As we grow more comfortable in our digital world we can become complacent and forget that the internet still harbours many scams, some as easy to fall for as clicking on an email, and this is largely because scammers' efforts have become far more detailed and sophisticated.
Earlier on I received on my work email a message purporting to be from Facebook, saying someone had added a picture of me to an album. I know this isn't real without opening it because there's no mention of my work address on my Facebook account, but some people would believe it and click on it excitedly. I did, however, use Outlook to view the email's properties and could see from them that the message originated from facebookmail.com. One caveat on that: the address in the From line is free text that a sender can set to anything, so on its own it does not tell you where a message came from. What ties a From domain to its real sender is whether the receiving server's SPF, DKIM and DMARC checks passed, which appears in the same properties view in the Authentication-Results header, alongside the Received chain that records which servers actually handled the message. It also happens that facebookmail.com is the domain Facebook itself uses for its notification mail, which is precisely why it is worth forging. The question still stands for domains that genuinely are registered to trade on a brand: why can't domain registrars be required to refuse attempts to register names that are plainly pretending to be a major service and are only likely to be used for malicious purposes? You would only need a list of major targets, say Facebook, Outlook, Yahoo, Gmail and so on, and filter any registration containing those names regardless of prefix or suffix. If someone wants todaysoutlook.com for a weather site, that can be manually allowed, but a name that simply wraps "facebook" in a mail-sounding suffix has no honest use, not even fair parody. Organisations like Facebook would take a company to court for trademark infringement over such a domain if it were simply trading on the name, but because such domains are so often scams, by the time it comes to light the damage is done.
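The check described above, looking at a message's properties to see where it came from, can be written down so that it is done the same way every time. The following is an added example for this post, not code from the original author: it reads a raw message with Python's standard library and flags the three things worth looking at in that properties view, namely whether the From domain passed SPF/DKIM/DMARC, whether the envelope sender (Return-Path) matches the From domain, and whether links in the body leave the domains that sender normally uses. Both sample messages, the example.org/example.net hostnames and the set of domains a Facebook notification is expected to link to are constructed assumptions, and the "last two labels" domain comparison is an approximation of what a real tool would do with the Public Suffix List.

```python
"""Header-and-link triage for a suspicious notification e-mail.

Added example for this post, not code from the original author. Standard
library only. Both sample messages below are constructed for illustration
(reserved example.* hostnames, fictitious addresses) and are not real mail.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect href targets of <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def _domain_of(address):
    """Lower-cased domain of 'Name <user@host>' or 'user@host' ('' if none)."""
    _, addr = parseaddr(address or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _registrable(host):
    """Crude 'last two labels' approximation of the registrable domain.

    Good enough for .com/.net/.org samples; a real tool would use the
    Public Suffix List so that e.g. example.co.uk is handled correctly.
    """
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


def _auth_results(msg):
    """Parse Authentication-Results into {'spf': 'fail', 'dkim': 'none', ...}.

    Assumes the header was written by our own receiving server; a receiver
    that trusts sender-supplied copies of this header can be fooled.
    """
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            results[method.lower()] = verdict.lower()
    return results


def triage(raw_message, expected_link_domains):
    """Return a list of findings for a raw RFC 5322 message.

    expected_link_domains: registrable domains that links from this sender
    legitimately point at (what 'real messages from this site' look like).
    """
    msg = message_from_string(raw_message)
    expected = {_registrable(d) for d in expected_link_domains}
    findings = []

    from_domain = _domain_of(msg.get("From"))
    return_path_domain = _domain_of(msg.get("Return-Path"))
    auth = _auth_results(msg)

    # 1. From: is free text. Only a DMARC pass ties it to the real sender.
    if auth.get("dmarc") != "pass":
        findings.append(
            f"From domain {from_domain!r} is not DMARC-authenticated "
            f"(spf={auth.get('spf', 'none')}, dkim={auth.get('dkim', 'none')})"
        )

    # 2. Envelope sender (Return-Path) on a different domain than From:.
    #    A signal rather than proof: some bulk senders use a bounce domain.
    if return_path_domain and _registrable(return_path_domain) != _registrable(from_domain):
        findings.append(
            f"Return-Path domain {return_path_domain!r} does not match "
            f"From domain {from_domain!r}"
        )

    # 3. Links whose host lies outside the domains this sender normally uses.
    body = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            charset = part.get_content_charset() or "utf-8"
            body += part.get_payload(decode=True).decode(charset, "replace")
    collector = _LinkCollector()
    collector.feed(body)
    seen = set()
    for url in collector.links + re.findall(r"https?://[^\s\"'<>]+", body):
        host = (urlparse(url).hostname or "").lower()
        if host and url not in seen and _registrable(host) not in expected:
            findings.append(f"Link {url!r} points at {host!r}, outside the sender's usual domains")
        seen.add(url)

    return findings


# Constructed sample: From: claims facebookmail.com, but nothing else agrees.
PHISHING_SAMPLE = """\
Return-Path: <bounce@bulk.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=bulk.example.net; dkim=none; dmarc=fail header.from=facebookmail.com
From: "Facebook" <notification@facebookmail.com>
To: me@example.org
Subject: Someone added a photo of you to an album
Content-Type: text/html; charset=utf-8

<html><body><p>You were tagged in a new photo.</p>
<a href="http://login.example.net/facebook">See the photo</a></body></html>
"""

# Constructed sample shaped like a notification that authenticates cleanly.
GENUINE_SAMPLE = """\
Return-Path: <notification@facebookmail.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=facebookmail.com; dkim=pass header.d=facebookmail.com; dmarc=pass header.from=facebookmail.com
From: "Facebook" <notification@facebookmail.com>
To: me@example.org
Subject: Someone added a photo of you to an album
Content-Type: text/html; charset=utf-8

<html><body><a href="https://www.facebook.com/photo">See the photo</a></body></html>
"""

# Domains a real Facebook notification is expected to link to (assumption).
FACEBOOK_DOMAINS = {"facebook.com", "facebookmail.com"}

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("genuine", GENUINE_SAMPLE)):
        print(label, triage(sample, FACEBOOK_DOMAINS) or ["no findings"])
```

Run against the first sample it reports all three problems (DMARC failure, mismatched Return-Path, a link to a host outside the expected domains); against the second it reports nothing. The Authentication-Results parsing only means something if the header was added by your own mail server, which is why the function trusts it as an assumption rather than verifying SPF or DKIM itself.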
FastCompany has looked into this particular domain extensively: the email links to a fake Facebook login page that steals your credentials. As the article points out, the proliferation of "Log in with Facebook" buttons, and hence users' familiarity with them, could increase the number of these fake logins: all someone needs to do is place a fake login button on a spoof site offering celebrity pics or special offers and they have your details, which they could then use to log in to any other site that accepts Facebook login. The tell is the address bar: a genuine "Log in with Facebook" button sends you to a page on facebook.com to enter your password, whereas a fake one presents a look-alike form hosted on the spoof site's own domain, so check where the form lives before typing anything into it.
The takeaway lesson is to be familiar with what real messages from the sites you're signed up with look like, and to consider whether you would be receiving emails from them at that address at all.