6% of all phishing attempts in the first quarter of the year targeted social network accounts. That isn’t surprising, since so many people use social media, so many users have identical login information for their social networks and their ecommerce accounts, and so many users feel that social networks are a “safe” place.
To combat such attacks, Facebook has set up a reporting email address and encourages users to forward any suspicious messages to this account. Reports from companies using a shared mailbox will be prioritized over reports from individual emails, because priority is given according to the number of people affected. The inference is that they will follow up and take some sort of disciplinary action against the guilty parties. We see a few problems with this:
- It’s important to get ahead of the hackers, not trail behind them with thinly veiled threats and cautions.
- This is a perfect example of perceived rather than actual security. Reporting phishing emails might make some people feel better, but it doesn’t even slow the problem.
- Even if Facebook were addressing each instance of phishing (which they aren’t), and even if action after the fact could do any good (which it can’t), this sets up a faulty expectation on the part of the consumer: throw caution to the wind, because this social network will protect me – they’re on my side!
What we need isn’t an efficient reporting system. It’s a login system that defies phishing attempts. Any time user login name and password are transmitted together, the user is vulnerable. Any time the user inputs their password using a keyboard, the user is vulnerable. Let’s not trail behind the hackers with a megaphone telling them they’ve broken the rules. Let’s get out ahead of them. Let’s change the game so that they’re the ones scrambling to keep up.
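The two conditions named above (credentials transmitted as a pair, and a password typed where a phishing page can capture it) can be made concrete with a small simulation. The following is an added illustration, not code from the original post and not a description of any particular vendor's product. It contrasts a plain password login, where whatever the victim types into a look-alike page works anywhere, with a challenge-response login in which the user's secret never leaves their device and every response is bound to the origin the device actually sees. The origins, usernames and passwords are constructed sample values, and the HMAC-based authenticator is a standard-library stand-in for the asymmetric keys a real design would use.

```python
import hashlib
import hmac
import secrets

# Constructed sample values: a hypothetical relying party and a look-alike phishing origin.
REAL_ORIGIN = "https://accounts.example.com"
PHISH_ORIGIN = "https://accounts-example.com"


class PasswordServer:
    """Baseline: username and password travel together, so anyone who receives the pair can reuse it."""

    def __init__(self):
        self._users = {}

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[username] = (salt, digest)

    def login(self, username, password):
        rec = self._users.get(username)
        if rec is None:
            return False
        salt, digest = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(digest, candidate)


def password_phishing_scenario():
    """The victim types the password into a phishing page; the phisher now holds it verbatim."""
    server = PasswordServer()
    server.register("alice", "correct horse battery staple")  # constructed sample credential
    captured = ("alice", "correct horse battery staple")        # what the phishing page received
    return server.login(*captured)                              # True: the stolen pair works anywhere


class Authenticator:
    """Client-side device holding one key per origin. It never reveals a key; it only answers
    a challenge with a MAC over (origin it actually sees, challenge)."""

    def __init__(self):
        self._keys = {}

    def enroll(self, origin):
        key = secrets.token_bytes(32)
        self._keys[origin] = key
        return key  # a real design would hand the server a public key instead

    def respond(self, origin, challenge):
        key = self._keys.get(origin)
        if key is None:
            return None  # no credential for this origin: the user is not on the site they enrolled with
        return hmac.new(key, origin.encode() + b"|" + challenge, hashlib.sha256).digest()


class SingleKeyAuthenticator:
    """Deliberately naive variant that reuses one key everywhere but still mixes in the origin it sees."""

    def __init__(self):
        self.key = secrets.token_bytes(32)

    def respond(self, origin, challenge):
        return hmac.new(self.key, origin.encode() + b"|" + challenge, hashlib.sha256).digest()


class ChallengeServer:
    """Relying party: issues single-use challenges and verifies responses against its own origin."""

    def __init__(self, origin):
        self.origin = origin
        self._creds = {}
        self._pending = {}

    def enroll(self, username, key):
        self._creds[username] = key

    def start_login(self, username):
        challenge = secrets.token_bytes(32)
        self._pending[username] = challenge
        return challenge

    def finish_login(self, username, response):
        challenge = self._pending.pop(username, None)  # single use: consumed on first attempt
        key = self._creds.get(username)
        if challenge is None or key is None or response is None:
            return False
        expected = hmac.new(key, self.origin.encode() + b"|" + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def run_scenarios():
    """Returns the outcome of a genuine login and three phishing/replay attempts."""
    results = {}
    server = ChallengeServer(REAL_ORIGIN)
    auth = Authenticator()
    server.enroll("alice", auth.enroll(REAL_ORIGIN))

    # 1. Genuine login at the real origin.
    ch = server.start_login("alice")
    results["legit"] = server.finish_login("alice", auth.respond(REAL_ORIGIN, ch))

    # 2. Phisher relays the real server's challenge; the victim's device sees the phishing
    #    origin, has no credential for it, and produces nothing to relay back.
    ch = server.start_login("alice")
    results["relay_no_credential"] = server.finish_login("alice", auth.respond(PHISH_ORIGIN, ch))

    # 3. Even the naive single-key device is safe: its response covers the phishing origin,
    #    and the real server verifies against its own origin.
    naive = SingleKeyAuthenticator()
    server.enroll("bob", naive.key)
    ch = server.start_login("bob")
    results["relay_single_key"] = server.finish_login("bob", naive.respond(PHISH_ORIGIN, ch))

    # 4. A captured genuine response cannot be replayed, because the challenge was consumed.
    ch = server.start_login("alice")
    good = auth.respond(REAL_ORIGIN, ch)
    server.finish_login("alice", good)
    results["replay"] = server.finish_login("alice", good)
    return results


if __name__ == "__main__":
    print("password login with phished credentials:", password_phishing_scenario())
    print("challenge-response outcomes:", run_scenarios())
```

The point of the contrast is that no amount of after-the-fact reporting changes the first result, whereas the second design removes the phisher's payoff: the secret is never typed or transmitted, the response only verifies at the origin the user was really on, and a captured response is worthless once the challenge has been used. In production this shape is realized with per-site asymmetric keys, as in FIDO2/WebAuthn, where the server stores only a public key.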