Is this Facebook email real or phishing?

  • I received this email from what is supposedly Facebook today. Here's a screenshot:

    I was not aware I had credits or credits existed on Facebook and apparently I have $2.30 worth. It looks legitimate at first glance, the email address looks like all the other Facebook emails I get but I have a few reasons to believe this is fake and a phishing attempt.

    1. All of the links on the page, which I haven't clicked on by the way, when hovering over and getting a preview of the link in the bottom left corner, aren't actual URLs, just directories I think. The Facebook header link points to setting?tab=payments. The review your balance link is the same thing. The app center link is just appcenter. Perhaps a failed phishing attempt or the email team messed up, not something Facebook would do.

    2. The email style of the header, and background doesn't look anything like the legitimate emails I get from Facebook. To see what I mean, take a look at this email I got a couple days ago.

    As you can see, the top blue bar is a solid blue bar, unlike the gradiented bar on the first email. The background is white not grey like the first one. And it's not full width like the first one. The styles are similar but the first one looks a little older than the one I got a couple days ago which has a flatter look.

    Is this email legitimate or is it some sort of failed phishing attempt?

    Edit: here is the source code:

    Delivered-To: [email protected]
    Received: by with SMTP id mc3csp215958iec;
            Mon, 28 Jul 2014 11:18:02 -0700 (PDT)
    X-Received: by with SMTP id ha2mr5567506pbc.143.1406571481784;
            Mon, 28 Jul 2014 11:18:01 -0700 (PDT)
    Return-Path: <[email protected]>
    Received: from ( [])
            by with ESMTPS id bg5si3360342pdb.468.2014.
            for <[email protected]>
            (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
            Mon, 28 Jul 2014 11:18:01 -0700 (PDT)
    Received-SPF: pass ( domain of [email protected] designates as permitted sender) client-ip=;
           spf=pass ( domain of [email protected] designates as permitted sender) [email protected];
           dkim=pass [email protected];
           dmarc=pass (p=REJECT dis=NONE)
    Received: from (f2hk/PLxoaEIT/fBlhT+zd5nnjzhUaEeZHCH61uLXXqwZpYsw2Ru1XBNzDHLgndM
     by with Thrift id 8297627c168311e4a87a0002c992c8ec-5c5fb400;
     Mon, 28 Jul 2014 11:18:01 -0700
    X-Facebook: from ([MTI3LjAuMC4x]) 
        by with HTTP (ZuckMail);
    Date: Mon, 28 Jul 2014 11:18:01 -0700
    Return-Path: [email protected]
    To: Milo Gosnell <[email protected]>
    From: "Facebook" <[email protected]>
    Reply-to: noreply <[email protected]>
    Subject: You have $2.30 in your Facebook account
    Message-ID: <[email protected]>
    X-Priority: 3
    X-Mailer: ZuckMail [version 1.00]
    Errors-To: [email protected]
    X-Facebook-Notify: payment_credits_to_lc_balance; mailid=a409107G5af3188d358eG0G28eG21014dad
    X-Auto-Response-Suppress: All
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;
        s=s1024-2013-q3; t=1406571481;
    Content-Type: text/plain; charset="UTF-8"
    Content-Transfer-Encoding: quoted-printable
    Hi Milo,
    Facebook has changed from credits to local currency. You have $2.30 in =
    your account. You can review your balance or use this money on apps or =
    games in the App Center.
    The Facebook Payments Team
    This message was sent to [email protected] If you don't want to receive =
    these emails from Facebook in the future, please follow the link below to =
    Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA =
    Content-Type: text/html; charset="UTF-8"
    Content-Transfer-Encoding: quoted-printable
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional =
    //EN"><html><head><title>Facebook</title><meta http-equiv=3D"Content-Type" =
    content=3D"text/html; charset=3Dutf-8" =
    /><style>body{background:#e0e1e5;font-family:'Helvetica =
    Neue',Helvetica,'Lucida Grande',tahoma,verdana,arial,sans-serif;font-weigh=
    t:300}a{color:#333;text-decoration:none;white-space:nowrap =
    !important}#email_table{width:100% !important}#email_content{padding:0 =
    !important}#profile_pic =
    img{border:0}*[class].usercard{background:#fff}@media all and =
    (max-device-width: 720px){a{white-space:pre-wrap =
    !important}table[bgcolor=3D"#e9eaed"]{background:transparent =
    !important}*[id]#body_container{border-bottom:1px solid #e5e5e5 =
    able-layout:fixed}*[id]#cta_outer{border:none !important}*[id]#header_prof=
    ile>table>tbody>tr>td:not(:nth-child(4)){display:none =
    adius:3px !important;-webkit-border-radius:3px =
    !important;border-radius:3px !important;border-width:0 =
    !important;overflow:hidden}*[id]#header_title{width:auto =
    !important}*[id]#header_profile{width:24px}*[class].bio{display:none =
    !important}*[id]#main_content{width:100%}*[class].content>div =
    a{display:block;overflow:hidden;text-overflow:ellipsis;white-space:nowrap =
    !important;width:160px}*[class].ext{padding-right:20px}*[class].image =
    y:block}*[id]#email_cta>tbody>tr>td[width=3D"100%"]{display:none}}@media =
    all and (device-width: 720px){table[width=3D"610"],*[id]#body_container,*[=
    id]#footer_container{width:340px}*[id]#email_filler td{height:12px =
    !important}*[class].usercard{width:300px !important}}@media all and =
    (max-device-width: =
    480px){*[id]#cta_container>table>tbody>tr>td[height=3D"15"]{display:none =
    !important}}@media all and (device-width: 320px){table[width=3D"610"],*[id=
    ding:0 10px}*[class].content>div a{width:182px}}</style></head><body =
    style=3D"margin:0;padding:0;" dir=3D"ltr"><table cellspacing=3D"0" =
    cellpadding=3D"0" id=3D"email_table" =
    style=3D"border-collapse:collapse;width:98%;" border=3D"0"><tr><td =
    id=3D"email_content" style=3D"font-family:&#039;lucida =
    ckground:#e0e1e5;"><table cellspacing=3D"0" cellpadding=3D"0" =
    width=3D"100%" border=3D"0" =
    style=3D"border-collapse:collapse;width:100%;"><tr><td =
    -bottom:none;"><table cellspacing=3D"0" cellpadding=3D"0" width=3D"100%" =
    style=3D"border-collapse:collapse;"><tr><td =
    style=3D"padding:0;width:100%;"><span style=3D"color:#FFFFFF;display:none =
    !important;font-size:1px;">Hi Milo, Facebook has changed from credits to =
    local currency. You have $2.30 in your account. You can review your =
    balance or use this money on apps or games in the App Center . Thanks, The =
    Facebook Payments Team</span></td></tr><tr><td =
    style=3D"padding:0;width:100%;"><table cellspacing=3D"0" cellpadding=3D"0" =
    width=3D"100%" bgcolor=3D"#435E9C" style=3D"border-collapse:collapse;width=
    :100%;background:#435E9C;background-image:-webkit-linear-gradient(top, =
    #5c77b5, #435e9c);border-color:#0A1F4F;border-style:solid;border-width:0px =
    0px 1px 0px;box-shadow:0 1px 1px rgba(0, 0, 0, 0.25);height:47px;" =
    id=3D"header"><tr><td style=3D""><center><table cellspacing=3D"0" =
    cellpadding=3D"0" width=3D"610" height=3D"44" =
    style=3D"border-collapse:collapse;"><tr><td align=3D"left" =
    id=3D"header_title" style=3D"width:100%;line-height:47px;"><table =
    cellspacing=3D"0" cellpadding=3D"0" =
    style=3D"border-collapse:collapse;"><td style=3D""><a =
    href=3D"/settings?tab=3Dpayments" style=3D"color:#FFFFFF;text-decoration:n=
    one;font-weight:bold;font-family:lucida grande,tahoma,verdana,arial,sans-s=
    ign:left;text-shadow:0 1px 0 rgba(0, 0, 0, 0.24);"> facebook </a></td><td =
    width=3D"10" style=3D"width:10px;"></td><td style=3D""><font =
    color=3D"white" size=3D"3"><a =
    style=3D"color:#ffffff;text-decoration:none;font-family:Helvetica =
    Neue,Helvetica,Lucida Grande,tahoma,verdana,arial,sans-serif;font-size:16p=
    x;font-weight:bold;text-shadow:0 -1px rgba(34, 59, 115, =
    0.85);vertical-align:middle;" href=3D"/settings?tab=3Dpayments"></a></font=
    td style=3D"padding:0;width:100%;"><table cellspacing=3D"0" =
    cellpadding=3D"0" width=3D"100%" bgcolor=3D"#e0e1e5" id=3D"table_color" =
    style=3D"border-collapse:collapse;"><td style=3D""><table =
    cellspacing=3D"0" cellpadding=3D"0" width=3D"100%" id=3D"email_filler" =
    style=3D"border-collapse:collapse;"><td height=3D"19" =
    style=3D"">&nbsp;</td></table><center><table cellspacing=3D"0" =
    cellpadding=3D"0" width=3D"610" =
    style=3D"border-collapse:collapse;"><tr><td align=3D"left" =
    id=3D"body_container" style=3D"background-color:#ffffff;border-color:#c1c2=
    bkit-border-radius:5px;-moz-border-radius:5px;box-shadow:0 1px 1px rgba(0, =
    0, 0, 0.10);overflow:hidden;"><table cellspacing=3D"0" cellpadding=3D"0" =
    width=3D"100%" style=3D"border-collapse:collapse;"><td =
    style=3D"padding:15px;"><table cellspacing=3D"0" cellpadding=3D"0" =
    style=3D"border-collapse:collapse;width:100%;"><tr><td =
    -serif;padding-bottom:10px;">Hi Milo,</td></tr><tr><td =
    -serif;padding-top:10px;padding-bottom:10px;">Facebook has changed from =
    credits to local currency. You have $2.30 in your account. You can <a =
    href=3D"/settings?tab=3Dpayments" =
    style=3D"color:#3b5998;text-decoration:none;">review your balance</a> or =
    use this money on apps or games in the <a href=3D"/appcenter" =
    style=3D"color:#3b5998;text-decoration:none;">App =
    Center</a>.</td></tr><tr><td style=3D"font-size:11px;font-family:LucidaGra=
    nde,tahoma,verdana,arial,sans-serif;padding-top:10px;">Thanks,<br />The =
    Facebook Payments Team</td></tr></table></td></table></td></tr></table></c=
    enter></td></table></td></tr><tr><td =
    style=3D"padding:0;width:100%;"><table cellspacing=3D"0" cellpadding=3D"0" =
    width=3D"100%" style=3D"border-collapse:collapse;" =
    id=3D"footer_table"><tr><td style=3D""><center><table cellspacing=3D"0" =
    cellpadding=3D"0" width=3D"610" =
    style=3D"border-collapse:collapse;"><tr><td style=3D""><table =
    cellspacing=3D"0" cellpadding=3D"0" width=3D"610" border=3D"0" =
    id=3D"footer" style=3D"border-collapse:collapse;"><tr><td =
    style=3D"font-size:12px;font-family:Helvetica Neue,Helvetica,Lucida =
    Grande,tahoma,verdana,arial,sans-serif;padding:18px 0;border-left:none;bor=
    t:300;line-height:16px;text-align:center;border:none;">This message was =
    sent to <a href=3D"mailto:myEmail&#064;" =
    style=3D"color:#6a7180;text-decoration:none;font-family:Helvetica =
    Neue,Helvetica,Lucida Grande,tahoma,verdana,arial,sans-serif;font-weight:b=
    old;">myEmail&#064;</a>. If you don&#039;t want to receive these =
    emails from Facebook in the future, please <a href=3D"https://www.facebook=
    5af3188d358eG0G28eG21014dad" =
    style=3D"color:#6a7180;text-decoration:none;font-family:Helvetica =
    Neue,Helvetica,Lucida =
    Grande,tahoma,verdana,arial,sans-serif;font-weight:bold;">unsubscribe</a>. =
    Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA =
    /tr></table></td></tr></table><span style=3D"width:100%;"><img =
    88d358eG0G28eG21014dad" style=3D"border:0;width:1px;height:1px;" =

    Google `` and you will find a lot of results questioning mails coming from this domain.

    You may find this article or this article, and especially this question useful for differentiating between real facebook messages and phishing attempts. The first email appears to be a phishing scam but I can't be completely sure. I would suggest simply going to and logging in to see if you actually have $2.30 in your acco

    can you post the source code of the email?

    @tim I posted the source.

    except for the two points you mentioned, I cannot find anything wrong with it (but I'm not a phishing expert; it definitely seems legit, and all the Received fields seem to check out). When you log in to Facebook, do you have $2.30 in your account? And you can always contact Facebook ([email protected]); maybe they'll even reply.

    I suggest something different: let the hacker hack your account first. We will deal with him later. :)

    @TheJoker yeah I'm not doing that

    FWIW, Facebook Credits are real. It's the currency used to pay for Facebook games and other apps. Occasionally you'll get credits as a prize or sponsored offer.

  • I wouldn't put it past Facebook to "mess up".

    From the headers, it appears that Google's servers saw the request as coming from IP address, which is indeed part of the domain. The Google server verified the DKIM signature on the email, relative to the public key found in the DNS as a TXT record for that domain; this is a 1024-bit RSA key and, right now, the signature still matches. 1024-bit RSA keys are still beyond what is technologically feasible to break (the current breaking record is 768 bits), unless one invests a significant number of millions of dollars into building a dedicated machine, but it would be improbable that such an investment would be made for hacking into Facebook accounts.

    Therefore it seems plausible that the email really exited from the machines associated with the domain. It is documented that this domain really belongs to Facebook, and they really use it to send notifications to users. For instance, this article states that:

    Confusingly, Facebook notifications come from the domain and include a suspicious-looking sender's name. The long, complicated URL might also look suspicious, but this notification is a legit one from Facebook.

    I totally agree with the "confusingly".

    Now, that the email comes from Facebook does not mean that it is legit; it just means that if the email is fake, then the attacker compromised some machine within the Facebook internal network and sent the email from that machine.

    As you notice, the email is weird; it does not "look like" a normal Facebook notification; moreover, the clickable links in the email are broken (since they are relative links, without a protocol or server part, they won't send you anywhere if you click on them -- if you read the email from a Webmail, they might send you to some page on that Webmail server, here

    My overall assessment is that the email is not an attack, but a technical blunder from the people at Facebook, who were testing some prototype notification for something related to Facebook Game Payments, and triggered the system for the wrong account (yours, in this case).

    Anyway, for all emails, the usual rule must be maintained: DO. NOT. CLICK.

    If the email is legit, then you can log in to the relevant site and see for yourself. You do not have to follow a clickable link from the email itself. The simple rule of never clicking on email links will keep you safe from phishing attempts.
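    The two checks the answer walks through, the SPF/DKIM/DMARC results in the headers and the scheme-less links in the HTML body, as a small triage script. This is an added example, not code from the question or the answer; the sample message is constructed in the shape of the quoted source, with placeholder domains and addresses because the real ones are not preserved in the quote.

```python
import email
import re
from email import policy

# Constructed sample modelled on the question's headers; domains are placeholders.
SAMPLE = b"""Authentication-Results: mx.example.net;
       spf=pass (domain of notify@mail.example.com designates 192.0.2.10 as permitted sender) smtp.mailfrom=notify@mail.example.com;
       dkim=pass header.i=@mail.example.com;
       dmarc=pass (p=REJECT dis=NONE) header.from=mail.example.com
From: "Example" <notify@mail.example.com>
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/html; charset="UTF-8"

<html><body><a href="/settings?tab=payments">review your balance</a> or the
<a href="/appcenter">App Center</a>.
<a href="https://www.example.com/unsubscribe?id=123">unsubscribe</a></body></html>
--b1--
"""

SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*:", re.I)  # absolute URL (or mailto:)


def auth_results(msg):
    """Collect method=result pairs from every Authentication-Results header."""
    found = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            found[method.lower()] = result.lower()
    return found


def html_links(msg):
    """Every href in the HTML alternative, in document order."""
    part = msg.get_body(preferencelist=("html",))
    if part is None:
        return []
    return re.findall(r'href\s*=\s*["\']([^"\']+)', part.get_content(), re.I)


def triage(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    auth = auth_results(msg)
    links = html_links(msg)
    return {
        # All three passing only says the mail left the sender's own infrastructure.
        "authenticated": all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc")),
        "auth": auth,
        "links": links,
        # Scheme-less hrefs go nowhere (or to the webmail host), as in the question.
        "relative_links": [u for u in links if not SCHEME.match(u)],
    }
```

    A message that authenticates but carries only relative links is exactly the "plausibly internal, but broken" case the answer describes; the unsubscribe link is the only one that would resolve.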

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM