Eight out of ten Facebook accounts claiming to be connected to a selection of the UK’s best-known FTSE 100 brands are unauthorised and almost certainly bogus, an analysis by security firm Proofpoint has discovered.

The figure for Twitter isn’t much better with four out of ten branded accounts being unauthorised. Very few of the firms involved - not to mention their customers and followers - seem to be aware of the scale of the problem.

[Image: Rolls-Royce account (fake)]

During January, the firm studied social accounts connected to ten large FTSE 100 firms in finance, media, retail, pharma and manufacturing, uncovering an astonishing 3,800 accounts connected to them across Facebook, Twitter, Google+ and YouTube, an average of more than 300 each.

Accounts could in theory be one of three types: verified legitimate accounts, unverified legitimate accounts (i.e. set up by employees without permission), and unauthorised, exploitative accounts using the brands for nefarious purposes such as generating traffic or pushing malware. A fourth type of account – legitimate hacked accounts - was also possible but presumably very rare.

In practice, the number of bogus or unauthorised accounts seemed to form the majority, with Facebook and Twitter presenting the biggest problems for the ten firms looked at.

The question is how much the firms involved know about the scale of the problem and its effect on the users who find it hard to distinguish real from bogus - the images above (fake) and below (genuine) provide examples. Both look plausible even though one is completely fake.

It can be inferred from the size of the problem that few of the firms studied have any idea that hundreds of bogus Facebook and Twitter accounts have borrowed their brands, or they’d attempt to do something about it.

“It’s what we call social sprawl. Organisations are trying to figure this out. Most start with manual process and struggle to get a sense of the footprint,” suggested Proofpoint’s Devin Redmond.

In his view very few firms have any automated way of detecting social account abuse, which is why Proofpoint is keen to push its Social Threat Center, a product acquired last October as part of the Nexgate acquisition. This functions as a sort of console for monitoring accounts across a range of services and incorporates a function to simplify the reporting of non-legitimate accounts.

“Social has happened so quickly outside the traditional realm of fraud monitoring. Most organisations are just becoming aware of how to deal with the problem. They tend not to know a lot about social media,” he said.

The problem was being compounded by the culture of large UK firms, which tend to hand social function to non-technical people. At the same time, the more technical people who do understand security tend not to be skilled at understanding social media.

As for the users, telling some of the bogus accounts from the real McCoy is not easy on casual inspection. Bogus accounts can have large numbers of users and likes and look perfectly legitimate.

Previous research by the firm showed that US firms have about the same size of problem but have been quicker to buy automated tools to detect and remediate problems, and face more social governance regulation. This is despite the fact that big UK brands are around 20 percent more active in terms of social media use, Redmond said.

By sector, UK finance was the best policed, media firms easily the worst.

But is monitoring perhaps a luxury? According to Redmond, not so. Constant vigilance was now essential with even harmless-looking social accounts able to spring into malevolence quite unexpectedly should a particular event start to trend.

At the very least, firms unable to monitor social accounts faced brand pollution; at worst, potentially thousands of their customers could quickly be drawn to malicious links and malware.