We’ve talked about using stories to teach security topics in the past. Today, we have one that shows how a social network site uses safeguards to prevent someone from accessing your account.

Dear Facebook,

I love you.  Two nights ago I checked my e-mail one last time before turning in for the night and I saw a notification from who?  From you.  You told me that someone had requested a password reset.  Whoa.  Stop right there.  That. Wasn’t. Me.  My suspicion gears started moving.  I sat up in bed.  I squinted at the e-mail on my phone.  I wasn’t sure if it was you or a hoax.

I touched the “from” address that simply said “Facebook”, and my iPhone popped up a new contact window and showed your address to be <something>@facebookmail.com.  

(I had to turn the screen sideways to see the full address.)

A quick search of your help site told me this e-mail address was legitimate.  Still, my training in cyber security awareness kept me from clicking on the link even to disavow the password reset request. 

Did someone just mistype my e-mail address when they went to change THEIR password?  Boy, that seems unlikely as my e-mail address isn’t exactly common.  I closed my eyes and began some deep breathing exercises.  It’s OK.  Facebook, you have my back.  Someone would need access to my e-mail address in order to reset my password, AND you would have followed that up with an e-mail to notify me that the password was successfully changed. 

I slept normally that night.

In the morning I woke up and no, there was no “your password was reset” notification.  Just to be extra cautious, I logged in to your website from a browser on my laptop.  The browser was brand new so your login approvals kicked in.  You told me you didn’t recognize my computer and asked me to enter in the code from the Code Generator on my phone app.  You even gave me helpful instructions for how to do so on that page.  My heart swelled.

I love you, Facebook, for taking the security of my information seriously and giving me plenty of options to help protect my account even if someone phishes (steals) my e-mail credentials.