Protect Yourself Against Social-Network Scams

Are you spending more and more time these days on one or more social networking sites, such as Facebook, Twitter, and MySpace? Your family and friends certainly are. And so, unfortunately, are hackers, identity thieves and other digital ne'er-do-wells.

After years of harassing the teeming masses of computer users who run Windows PCs, cybercrooks have recently turned their attention to the big social sites. They're attractive targets because they're rife with potential victims--Facebook alone has more than 400 million members--and the threats are still new enough that many folks haven't given much thought to how to defend themselves.

Consequently, it's rare for more than a few weeks to pass without news of a major attack against a social-networking site, like the assault against Twitter users that occurred just this week. The worst examples, such as scams that involve grifters stealing Facebook accounts and using them to fast-talk strangers out of money, are downright scary.

Social networks run on distant computers, not your PC, so bad guys can't get direct access to personal information stored on your computer. Just about all such attacks involve a layer of "social engineering"--old-fashioned con jobs designed to trick you into handing over a password, installing a piece of dangerous software, or otherwise putting yourself at risk. In a perverse way, that's good news: The savvier a user of social networks you are, the less chance there is that you'll get fooled.

In the end, protecting yourself against new social-networking scams isn't that different from fighting off more traditional cyberattacks. Technology can help, but common sense and healthy skepticism are even more essential.

A few specific tips:

Run the right software. If you're on Windows, run a security package--a free security package, at the very least. Use a modern browser, such as the current versions of Internet Explorer, Firefox, and Chrome, all of which have built-in measures for protecting you against the fraudulent sites used by social-network scammers. And make sure you've got the current version of your operating system, since it'll have the latest patches for security leaks.

Judge messages carefully. Particularly any message that suggests you click off the site to perform an action such as watching a video or seeing a photo. If you get a cryptic note from an acquaintance that looks fishy, send a note to the person who sent it asking what's up. If it turns out that a hacker has gained control of the account in question, you'll be doing your pal a favor.

Click with care. Social sites are rife with "short URLs" such as "", which forward you to a page with a longer address when you click. (They're particularly pervasive on Twitter, whose 140-character limitation makes every character count.) Trouble is, there's no way to tell where those short URLs really lead without clicking on them.

The vast majority of these links are harmless--useful, even--and services such as Twitter are instituting measures to shield you from dangerous destinations. But it still pays to have your wits about you. If you click off Twitter onto another site that requests your Facebook or Twitter password, leave. Right away. Even if the site looks exactly like Facebook or Twitter.
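A page's appearance can be copied exactly, but the host name in the address bar cannot, so that is the thing to check before typing a password. The sketch below is an added example, not part of the original column: the `TRUSTED` list and the `checkLoginUrl` helper are assumptions made for illustration, and the sample addresses are constructed.

```javascript
// Added example: sample URLs are constructed; ".example" is a reserved test TLD.
// TRUSTED is an assumed allow-list of the domains each site really logs in on.
const TRUSTED = new Map([
  ["facebook", ["facebook.com"]],
  ["twitter", ["twitter.com"]],
]);

// True only for the domain itself or a real subdomain of it.
// "notfacebook.com" and "facebook.com.evil.example" both fail this test.
function hostBelongsTo(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Decide whether a page asking for a password is really the claimed site.
function checkLoginUrl(rawUrl, claimedSite) {
  let url;
  try {
    url = new URL(rawUrl); // same parsing rules a browser applies
  } catch {
    return { ok: false, host: null, reason: "unparseable URL" };
  }
  // hostname is lower-cased, drops any "user@" prefix, and shows
  // internationalized names in their "xn--" form.
  const host = url.hostname.replace(/\.$/, "");
  if (url.protocol !== "https:") {
    return { ok: false, host, reason: "not HTTPS" };
  }
  const domains = TRUSTED.get(claimedSite) || [];
  if (domains.some((d) => hostBelongsTo(host, d))) {
    return { ok: true, host, reason: "host matches " + claimedSite };
  }
  return { ok: false, host, reason: "host is not " + claimedSite };
}

const samples = [
  ["https://www.facebook.com/login.php", "facebook"],
  ["https://facebook.com.account-verify.example/login", "facebook"],
  ["https://twitter.com@login.example/session", "twitter"],
  ["http://twitter.com/login", "twitter"],
];
for (const [u, site] of samples) {
  const r = checkLoginUrl(u, site);
  console.log((r.ok ? "OK    " : "LEAVE ") + u + "  (" + r.reason + ")");
}
```

Only the first sample passes; the other three contain a familiar name somewhere in the address but are not served by that site over a secure connection.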

Protect your passwords. If a hacker breaks into one of your friends' social-network accounts and uses it to spam you with scammy messages, it's annoying. If the same hacker tampers with your account and launches attacks on your family and friends, it can be deeply embarrassing, or even dangerous. So protect your passwords like the valuable information they are.

Start by choosing cryptic passwords with random characters, numbers, and punctuation marks. Change them periodically--and immediately if there's the slightest evidence that someone may have broken into your account. Assume that all unsolicited requests for your user name and password are hoaxes, no matter where you come across them.

Share cautiously. Lately, people have started to fret about social networking dangers seeping from the virtual world into the physical one. Foursquare, a popular app for the iPhone and other smartphones, lets you alert your friends to your whereabouts by "checking in" at restaurants, nightclubs, and other venues--which is another way of telling the world that you're not at home. So some pranksters launched a site called Please Rob Me, which was nothing more than a continuous stream of Foursquare users' check-ins, indicating that their possessions might be unwatched and up for grabs.

Whether Foursquare is particularly risky is up for debate: It seems to me that burglars are more likely to rely on classic telltale signs such as driveways without cars in them. Still, it makes sense to think before you share--especially now that even Facebook defaults to sharing your information with the world, not just your circle of confidants. When you're about to set off on a three-week vacation, for instance, you might not want to broadcast that fact to everyone on the planet who has access to your Facebook wall or Twitter tweets.

If anyone reads this column and concludes that social networking is too hazardous to deal with, I'll be depressed. Even at its worst, it's vastly less dangerous than the real world we venture into every day. So be careful out there--but don't forget to have fun.

Harry McCracken blogs at Technologizer, his site about personal technology. He's also the former editor in chief of PC World. Follow him on Twitter as @harrymccracken.