whoever is supposed to have sent it, by some channel other than Facebook, and warn them that their account has probably been compromised. This particular wave shouldn’t be a problem any more, but we expect Locky to morph into another form imminently.
If you’re worried that you’ve already fallen victim, you can uninstall the extension by clicking Menu > More Tools > Extensions, then locating the fraudulent extension and selecting Remove from Chrome. Bear in mind that removing the extension does not undo what it has already done: change the passwords for any accounts you used while it was installed (starting with Facebook and your email), and if your files have been encrypted, removing the extension won’t bring them back.
It’s not just Facebook either: malicious images have also been reported on LinkedIn, so trust your instincts. If something doesn’t feel right, don’t click it.
3. The Blessing Loom
Here’s another example of the evolution of hoaxes.
You get an invitation to a messenger app — it might be Facebook Messenger or more often than not, WhatsApp. You’re shown a loom, with one name right at the center, then further names branching out. The first person recruits two others. Each of them recruits two more. And this goes on, and on.
A place in the loom will generally cost you $100. That money, paid into a PayPal account, goes to the person in the middle of the loom. Recruit two more people, who each recruit two more, and you supposedly get $800 once the outer places are filled; everyone then advances a level. Lovely.
However, most participants never receive a single cent, because there are never enough new recruits to pay everyone who is waiting. Different looms ask for different amounts, so you might lose $25, $50, or $100; the so-called rewards are typically eight times what you put in. Michigan Attorney General Bill Schuette says:
[I]f a program begins with one person who recruits two people, each one of whom recruits two more people, and so on, in only 28 levels practically the entire population of the United States — every man, woman, and child — would be involved.
In fact, he says that by the 28th level, 268,435,455 participants in total would have to be involved.
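The arithmetic behind that figure, and what it means for the people inside a loom, as an added example that is not part of the original article or of any official material: a short Python model of the doubling recruitment tree. The loom parameters (two recruits per member, a payout only once eight new people sit below you) follow the description above; the population figure used in the usage line is an assumption for illustration.

```python
"""Model the Blessing Loom's doubling recruitment tree.

Added example, not from the article or from any official source. Loom
parameters (two recruits per member, eight payers per payout) follow the
description in the text; the population figure at the bottom is assumed.
"""
from fractions import Fraction


def participants_through(levels: int, fanout: int = 2) -> int:
    """Total people involved once `levels` levels are filled (the centre is level 1).

    Level k holds fanout**(k-1) people, so this is a geometric series:
    for fanout 2 it equals 2**levels - 1.
    """
    return sum(fanout ** k for k in range(levels))


def levels_to_cover(population: int, fanout: int = 2) -> int:
    """Smallest number of filled levels whose total reaches `population`."""
    levels = 0
    while participants_through(levels, fanout) < population:
        levels += 1
    return levels


def loom_status(levels: int, payers: int = 8, fanout: int = 2) -> dict:
    """Who has been paid and who is waiting once `levels` levels are filled.

    A member is paid only when `payers` recruits sit below them, which in a
    tree with this fanout means their subtree must be `depth` levels deep.
    Everyone in the last `depth` levels has paid in and can only be paid if
    the loom keeps growing.
    """
    depth = 0
    while fanout ** depth < payers:
        depth += 1                         # 3 levels for 2 recruits, 8 payers
    total = participants_through(levels, fanout)
    paid_out = participants_through(max(levels - depth, 0), fanout)
    return {
        "participants": total,
        "paid_out": paid_out,
        "waiting": total - paid_out,
        "waiting_share": Fraction(total - paid_out, total) if total else Fraction(0),
    }


if __name__ == "__main__":
    US_POPULATION = 323_000_000            # assumed round figure for 2016
    print("levels to exceed the US population:", levels_to_cover(US_POPULATION))
    for lv in (4, 10, 28):
        s = loom_status(lv)
        print(f"{lv:>2} levels: {s['participants']:>11,} in, "
              f"{s['paid_out']:>10,} paid, {s['waiting']:>11,} waiting "
              f"({float(s['waiting_share']):.1%})")
```

Whatever the size of the loom, the waiting share never falls below seven in eight: for every member who has collected $800, eight new people have paid $100 each, and those eight in turn need sixty-four more below them before they see anything. The scheme does not fail at some distant level; it is structured so that the overwhelming majority are always the ones waiting.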
If this feels related to the Secret Sister scam, that’s because they’re both the latest versions of the pyramid scheme: an unsustainable model in which money from later recruits pays earlier ones, until the recruits run out and everyone at the bottom is left with nothing. This, too, is viewed as a criminal offence, depending on where you live.
My blessing loom is filled out. I should be rich any minute now… pic.twitter.com/QD2TNkthRI
— The Ostrich (@ALostrich) November 22, 2016
What can you do? Don’t take part in such a scheme. You will lose out. Facebook and PayPal both have policies against pyramid schemes, so again, it’s worth reporting the post. Nonetheless, search Facebook for the Blessing Loom, and too many results will come up.
If someone invites you to a different messenger, refuse. And don’t forget to warn your friends: the only way to beat these scams is by spreading the word.
Have You Spotted Any Other Scams?
However tempting these posts seem, don’t fall for them.
Scam free safe Christmas
— Trading Standards (@SuffolkTS) November 24, 2016
Remember that these are just the latest in a long, long line of Facebook scams. They’re always evolving, so abide by some basic security measures, like not taking conversations to different platforms, and definitely not sending any money. Don’t download anything or click on a link from someone you don’t trust. And even if you do trust them, stay skeptical.
Have you fallen foul of any scams on Facebook? Do you have any further advice to offer?
Image Credits: Anton Watman/Shutterstock