Question: I fell for one of those Facebook scams. How do I make sure none of it is left on my Timeline and avoid that kind of mistake in the future?
Answer: This question most recently came from a friend who, in a moment of weakness, tried to claim an alleged offer for two free tickets on Southwest Airlines.
First, this person reported seeing the free-tickets ad on the profile of a trusted friend. A click on that opened a tiny browser window (unnoticed at first) and then copied the same scammy ad to my friend's profile.
It also opened a normal-sized browser window asking for personal information to claim the free tickets; my friend was suspicious enough by then to provide an incorrect birthday and back out after being asked to pay $9.99 a month.
But at that point, the bogus ad had littered the profiles of many Facebook pals. Later on, my friend also received telemarketing calls, spam text messages (if you get those, ask your carrier to waive any charges you'd pay to receive them), and about 50 more junk e-mails a day than before.
What happened here? The scam worked by exploiting a form of temporary authentication Facebook (like other sites) uses to avoid asking users to enter their passwords all the time.
Frederic Wolens, a Facebook security manager, explained that "user access token" hijacking enables the scammer to impersonate the victim. "They can act as if they were the user until that access token has been invalidated by Facebook," he wrote. "Most of the time we try and invalidate these tokens as soon as we detect a scam."
Facebook's cleanup advice began with advising my friend to visit facebook.com/hacked, which will reset your password and walk you through ways to further secure your account.
Once you've regained control over your account - always the first step in recovering from an attack like this - you should delete every copy of the scam post. Go to your profile, click the "Activity Log" button, and then look for the offending ads. Steer the cursor just above and to the right of each one, click on the pencil icon that should appear, and select "Delete..." from that menu.
Sophos's Jones advised checking the apps that Facebook lists as recently installed. If you neither recognize one nor remember adding it, remove it. And if you don't recognize pages that your profile says you like, they could have been added with the "likejacking" technique described earlier; remove them too.
There's no better defense against this than skepticism. Taking a minute to search for, say, "Southwest free tickets" before clicking on an ad that defied economic logic would have revealed that this scam has been circulating for years. As far back as May 2011, Southwest itself was trying to warn Facebook users, and last year the scam got a write-up on the Snopes mythbusting site.
As we say in newsrooms: "If your mother says she loves you, check it out."
Tip: Put Facebook and other social-network notifications on a diet
Many social-media sites operate as if you have a deep and abiding fear of missing out: They will e-mail you and pop notifications on your smartphone every time something of consequence happens.
That can be helpful when you're getting the hang of a new network, but after a few months most of these notices only gum up your inbox and your phone's screen. Turn off alerts about anything that doesn't require immediate action - for instance, Facebook friend requests and new status updates from pals you've added to your "Close Friends" list there, or new followers on Twitter or Tumblr.
On Facebook, go to your account-settings page and click "Notifications" to control what that network bugs you about on e-mail and on its site; open Facebook's mobile app to adjust its nags there. In Twitter, sign in at its site, click the gear-icon settings button at the top right and select "E-mail notifications." On Tumblr, click its own gear-icon settings button and choose "e-mail."
Rob Pegoraro, USA TODAY