Facebook Slow to Respond to Phishing Scam

By Marisa Taylor

The latest phishing scam on Facebook has raised the question yet again as to whether the social networking site is dropping the ball on security measures and properly responding to privacy complaints.

Facebook faced consumer fraud charges in 2007 for allegedly responding too slowly to user complaints about harassment, pornography, or nudity from the social networking site. The probe into the company’s safety procedures by New York state attorney general Andrew Cuomo resulted in a settlement requirement that Facebook respond to such complaints within 24 hours.

But in a recent string of phishing attacks in which hackers have broken into a user’s Facebook account and hit up his or her friends for money with the online chat tool, pretending to be stranded or robbed, complaints have emerged that the privacy team at Facebook hasn’t responded to users in a timely manner.

Mark Neely, a Sydney-based management consultant, became aware that his Facebook account was hacked when friends called him to see if he was all right – the hacker had contacted them via Facebook chat saying that Neely had been robbed at gunpoint in London and would need them to wire him money so he could return to Australia. Neely says he filled out two online complaint forms and e-mailed the privacy team at Facebook, but it took them more than 40 hours to respond to him. In the meantime, his friends continued to call him about being contacted by the hacker.

Neely wrote in an e-mail message, “[Facebook] only took action after I posted my email to a public discussion forum asking for help – that email was passed directly onto [Facebook chief privacy officer] Chris Kelly. If I had not “gone public”, who knows how long it may have been before Facebook took action.”

Cuomo’s settlement requires Facebook to “respond to and begin addressing complaints about nudity or pornography, harassment or unwelcome contact within 24 hours.” It’s not clear whether the phishing attacks fall under the terms of the settlement. An e-mail to Facebook was not immediately returned.

As for Neely, when he finally reached Facebook, he says he was told that Facebook could not disclose how the scammer got into his account or which of his friends have been contacted unless Facebook received a valid subpoena or court order. “I have no (current) way of telling if any of my friends fell for it and transferred $ without attempting to contact me first.”

Facebook spokesperson Barry Schnitt says that while this kind of phishing attack doesn’t happen very often, the potential impact is high, so the privacy team has it under investigation. He says that the rightful owner of a hacked account should contact the operations team by filling out the following form: http://www.facebook.com/help/contact.php?show_form=account_compromised.

“Our team has already detected various trends in the accounts of users who have been compromised,” Schnitt wrote in an e-mail message. “We’re using this data to quickly surface compromised accounts, ideally before the spammers have gotten very far. We’re reminding users to be very suspicious of anyone, even friends, who ask you over the Internet to send money.”
