Facebook attempts to clean up its act.

Is it enough?

Watching Facebook these days as it pivots from diffusing one “rude development” to another seems a little like watching someone perform a combination plate-spinning and whack-a-mole act.

We’ll call it the Facebook Follies. The question is … is it working?

Last month, Facebook issued its newest Community Enforcement Report – a document that updates the world about improvements the social media giant is making to its platform to enable it to live up to its stated community standards.

Among the improvements touted by the latest report:

  • Facebook now reports that ~5% of monthly active accounts are fake. (Still, 5% represents nearly 120 million users.)
  • Facebook now reports that its ability to automatically detect “hate speech” in social posts has jumped from a ~24% rate in 2018 to ~65% today. (But this means that roughly one-third of hate speech posts are still going undetected.)

Moreover, Facebook now reports that for every 10,000 times Facebook content is viewed by users:

  • ~25 views contain content that violates Facebook’s violence policy
  • ~14 views contain content violating Facebook’s adult nudity and sexual activity policy
  • Fewer than 3 views contain content violating Facebook’s policies in each of these categories: global terrorism; child nudity and sexual exploitation

The community enforcement information is being reported as “wins” for Facebook … but people can’t be faulted for thinking that Facebook could (and should) be doing much better.

Facebook CEO Mark Zuckerberg

On a different type of matter, this past week it was reported that Facebook has agreed to settle a class-action complaint that accused the social platform of inflating viewing metrics on Facebook videos by up to 900%.

Although details of the settlement haven’t been revealed, this development appears to close the book on criticisms that were lodged as far back as 2016, in which advertisers charged that Facebook hadn’t investigated and corrected errors in its metrics — nor allowed for third-party verification of the metrics.

It’s yet another agenda item that’s now been ticked off the list – at least in Facebook’s eyes. But another controversy has erupted, as reported over the past few days in The Wall Street Journal.

Described in a front-page article bylined by veteran WSJ reporters John McKinnon, Emily Glazer, Deepa Seetharaman and Jeff Horwitz, Facebook CEO Mark Zuckerberg appears to be linked to “potentially problematic privacy practices” dating all the way back to 2012, the year Facebook signed a consent decree with the Federal Trade Commission that it may subsequently have violated.

Contemporaneous e-mail communications retrieved from the time period suggest that Zuckerberg was more than merely passively involved in deliberations about a particular app that claimed to have built a database stocked with information about millions of Facebook users. Purportedly, the app developer had the ability to display the Facebook user information to others — regardless of those users’ privacy settings on Facebook. The e-mails in question detail speculation about how many other apps were stockpiling such user data, but the evidence shows little or no subsequent action being taken to shut down the data mining activities.


These latest developments raise questions about the sincerity of Facebook’s stated intentions to redouble its efforts to uphold community standards and focus more on user privacy, including a move toward encrypted and “ephemeral” messaging products. Those products are better aligned with the European Union’s existing privacy laws, which the United States may also be poised to adopt in the future.

Apparently Facebook recognizes the problem: It’s ramping up its global advertising spending to “rebuild trust” — to the tune of doubling its previous ad expenditures. Here’s what Facebook’s marketing head Antonio Lucio is saying:

“There’s no question we made mistakes, and we’re in the process of addressing them one after the other. But we have to tell that story to the world on the trust side as well as the value side.”

Ad-tracking company Kantar already notes a big increase in Facebook’s U.S. ad spending — nearly $385 million in 2018, compared with only around $50 million the year before. As for the campaigns themselves, Facebook is relying on a number of big-name ad agencies like Wieden+Kennedy, Leo Burnett and Ogilvy to develop them.


There’s more than a little irony in that.

Considering the latest news items, what are your thoughts about Facebook? Are they on the right track … or is it “too little, too late”? Are their intentions honorable … or are they simply engaged in “window dressing” to get people off their case? Let us know your thoughts.

“By any means necessary”: China’s Huawei Technologies flies close to the sun in its quest to commandeer proprietary technology.

Not all-smiles at the moment … Chinese leader Xi Jinping.

In China, it’s difficult to discern where private industry ends and the government begins. At some level, we’ve been aware of that conundrum for decades.

Still … opportunities for doing business in the world’s largest country have been a tempting siren call for American companies. And over the past 15+ years, conducting that business has seemed like the “right and proper” thing to do — what with China joining the G-8+5 economic powers along with incessant cheerleading by the U.S. Department of Commerce, abetted by proactive endeavors of other quasi-governmental groups promoting the interests of American commerce across the globe.

But it’s 2019 and circumstances have changed. It began with a change of political administration in the United States several years ago, since which a great deal more credence has been given to the undercurrent of unease businesspeople have felt about the way supposedly proprietary engineering and manufacturing technologies have suddenly popped up in China as if by magic, pulling the rug out from under American producers.

Nearly three years into the new presidential administration, we’re seeing evidence of this “new skepticism” begin to play out in concrete ways. One of the most eye-catching developments – and a stunning fall from grace – is Huawei Technologies Co., Ltd. (world headquarters: Shenzhen, China), one of the world’s largest makers of cellphones and high-end telecom equipment.

As recounted by NPR’s Weekend Edition reporter Emily Feng a few days ago, Huawei stands accused of some of the most blatant forms of technology theft. Recently, the Trump administration banned all American companies from using Huawei equipment in their 5G infrastructure and is planning to implement even more punitive measures that will effectively prevent U.S. companies from doing any business at all with Huawei.

The ban on Huawei equipment in U.S. 5G infrastructure isn’t directly related to the theft of intellectual property belonging to Huawei’s prospective U.S. suppliers. Rather, it’s a response to the perceived threat that the Chinese government will use Huawei equipment installed in U.S. 5G mobile networks to surreptitiously conduct espionage for military, political or economic purposes far into the future.

In other words, as one of the world’s largest telecom players, Huawei is perceived as a direct threat to non-Chinese interests not just on one front, but two: the demand side and the supply side. The demand-side threat is why the Trump administration has banned Huawei equipment in U.S. 5G infrastructure, and it has also publicly warned the U.K. government to implement a similar ban.

As for the supply side, the Weekend Edition report recounts the intellectual property theft experience of U.S.-based AKHAN Semiconductor when it started working with Huawei. AKHAN has developed and perfected an ingenious form of diamond-coated glass – a rugged engineered surface perfectly suited for smartphone screens.

Huawei expressed interest in purchasing the engineered glass for use in its own products. Nothing wrong with that … but Huawei used product samples provided by AKHAN under strict usage-and-return guidelines to reverse-engineer the technology, in direct contravention of those explicit conditions – and in violation of U.S. export control laws as well.

AKHAN discovered the deception because its product samples had been broken into pieces via laser cutting, and only a portion of them were returned to AKHAN upon demand.

When confronted about the matter, Huawei’s company officials in America admitted flat-out that the missing pieces had been sent to China. AKHAN enlisted the help of the FBI, and in the ensuing months was able to build a sufficient case that resulted in a raid on Huawei’s U.S. offices in San Diego.

The supply-side and demand-side threats are two fronts — but they are related. One of the biggest reasons why Huawei kit has been selected, or is being considered, for deployment on 5G mobile networks worldwide is its low cost. The Chinese government, so the thinking goes, “seduces” telecom operators into buying the Huawei kit by undercutting all competitors, thereby gaining access to countless espionage opportunities. To maintain its financial footing Huawei must keep its costs as low as it can, and one way is to avoid R&D expenses by stealing intellectual property from would-be suppliers.

AKHAN is just the latest – if arguably the most dramatic – example of Huawei’s pattern of technology “dirty tricks” — others being a suit brought by Motorola against Huawei for stealing trade secrets (settled out of court), and T-Mobile’s suit for copying a phone-testing robot which resulted in Huawei paying millions of dollars in damages.

The particularly alarming – and noxious – part of the Huawei saga is that many of its employees in the United States (nearly all of them Chinese) weren’t so keen on participating in the capers, but found that their concerns and warnings went unheeded back home.

In other words – the directive was to get the technology and the trade secrets, come what may.

This kind of behavior is one borne from something that’s far bigger than a single company … it’s a directive that’s coming from “China, Inc.” Translation: The Chinese government.

The actions of the Trump administration regarding trade policy and protecting intellectual property can seem boorish, awkward and even clumsy at times. But in another sense, it’s a breath of fresh air after decades of the well-groomed, oh-so-proper “experts” who thought they were the smartest people in the room — but were being taken to the cleaners again and again.

What are your thoughts about “yesterday, today and the future” of trade, industrial espionage and technology transfer vis-à-vis China? Are we in a new era of tougher controls and tougher standards, or is this going to be only a momentary setback in China’s insatiable desire to become the world’s most important economy? Please share your thoughts and perspectives with other readers here.

Boeing: Late to the reputation recovery party? Or not showing up at all?

Debris field from the Ethiopian Airlines plane crash (March 10, 2019).

It’s been exactly two months since the crash of the Ethiopian Airlines Boeing 737 Max 8 that killed all 157 passengers and crew on board. But as far as Boeing’s PR response is concerned, it might as well never have happened.

Of course, sticking one’s corporate head in the sand doesn’t make problems go away — and in the case of Boeing, clearly the markets have been listening.

Since the crash, Boeing stock has lost more than $27 billion in market value — or nearly 15% — from its top value of $446 per share.

The problem is, the Ethiopian incident has laid bare stories of whistleblowers and ongoing maintenance issues regarding Boeing planes. But the company seems content to let these stories just hang out there, suspended in the air.

With no focused corporate response of any real coherence, it’s casting even greater doubt in the minds of the air traveling public about the quality and viability of the 737 planes — and Boeing aircraft in general.

Even if just 20% or 25% of the air traveling public ends up having bigger doubts, that would have (and is having) a big impact on the share price of Boeing stock.

And so the cycle of mistrust and reputational damage continues. What has Boeing actually done in the past few months to reverse the significant market value decline of the company? Whatever the company may or may not be undertaking isn’t having much of an impact on the “narrative” that’s taken shape about Boeing being a company that doesn’t “sweat the small stuff” with proper focus.

For an enterprise of the size and visibility of Boeing, being reactive isn’t a winning PR strategy. Waiting for the next shoe to drop before you develop and launch your response narrative doesn’t cut it, either.

Far from flying below radar, Boeing’s “non-response response” is actually saying something loud and clear. But in its case, “loud and clear” doesn’t seem to be ending up anyplace particularly good for the Boeing brand and the company’s

What are your thoughts about the way Boeing has handled the recent news about its model 737 aircraft? What do you think the company could have done better? Please share your thoughts with other readers here.

E-Mail security breaches: A cautionary tale.

This past week, I heard from a business colleague who heads up a firm that operates in the IT sector. It isn’t a large company, but its business is international in scope and its entire employee workforce would certainly be considered tech-savvy.

Nevertheless, the company suffered a serious security breach affecting its e-mail system … and it took nearly one week of investigation, diagnosis and repair to deal with the fallout. Ultimately, the system was secured with everything restored and running again, but it took much longer than expected.

What had happened was that an unknown attacker obtained the user ID and password for one of the company’s e-mail accounts, and used those credentials to log on to the mail system as the legitimate user. The attacker then changed the contact name on the account to a fake U.S. telephone number – we’ll call it “+1(4XX) 6XX-9XXX” – and launched a program from his/her/its host computer (hosted by Microsoft and located in a different country than the affected user) which sent out thousands of e-mails having the subject “Missed call from +1(4XX) 6XX-9XXX” and an attachment that looked like a harmless audio file containing a voicemail message.

This type of phishing attack is well-known, and it would be dangerous to open the attachment (no one at the company attempted to do so). The company’s e-mail server eventually blocked the account because it exceeded the maximum outgoing e-mail limit, but strangely enough the administrator was never notified of this fact. The company only discovered the breach after the user called in to complain about receiving thousands of “failed delivery” messages. It took the better part of a full business day just to piece together what was going on, and why.

The attacker also installed a rule on the compromised account which moved all incoming email to an obscure folder. The rule was cleverly disguised, making it easy to overlook and hence more time-consuming to find and remove.

This friend advised that there are a number of “lessons learned” from his company’s experience, which should be considered for implementation by businesses of all sizes everywhere:

1. Implement security policies requiring strong passwords (big, long, hard-to-guess ones) and frequent password changes (once every 90 days or more frequently). In the case of this particular company, its password strength policy was up to snuff but it wasn’t enforcing rotation. That changed immediately after the breach.

2. Require multi-factor authentication (MFA). This is where a user doesn’t merely enter a password to log on, but also has to enter a one-time code sent via SMS or a smartphone app. It’s inconvenient, but regrettably it’s the world we live in today. In the case of this particular company, it hadn’t been using MFA. They are now.

3. Be vigilant in reminding users NEVER to click on links or file attachments embedded in received e-mails unless they absolutely trust the sender. Some larger companies have “drills” which broadcast fake phishing emails to their employees. Those who click are identified and sent to “dum-dum school” for remedial training.

Failing that, companies should adopt policies requiring any employee who receives an e-mail that looks like particularly clever or tempting phishing to report it to the company immediately for investigation.

4. Discourage users from logging on to their mail accounts from public locations using unencrypted WiFi. It’s easy to sniff WiFi signals and it’s even easier to read the data in unencrypted signals, which appear as plain text. Typically, if the WiFi connection requires a passphrase to be entered in order to connect, then it’s encrypted WiFi. If not … watch out.

5. Monitor the e-mail server at least once each day to discover any security breaches or threats, since those servers may not always notify administrators automatically. The sooner a problem is discovered, the quicker and easier it will be to contain and kill it.

6. Require users to archive messages in their Inbox and Sent Items folders regularly. The moment an attacker is able to access an account, he/she/it can easily retrieve and quickly download all the messages on the server, and those messages could contain confidential or sensitive data. Therefore, taking this action will move those messages to each user’s device and purge them from the central server.
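As an added illustration (not code from the colleague’s company or from this post), here is a small Python triage that does the daily pass lesson 5 calls for against a mail-server audit log. It replays the incident above and flags the sign-in from abroad, the changed display name, the catch-all rule that hid incoming mail, and the outbound burst the server capped without telling anyone. The log format, folder names, user names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log in a hypothetical key=value format (no real mail server emits
# exactly this). It replays the incident: login from abroad, display name set to the fake
# number, a catch-all rule hiding new mail, then a burst of "Missed call" messages.
FAKE_NUMBER = "+1(4XX) 6XX-9XXX"
_LINES = [
    "2019-05-06T02:11:04Z user=jsmith event=login ip=203.0.113.45 country=NL",
    f'2019-05-06T02:12:30Z user=jsmith event=profile_update field=display_name value="{FAKE_NUMBER}"',
    '2019-05-06T02:13:02Z user=jsmith event=rule_created folder="RSS Feeds" condition=all mark_read=true',
    "2019-05-06T08:30:00Z user=adoe event=login ip=198.51.100.7 country=US",
    '2019-05-06T08:31:10Z user=adoe event=send subject="Re: invoice"',
]
_LINES += [f"2019-05-06T02:{15 + i // 60:02d}:{i % 60:02d}Z user=jsmith event=send "
           f'subject="Missed call from {FAKE_NUMBER}"' for i in range(120)]
SAMPLE_LOG = "\n".join(_LINES)

_HEAD = re.compile(r"^(\S+) user=(\S+) event=(\S+)\s*(.*)$")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
NORMAL_FOLDERS = {"Inbox", "Archive", "Junk Email"}  # assumed: folders a rule may normally target

def parse_log(text):
    """Parse the log into dicts (ts, user, event plus key=value fields); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = _HEAD.match(line)
        if not m:
            continue
        ts, user, kind, rest = m.groups()
        fields = {k: v.strip('"') for k, v in _KV.findall(rest)}
        fields.update(ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user=user, event=kind)
        events.append(fields)
    return sorted(events, key=lambda e: e["ts"])

def hidden_mail_rules(events):
    """Rules that sweep all incoming mail into an unusual folder or silently mark it read."""
    hits = []
    for e in events:
        if e["event"] != "rule_created":
            continue
        folder = e.get("folder", "")
        if (e.get("condition") == "all" or folder not in NORMAL_FOLDERS
                or e.get("mark_read") == "true"):
            hits.append((e["user"], folder))
    return hits

def send_bursts(events, limit=50, window=timedelta(hours=1)):
    """Users whose sends in any sliding window exceed `limit`: the cap the server in the story
    enforced silently, here reported to the administrator instead."""
    sends = defaultdict(list)
    for e in events:
        if e["event"] == "send":
            sends[e["user"]].append(e["ts"])   # parse_log already sorted these by time
    bursts = {}
    for user, times in sends.items():
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > limit:
            bursts[user] = peak
    return bursts

def foreign_logins(events, home_country="US"):
    """Logins from outside the country the user normally works in (assumed: one home country)."""
    return [(e["user"], e["country"]) for e in events
            if e["event"] == "login" and e.get("country", home_country) != home_country]

def triage(log_text, home_country="US", send_limit=50):
    """The once-a-day pass over the mail server that lesson 5 above asks for."""
    events = parse_log(log_text)
    return {
        "hidden_rules": hidden_mail_rules(events),
        "send_bursts": send_bursts(events, limit=send_limit),
        "foreign_logins": foreign_logins(events, home_country),
        "display_name_changes": [(e["user"], e.get("value", "")) for e in events
                                 if e["event"] == "profile_update" and e.get("field") == "display_name"],
    }
```

Calling `triage(SAMPLE_LOG)` returns every finding for the compromised account and nothing for the other user, which is the signal an administrator would have wanted on day one rather than after the “failed delivery” complaints.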

I’m thankful that my friend was willing to share his experience and suggestions for how to avoid a similar breach happening at my own company. Based on the “lessons learned,” we performed an audit of our own procedures and made several adjustments to our protocols as a result – small changes with potentially large consequences. I suggest you do the same.

New ways to pay: Consumers embrace contactless cards while eschewing mobile payments.

What’s up with mobile payments? They’re the epitome of convenience … and yet most people haven’t taken the plunge.

It’s not as if major retail establishments haven’t begun offering mobile payment capabilities. Apple Pay is now available at three-fourths of the top 100 merchants in the United States (and at two-thirds of all U.S. retail locations overall). The stats for Google (Android) Pay are much the same.

But just because the capability is available doesn’t mean that people will start using it. Juniper Research recently analyzed the payment behaviors of consumers in the United States and UK. It found that just 14% are using mobile payments for in-store purchases.

And even before mobile payments have had much chance to get out of the starting gate, another payment option — contactless credit cards — appears to be stealing their thunder.

Contactless cards work much the way a mobile device does — by simply tapping a terminal at checkout.

Actually, contactless technology isn’t exactly new; MasterCard introduced contactless cards more than a decade ago, and a number of transit authorities like the Chicago and London subway systems were early adopters.

But a critical mass has now been achieved, and market consulting firm ABI Research projects that by 2022, 2.3 billion contactless cards will be issued annually. Companies such as Amex and Capital One are already in it in a big way, and Chase started sending out contactless cards towards the end of 2018.

For consumers, the “tap-and-go” process of these cards takes only a few seconds — in other words, far faster than EMV chip cards that are the most prevalent current practice. Although a few observers disagree, it’s generally believed that contactless cards are nearly as safe to use as chip cards.

Accordingly, the vast majority of card issuers have zero-liability guarantees against fraud, figuring that the faster speed at checkout is worth it to consumers and vendors when weighed against the marginally higher security risk.

What are your preferred payment practices … and why?

Bait for the phish: The subject lines that reel them in.

To those of us who work in the MarComm field – or in business generally – it may seem odd how so many people can get suckered into opening e-mails that contain malware or otherwise wreak havoc with their devices.

But as it turns out, the phishing masters have become quite adept at crafting e-mail subject lines and content that successfully ensnare even the most alert recipients.

In fact, the phishers actually exploit our concerns about security by sending e-communications that play off of those very fears.

To study this effect, cybersecurity firm KnowBe4 conducted an analysis of the most clicked-on phishing subject lines of 2018. Its evaluation was two-pronged – charting actual phishing e-mails received by KnowBe4 clients and reported by their IT departments as suspicious, as well as conducting simulated phishing tests to monitor recipient behavior.

What KnowBe4 found was that the most effective phishing e-mail subject lines generally fall into five topic categories:

  • Passwords
  • Deliveries
  • IT department
  • Company policies
  • Vacation

More specifically, the ten most clicked-on subject lines during 2018, in order of rank, were these:

  • #1. Password Check Required Immediately / Change of Password Required Immediately
  • #2. Your Order with Amazon.com / Your Amazon Order Receipt
  • #3. Announcement: Change in Holiday Schedule
  • #4. Happy Holidays! Have a drink on us
  • #5. Problem with Bank Account
  • #6. De-activation of [recipient’s e-mail address] in Process
  • #7. Wire Department
  • #8. Revised Vacation & Sick Time Policy
  • #9. Last reminder: please respond immediately
  • #10. UPS Label Delivery 1ZBE312TNY00015011

Notice that nearly all of them pertain to topics that seem important, timely and needing the attention of the recipient.

Another way that KnowBe4 analyzed the situation was by pinpointing the e-mail subject lines that were deployed most often in phishing e-mails during 2018.

Here are the Top Ten, ranked in order of their usage:

  • #1. Apple: You recently requested a password reset for your Apple ID
  • #2. Employee Satisfaction Survey
  • #3. Sharepoint: You Have Received 2 New Fax Messages
  • #4. Your Support Ticket is Closing
  • #5. Docusign: You’ve received a Document for Signature
  • #6. ZipRecruiter: ZipRecruiter Account Suspended
  • #7. IT System Support
  • #8. Amazon: Your Order Summary
  • #9. Office 365: Suspicious Activity Report
  • #10. Squarespace: Account billing failure

Commenting on the results that were uncovered by the evaluation, Perry Carpenter, a strategy officer at KnowBe4, had this to say:

“Clicking [on] an e-mail is as much about human psychology as it is about accomplishing a task. The fact that we saw ‘password’ subject lines clicked … shows us that users are concerned about security. Likewise, users clicked on messages about company policies and deliveries … showing a general curiosity about issues that matter to them.”

Carpenter went on to note that KnowBe4’s findings should help corporate IT departments understand “how recipients think” before they click on phishing e-mails and the links within them.

How about you? Are there other e-mail subject lines beyond the ones listed above that you’ve encountered in your daily activities and that raise your suspicions? Please share your examples in the comment section below.

No End in Sight to the Challenge of Email Deliverability

When it comes to e-mail communications in the B-to-B world, yet another study is underscoring just how challenging it is to reach corporate inboxes.

A new report by cyber-security firm FireEye, Inc. reveals that fewer than one-third of e-mails sent are actually making it into corporate inboxes. The FireEye analysis was based on tracking more than a half-billion e-mails sent between January and June of 2018.

The majority of those e-mails were deemed to be spam or malicious in their intent. Nearly 60% were blocked by threat intelligence and around 10% more were halted by attack prevention tactics such as URL inspection and attachment detonation.

E-mails were deemed suspicious because they triggered one or more of the following “red-light” cautions:

  • Malware-less impersonations
  • Malware viruses
  • Phishing attacks
  • Ransomware
  • Spyware
  • Trojan horses
  • Worms

Interestingly, however, it turns out that only a small fraction of the e-mails actually had malicious intent, meaning that the super-strict filters being employed by companies are capturing a huge number of perfectly legitimate e-mail messages in their dragnet and rejecting them out of hand.

On the other hand, the FireEye analysis also determined that impersonation attacks have undergone a shift from domain name spoofing to “friendly” domain name scams – ones in which an e-mail address is manipulated to impersonate a trusted source.

As the study cautions:

“This shift in tactics may be driven by how easily cyber criminals can ‘spoof’ the display name and username portion of an e-mail header. Instead of having to go through the process of buying and registering a domain similar to – or one that sounds like – the recipient’s domain, they can simply change the display/user name.”
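As an added example (not from the FireEye study), here is a Python check for the display-name trick the quote describes: it parses a From header and flags a friendly name that shows a different address than the one the mail really comes from, poses as someone in the organisation’s directory, or borrows the organisation’s domain while the actual address is external. The trusted domain, directory and sample headers are all constructed for the example.

```python
import re
from email.utils import parseaddr

# Assumed organisation data for this example (constructed; not from the FireEye report).
TRUSTED_DOMAINS = {"example.com"}
DIRECTORY = {                       # the people an impersonator would most want to pose as
    "jane doe": "jane.doe@example.com",
    "pat lee": "pat.lee@example.com",
}
_ADDR_IN_NAME = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

def _tokens(text):
    """Lower-case word set, so 'Jane Doe', 'Doe, Jane' and 'jane.doe' all compare alike."""
    return set(re.sub(r"[^a-z]+", " ", text.lower()).split())

def check_from(header):
    """Return the reasons a From header looks like display-name impersonation ([] if clean)."""
    name, addr = parseaddr(header)
    if "@" not in addr:
        return ["no parseable address in From header"]
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    words = _tokens(name)
    reasons = []
    # 1. The friendly name is itself an address, at a domain the mail does not actually come from.
    m = _ADDR_IN_NAME.search(name)
    if m and m.group(1).lower() != domain:
        reasons.append(f"display name shows {m.group(0)} but the mail is from {domain}")
    # 2. The friendly name is one of our own people, but the address is not theirs.
    for person, real_addr in DIRECTORY.items():
        if set(person.split()) <= words and addr != real_addr:
            reasons.append(f"display name poses as {person} ({real_addr}) but the mail is from {addr}")
    # 3. The friendly name drops our domain while the address belongs to someone else.
    if domain not in TRUSTED_DOMAINS and any(_tokens(t) <= words for t in TRUSTED_DOMAINS):
        reasons.append(f"display name mentions a trusted domain but the mail is from {domain}")
    return reasons

def scan(headers):
    """Map each From header to its findings; only flagged headers are returned."""
    return {h: r for h in headers if (r := check_from(h))}

# Constructed sample headers: two genuine, three impersonations, one malformed.
SAMPLE_HEADERS = [
    '"Jane Doe" <jane.doe@example.com>',
    "Pat Lee <pat.lee@example.com>",
    '"Jane Doe" <jane.doe.ceo@webmail.example>',
    '"pat.lee@example.com" <random@mail.example>',
    '"Example.com IT Support" <helpdesk@support-portal.example>',
    "Newsletter",
]

if __name__ == "__main__":
    for header, reasons in scan(SAMPLE_HEADERS).items():
        print(header, "->", "; ".join(reasons))
```

A check like this sits beside, not instead of, domain-level controls such as SPF and DKIM: those verify the sending domain, while this looks at the part of the header the quote says attackers now prefer to manipulate.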

The FireEye analysis is a reminder that, because of their sheer pervasiveness, e-mail communications are also the most popular conduit for potentially significant cyberattacks. No wonder companies have their guard up.

The problem is, clearly a whole lot of wheat is being thrown out with the chaff. And that makes e-communications hardly the slam-dunk communications tactic that many people assume it to be.