Can you tell a real Facebook e-mail from a phishing attempt?

Can you tell a real Facebook e-mail from a phishing attempt?

Summary: Notification e-mails from social networking sites like Facebook can be dangerous; if you're fooled by a phisher, you can click your way into big trouble. Here are four Facebook notifications that arrived in my e-mail inbox recently. Can you tell which are real and which are fake?

SHARE:

E-mail notifications are an important part of social networking services like Facebook. If you have to continually visit the site to see what's new, you lose much of the excitement that comes with comments on your photos or other shared items. If you forget to check for a day or two, you might miss an invitation to an event or an opportunity to connect with a long-lost friend who's in town for a day or two.

But e-mail notifications are also a security risk. If an attacker can create a realistic-looking imitation of a Facebook notification, you might find yourself clicking on a link that can lead to malware or attempt to steal your login credentials.

Unfortunately, phishers are getting better at what they do, and spotting a fake isn't as easy as you might think. I've assembled four Facebook notifications that arrived in my e-mail inbox recently. Can you tell which are real and which are fake? (Click any image to see it at full size, or visit the accompanying gallery to flip through all four screens at full size.)

Here's one that arrived last week. As with all the images, I've blurred personal information but otherwise these messages are shown in full, as they appear in Microsoft Outlook's preview pane.

If you guessed that one was a fake, congratulations. It led to a website that was flagged as dangerous by Microsoft's SmartScreen Filter, by Google's Safe Browsing feature, and by Safari. If you were using an outdated browser such as Internet Explorer 6 or 7, you would have seen an attempt to install a fake Flash update that was actually a password-stealing Trojan.

OK, let's try another. Real or fake?

Do you think that odd e-mail address indicates a fake? Confusingly, Facebook notifications come from the facebookmail.com domain and include a suspicious-looking sender's name. The long, complicated URL might also look suspicious, but this notification is a legit one from Facebook.

OK, here's a third test. Real or fake?

 Hmmm. The previous, real notification included a long complicated URL. This one has a pair of buttons that you're supposed to click to see the comments a friend supposedly added to your shared link. That's a favorite trick that phishers and spammers use to disguise misleading links. Surprisingly, this one is legit.

OK, last one. Real or fake?

This is a particularly convincing fake. The graphics, fonts, button design, and links are all indistinguishable from a real Facebook notification. This particular phishing attempt led to a fake online pharmacy, but it could just as easily have led to a malware installer.

One of these fakes was good enough to slip past my spam filters. In that case, the only way to determine that it wasn't legit was to allow the mouse pointer to hover over a link or button to see what its true destination was. Here's what it looked like:

That's certainly not a legitimate link. Here, by contrast, is what a link from a real Facebook notification looks like:

It's a challenge to get nontechnical users in the habit of checking links before they click, but the results are well worth it.

Topics: Security, Collaboration, Social Enterprise

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

62 comments
Log in or register to join the discussion
  • RE: Can you tell a real Facebook e-mail from a phishing attempt?

    And that's why I use notifications only as a "notification" to go to fb and check for updates. I never click on email links unless I signed up for a website and it's a verification link
    mike2k
    • RE: Can you tell a real Facebook e-mail from a phishing attempt?

      @mike2k ... Agreed. I turn off all notifications to email, and I only enable select notifications to my phone via text, since I also use FB services on my phone. It's not like it's really a hassle to go to the web site or open the app to check.
      GoodThings2Life
    • RE: Can you tell a real Facebook e-mail from a phishing attempt?

      @mike2k
      +1
      Ram U
  • RE: Can you tell a real Facebook e-mail from a phishing attempt?

    I can always tell very easily without checking the email address..because they send them to the wrong email that used to be my FB email in 2007 lol...
    ChrispyCritter
    • RE: Can you tell a real Facebook e-mail from a phishing attempt?

      @ChrispyCritter
      Exactly... but even if they manage to send it to the correct email address, it's not going to show up because only the correct fb address will get through. All others are discarded.
      FranC.
  • It's not going to happen unless email encryption is mandated

    The only true fool-proof way to ensure the authenticity of an email is with PGP or GnuPG encrypted email.

    The fact is, by and large every email gets sent as 'clear text' across all MTA intermediaries.

    Putting it another way:

    Would you put a paper letter in the mail without first placing it in a privacy envelope?

    The answer is no you wouldn't unless you were sending a postcard.

    If 'envelopes' are a mailing convention for privacy, why not make GnuPG or PGP the 'envelope' for all email correspondence?

    Mandated use would solve many problems:

    o ISPs could test the header of emails for signed certificates and if not present simply shunt the email offline
    o Spam would be largely eliminated
    o Users of the Internet would gain the privacy right they deserve

    What say you Ed?
    Dietrich T. Schmitz *Your
    • Message has been deleted.

      GoodThings2Life
      • Clearly, you demonstrate ignorance.

        @GoodThings2Life
        Digitally signing messages with GnuPG has nothing to do with domains.

        Read:
        h-t-t-p://en.wikipedia.org/wiki/GNU_Privacy_Guard
        Dietrich T. Schmitz *Your
    • RE: Can you tell a real Facebook e-mail from a phishing attempt?

      @Dietrich T. Schmitz * Your Linux Advocate
      Encryption doesn't have anything to do with verifying the identity of another individual. It prevents a third party from viewing the email sent between two parties. If a spammer is sending me an email, I don't care if anyone else can intercept that email or not. It does nothing to resolve the issue of spam or phishing. GT2L's point about falsifying the identity portion of GPG is also valid. You set up your identity and GPG hashes a digital signature based on the information you gave it. Nothing more. There's a reason PGP is an abbreviation for Pretty Good Privacy, not Perfectly Great Privacy.
      swmace
      • You are incorrect.

        @swmace <br>It has everything to do with verifying the identity of another individual and as I stipulated in my opening thread, ISPs can shunt email's off-line which are not compliant with GnuPG and are not signed (spam).<br><br>If a user is not in your 'web of trust', then you can safely assume the email was totally unsolicited.<br><br><br>h-t-t-p://en.wikipedia.org/wiki/E-mail_privacy

        The case for email encryption:
        h-t-t-p://luxsci.com/blog/the-case-for-email-security.html
        <br><br>Reading is fundamental.
        Dietrich T. Schmitz *Your
    • RE: Can you tell a real Facebook e-mail from a phishing attempt?

      @Dietrich T. Schmitz * Your Linux Advocate
      <i>If a user is not in your 'web of trust', then you can safely assume the email was totally unsolicited.</i>
      True, but an unauthorized user can get into your "web of trust". That's the problem. The GPG uses information that the user gives it to create a digital signature. I could create a digital signature today identifying myself as Dietrich T. Schmitz * Your Linux Advocate. That doesn't make me you...thankfully.

      <i>Reading is fundamental</i>
      So is understanding concepts you pretend to know about.
      swmace
      • Straw Man

        @swmace <br>Nobody can get into your WOT. You've never used GPG/PGP encrypted email have you?

        h-t-t-p://hygelac.cas.mcmaster.ca/courses/SE-4C03-07/wiki/zagorajm/#HowWOT
        Dietrich T. Schmitz *Your
    • RE: Can you tell a real Facebook e-mail from a phishing attempt?

      @ this thread

      OMG, you're all nuts.

      Let's get a few things straight:

      - The flagging system of ZDNet is for spam and abuse, not for disagreement.
      - Encryption prevents people from reading your email without the right key.
      - Digital signatures are for confirming identity.
      - Encryption technologies are used for digital signing - they're the same technology used in different ways.

      "Afterall, I can register a fake domain, and a certificate for my domain that claims to be Facebook or anyone else."

      Sure, you can claim to be facebook, but your domain name will never be facebook.com, and your digital signature will never work with facebook.com. If you try to send email from facebook.com using your digital signature, it will fail because the digital signature does not match the domain name.

      ONLY the digital signature given to the domain name facebook.com will EVER match the digital signature of facebook.com. This makes it a lot harder to pretend to be somebody else.
      CobraA1
      • RE: Can you tell a real Facebook e-mail from a phishing attempt?

        @CobraA1 <br>"Let's get a few things straight:<br>- The flagging system of ZDNet is for spam and abuse, not for disagreement."<br>//<br>What do you expect them to do when posting something they can't disagree with? Expect them to sit back and take it? What do you thing they are? Adults?
        rmhesche
    • RE: Can you tell a real Facebook e-mail from a phishing attempt?

      @Dietrich T. Schmitz * Your Linux Advocate One problem would be getting ordinary users to to download, install and use GnuPG:

      http://howto.cnet.com/8301-11310_39-10434684-285/want-really-secure-gmail-try-gpg-encryption/
      "The bigger problem with encrypted mail is convincing others to install the software and use it. Until then, you'll be like the proverbial owner of the world's single fax machine: nice technology, but there's nothing you can do with it until someone else gets one.

      Also, if someone within a web of trust can be socially-engineered, a miscreant can forge a fake web of trust. In this case, would most individuals perform the due diligence required to identify the fake web of trust? More here (see 'signatures and webs of trust do not guarantee trustable keys'):

      http://cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html

      And, finally, someone within a web of trust could have their PC or user account pwned. Thus, providing a miscreant with access to their private key. Would most users create a revocation certificate and choose to store it in a safe place? Would they know how to create a revocation certificate? And how to apply it?
      Rabid Howler Monkey
      • RE: Can you tell a real Facebook e-mail from a phishing attempt?

        @Rabid Howler Monkey

        I would submit, dual-authentication combined with email would tighten up email security--I already use it with my gmail accounts.

        BTW, I didn't say using GnuPG would be easy--but if such a mandate were to come into play, Federal monies offsetting development of software that would ease usage should be offered well in advance of any compliance date.

        Ubuntu comes with SeaHorse, but it's not currently easy.

        But the encryption technology is and has been there for quite some time.

        PGP Corp. has a good implementation.
        Dietrich T. Schmitz *Your
    • RE: Can you tell a real Facebook e-mail from a phishing attempt?

      @Dietrich T. Schmitz * Your Linux Advocate This is possible but you wouldn't use PGP to do it. You'd use SPF records for the domain.
      http://www.openspf.org/FAQ/What_is_SPF
      Bucky24
      • Doesn't solve the current gaping issue

        @Bucky24 <br><br>Anyone can currently forge the sender's id with MIME format.<br><br>GPG or PGP would lock that down.

        I understand SPF, but it doesn't address the underlying specification which didn't go far enough or see the potential for abuse of forging the sender's id.

        Encryption is the only long-term solution, but the software to make it easy is behind. Agreed?
        Dietrich T. Schmitz *Your
    • RE: Can you tell a real Facebook e-mail from a phishing attempt?

      @Dietrich T. Schmitz * Your Linux Advocate

      Would you have a phone conversation without encryption? The entire planet has been doing it for decades with no real issues.

      You don't even understand your own example. Would you open an envelope that comes from a person you know? Can you verify the contents are not junk (spam) or dangerous (trojans) before opening?

      And 'clear text' is not at all the issue here. Nobody's email is being intercepted and modified, so encryption is irrelevant. Funny how you always jump into a conversation and change the subject.
      aep528
    • RE: Can you tell a real Facebook e-mail from a phishing attempt?

      @Dietrich T. Schmitz * Your Linux Advocate

      You know, I'm not your 'biggest' fan in many respects, but that doesn't mean I can't respect your intellect. Well said.
      TechNickle