Eight out of ten Facebook accounts claiming to be connected to a selection of the UK's best-known FTSE 100 brands are unauthorised and almost certainly bogus, an analysis by security firm Proofpoint has discovered.
The figure for Twitter isn't much better with four out of ten branded accounts being unauthorised. Very few of the firms involved - not to mention their customers and followers - seem to be aware of the scale of the problem.
During January, the firm studied social accounts connected to ten large FTSE 100 firms in finance, media, retail, pharma and manufacturing, uncovering an astonishing 3,800 accounts connected to them across Facebook, Twitter, Google+ and YouTube, an average of more than 300 each.
Accounts could in theory be one of three types: verified legitimate accounts, unverified legitimate accounts (i.e. set up by employees without permission), and unauthorised, exploitative accounts using the brands for nefarious purposes such as generating traffic or pushing malware. A fourth type of account - legitimate hacked accounts - was also possible but presumably very rare.
In practice, the number of bogus or unauthorised accounts seemed to form the majority, with Facebook and Twitter presenting the biggest problems for the ten firms looked at.
The question is how much the firms involved know about the scale of the problem and its effect on the users who find it hard to distinguish real from bogus - the images above (fake) and below (genuine) provide examples. Both look plausible even though one is completely fake.
It can be inferred from the size of the problem that few of the firms studied have any idea that hundreds of bogus Facebook and Twitter accounts have borrowed their brands or they'd attempt to do something about it.
"It's what we call social sprawl. Organisations are trying to figure this out. Most start with manual process and struggle to get a sense of the footprint," suggested Proofpoint's Devin Redmond.
In his view very few firms have any automated way of detecting social account abuse, which is why Proofpoint is keen to push its Social Threat Center, a product acquired last October as part of the Nexgate acquisition. This functions as a sort of console for monitoring accounts across a range of services and incorporates a function to simplify the reporting of non-legitimate accounts.
"Social has happened so quickly outside the traditional realm of fraud monitoring. Most organisations are just becoming aware of how to deal with the problem. They tend not to know a lot about social media," he said.
The problem was being compounded by the culture of large UK firms, which tend to hand the social function to non-technical people. At the same time, the more technical people who do understand security tend not to be skilled at understanding social media.