Do you use the same password for several sites?
Many major news organizations have recently reported about the FACEBOOK website being attacked by would-be identity thieves, who went phishing for passwords. The general scam seems to be that a compromised account sends a malicious link to friends on Facebook. If the friend follows the link, it takes them to a fake login page. If the friend is foolish enough to log in again, then the thieves harvest his username and password. Meanwhile, the friend's account is now compromised and it automatically sends out the same malicious link to all his friends...
Facebook was quick to shut down the scam and sweep their databases for the malicious notes. They report that the phishing site has now been blocked and should not pose a problem. They also reset any passwords that they felt might have been compromised and sent a note to the users telling them what happened. End of story...?
Not necessarily. Not if you have been careless. According to some reports, the thieves know that many people don't like keeping track of all their passwords - that, in fact they tend to use the SAME PASSWORD for many different accounts, such as online shopping services or even bank accounts. So even if Facebook has shut down their operation, they might still cash in with the passwords they stole...
One Symantec article put it this way, "Get one password for the right person and it’s like having their wallet handed over..."
SO... Of course you don't reuse passwords (me neither, I would never do that...) but just in case you have a very foolish friend who might make such a mistake, there are a few things you (your friend, I mean...) should do:
1) Use unique passwords for each site. Yes, it's more work for you to remember, but it's a great way to defeat phishing scams like the one mentioned above.
2) Some people use a password template. For example, use the first letter of the website name and make the rest of the password a standard sequence (if my password template is 'abc123', then my Facebook password would be 'Fabc123' and my Twitter password would be 'Tabc123', etc.). I won't say you should never do this. I WILL say you should NOT use this idea for your personal banking web site or your credit card account website: anyone who captures one of these passwords can guess the rest.
3) Use security software on your PC. I don't care which. There are many good ones to choose from.
4) Make sure your browser is up to date.
5) When you click a link to a site, double-check that you really have arrived at your intended destination BEFORE logging in. When clicking over to Facebook (or any site) make a habit of looking at what appears in the address line. You might not always be able to spot a fake site, but in the case of this particular scam, it’s obviously not www.facebook.com.
6) Be suspicious of ANY EMAIL that tells you that something is wrong with your account at (... fill in the blank...) and that you need to follow their link to log in and confirm your information. Be particularly suspicious if they don't use your name in the email. It has been my experience that most legitimate companies with which you have an account will:
a) know your name and address you by it in the email
b) tell you to go to their website and log in rather than giving you a link in an email.
c) not have made such a blunder as to require you to confirm your account information in the first place.
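Tip 5 above says to look at the address line before logging in. The check below is an added example, not code from the original post: it does what a careful eye does, using Python's standard `urllib.parse` to pull out the host a link really points at and comparing it with the site you expected. The sample links are constructed for illustration (the `.test` names are reserved and not real sites) and show the common ways a link can look right but go elsewhere: the real name used as a subdomain of another site, the real name placed before an `@`, a lookalike spelling, and a correct host reached over plain HTTP.

```python
from urllib.parse import urlsplit

# Constructed sample links for illustration only; none come from the post or a real campaign.
SAMPLE_LINKS = [
    "https://www.facebook.com/login.php",            # genuine host, HTTPS
    "https://facebook.com/",                         # bare domain is fine too
    "http://www.facebook.com/login.php",             # right host, but plain HTTP
    "https://www.facebook.com.example-login.test/",  # real name used as a subdomain of another site
    "https://www.facebook.com@example-login.test/",  # real name hidden in the userinfo part before '@'
    "https://faceb00k.com/",                         # lookalike spelling
]


def host_matches(url: str, expected_domain: str) -> bool:
    """True only if the link's actual host is expected_domain or a subdomain of it.

    urlsplit().hostname ignores anything before '@', so the userinfo trick is
    resolved to the real host; the trailing-dot and case normalisation keeps
    'WWW.FACEBOOK.COM.' from slipping past an exact comparison.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    expected = expected_domain.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def check_link(url: str, expected_domain: str = "facebook.com") -> str:
    """Classify a link before logging in: 'ok', 'plain-http', or 'mismatch'."""
    if not host_matches(url, expected_domain):
        return "mismatch"
    if urlsplit(url).scheme != "https":
        return "plain-http"
    return "ok"


def classify_all(urls=SAMPLE_LINKS, expected_domain: str = "facebook.com") -> dict:
    """Return {url: verdict} for a batch of links."""
    return {u: check_link(u, expected_domain) for u in urls}


if __name__ == "__main__":
    for link, verdict in classify_all().items():
        print(f"{verdict:10s} {link}")
```

The point of `host_matches` is that it compares the whole host, not a substring: a host that merely *contains* the expected name (or ends in it without a dot boundary, such as `notfacebook.com`) is still a mismatch, which is exactly the case the eye tends to miss.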
If you suspect an email is fraudulent, contact the company being impersonated. They have more time, resources and incentive to catch these thieves. For specific information on how to do that, check out their HELP section or contact their Tech Support staff.
Some scammers are pretty good. In the case of the Facebook phishing scam above, they probably got a lot of responses before Facebook shut down the scam. They may well have used some of those passwords elsewhere to steal from their victims. I hope not, but it happens... It happens because people like you and me like to take shortcuts with our passwords.
Let's agree to NOT become a victim. Protect your money, Protect your identity.
Protect your passwords.
Dana