



Just say no to Facebook quizzes

Aug 07, 2017 | 5 mins
Data and Information Security, Fraud, Internet

Clickbait by any other name is just the same. These quizzes take your personal information, and leave you with cookies and malware.

In June, I wrote about the 1 thing clickbait sites don’t want you to know will leave you breathless. The problem with clickbait is that the reader is always being manipulated, according to Jake Beckman, creator of @SavedYouAClick, a Twitter feed devoted to “saving you from clickbait.” Clickbait is insidious as users are treated as stupid.

Another clickbait method is via Facebook quizzes. Spend a few minutes on Facebook and you will invariably find friends sharing the fact they did well in a quiz. Simply put, these quizzes are not about testing intellectual capabilities, but are glorified clickbait methods.

First off, most of the tests are horrendously written. There is actually a field dedicated to writing tests known as psychometrics, which is the science of measuring mental capacities and processes. Reputable testing firms employ psychometricians who are responsible for test development. As to the disreputable ones, nothing makes this point clearer than Meaww, one of the larger quiz sites with this eminently clear disclaimer: all content is provided for fun and entertainment purposes only.

It takes a psychometrician roughly 100-200 person-hours to create a test question. This includes ensuring the answer is correct, that the other answers are indeed incorrect, grammar issues, creating an appropriate answer, checking for myriad nuances, checking the statistics about how questions were answered in the past, and much more. The function of testing is to measure knowledge and capabilities. The function of Facebook quizzes is for advertising and getting your personal information.

Effective tests require competent psychometricians to develop them. Simply put: every quiz offered to you on Facebook is a ruse to get your personal data and perpetuate the quiz. These quizzes are designed by advertising agencies, not psychometricians. They evaluate nothing but how vulnerable you are to bogus quizzes.

Many of these quizzes require you to log in with Facebook to take the quiz. Giving these firms complete access to your public profile, email, friends list and more is a privacy perfect storm.

Some quizzes want your mobile number to obtain the results. If you read their privacy policy and terms of service, you are entering into a world of pain, as your number is going to be shared and resold, and you will quickly be the recipient of spam texts, and not infrequently additional cell charges.

It’s not just mobile numbers. Many of the quizzes request your date of birth, gender, and other password reset information that, when aggregated, creates a large dossier of personal information about the user.

Which brings us to these quizzes. Those on Facebook often find ones such as:

  • Only a genius can answer all 20 questions correctly.
  • I scored 94% How well do YOU know M*A*S*H? Take the quiz to find out!
  • Only 1 in 50 Fans Can Get 10/15 On This Sound Of Music Test. Can You?
  • Can You Answer 16 Questions Every Dirty Dancing Fan Should Know?

After completing the test, one is encouraged to share the results on social media. With that, there is an incentive to make the tests easy to pass, as one doesn’t want to share the fact that they failed a test. The tests may be fun and entertaining, but they serve no other purpose than to have you click on ads.

The tests are notoriously easy to pass, especially since many of them will only have 2 or 3 answers. As to the “Only A Music Major Can Get 10/15 On This” quiz: I am not a music major and I got 100% on the quiz. But you are hearing this first, as I didn’t share it on social media.

The hyperbole didn’t end there, as the results stated: WHOA!! You are not only a music major, but you’re a music expert! A music magician!! You know everything about music theory, and if you don’t pursue a career in music, you’re seriously wasting your talents! Congratulations on such a great score! SHARE this amazing score with your family and friends!

As you can see, it’s about sharing with family and friends to continue the clickbait.

With that, when it comes to Facebook quizzes, here are a few tips:

1. Don’t take the bait

Avoid any and all Facebook quizzes. You likely share way too much personal information on Facebook in the first place, so why add to it? Because if you do, you become the data.

2. Install anti-virus software

Some of these sites are flagged by the AV vendors, and the software will protect you from the malware and ransomware that is not uncommon on clickbait sites.

3. Don’t take quizzes

Just say no to these quizzes. They do absolutely nothing to test your knowledge, and are based on the premise that victims will take them.

4. Blacklist sites

Sites such as BrainFall, BuzzFeed Quizzes and similar have no redeeming value and you should consider blacklisting them, in case your AV vendor hasn’t already done so.

5. Facebook privacy settings

If nothing else, make sure you are maximizing the Facebook privacy settings. The Privacy Checkup helps you review who can see your posts and information from your profile, like your phone number and email address. It also shows you your settings for apps you’ve logged into with Facebook.


Ben Rothke, CISSP, CISM, CISA is a senior information security specialist at Tapad and has over 16 years of industry experience in information systems security and privacy.

His areas of expertise are in risk management and mitigation, security and privacy regulatory issues, design and implementation of systems security, encryption, cryptography and security policy development.

Ben is the author of Computer Security - 20 Things Every Employee Should Know (McGraw-Hill). He writes security and privacy book reviews for Slashdot and Security Management and is a former columnist for Information Security, Unix Review and Solutions Integrator magazines.

He is a frequent speaker at industry conferences, such as RSA and MISTI, holds numerous industry certifications and is a member of ASIS, Society of Payment Security Professionals and InfraGard.

He holds the following certifications: CISM, CISA, CGEIT, CRISC, CISM, CISSP, SMSP, PCI QSA.

The opinions expressed in this blog are those of Ben Rothke and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.