Can you spot a Facebook phishing attempt?
E-mail notifications are an important part of social networking services like Facebook. If you have to continually visit a web site to see what's new, you lose much of the excitement that comes with comments on your photos or other shared items. You might miss invitations to events or opportunities to connect with a long-lost friend who's in town for a day or two.But e-mail notifications are also a potential security risk. If a potential attacker can create a realistic-looking imitation of a Facebook notification, you might find yourself clicking on a link that can lead to malware or attempt to steal your login credentials.Spotting a fake isn't as easy as it seems. I've assembled four Facebook notifications that arrived in my e-mail inbox recently. Which are real, and which are fake? Answers are in the caption beneath each screen shot.
This is a reasonably convincing fake, but a fake it is.
The word photo should be plural. That's the only typo in this message, which otherwise looks very similar to a real Facebook notification.
This one's real.
If you thought it was fake, that's understandable. The link, filled with random strings of numbers and letters, doesn't exactly lend itself to easy parsing. In fact, many phishing attackers use long, complicated links like this one to disguise their true domain.
This one's real.
Oddly, in this example, Facebook uses buttons to provide navigation to comments on items you've posted. In the previous example, you'll recall they used a long, complex URL.
How do you know whether that button goes to a safe place?Without inspecting it more closely, there's no way to tell.
This one's a fake, but it looks real enough.
The message offers three separate ways to navigate to its target. A Sign In button that matches the Facebook style, a text link next to the envelope icon, and a long URL at the bottom of the page.
Every one of these elements should look familar to a Facebook user. Without caerful inspection, it's very difficult to tell that this one isn't legit.