One of the most common tactics cybercriminals use when targeting small and midsize businesses in phishing attacks in the form of fake notifications. These are usually meant to try to scare you into some action with messages like “Your account will be suspended in 24 hours.”
These attacks rely on fake messages that the app or service doesn’t actually send. This Office 365 phishing email is an excellent example of that—Microsoft doesn’t actually send you any emails saying your account has been suspended (you WILL get notifications that your credit card has expired).
But cybercriminals are getting better. They’re paying attention to what notifications popular companies do send and duplicating those in phishing attacks. And they’re pretty tricky to spot. Let’s look at this example we were sent recently.
This one was posing as a security alert email from Facebook, claiming an account was logged into from another location. Facebook actually does have a security option to notify you if your account is logged in from a new computer or location (we do recommend turning this notification on for any service that offers it – Google does, too!).
Here’s the phishing email:
This looks pretty convincing. For comparison, here is a real security notification from Facebook (we’ve censored some of the identifying details):
When you look at them together, you can see there are some differences:
1. The phishing email doesn’t have the correct Facebook branding. It doesn’t use the full Facebook logo. The sender address is also incorrect (the real email came from email@example.com).
2. It’s missing identifying information. We’ve blurred it out for privacy, but the real email includes your profile picture next to the information, your first name in the greeting, and your email address in the footer.
3. It’s missing the footer. The real email includes a footer with more information including an unsubscribe link, and Facebook’s address information (yes, 1 Hacker Way really is their address).
Most phishing emails posing as alerts from real companies like Facebook or Microsoft get the footer wrong or omit it altogether. Get familiar with the footers of emails from companies you deal with! They’re typically required in automated emails like this, so no footer should be a big red flag.
3. There are a few grammar and spelling errors (for example, “Facebook Securitys Teams” instead of “Facebook Security Team”).
4. The phishing email is asking you to call a phone number. If you Google this number, none of the results are related to Facebook. Most actually say something about Kindle Support Number, but none of those websites are legitimate, either.
This is a good fake. Most of these differences are small and would be difficult to spot without a real email to compare it to. If you have the real version of these notifications turned on, you’d have almost no reason to suspect that something was up.
If you get an email notification asking you to call a number to fix an issue with your account, search the number before you call. Most sites like Facebook, Google, iTunes, etc won’t ask you to call them for any reason (in fact, it can be near impossible to even find a legit number to call them on). If you can’t find some outside validation from an official source verifying the number is real, don’t call (alternatively, you could call the company's main number and ask to be transferred to the appropriate department).
They also won’t call you (unless you use a phone call as part of two-step verification, but that will be automated call). There are variations of this scam where someone will call you pretending to one of these companies. They will tell you there is something wrong with your account (like your business’s Google Maps listing is messed up), and they need $200 to fix it.
If you get an email like this with a link to click instead of a phone number, don’t click the link. Get into the habit of logging into the website in your browser or app to handle any notifications—even if they’re real. That way, if you do get a phishing attack like this, you’re less likely to click a malicious link.
For the real version of this particular email notification letting you know if someone signs into your account on Facebook, you can choose how you want to receive the notification. Email is fine, but we recommend selecting the Facebook notification option, too. That can’t be faked.
As always, be cautious about any unexpected email trying to get you to take action. Be smart about what you click and take a couple of extra seconds to look for any red flags.