Facebook's popularity makes it a prime target for hackers and malicious users who try their best to steal account information and data from Facebook users.
One of the main attack vectors is the Facebook login itself, which is subject to many different attacks, including phishing and social engineering. All of those attacks share the goal of stealing the user's login information in order to download data and misuse the account.
A common practice, for instance, is to message all friends of the user whose account was hacked, claiming that the user urgently needs money and asking them to transfer it to a bank account.
Phishing, which means Password fISHING, is a common attack form on the Internet. It is usually initiated by email but can also be experienced in chats, messengers, and other programs and services where user interaction is enabled.
Phishing emails are often security-related or event-related. Security-related phishing emails might inform the user about a new security update that needs to be downloaded by following the link in the email, while event-related phishing might pose as a new friend or chat request.
All have in common that at least some of the links in the email lead to a look-alike Facebook clone that will steal the user's account information if it is entered in the login form on that website. The phishing emails look as if they had been sent by Facebook: they use a Facebook-looking sender address and often display the Facebook logo to earn additional trust.
One way to spot phishing is to check whether the link actually leads to Facebook or to another website. This can be done by hovering the mouse over the link (without clicking); the real link destination is then displayed in the email client's status bar, and it should match the address shown in the email text.
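The hover-over check described above can also be done by machine: extract every link from the HTML body of a message, compare the address shown in the link text with the real destination, and flag destinations that only resemble the Facebook domain. The script below is an added example and not part of the original article; the sample message and the hosts under the reserved .example domain are constructed placeholders.

```python
"""Flag suspicious links in an HTML email the way a hover-over check would.

Added example; the sample message below is constructed, not a real phishing mail.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# The real login site: facebook.com and any of its subdomains.
TRUSTED_HOSTS = ("facebook.com",)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname(url):
    """Return the lowercase host part of a URL, or '' if there is none."""
    if "://" not in url:
        url = "http://" + url  # treat bare text such as 'www.facebook.com/x' as a URL
    return (urlparse(url).hostname or "").lower()


def is_under(host, parent):
    """True if host equals parent or is a subdomain of it."""
    return host == parent or host.endswith("." + parent)


def classify_link(href, text):
    """Verdict for one anchor:
    'mismatch'  the link text shows a host that differs from the real destination
    'ok'        destination is facebook.com or one of its subdomains
    'lookalike' destination merely contains 'facebook' in its host name
    'external'  any other destination
    """
    dest = hostname(href)
    # Only treat the text as an address if it looks like one (has a dot, no spaces).
    shown = hostname(text) if "." in text and " " not in text else ""
    if shown and not is_under(dest, shown):
        return "mismatch"
    if any(is_under(dest, t) for t in TRUSTED_HOSTS):
        return "ok"
    if "facebook" in dest:
        return "lookalike"
    return "external"


def scan_email(html_body):
    """Return (href, text, verdict) for every link in the message body."""
    parser = LinkExtractor()
    parser.feed(html_body)
    return [(href, text, classify_link(href, text)) for href, text in parser.links]


# Constructed sample message; .example hosts are reserved placeholder names.
SAMPLE_EMAIL = """
<p>A security update is waiting for you.</p>
<a href="http://www.facebook-login.example/update">http://www.facebook.com/security</a>
<a href="https://www.facebook.com/settings">Go to your settings</a>
<a href="http://login.facebook.example/">Log in now</a>
"""

if __name__ == "__main__":
    for href, text, verdict in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:9s} {text!r:40} -> {href}")
```

The mismatch rule is the one a human applies when hovering: the text of the first sample link claims to go to www.facebook.com while the href points elsewhere. The lookalike rule catches the third link, whose host only contains the word "facebook" without being under facebook.com, which is the kind of clone site the article warns about.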
It is relatively easy to avoid phishing. All that basically needs to be done is to avoid clicking on links in emails, messenger applications, and other programs.
You can always visit Facebook directly to avoid clicking on those links. Everything that is important enough should be displayed right after logging into the Facebook homepage directly.
You can also contact support in case you are not sure about the contents of an officially looking email.
You need to know three parameters for a successful Facebook login. They are:
- Official Facebook login page: http://www.facebook.com/
- Facebook username: either one of the email addresses registered with the Facebook account or the Facebook username
- Facebook password: selected by the user during setup of the Facebook account
The first two parameters are generally known, which shows how important the Facebook password is. We suggest using a very secure password of at least 12 characters with a combination of upper and lower case letters, numbers and special characters.
Such passwords are hard to remember. A password manager like LastPass can store the password securely in the web browser of choice so that it does not need to be remembered. The password manager will automatically fill in the username and password on sites that have been added to it.
General Security Tips
General security tips apply to all web services and websites.
- Never share your login information with anyone
- Use a secure password (see above) for every account
- Never share your email account information with anyone
- Never log into a website if you believe something is not right
- Always check the URL of the website before logging in
- Never click on links in emails
- Update your web browser and operating system regularly to keep them secure
- Use antivirus software and a firewall to protect the computer
Facebook recently added a new feature that lets users configure notifications for unauthorized access to their accounts.
Open the Facebook homepage and log into your account. Click the Account link in the upper right corner of the screen and then Account Settings in the context menu.
This opens the My Account configuration menu. Locate the Account Security setting under the Settings tab.
Click the change link to the right of Account Security to display the options directly on the same page. The setting reads:
To help keep your Facebook account as safe as possible, we can notify you when your account is accessed from a computer or mobile device that you haven’t used before.
The default value is set to No. Select Yes and submit to activate the notifications.
As you can see, it does not take much to protect a Facebook account from unauthorized access.