Security Awareness Training Alert: ‘Farcing’ a Significant Threat on Social Media
Last updated: October 14, 2016
Back in 2014, Consumer Affairs released an article highlighting the rise in incidents of “farcing,” a social engineering scam that threatened users of sites like Facebook, Google+, LinkedIn, and other social networking sites.
Most people I talked to at the time were unfamiliar with the term “farcing,” though most were acquainted with the social engineering principles behind it. The primary vehicle in a farcing scam is a phony social profile, which a scammer creates and then uses to connect with strangers. An accepted request can be an open door to a plethora of private information (full names of individuals and their family members, birthdays and anniversaries, work histories, photos, and more — sometimes even home addresses and phone numbers).
More in-depth farcing scams don’t stop with a connection request. Often, these social engineering efforts involve private messages in which the scammers attempt to obtain additional personally identifiable information (also known as PII). Some social engineers have even been able to obtain credit card numbers and other financial info through farcing.
How Aware Are You?
It wouldn’t be surprising if you are in the dark about “farcing the term” — but are you also in the dark about “farcing the action”? It's important to get up to speed; the issue is so widespread that Facebook is actively fighting imposter accounts.
When dealing with applications that are designed to connect people to one another, it can be difficult to understand that the mere act of accepting a friend request can be dangerous. Unfortunately, that is the case. Identity thieves, hackers, and others who want to harass you (or worse) are hard at work in cyberspace, thinking of new and effective ways to fool you.
The threats on social media are many. A 2012 Facebook Social Media Survey by the Identity Theft Resource Center (ITRC) gathered information about habits and expectations of 446 respondents. Following are some of the results:
- Approximately 70% of survey participants had been asked to visit a scam website through a private message
- 60% had received spam through a private message or wall post
- 54% indicated they had been the target of an identity threat
- 20% had been approached via chat and asked to visit another website
- 15% had their account accessed without their permission
- 14.2% indicated that someone had accessed their profile through the account of someone on their Friends list
- 13.4% had been socially engineered to disclose their password or other sensitive information
Though the ITRC study is a little dated, we can apply some of those metrics to today's users to gauge the potential impact to the Facebook community as a whole. According to Statistic Brain data from August 2016, there are more than 1.7 billion monthly active Facebook users, with 48% of all users logging in to their accounts on any given day — effectively putting this app in the “No Brainer” category for scamming efforts. If the ITRC numbers would hold true for the Facebook population at large, we would be looking at
- 918 million identity threats
- 255 million instances of unauthorized account access
- 227+ million attempts to social engineer passwords and private information
Staggering numbers — and likely to be conservative given that social media scams have only climbed over the past few years. Consider this: Even if only 1% of those potential social engineering attempts were to bear fruit, that could result in more than 2.2 million account breaches. (And if you’re of the mind that Facebook account access has little value, this post should be your next read.)
Why Security Awareness Training Is So Important
Not to diminish the wisdom of G.I. Joe, but knowing is more than half the battle. Security awareness and training informs and empowers individuals, giving them the tools they need to
- Understand that threats like farcing exist
- Recognize potential scams when they encounter them
- Take the appropriate actions to keep their data, their accounts, and their devices secure
All three of these security awareness training steps are critical to combating the threats employees and employers are facing, both in the workplace and beyond. Defense at the desktop can keep scammers and hackers from accessing private data, networks, and systems.
Want to learn more? Check out a demo of our Social Engineering Training.
Subscribe to the Proofpoint Blog