Fake Facebook email invites you to tell 39 strangers you were duped

Graham Cluley

A reader got in touch with me regarding a suspicious email they had received claiming to come from Facebook, with the subject line:

“Someone tried to Iog in To Your Account, User lD : <random number>”

What made the reader suspicious? Well, amongst other things, they’re not actually a Facebook user. (Good for them.)

Let’s take a look at the email, which claims to be a warning that someone using an iPhone 11 Pro had tried to log into the account.

[Image: the fake Facebook email]

A user just logged into your Facebook account from a new device iphone 11 pro. We are sending you this email to verify it’s really you.

The email offers the user two options – “Report the user” or “Yes, me”.

Now, I was fully expecting that if anyone clicked on the “Report the user” or “Yes, me” options that they would be taken to a phishing page posing as Facebook, and designed to steal their login credentials.

To my surprise, however, neither option is actually a traditional web link.

Instead, if you click either link (both use the mailto: URI scheme), your email client opens a new message, and you will find that it is addressed to 39 different email addresses.
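The quickest way to see what such a button really does is to read the href rather than the button text. The following is an added example (not code from the original post): it pulls every mailto: link out of an HTML email body, expands the full recipient list (addresses in the path plus any to=, cc= and bcc= query parameters, per RFC 6068) and flags links that would address many recipients or that hide the fact that they send mail at all. SAMPLE_HTML is constructed to mirror the email described above; the placeholder addresses (r1@example.net and so on, example.org, example.com) are assumptions, not the addresses the post redacts.

```python
"""Added example, not code from the original post: list every mailto: link in an
HTML email body and show how many recipients each one would really address.

SAMPLE_HTML is constructed for illustration; the placeholder addresses are
assumptions and not the ones the post redacts.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample body: "Report the user" carries 39 recipients in the mailto:
# path plus one cc= and one bcc= recipient in the query; "Yes, me" carries one.
_REPORT_LIST = ",".join(f"r{i}@example.net" for i in range(1, 40))
SAMPLE_HTML = f"""
<p>A user just logged into your Facebook account from a new device iphone 11 pro.</p>
<a href="mailto:{_REPORT_LIST}?cc=x@example.org&amp;bcc=y@example.com">Report the user</a>
<a href="mailto:r1@example.net?subject=Yes%20me">Yes, me</a>
<a href="https://www.facebook.com/help">Help Center</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element with an href."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            # HTMLParser already unescapes attribute values (&amp; -> &).
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def parse_mailto(uri):
    """Return the full recipient list of a mailto: URI, or None for other schemes.

    RFC 6068: recipients are the comma-separated addresses before '?', plus any
    to=, cc= and bcc= header fields in the query part.
    """
    parts = urlsplit(uri)
    if parts.scheme.lower() != "mailto":
        return None
    recipients = [unquote(a).strip() for a in parts.path.split(",") if a.strip()]
    query = parse_qs(parts.query)  # parse_qs percent-decodes the values
    for field in ("to", "cc", "bcc"):
        for value in query.get(field, []):
            recipients.extend(a.strip() for a in value.split(",") if a.strip())
    return recipients


def audit_links(html, max_recipients=3):
    """Return one finding per mailto: link: its button text, recipient count,
    the set of recipient domains, and the reasons it looks suspicious."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        recipients = parse_mailto(href)
        if recipients is None:
            continue  # ordinary web link, not what this audit is about
        domains = sorted({r.rsplit("@", 1)[-1].lower() for r in recipients})
        reasons = []
        if len(recipients) > max_recipients:
            reasons.append(f"{len(recipients)} recipients behind one button")
        if "@" not in text and "mail" not in text.lower():
            reasons.append("button text does not reveal that it sends an email")
        findings.append({"text": text, "recipients": len(recipients),
                         "domains": domains, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_links(SAMPLE_HTML):
        print(f"{finding['text']!r}: {finding['recipients']} recipient(s) "
              f"across {finding['domains']}")
        for reason in finding["reasons"]:
            print(f"  - {reason}")
```

Run against a real message, save the HTML part of the email (most clients offer "view source" or "save as .eml") and feed it to audit_links; a button whose href expands to dozens of recipients is the giveaway the post describes, and none of it requires pressing "Send".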

Here’s what you might see if you click on the “Report the user” button:

[Image: the new message that opens after clicking “Report the user”]

So, what does this mean?

You’re not being taken directly to a phishing page as you probably would have anticipated. Instead, you’re one step away (you still need to press “Send” in your email client) from announcing to 39 complete strangers that you can be lured into responding to suspicious emails.


Of course, it’s always possible that whoever is behind one of these email addresses might reply to you, and could then ask you to confirm your password or invite you to click on a link.

But it certainly feels that whoever dreamt up this scheme has made a massive boo-boo by configuring their phishy email so that victims send a mail to multiple addresses, which are probably not all under their control, rather than taking them to a conventional phishing page.

I almost wonder if whoever spammed out this email was playing with a phishing email construction kit, and somehow misconfigured it to cause such an odd outcome.

And, to be nerdy for a moment, it’s very poor form to send an email to so many recipients when a BCC: would respect their privacy much better!

I’ve redacted most of the email addresses on the list – although there are a couple which smell a bit fishy (I wouldn’t be surprised if [email protected] and [email protected] were up to no good.)

Of course, the very best defence is to know that any emails from Facebook *must* be bogus because you simply don’t have a Facebook account. :)

If you’re thinking of leaving Facebook, why not listen to this “Smashing Security” podcast we recorded:

Smashing Security #75: 'Quitting Facebook'


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

9 comments on “Fake Facebook email invites you to tell 39 strangers you were duped”

  1. Nix

    This exact email was sent to me. I clicked report this user because my ex has an iPhone 11 and she is always asking me why I won't confirm her friendship request. She has gone through my bags and phone while I slept. Before that I never worried about my password etc.
    That is why I pressed report user. I immediately had a bad feeling.

    1. Gab · in reply to Nix

      ahhhhh i sent them an email what do i do ????

  2. Jagdishdamor

    Did you use Facebook from somewhere new?

  3. Jon Galt

    I just received this email, and the disturbing thing is that I received it right after logging in to Facebook with an iPhone 11.

    Was it a coincidence, or is there some way they know I just logged in?

    1. Miken · in reply to Jon Galt

      Coincidence, I got it too but no iPhone 11

  4. Clare

    I received a similar email, but in the form of a newsletter from [email protected]
    It rang alarm bells because it isn't from Facebook itself, and it was sent to a different email address to which I have my Facebook account. I can't find any easy way of reporting it though.

    1. Katie · in reply to Clare

      That's weird, same for me also. It must track on your device, which is creepy. I have the AVG anti virus etc. for my phone too. I'm hoping someone responds so I can figure out how it connected the other email… Eeek!

    2. Katie · in reply to Clare

      PS. The reply "send my email" to whoever… was still in my sends, so I reported those emails as phishing. It might help out a little 🙂

  5. Jax

    I clicked on the Report User & sent details of my email & phone number in the email as I had locked myself out. I thought it was Facebook 😔, now I am paranoid about this person getting into anything with them having my email address & mobile number. This is a big wakeup call for me, who thought I could not be scammed 🤤
