It might be time to alert clients to a new, old scam

It’s surprisingly easy—and fun—to give up information you might use in a password. Sandwiched among innocent questions are common questions for password retrieval.


Informing clients helps reduce risk and adds value to the brand.

When it comes to finding ways to fill time, sequester-induced boredom is hands-down the mother of invention. No small number of people turn their newfound spare time to activities like gardening, Netflix binging, exercise, yard work, house cleaning, learning a new skill, games, walks, Candy Crush, or finally getting around to writing—or reading—that epic novel.

And, of course, there are those fun Facebook surveys you once glossed over because at the time you were too busy for them. Suddenly, you have the time. Why not take that quiz and find out what percentage of love your spouse has for you, what city you should live in, or what food matches your personality? Then invite your friends to find out what food matches their personality.

And now, to answer my own rhetorical question: There are plenty of reasons not to take that quiz. The newest reason arrived only a few days ago, in the form of two Ukrainian hackers. According to CNN, the hackers used …

“… seemingly innocuous online quizzes and surveys, with titles like ‘What does your eye color say about you?,’ to gain access to private Facebook user data and to target users with ‘unauthorized’ advertisements” … 

Working out of Kiev, Ukraine, Andrey Gorbachov and Gleb Sluchevsky allegedly lured Facebook users to connect their accounts to a range of online quiz apps with names like, “Do you have royal blood?,” “You are yin. Who is your yang?” and “What kind of dog are you according to your zodiac sign?”

Once users connected their Facebook and other social media accounts they were asked to install what Facebook described as “malicious browser extensions” that essentially allowed the alleged hackers to pose as the affected users online.

The hacking incident refocused attention on a known, related scam. Way back in 2017, ABC News cautioned:

You’ll want to think twice the next time you’re about to enter your best friend’s first name in one of those Facebook quizzes. Law enforcement officials are warning social media users that those seemingly harmless questionnaires on Facebook and other social media platforms could be furnishing identity thieves with all they need to steal your personal information …

“Please be aware of some of the posts you comment on,” warned the Sutton Police Department in Massachusetts, in a Facebook post. “The posts that ask what was your first grade teacher, who was your childhood best friend, your first car, the place you [were] born, your favorite place, your first pet, where did you go on your first flight, etc. … Those are the same questions asked when setting up accounts as security questions. You are giving out the answers to your security questions without realizing it.”

Even posting a high school graduation photo is not without risk, warns the Better Business Bureau. With a person’s name, high school, and graduation year—all found in many grad pics—hackers have enough to find more information for fraudulent purposes. The BBB adds:

Other recent viral personal list posts include all the cars you’ve owned (including makes/model years), favorite athletes, and top 10 favorite television shows.

It’s not necessary to click on a survey to hand information to hackers. Simply copying and answering questions posted by a friend—Favorite pie? Pepsi or Coke? How many tattoos?—can inadvertently post the basis of a password. Echoing Sutton’s warning, the BBB says:

What most people forget is that some of these “favorite things” are commonly used passwords or security questions. If your social media privacy settings aren’t high, you could be giving valuable information away for anyone to use.

It’s great that CNN, ABC News, and the Better Business Bureau are doing what they can to spread information on data security—but financial institutions should be leading the charge. Pop-ups and email offer low-cost vehicles. Budget permitting, public service announcements and paid advertising could be part of the mix.

Informed clients are safer clients, and keeping them informed is a valuable service worth providing for its own sake. And it goes without saying that financial institutions benefit at the same time.

Not to be overlooked is the opportunity to strengthen the brand. All financial institutions care about customers, so that much hardly makes for a unique brand claim. But whereas banners that say “we care” only claim, arming clients with information demonstrates. Hackneyed as “we care” and “we’re secure” are as brand values, it is still possible to own them—not through word but through deed.
