
Social Engineering: The Harmless-Looking Facebook Quizzes That Steal Your Security Answers

Most people know to watch out for the big, scary phishing emails that promise a lottery win or threaten to shut down a bank account. You hear about those high-stakes scams all the time. However, the most successful security threats are often the ones that don't feel like a threat at all. They hide in plain sight on social media, especially Facebook, disguised as a fun way to connect with friends.


The Most Common Facebook Scams

To provide context for the stealthier threat, it's worth a brief reminder of the most common, high-urgency scams currently circulating:

  • The Hacked Friend / 2FA Code Scam: You get an urgent message from a friend saying they are locked out of their account and need you to send a code that was just texted to you. Do not send it. That code is the one-time login, password-reset, or Two-Factor Authentication (2FA) code for your own account: the scammer has already started a login or reset using your phone number and needs the code to finish taking it over.
  • The Malicious Clickbait Link: Posts or messages pop up saying, "OMG, is this you in this video?" or some other sensational claim, prompting you to click a link. This link leads to a fake login page designed to steal your password. I recently wrote about the problems with clickbait and sensationalism, and this is a dark version of that problem, weaponized to steal your credentials.
  • The "ClickFix" Lure: A fake error message or "verify you are human" page tells you to "fix" the problem by pasting a command into your computer's Run dialog or terminal. Running that command is what installs the malware, and the complicated, multi-platform recovery ordeal that follows, regaining control of your compromised system and every account it touched, is what we covered last weekend.
  • The Prize or Giveaway Scam: You are told you have won a contest you never entered and need to pay a "shipping" or "tax" fee (usually with a gift card or wire transfer) to claim your non-existent prize.

The Stealthiest Threat: Data Harvesting Disguised as Fun

While those scams use fear and urgency, the most dangerous tactic relies on nostalgia and trust. Scammers create content that is not meant to steal money right now, but rather to collect the answers to your security questions so they can steal your entire identity later.

The Full Quiz Method

You have undoubtedly seen the circulating lists of questions that encourage you to post 20, 30, or 50 facts about your past.

  • "What was the name of your first pet?"
  • "What city did you meet your spouse?"
  • "What is your mother's maiden name?"

These quizzes are not harmless fun; they are pre-made data harvesting forms. Nearly every question is a stock security question used by banks, email providers, and other sites for password resets. By filling out the quiz, you are publicly building a free database of your own reset answers for a scammer to find and use.

The Nostalgia Bait Method

The other subtle tactic is the "Prove you remember this" post. It uses an element of local pride or shared history to solicit a single, crucial piece of information.

Take the post I saw recently: "Prove you remember this restaurant -- post your date of birth." The potential problem here is enormous.

Many people leave their month and day of birth visible on Facebook to get the "Happy Birthday" reminders. The only thing missing is the year. By asking for the year, the scammer gets the complete date of birth, which is a powerful tool for identity verification, password guessing, and answering security questions. The same applies to asking for a childhood pet's name or a high school mascot, as those are frequent password components.

Any personal detail that could be used as an answer to a security question -- your pet's name, your birth year, your high school -- is a piece of your password in the eyes of a cybercriminal.


My Simple Rules to Protect Yourself

If you want to protect your personal information, adopt this simple mindset: Treat every security question answer as a password.

  1. Stop Before You Post: If a quiz or post asks for any detail that could be used to verify your identity on a non-Facebook site (pet's name, birth year, mother's maiden name, first car), do not post it.
  2. Harden Your Profile Settings: Use Facebook's Privacy Checkup feature, which is the fastest way to lock things down. Specifically, go to your About section and set the visibility for your Birth Year to "Only Me." You can keep the month and day public if you like the birthday wishes, but hide the year.
  3. Enable Two-Factor Authentication (2FA): This is your strongest single safeguard. Enable it on Facebook, email, and any financial accounts. If a scammer gets your password and all of your security answers from a quiz, they still cannot log in without that one-time code generated on your phone. Two caveats: prefer an authenticator app or a security key over text-message codes where the site offers them, and remember that 2FA only holds if you never send the code to anyone, which is exactly what the first scam above tries to talk you into.
  4. Limit User Privileges: On your computer, avoid operating under an account with administrator privileges for day-to-day use. Windows, macOS, and Linux all support separate standard and administrator accounts; the difference is that on a Windows account with full administrative rights, malware only needs you to click through a single prompt to install itself system-wide, so a standard account for daily use is especially important there.
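
To make the quiz and nostalgia-bait sections above concrete, and to give Rule 1 a test you can actually run, here is an added example (not code from this site). It takes a handful of constructed "quiz answers" of the kind a scammer could read off one "50 things about me" post plus the public parts of a profile, builds the guess list an attacker would feed to a login or password-reset form, and then checks whether a password or security answer you are thinking of using would fall inside that list. The mangling rules (capitalization, simple leetspeak, birth year and MMDD appended, two facts glued together) are a small subset of what real password-cracking tools apply; the profile facts are made up.

```python
"""Added example: how harvested quiz answers turn into password guesses,
and how to check whether an answer you chose is derivable from them.
The HARVESTED dictionary is constructed sample data, not a real person."""
import itertools
import secrets

# Constructed sample: facts a scammer could collect from one quiz post
# plus the parts of the same profile that are already public.
HARVESTED = {
    "first_pet": "Fluffy",
    "mother_maiden": "Kowalski",
    "high_school_mascot": "Tigers",
    "birth_year": "1987",          # the one piece the "prove you remember" post asks for
    "birth_month_day": "0314",     # usually public already, for the birthday wishes
    "hometown": "Dayton",
}

# A deliberately small set of mangling rules; real cracking rulesets are far larger.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = ["", "!", "1", "123"]


def word_variants(word):
    """Case variants plus a leetspeak form of one harvested word."""
    base = word.strip()
    return {base.lower(), base.capitalize(), base.upper(), base.lower().translate(LEET)}


def candidate_guesses(facts):
    """The attacker's guess list: each word fact, mangled, alone and with the
    numeric facts (birth year, MMDD) and a common suffix appended, plus every
    ordered pair of word facts glued together (pet name + hometown, etc.)."""
    words = [v for v in facts.values() if not v.isdigit()]
    numbers = [v for v in facts.values() if v.isdigit()]
    guesses = set()
    for w in words:
        for form in word_variants(w):
            for num in [""] + numbers:
                for suffix in SUFFIXES:
                    guesses.add(f"{form}{num}{suffix}")
    for a, b in itertools.permutations(words, 2):
        for fa in word_variants(a):
            for fb in word_variants(b):
                guesses.add(fa + fb)
    return guesses


def is_guessable(answer, facts):
    """True if a password or security answer is in the attacker's candidate
    list, or simply contains a harvested fact (case-insensitive)."""
    if answer in candidate_guesses(facts):
        return True
    low = answer.lower()
    return any(v.lower() in low for v in facts.values() if len(v) >= 4)


def random_answer(n_bytes=12):
    """A security-question 'answer' treated as a password: random, unrelated
    to any fact, and meant to be stored in a password manager."""
    return secrets.token_urlsafe(n_bytes)


if __name__ == "__main__":
    guesses = candidate_guesses(HARVESTED)
    print(f"{len(guesses)} guesses built from six posted facts")
    for attempt in ["Fluffy1987", "t1g3r$0314!", "kowalskiDayton", "correct horse battery"]:
        print(f"{attempt!r:28} guessable: {is_guessable(attempt, HARVESTED)}")
    print("replacement answer for 'first pet':", random_answer())
```

Every "obvious" answer above is caught, while a passphrase unrelated to the posted facts and the random replacement are not. That is the whole point of Rule 1: once the facts are public, any password or reset answer built from them is inside a list an attacker can generate in milliseconds, so the safe answer to "name of your first pet" is a random string you store in a password manager, not the pet's name.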

My Streaming Life includes making security and privacy an everyday habit, because the convenience of streaming services is only worth it if my online presence is secure. We occasionally post security and privacy tips on weekends.
