
Is This Facebook Email a Fake?

Verifying that an email came from Facebook is incredibly simple, but only if you know where to look. We show you how.

By Neil J. Rubenking
Updated February 15, 2023
(Illustration: René Ramos)

Chances are you get dozens or hundreds of emails a day. How many of those are fakes, attempts to fool you into giving away sensitive personal or company information? Your employer may send you to training on the clues that reveal fraud in phishing emails. If you're observant, you've probably learned enough not to fall for most phishing scams.

If the sender’s email domain is not quite the same as the supposed sending company, that’s a red flag. A message from an address at paypal.com may very well be fine; one from paypal-acount-verefy.com probably isn’t. Messages telling you to click a link before some deadline or else lose access to your account are also highly suspect.

It's too bad Facebook seems to be sending legitimate mail that raises these flags. Just how do you determine if an email that seems to be from Facebook is legitimate? The best security suites are good at detecting phishing emails, but what if you want to check a particularly tricky message for yourself? I'll show you the process I went through with one such email, below.


A Strange Message From Facebook

I started looking into this problem when an old friend of mine asked about a slightly odd email he got, purportedly from Facebook. It noted that since his posts have “the potential to reach a lot of people,” he’s required to enroll in Facebook Protect. Not only that, but if he doesn’t do it within about three weeks, he’ll also be locked out of the account. There’s that pesky deadline. To top it off, the message was sent from the domain facebookmail.com—a variation on what you’d expect. That’s two strikes. Oh, and according to its own description, Facebook Protect was designed for “candidates, their campaigns and elected officials.” My friend doesn’t fit any of those categories.

And yet…the message is not asking him to send money, or give away his password, or anything nefarious. It’s insisting he increase his security. How would a scammer benefit from that? Also, strange as it seems, Facebook confirms it uses the facebookmail.com domain to send official emails. Could it be the message is legitimate?


How to Verify Whether an Email Is From Facebook

As it turns out, verifying an email came from Facebook is incredibly simple—but only if you know where to look. Here’s how.

  1. Go to Settings. On your own Facebook profile page, click your face at top right, then choose Settings & Privacy > Settings to open the main Settings page.

Find Facebook Settings
(Credit: PCMag)

  2. Find Facebook's List. Near the top left you should find Security and Login. Click that and scroll down to the Advanced section. Click the item titled “See recent emails from Facebook.”

See Recent Emails from Facebook
(Credit: PCMag)

  3. Match Your Message. If you see a match for the questionable message’s subject line, you can be pretty sure it’s legitimate. Be sure to look both in the list of Security-related messages and in the list titled Other. Note that Instagram has a very similar feature—not surprising, as both Facebook and Instagram are owned by Meta Platforms.

(Credit: PCMag)

Other Ways to Verify

If the message you’re wondering about doesn’t appear in the list of messages sent by Facebook, that should make a strong case for it being a fraud. In practice, though, that isn’t always so. I shared the instructions above with my friend who received that suspect message. He reported no matches in the list of messages. On the flip side, he pointed out Facebook had extended the Facebook Protect program to a wider audience, including journalists. As it happens, he’s a journalist, living outside the US.


At this point I was convinced that, despite its quirks, the message was probably legit. To further support this judgment, I combed through the original message and checked all the links. A scam message that uses deadlines or other scare tactics to make you click a link will almost certainly link to a dangerous page. All the links in this message went straight to facebook.com.

That left the very unlikely possibility that somebody spoofed the sending address, [email protected]. Nothing I’d learned thus far suggested any possible motivation for that sort of hack, but I checked anyway.


The Proof Is in the Header

Every email message comes with a collection of routing information and other metadata hidden away in its header. You don't normally see this data. It's not intended for you—it's for use by your email client. But if you want to check for signs of address spoofing, you must dig into that header data.

Just how you view an email message’s header data varies depending on how you get your mail. In Gmail, you click the More icon (three vertical dots) to the right of the Reply icon and select Show Original. This immediately showed that the message passed three tests designed to detect spoofing: SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting & Conformance). That’s all I needed to know; I didn’t bother clicking Download Original to view the precise details of header data.

Outlook View Headers
(Credit: PCMag)

Outlook isn’t quite as helpful as Gmail. You open the message, select File from the menu, and click the Properties icon. In the resulting dialog you get the full semi-incomprehensible details of the message header, in a small, awkward scrolling window. Carefully picking through the headers, I found lines like

spf=pass (google.com: domain of [email protected] designates 69.171.232.140 as permitted sender)

That’s the unpolished text Gmail summarizes as “SPF: PASS”. Poring over the header data a bit more, I confirmed that fields such as Return-Path and Errors-To all correctly contained the sender’s address. That cinched it. This was a legitimate email from Facebook.
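The manual header and link inspection described above can be scripted. The following Python program is an added example, not code from the article or from Facebook: it reads a raw message (the text Gmail shows under Show Original), pulls the SPF, DKIM and DMARC verdicts from the Authentication-Results header, checks that the Return-Path domain matches the From domain, and checks that every link in the body points at facebook.com or one of its subdomains. Both sample messages are constructed for illustration; the local parts, the IP addresses (from the RFC 5737 documentation ranges), the DKIM selector and the lookalike.example domain are made up, and only the header layout follows what the article quotes.

```python
"""Apply the article's three checks (authentication verdicts, Return-Path
alignment, link destinations) to a raw email message. Added example."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: header shape modelled on Gmail's "Show Original" view.
# Local part, IP address and selector are made up; not the article's message.
LEGIT_MESSAGE = """\
Return-Path: <sender@facebookmail.com>
Authentication-Results: mx.google.com;
       dkim=pass header.i=@facebookmail.com header.s=selector1 header.b=AbCd1234;
       spf=pass (google.com: domain of sender@facebookmail.com designates 203.0.113.10 as permitted sender) smtp.mailfrom=sender@facebookmail.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=facebookmail.com
From: Facebook <sender@facebookmail.com>
To: friend@example.net
Subject: Your account requires advanced security from Facebook Protect
Content-Type: text/html; charset=utf-8

<html><body>
<p>Turn on Facebook Protect: <a href="https://www.facebook.com/settings">Get started</a></p>
<p><a href="https://www.facebook.com/help/">Help Center</a></p>
</body></html>
"""

# Constructed look-alike: the visible From matches, but the bounce address and
# the link host do not, and the receiving server recorded SPF/DMARC failures.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@lookalike.example>
Authentication-Results: mx.google.com;
       dkim=none;
       spf=fail (google.com: domain of bounce@lookalike.example does not designate 198.51.100.7 as permitted sender) smtp.mailfrom=bounce@lookalike.example;
       dmarc=fail (p=REJECT sp=REJECT dis=REJECT) header.from=facebookmail.com
From: Facebook <sender@facebookmail.com>
To: friend@example.net
Subject: Your account requires advanced security from Facebook Protect
Content-Type: text/html; charset=utf-8

<html><body>
<p>Turn on protection now: <a href="https://facebookmail.lookalike.example/verify">Get started</a></p>
</body></html>
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)


def domain_of(address):
    """Lower-cased domain of an address such as 'Name <user@host>' or '<user@host>'."""
    _, addr = parseaddr(address or "")
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Extract the spf/dkim/dmarc verdicts recorded in Authentication-Results."""
    header = msg.get("Authentication-Results", "")
    return {name.lower(): result.lower() for name, result in AUTH_RE.findall(header)}


def return_path_aligned(msg):
    """True when the bounce address (Return-Path) shares the From header's domain."""
    return domain_of(msg.get("Return-Path")) == domain_of(msg.get("From"))


def link_hosts(msg):
    """Hostnames of every href in the message body (HTML preferred over plain)."""
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    hosts = set()
    for url in HREF_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def under_domain(host, domain):
    """True only for the domain itself or a real subdomain, never a look-alike."""
    return host == domain or host.endswith("." + domain)


def assess(raw, expected_link_domain="facebook.com"):
    """Run all three checks on a raw RFC 5322 message and return the verdicts."""
    msg = message_from_string(raw, policy=policy.default)
    results = auth_results(msg)
    hosts = link_hosts(msg)
    return {
        "spf": results.get("spf", "missing"),
        "dkim": results.get("dkim", "missing"),
        "dmarc": results.get("dmarc", "missing"),
        "return_path_aligned": return_path_aligned(msg),
        "link_hosts": hosts,
        "links_ok": bool(hosts) and all(under_domain(h, expected_link_domain) for h in hosts),
    }


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_MESSAGE), ("spoofed", SPOOFED_MESSAGE)):
        print(label, assess(raw))
```

The Authentication-Results header is written by the receiving mail server (here mx.google.com), so its verdicts are only as trustworthy as the server that added them; a check on a message exported from your own mailbox is fine, but a forwarded copy may carry headers the forwarder never verified. The suffix test in under_domain is deliberate: a plain substring match would accept a host such as facebook.com.lookalike.example.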


Verify Messages From Facebook

If you get an iffy message claiming to be from Facebook, you can log into your account and view a list of recent messages sent to you by the service. Finding your message in this list pretty much guarantees it’s legitimate.

Not finding it should mean it’s a fake, but as we’ve seen, that isn’t always true. For a sanity check, search the web for information about the sending domain; facebookmail.com turned out to be legitimate. Check all links in the message to make sure they link to safe pages. And peruse the email header to make sure the sender's address wasn’t spoofed. If the message passes these tests, you can rely on its validity, even if it doesn’t show up in Facebook’s list.
