With e-mail and IM spam and Internet scams, the whole social-engineering game is to get you to trust a stranger. But social networks are different. The goal there is to get you to believe the fraudster is a friend whom you already trust.
If you're on Facebook, you've no doubt got a bunch of friends. And if you're like most Facebook users, you're certain those friends are exactly who they say they are. And you might be right. Or you could be wrong. They could be scammers posing as your friends.
How hard is that, exactly? It turns out to be hideously easy to do.
If this kind of false-identity fraud hasn't been attempted against you in the past, I can assure you it will be in the future. Scammers are quickly realizing that posing as another person is a foolproof way to get around the age-old trust issue that can ruin a good con.
How to steal friends and influence people
I'm going to tell you exactly how someone can trick you into thinking they're your friend. Now, before you send me hate mail for revealing this deep, dark secret, let me assure you that the scammers, crooks, predators, stalkers and identity thieves are already aware of this trick. It works only because the public is not aware of it. If you're scamming someone, here's what you'd do:
Step 1: Request to be "friends" with a dozen strangers on MySpace . Let's say half of them accept. Collect a list of all their friends.
Step 2: Go to Facebook and search for those six people. Let's say you find four of them also on Facebook. Request to be their friends on Facebook. All accept because you're already an established friend.
Step 3: Now compare the MySpace friends against the Facebook friends. Generate a list of people that are on MySpace but are not on Facebook. Grab the photos and profile data on those people from MySpace and use it to create false but convincing profiles on Facebook. Send "friend" requests to your victims on Facebook.
As a bonus, others who are friends of both your victims and your fake self will contact you to be friends and, of course, you'll accept. In fact, Facebook itself will suggest you as a friend to those people.
(Think about the trust factor here. For these secondary victims, they not only feel they know you, but actually request "friend" status. They sought you out.)
Step 4: Now, you're in business. You can ask things of these people that only friends dare ask.
"Let's meet for drinks -- bring your new car!"
"I'm in Nigeria on vacation, got robbed and need $500 to get home!"
"I see you'll be away for the holidays, but I want to send you a Christmas card anyway. What's your home address again?"
Facebook represents a perfect storm of fraud factors. The whole "friend" system creates trust, but the reality of social networks prevents verification that people are who they say they are.
How to meet new people and rob them blind
While some Facebook fraud involves strangers posing as existing "friends," other types involve making new "friends."
I'm being "scammed" right now by someone on Facebook (I won't give you names or other details because, truth be told, I'm only 95% sure it's a scam). Here's how it's going so far.
Some pretty young woman in Indonesia sent me a friend request two weeks ago. I've been researching Facebook scams for this article, so I assumed it was a setup, played along and added her as a friend. Checking her profile, I found exactly what I expected to find: All her friends were male and most closer to my age than hers; her profile was brand-new; photos showed her only with a bunch of other women. (After a fellow male dupe posted on her wall that it was strange she had only male friends, suddenly a couple of female friends emerged -- probably from other fraudulent profiles set up by the scammer.) Every few days, I get a wall post or a chat session.
This profile was almost certainly set up by someone out to steal something, and who has probably set up dozens of such scam profiles all over Facebook. He's (statistically speaking, it's most likely a "he") using flattery to make friends and generate interest, and innocuous chit-chat to establish trust, which will be cashed in later when the real scam hits. The "girl" will eventually need to borrow money or something like that. Or it could just be a way to establish and maintain a "friend" connection so the scammer can target my friends. Who knows? I'm not planning to find out. I've now reported my new "friend" to Facebook, and will unfriend "her" as soon as I submit this column.
While pretty women can be dangled in front of thirtysomething and fortysomething men in order to separate them from their money, Dateline NBC 's Chris Hansen can tell you that men target girls for crimes far worse. A growing number of police investigations are targeting men with fake Facebook profiles and fake photos, which always show the perp to be closer to the age of the victim. They strike up "friendships" with underage girls. One 32-year-old Canadian man is currently being investigated for targeting 146 girls (most between the ages of 11 and 15), and trying to get them to agree to an in-person meeting.
Similar to this is stalkers of all stripes who use fake profiles to keep tabs on their victims. There's even a tongue-in-cheek "Stalkers" application on Facebook.
How to wreck Facebook
One reason people enjoy Facebook is that e-mail has become polluted with spam, and it's more pleasant to converse without unsolicited garbage. That's why purveyors of unsolicited garbage find Facebook so appealing as well.
This week, Facebook won an $873 million judgment (filed under the CAN-SPAM Act) against a spammer. Hooray for Facebook! But this high-profile legal victory points to the sudden attention being paid to Facebook by spammers large and small. For every big fish caught, a thousand little fish get away. Of course, the spam on Facebook comes in the form of "groups" and "gifts" and "applications," as well as wall posts and other such communication.
Facebook is also becoming a focus point for hate speech. After a South Park episode where a character claims all redheads are evil, some Canadian teenager created a group on Facebook called "National Kick a Ginger Day." Which led, of course, to actual kids getting kicked at school. This passes for a hate crime in Canada.
In Italy, someone or some group posted a series of "neo-Nazi" Facebook pages that reportedly called for violence against gypsies.
All of these malicious activities, from fake friends to spam to hate speech, are aggressively dealt with by Facebook once people complain. But the Internet is always Darwinian. As Facebook's defenses evolve, the spammers will find a way to deceive. And deception is oh so easy on Facebook.
Eventually, I predict that fraud will become so widespread that signing up for Facebook will require a verified cell phone number. But in the meantime, difficult-to-detect fraud is exploding on Facebook, and you would be well-advised to verify every friend.
Mike Elgan writes about technology and global tech culture. He blogs about the technology needs, desires and successes of mobile warriors in his Computerworld blog, The World Is My Office . Contact Mike at email@example.com , follow him on Twitter or his blog, The Raw Feed.
This story, "Who Needs 'Friends' Like These?" was originally published by Computerworld.