If you work for a company of any size that is even remotely online, chances are good you’ve had to undergo some training on how to spot phishing (fraudulent) emails. Even if you don’t, you may have gained a certain amount of expertise in how to spot phishing scams just by virtue of receiving tons of them.
If the sender’s email domain is not quite the same as the supposed sending company, that’s a red flag. A message from an address at paypal.com may very well be fine; one from paypal-acount-verefy.com probably isn’t. Messages telling you to click a link before some deadline or else lose access to your account are also highly suspect.
It's too bad that Facebook seems to be sending legitimate mail that raises these flags. Just how do you determine if an email that seems to be from Facebook is legitimate? The best security suites are good at detecting phishing emails, but what if you want to check a particularly tricky message for yourself? I'll show you the process I went through with one such email, below.
A Strange Message From Facebook
I started looking into this problem when an old friend of mine asked about a slightly odd email he got, purportedly from Facebook. It noted that since his posts have “the potential to reach a lot of people,” he’s required to enroll in Facebook Protect. Not only that, if he doesn’t do it within about three weeks, he’ll be locked out of the account. There’s that pesky deadline. To top it off, the message was sent from the domain facebookmail.com—a variation on what you’d expect. That’s two strikes. Oh, and according to its own description, Facebook Protect was designed for “candidates, their campaigns and elected officials.” My friend doesn’t fit any of those categories.
And yet…the message is not asking him to send money, or give away his password, or anything nefarious. It’s insisting that he increase his security. How would a scammer benefit from that? Also, strange as it seems, Facebook confirms that it uses the facebookmail.com domain to send official emails. Could it be that the message is legitimate?
How to Verify Whether an Email Is From Facebook
As it turns out, verifying that an email came from Facebook is incredibly simple—but only if you know where to look. Here’s how.
Other Ways to Verify
If the message you’re wondering about doesn’t appear in the list of messages sent by Facebook, that should make a strong case for it being a fraud. By observation, though, this may not be the case. I shared the instructions above with my friend who received that suspect message. He reported no matches in the list of messages. On the flip side, he pointed out that Facebook recently extended the Facebook Protect program to a wider audience, including journalists. As it happens, he’s a journalist, living outside the US.
At this point I was convinced that, despite its quirks, the message was probably legit. To further support this judgment, I combed through the original message and checked all the links. A scam message that uses deadlines or other scare tactics to make you click a link will almost certainly link to a dangerous page. All the links in this message went straight to facebook.com.
That left the very unlikely possibility that somebody had spoofed the sending address, [email protected]. Nothing I’d learned thus far suggested any possible motivation for that sort of hack, but I checked anyway.
The Proof Is in the Header
Every email message comes with a collection of routing information and other metadata hidden away in its header. You don't normally see this data. It's not intended for you—it's for use by your email client. But if you want to check for signs of address spoofing, you must dig into that header data.
Just how you view an email message’s header data varies depending on how you get your mail. In Gmail, you click the More icon (three vertical dots) to the right of the Reply icon and select Show Original. This immediately showed that the message passed three tests designed to detect spoofing: SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting & Conformance). That’s all I needed to know; I didn’t bother clicking Download Original to view the precise details of the header data.
Outlook isn’t quite as helpful as Gmail. You open the message, select File from the menu, and click the Properties icon. In the resulting dialog you get the full, semi-incomprehensible details of the message header in a small, awkward scrolling window. Carefully picking through the headers, I found lines like
spf=pass (google.com: domain of [email protected] designates 220.127.116.11 as permitted sender)
That’s the unpolished text that Gmail summarizes as “SPF: PASS”. Poring over the header data a bit more, I confirmed that fields such as Return-Path and Errors-To all correctly contained the sender’s address. That cinched it. This was a legitimate email from Facebook.
Verify Messages From Facebook
If you get an iffy message claiming to be from Facebook, you can log into your account and view a list of recent messages sent to you by the service. Finding your message in this list pretty much guarantees it’s legitimate.
Not finding it should mean it’s a fake, but as we’ve seen, that isn’t always true. For a sanity check, search the web for information about the sending domain; facebookmail.com turned out to be legitimate. Check all links in the message to make sure they link to safe pages. And peruse the email header to make sure the sender's address wasn’t spoofed. If the message passes these tests, you can rely on its validity, even if it doesn’t show up in Facebook’s list.
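The header and link checks described above can be scripted. The following is an added example, not code from the article, run against a constructed sample message (hypothetical domains, IP address and authserv-id, standing in for the real facebookmail.com sender): it reads the spf/dkim/dmarc results from the Authentication-Results header, compares Return-Path with the From domain, and confirms every link stays on facebook.com. It also handles one caveat the article does not mention: a sender can include a forged Authentication-Results header, so only the one stamped with your own provider's authserv-id is trusted.

```python
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (hypothetical domains, IP and authserv-id; not a real Facebook message).
RAW = b"""Return-Path: <security@facebookmail.example>
Authentication-Results: mx.example.net;
       dkim=pass header.i=@facebookmail.example header.s=s1024;
       spf=pass (mx.example.net: domain of security@facebookmail.example designates 192.0.2.10 as permitted sender) smtp.mailfrom=security@facebookmail.example;
       dmarc=pass (p=REJECT) header.from=facebookmail.example
From: Facebook <security@facebookmail.example>
Subject: Enroll in Facebook Protect
Content-Type: text/html

<p>Enroll in <a href="https://www.facebook.com/protect">Facebook Protect</a>.</p>
<p>Questions? <a href="https://facebook.com/help">Help Center</a></p>
"""
AUTHSERV = "mx.example.net"  # hypothetical: the id your own mail provider stamps on Authentication-Results

def auth_results(msg, authserv=AUTHSERV):
    """spf/dkim/dmarc results, taken only from the header your own server wrote.
    A sender can add a forged Authentication-Results line; matching the authserv-id ignores it."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        hdr = re.sub(r"\s+", " ", hdr).strip()
        if hdr.split(";", 1)[0].strip() == authserv:
            results.update(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr))
    return results

def return_path_matches_from(msg):
    """Domain of Return-Path must equal the domain of the visible From address."""
    dom = lambda h: parseaddr(msg.get(h, ""))[1].rpartition("@")[2].lower()
    return dom("From") != "" and dom("From") == dom("Return-Path")

def links_stay_on(msg, domain="facebook.com"):
    """True only if every href in the HTML body points at `domain` or a subdomain of it."""
    body = msg.get_payload(decode=True).decode(errors="replace")
    hosts = [urlparse(u).hostname or "" for u in re.findall(r'href="([^"]+)"', body)]
    return bool(hosts) and all(h == domain or h.endswith("." + domain) for h in hosts)

def verify(raw, domain="facebook.com"):
    """Run the article's checks on a raw message; a legitimate mail has every value True."""
    msg = email.message_from_bytes(raw)
    ar = auth_results(msg)
    checks = {k: ar.get(k) == "pass" for k in ("spf", "dkim", "dmarc")}
    checks["return_path"] = return_path_matches_from(msg)
    checks["links"] = links_stay_on(msg, domain)
    return checks
```

Feed it the bytes of a message saved via Gmail's Download Original (or Outlook's Properties dialog) and set AUTHSERV to the id your own provider uses.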