Day 24

How to Spot a Phishing Email or Fake Facebook Page

Welcome to Day 24 of my 30-day security challenge, the month-long challenge I created to help you gain control of your privacy and security online. You can follow along with the security challenge via my blog at, where you can skip ahead or download a checklist of the challenge. Each video will also be curated into a playlist so it'll be easy to follow along from Day 1 all the way through 30 here on YouTube.

Today we'll discuss how to spot fake emails or fake social network pages. There are several reasons why you want to be able to spot these, most notably social engineering or hacking. Fake emails could be used specifically to pry information out of you without your consent. These could look like fake shipping carrier emails, or fake banking emails that get you to click on a link and put in your username and password, fake bill pay requests, etc. Fake social networking pages are made to look like legitimate companies that offer freebies for likes, shares, or follows. You like the page and end up getting socially engineered, or the page eventually disappears and you find a different company in its place.

But to understand how to watch out for them, first we must understand what phishing is. Phishing is a large-scale attack where an attacker creates a forged email and sends it to a whole series of email addresses they found in other hacks or from huge lists they found on the web. Their intent is to trick you into divulging information or downloading malware. They do this by making the email look incredibly similar to the ones you'd normally see from a company you do business with. OR, they'll use the name of one of your friends and email you asking for money. Yet another reason to clean out those friends lists! To take it a step further, spear phishing is when you or a company are specifically targeted for more information. Facebook pages or Twitter accounts are commonly made to create an emotional response in users. They want you to immediately reshare a page post, retweet a comment, and they want you to make them go viral. Alternatively, they could get you to like or follow their page, click on a link and divulge information, or invite friends to the page. These pages or accounts will either phish information out of you or eventually completely change the page to read and market something else entirely. Email clients and social networks have taken steps to keep this from happening (such as using spam folders and requiring approval to change Page names), but phishing still gets through. So today, let's talk about how to spot them.

Keep your security software up to date on your systems or turn on automatic updating. Older security software might not catch newer malware, so downloading updates is a crucial step.

Take note of emails that are highly urgent or require immediate action. If you get a message from "eBay" asking you to pay a 200 invoice within 24 hours or your account will be suspended, and to "Click Here to pay!", it might not actually be eBay. Open a new tab in your browser, type into your address bar and log into your account. Then pay any bills required. The same goes if you receive an urgent request from a friend. Call them up to confirm, send them a text message, or direct message them on another platform. Verify it was them. If not, someone might be spoofing their email address or pretending to be them.

Misspellings or bad grammar? BIGGEST RED FLAG OF THEM ALL. Is an email address misspelled? Red flag. Companies should have editors checking public work before being sent out to customers, so this shouldn't happen in legit emails.

If you receive an offer for something that seems too good to be true, it probably is. Did you get an email saying you won a free iPhone, or a free Caribbean cruise, or a free trip to Disneyland? Did you receive an email saying you won the lottery? It's fake. You never entered a giveaway but you won a free product? It's fake. By the way, you aren't gonna die if you don't forward that chain email about spiders on a plane. That's fake too.

Did you initiate the conversation? You just received some random unsolicited email from a company to reset your password or track a shipment? It's fake.

Both the display name and the email address it comes from can easily be made to look legitimate. Obvious red flags would include a misspelling in the name, or an email address whose domain doesn't match the actual company name.

If links are included in the email, hover over them and see where they link to. If the actual link doesn't match the company's .com, then it's a fake.
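The two checks above (display name versus sender domain, and visible link text versus where the href actually points) can be automated. This is an added example, not code from the original post; the From header and HTML body are constructed samples, and "registrable domain" is approximated by the last two labels of the hostname.

```python
"""Flag two common phishing tells in an email: a From display name that
names a brand while the address is on another domain, and links whose
visible text shows one domain while the href points at a different one."""
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phish, not a real domain)
SAMPLE_FROM = '"eBay Billing" <billing@ebay-invoices-pay.example>'
SAMPLE_HTML = (
    '<p>Your invoice is due within 24 hours.</p>'
    '<a href="http://ebay.example-secure-pay.net/login">https://www.ebay.com/pay</a>'
    '<a href="https://www.ebay.com/help">Help center</a>'
)
# Visible anchor text that looks like a URL or bare hostname
URLISH = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)

def registered_domain(host):
    """Crude approximation: last two labels of the hostname (assumption)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def display_name_mismatch(from_header, brand_domain):
    """True if the display name mentions the brand but the address is off-domain."""
    name, addr = parseaddr(from_header)
    brand = brand_domain.split(".")[0]
    addr_domain = registered_domain(addr.rpartition("@")[2])
    return brand in name.lower() and addr_domain != brand_domain

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag."""
    def __init__(self):
        super().__init__()
        self.links, self._href = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
    def handle_data(self, data):
        if self._href is not None:
            self.links.append((self._href, data.strip()))
    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None

def mismatched_links(html):
    """Return links whose visible text names a domain different from the href's."""
    p = _LinkCollector()
    p.feed(html)
    out = []
    for href, text in p.links:
        if not URLISH.match(text):
            continue  # plain words like "Help center" carry no domain claim
        href_host = urlparse(href).hostname or ""
        text_host = urlparse(text if "://" in text else "//" + text).hostname or ""
        if registered_domain(text_host) != registered_domain(href_host):
            out.append((href, text))
    return out
```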

If there aren't contact details for the company in the email, it's probably fake. And if they start the email with something like a wrong name, a "dear customer", or "my dear", weird stuff - then it's fake.

Never give out private information over email. Try to use another platform for this information, and in person is best. Be skeptical. And be careful about what info you share publicly on social network sites. Never click on links or attachments in emails, and always try to go directly to a company site via the web browser instead.

Google's Gmail is pretty good about catching these emails and sticking them in the Spam box, but it doesn't catch them all. The best advice I can give in relation to email is trust no one, because phishing is getting more and more clever over time.

When it comes to social networks, you can use many of the same triggers to find phishing attacks. Pages that are spelled wrong, use incorrect grammar, or create a sense of urgency (like "we'll give away two free tickets in one day but you have to like our page to enter!" blah blah blah). Not only are some of these against the social network's terms of service for contests and giveaways, but they're also phishing. If the page creates an immediate emotional response of anger, sadness, or hate, it could be using that against you to make you share the page's post. Double check, triple check information claiming to be factual. If it's not true, report it to the social network.

The best way to tell if a Facebook page is really a legit company is if it has a little blue circle with a white checkmark next to the name - that's Facebook's way of verifying a company or celebrity's page. For example, let's look at a couple of Disneyland pages. This page: is real. This one: is not real. Sometimes fan pages will include a "not associated with Disneyland" comment in their about section, but not always. Some of them will be used to phish personal information out of you. Some of these offer free tickets to a theme park to phish information. Of course, social networks recommend reporting fake pages or profiles immediately.

Day 24 is now complete! Tomorrow is all about how to spot fake support phone calls, scammers, and social engineering. But first, make sure to subscribe on YouTube and hit up for the downloadable checklist and to skip ahead on the 30-day security challenge. Again, I'm Shannon Morse and I'll see you tomorrow for day 25!