I got an email from Facebook with the subject “someone tried to login to your account”, but I’m a bit skeptical that it’s legit. How can I tell if this message is really from Facebook or not?
Props to you for being suspicious of an email security notification, whether it’s from Facebook, your bank, your school, or your city government. It is vanishingly rare that legit organizations send out notifications of this nature, and if they do nowadays it’s more likely to be a text message or notification from the company’s app itself. Of course, text messages can be spoofed or faked so you should be skeptical of those too. The basic approach for all of these is to ignore any links, phone numbers, or email addresses, and contact the company or organization directly instead.
But there are endless scams and so-called phishing attacks that are intended to trick you out of your login information so the scammer can hijack your account. Based on that, my guess would be that if you’re skeptical enough to ask this question, odds are extremely good that what you received is indeed a scam. You can also apply some basic logic tests: does it make sense? Is it internally consistent? Does the requested action make sense?
LOGGED IN TO MY FACEBOOK ACCOUNT??
To demonstrate how some of these scams work, let’s look at an email I got this morning with the subject of “Facebook: Someone tried to log in to your account”:
At first glance it looks like it might be legit, right? But look more closely at the message because there are quite a few clues that it’s a scam message, not authentically from Facebook. For example, the subject warns someone “tried to” log in, but the message body says that someone “just logged in”. Two entirely different situations; why wouldn’t they be consistent?
Did you also notice that one of the graphics didn’t load, so there’s a broken image icon instead? It’s incredibly unlikely that an organization as big as Facebook would have such a rudimentary error.
What’s really damning, though, is if you look closely at the email sender, easily done by clicking on the tiny black triangle in Gmail (or equivalent “view sender” information in other email programs):
Look at that From information! It looks like the cat ran across a computer keyboard more than any sort of legitimate organization or domain name. Then there’s that weird Reply-To information.
REPORT THE USER
This particular scam is utilizing what’s known as obfuscation to hide the address of the real scammer; by listing six email addresses, they hope to remain hidden behind one of those addresses. Odds are very good the other five are bogus and will fail, but the sixth? Maybe it really is the scammer…
Certainly, there is zero chance that any legitimate organization would ever use a message of this type.
But… let’s say you didn’t notice and clicked on either the “Report the User” button or the “Yes, me” button. Here’s what you would subsequently see:
Again, this should instantly create skepticism; why would Facebook want you to email a response to this ostensible account login warning? Click on “4 more” and it gets worse:
I would hope that even the most gullible person would at this point say “huh. that’s weird. I don’t know if it’s legit” and back away from the interaction. Indeed, you can even ask Gemini AI whether the message you received is legit or not. It gets it right:
Next time you get a questionable message, try asking Gemini if it thinks that it’s legit or not. But don’t forget to follow your instincts too; they’re probably an even better filter.
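The sender clues above (a brand name over a random-looking domain, a pile of Reply-To addresses, buttons that turn out to be mailto: links) can be checked mechanically. Here is an added example, not from the original article, that applies those checks to a constructed message modelled on the one shown; every address in it is made up, and the list of domains a brand is expected to send from is an assumption you would verify yourself.

```python
import re
from email import message_from_string, policy

# Constructed sample modelled on the clues in the article: a brand display
# name over a random-looking sender domain, several Reply-To addresses and
# buttons that are really mailto: links. Every address here is made up.
SAMPLE = """\
From: Facebook <notify@xq7tkv-mailhost.example>
Reply-To: a1@one.example, b2@two.example, c3@three.example
Subject: Facebook: Someone tried to log in to your account
Content-Type: text/html

<p>Someone just logged in to your account.</p>
<a href="mailto:recover@four.example">Report the User</a>
<a href="mailto:yes@five.example">Yes, me</a>
"""

# Domains a brand's real notifications are assumed to come from (an
# assumption for this example; verify against the organisation's own docs).
BRAND_DOMAINS = {"facebook": ("facebook.com", "facebookmail.com")}

def addresses(msg, header):
    """Every Address object from all instances of a header (empty if absent)."""
    return [a for h in msg.get_all(header, []) for a in h.addresses]

def triage(raw):
    """Return human-readable red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    senders = addresses(msg, "From")
    replies = addresses(msg, "Reply-To")
    # Clue 1: display name or local part claims a brand, but the domain is not one of its own.
    for a in senders:
        dom = a.domain.lower()
        for brand, allowed in BRAND_DOMAINS.items():
            claims = brand in (a.display_name + a.username).lower()
            if claims and not any(dom == d or dom.endswith("." + d) for d in allowed):
                flags.append(f"From claims {brand} but sends from {dom}")
    # Clue 2: a pile of Reply-To addresses is the obfuscation trick described above.
    if len(replies) > 1:
        flags.append(f"{len(replies)} Reply-To addresses (sender obfuscation)")
    # Clue 3: replies routed somewhere other than the sending domain.
    if {a.domain.lower() for a in replies} - {a.domain.lower() for a in senders}:
        flags.append("Reply-To goes to a different domain than From")
    # Clue 4: action buttons that send email instead of opening the real site.
    body = msg.get_body(preferencelist=("html", "plain"))
    mailtos = re.findall(r'href="mailto:', body.get_content() if body else "", re.I)
    if mailtos:
        flags.append(f"{len(mailtos)} button(s) are mailto: links, not the site")
    return flags
```

Running `triage(SAMPLE)` reports all four clues; a message from an allow-listed domain with no Reply-To and no mailto: buttons returns an empty list.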
CHECK YOUR FACEBOOK LOGINS
In this particular instance, it’s worth noting that you could also skip all buttons and links in the message and simply go to Facebook, log in, and check where you’re logged in to the system. From the home screen, go to Settings and Privacy and choose Activity Log. Here’s what I see:
That’s exactly as I expect, a login on my computer, and a login on my phone. If there were any other logins shown, you could use the “•••” link to log ’em out:
Anything suspicious? Log out everywhere but the current device, then change your password and enable two-factor authentication (and save the emergency access codes it shows). Now log in again and keep an eye on things. Trouble avoided. But not because of some highly questionable email. 🧐
Pro Tip: I’ve been writing about online scams for many years. Please check out my spam, scams and security help area while you’re visiting. Thanks!