Individual Submission Summary

Platforms as Phish Farms: Deceptive Social Engineering at Scale

Sat, September 7, 1:00 to 2:30pm, Sheraton New Orleans Hotel, Floor: Eight, Bacchus

Abstract

Phishing is most often linked with deceptive spam email, text, or other electronic communications in which an individual is tricked into providing their personal information. This information is then used for taking over social media accounts, defrauding bank accounts, and installing malware on the computers of the unsuspecting, among other things. The “Spam King,” Sanford Wallace, for example, sent more than 27 million unsolicited Facebook messages, which allowed him access to more than 500,000 accounts to earn money from traffic directed to URLs embedded in the messages. As a term, phishing dates back to the early 1990s. Hackers seeking AOL accounts without a subscription would attempt to dupe AOL users out of their passwords. The accounts – phish – were then traded.

But while phishing is usually linked to individuals or collectives targeting account holders to deceptively acquire personal information, I argue that by their very nature, social platforms like Facebook, Twitter, and others are large-scale phishing operations designed to collect information about users surreptitiously. Though platforms provide terms of service and privacy policies, an individual has no way of knowing all the ways and points of personal data that platforms collect. Further, as with the hacked AOL, Facebook, and bank accounts mentioned earlier, it is the users themselves who are the things of value.

This paper reconsiders platforms as a form of organizational phishing, one just as harmful as that done by hackers or others seeking unjust enrichment.

Author