Can you tell a real Facebook e-mail from a phishing attempt?

By Ed Bott | August 28, 2011, 2:59pm PDT

Summary: Notification e-mails from social networking sites like Facebook can be dangerous; if you’re fooled by a phisher, you can click your way into big trouble. Here are four Facebook notifications that arrived in my e-mail inbox recently. Can you tell which are real and which are fake?

E-mail notifications are an important part of social networking services like Facebook. If you have to continually visit the site to see what’s new, you lose much of the excitement that comes with comments on your photos or other shared items. If you forget to check for a day or two, you might miss an invitation to an event or an opportunity to connect with a long-lost friend who’s in town for a day or two.

But e-mail notifications are also a security risk. If an attacker can create a realistic-looking imitation of a Facebook notification, you might find yourself clicking on a link that leads to malware or to a page that tries to steal your login credentials.

Unfortunately, phishers are getting better at what they do, and spotting a fake isn’t as easy as you might think. I’ve assembled four Facebook notifications that arrived in my e-mail inbox recently. Can you tell which are real and which are fake?

Here’s one that arrived last week. As with all the images, I’ve blurred personal information but otherwise these messages are shown in full, as they appear in Microsoft Outlook’s preview pane.

If you guessed that one was a fake, congratulations. It led to a website that was flagged as dangerous by Microsoft’s SmartScreen Filter, by Google’s Safe Browsing feature, and by Safari. If you were using an outdated browser such as Internet Explorer 6 or 7, you would have seen an attempt to install a fake Flash update that was actually a password-stealing Trojan.

OK, let’s try another. Real or fake?

Do you think that odd e-mail address indicates a fake? Confusingly, Facebook notifications come from the facebookmail.com domain and include a suspicious-looking sender’s name. The long, complicated URL might also look suspicious, but this notification is a legit one from Facebook.

OK, here’s a third test. Real or fake?

Hmmm. The previous, real notification included a long, complicated URL. This one has a pair of buttons that you’re supposed to click to see the comments a friend supposedly added to your shared link. That’s a favorite trick that phishers and spammers use to disguise misleading links. Surprisingly, this one is legit.

OK, last one. Real or fake?

This is a particularly convincing fake. The graphics, fonts, button design, and links are all indistinguishable from a real Facebook notification. This particular phishing attempt led to a fake online pharmacy, but it could just as easily have led to a malware installer.

One of these fakes was good enough to slip past my spam filters. In that case, the only way to determine that it wasn’t legit was to allow the mouse pointer to hover over a link or button to see what its true destination was. Here’s what it looked like:

That’s certainly not a legitimate link. Here, by contrast, is what a link from a real Facebook notification looks like:

It’s a challenge to get nontechnical users in the habit of checking links before they click, but the results are well worth it.
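The hover check described above, done in code. This example is added here and is not from the article: it parses a notification e-mail, checks that the sender's domain is one of the Facebook domains the article names (facebook.com, facebookmail.com), and reports every link whose real destination is somewhere else, which is exactly what hovering over the button revealed. The sample message and the `faceb00k-notify.example.net` host are constructed, and the two-label domain rule is a simplification that stands in for a public-suffix list.

```python
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse
# Domains the article identifies as Facebook's own, for both sender and link hosts.
TRUSTED_DOMAINS = {"facebook.com", "facebookmail.com"}

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs: exactly what hovering over a link reveals."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    # Simplification: last two labels; a production check would use a public-suffix list.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_notification(raw_message):
    """Return a list of warnings for a raw RFC 822 message; an empty list means it passed."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    warnings = []
    sender = email.utils.parseaddr(str(msg.get("From", "")))[1]
    if registrable_domain(sender.rsplit("@", 1)[-1]) not in TRUSTED_DOMAINS:
        warnings.append(f"sender domain not trusted: {sender}")
    html_part = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(html_part.get_content() if html_part else "")
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if registrable_domain(host) not in TRUSTED_DOMAINS:
            warnings.append(f"link '{text}' really goes to {host}")
    return warnings

# Constructed sample: the sender passes and one link is genuine, but the button
# points at a look-alike host, which is what the hover test would have shown.
SAMPLE_MESSAGE = """From: Facebook <notification+kjdm=z@facebookmail.com>
Content-Type: text/html; charset=utf-8

<a href="http://www.facebook.com/n/?photo.php&mid=CONSTRUCTED">View Comment</a>
<a href="http://faceb00k-notify.example.net/login">See Comment</a>
"""
```

Running `check_notification(SAMPLE_MESSAGE)` returns one warning naming the look-alike host; a message whose sender and every link stay on the trusted domains returns an empty list.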



Ed Bott is an award-winning technology writer with more than two decades' experience writing for mainstream media outlets and online publications.

Disclosure

Ed Bott

Ed Bott is a freelance technical journalist and book author. All work that Ed does is on a contractual basis.

Since 1994, Ed has written more than 25 books about Microsoft Windows and Office. Along with various co-authors, Ed is completely responsible for the content of the books he writes. As a key part of his contractual relationship with publishers, he gives them permission to print and distribute the content he writes and to pay him a royalty based on the actual sales of those books. Ed's books are currently distributed by Que Publishing (a division of Pearson Education) and by Microsoft Press.

On occasion, Ed accepts consulting assignments. In recent years, he has worked as an expert witness in cases where his experience and knowledge of Microsoft and Microsoft Windows have been useful. In each such case, his compensation is on an hourly basis, and he is hired as a witness, not an advocate.

Ed does not own stock or have any other financial interest in Microsoft or any other software company. He owns 500 shares of stock in EMC Corporation, which was purchased before the company's acquisition of VMWare. In addition, he owns 350 shares of stock in Intel Corporation, purchased more than two years ago. All stocks are held in retirement accounts for long-term growth.

Ed does not accept gifts from companies he covers. All hardware products he writes about are purchased with his own funds or are review units covered under formal loan agreements and are returned after the review is complete.

Biography

Ed Bott

He's served as editor of the U.S. edition of PC Computing and managing editor of PC World; both publications had monthly paid circulation in excess of 1 million during his tenure. He is the author of more than 25 books on Microsoft Windows and Office, including the recently released Windows 7 Inside Out.

Talkback (most recent of 61 talkbacks)

  • RE: Can you tell a real Facebook e-mail from a phishing attempt?
    And that's why I use notifications only as a "notification" to go to fb and check for updates. I never click on email links unless I signed up for a website and it's a verification link.
    mike2k
    28th Aug
  • RE: Can you tell a real Facebook e-mail from a phishing attempt?
    @mike2k ... Agreed. I turn off all notifications to email, and I only enable select notifications to my phone via text, since I also use FB services on my phone. It's not like it's really a hassle to go to the web site or open the app to check.
    GoodThings2Life
    28th Aug
  • RE: Can you tell a real Facebook e-mail from a phishing attempt?
    I can always tell very easily without checking the email address..because they send them to the wrong email that used to be my FB email in 2007 lol...
    ChrispyCritter
    28th Aug
  • RE: Can you tell a real Facebook e-mail from a phishing attempt?
    @ChrispyCritter
    Exactly... but even if they manage to send it to the correct email address, it's not going to show up because only the correct fb address will get through. All others are discarded.
    FranC.
    29th Aug
  • It's not going to happen unless email encryption is mandated
    The only true fool-proof way to ensure the authenticity of an email is with PGP or GnuPG encrypted email.

    The fact is, by and large every email gets sent as 'clear text' across all MTA intermediaries.

    Putting it another way:

    Would you put a paper letter in the mail without first placing it in a privacy envelope?

    The answer is no you wouldn't unless you were sending a postcard.

    If 'envelopes' are a mailing convention for privacy, why not make GnuPG or PGP the 'envelope' for all email correspondence?

    Mandated use would solve many problems:

    o ISPs could test the header of emails for signed certificates and if not present simply shunt the email offline
    o Spam would be largely eliminated
    o Users of the Internet would gain the privacy right they deserve

    What say you Ed?
    Dietrich T. Schmitz * Your Linux Advocate
    28th Aug
  • Clearly, you demonstrate ignorance.
    @GoodThings2Life
    Digitally signing messages with GnuPG has nothing to do with domains.

    Read:
    h-t-t-p://en.wikipedia.org/wiki/GNU_Privacy_Guard
    Dietrich T. Schmitz * Your Linux Advocate
    29th Aug
  • RE: Can you tell a real Facebook e-mail from a phishing attempt?
    @Dietrich T. Schmitz * Your Linux Advocate
    Encryption doesn't have anything to do with verifying the identity of another individual. It prevents a third party from viewing the email sent between two parties. If a spammer is sending me an email, I don't care if anyone else can intercept that email or not. It does nothing to resolve the issue of spam or phishing. GT2L's point about falsifying the identity portion of GPG is also valid. You set up your identity and GPG hashes a digital signature based on the information you gave it. Nothing more. There's a reason PGP is an abbreviation for Pretty Good Privacy, not Perfectly Great Privacy.
    swmace
    29th Aug
  • You are incorrect.
    @swmace
    It has everything to do with verifying the identity of another individual and, as I stipulated in my opening thread, ISPs can shunt emails off-line which are not compliant with GnuPG and are not signed (spam).

    If a user is not in your 'web of trust', then you can safely assume the email was totally unsolicited.


    h-t-t-p://en.wikipedia.org/wiki/E-mail_privacy

    The case for email encryption:
    h-t-t-p://luxsci.com/blog/the-case-for-email-security.html


    Reading is fundamental.
    Dietrich T. Schmitz * Your Linux Advocate
    29th Aug
  • RE: Can you tell a real Facebook e-mail from a phishing attempt?
    @Dietrich T. Schmitz * Your Linux Advocate
    If a user is not in your 'web of trust', then you can safely assume the email was totally unsolicited.
    True, but an unauthorized user can get into your "web of trust". That's the problem. GPG uses information that the user gives it to create a digital signature. I could create a digital signature today identifying myself as Dietrich T. Schmitz * Your Linux Advocate. That doesn't make me you...thankfully.

    Reading is fundamental
    So is understanding concepts you pretend to know about.
    swmace
    29th Aug
  • Straw Man
    @swmace
    Nobody can get into your WOT. You've never used GPG/PGP encrypted email have you?

    h-t-t-p://hygelac.cas.mcmaster.ca/courses/SE-4C03-07/wiki/zagorajm/#HowWOT
    Dietrich T. Schmitz * Your Linux Advocate
    29th Aug
  • RE: Can you tell a real Facebook e-mail from a phishing attempt?
    @ this thread

    OMG, you're all nuts.

    Let's get a few things straight:

    - The flagging system of ZDNet is for spam and abuse, not for disagreement.
    - Encryption prevents people from reading your email without the right key.
    - Digital signatures are for confirming identity.
    - Encryption technologies are used for digital signing - they're the same technology used in different ways.

    "Afterall, I can register a fake domain, and a certificate for my domain that claims to be Facebook or anyone else."

    Sure, you can claim to be facebook, but your domain name will never be facebook.com, and your digital signature will never work with facebook.com. If you try to send email from facebook.com using your digital signature, it will fail because the digital signature does not match the domain name.

    ONLY the digital signature given to the domain name facebook.com will EVER match the digital signature of facebook.com. This makes it a lot harder to pretend to be somebody else.
    CobraA1
    29th Aug
  • RE: Can you tell a real Facebook e-mail from a phishing attempt?
    @CobraA1
    "Let's get a few things straight:
    - The flagging system of ZDNet is for spam and abuse, not for disagreement."
    //
    What do you expect them to do when posting something they can't disagree with? Expect them to sit back and take it? What do you think they are? Adults?
    rmhesche
    29th Aug
  • RE: Can you tell a real Facebook e-mail from a phishing attempt?
    @Dietrich T. Schmitz * Your Linux Advocate One problem would be getting ordinary users to download, install and use GnuPG:

    http://howto.cnet.com/8301-11310_39-10434684-285/want-really-secure-gmail-try-gpg-encryption/
    "The bigger problem with encrypted mail is convincing others to install the software and use it. Until then, you'll be like the proverbial owner of the world's single fax machine: nice technology, but there's nothing you can do with it until someone else gets one."

    Also, if someone within a web of trust can be socially-engineered, a miscreant can forge a fake web of trust. In this case, would most individuals perform the due diligence required to identify the fake web of trust? More here (see 'signatures and webs of trust do not guarantee trustable keys'):

    http://cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html

    And, finally, someone within a web of trust could have their PC or user account pwned, thus providing a miscreant with access to their private key. Would most users create a revocation certificate and choose to store it in a safe place? Would they know how to create a revocation certificate? And how to apply it?
    Rabid Howler Monkey
    29th Aug
