A relatively harmless fake email disguised as an email from Facebook Support provided a primer on signs to look for in identifying emails of the annoying variety, like this one, as well as more serious ones that lead to malware, phishing, or other cyber-security issues.
The email, pictured below, looks like an authentic communication from Facebook Support at first glance, but upon further examination, red flags fly.

• Sender’s email address: Communications from Facebook would come from a Facebook or fb.com email address, not from: FACEBOOK Inc [christopherbetit@reagan.com]
• Recipient’s email address: This email came to an email address that is not associated with a Facebook account, bringing to mind emails that attempt to phish users’ banking information, which result in spam emails fashioned to appear as if they come from actual banks, sent to users who have no accounts at those banks.
• Details at the bottom: These spammers could have done a better job than, “Attention: Department,” not to mention the fact that Facebook’s headquarters are in Menlo Park, Calif., and not nearby Palo Alto.
• URLs: Email recipients who are suspicious of communications of this sort should always examine the URLs that are linked to. Hovering the mouse cursor over either the “Go to Facebook” or “See All Notifications” buttons did not yield Facebook URLs, but did yield this URL, which has nothing to do with the social network: http://iphotoplay.com/pomerania.html.

As it turned out, this email was neither malware nor a phishing attempt, but an annoying way to drive recipients to a site for Canadian Family Pharmacy offering the traditional drugs of spam emails (and we will not vouch for their authenticity, for obvious reasons): Viagra, Cialis, Levitra, and Propecia.
The moral of the story: Look for signs like those listed above if there is the slightest reason to be suspicious of emails that appear to be from Facebook but seem a little off.

You are probably aware that going online puts you at risk of catching viruses or malware, even if you don’t visit questionable websites. And if you are a careful person, you most likely have a decent antivirus program installed on your computer. Do you believe with all your heart that your computer is safe and your antivirus can protect it against any threat that tries getting through? Think again! 
There are certain conditions or circumstances, which may lead to a major security breach that may result in an infection or data loss. Even if you believe you are well protected, read on to see the top 5 reasons your antivirus may fail to protect your computer.
1. License Expired ​

A recent Google Phishing scam hit headlines after a number of Gmail users had their accounts compromised by a worryingly sophisticated email scam. Users were tricked into clicking an email that took the user to a real Google account selection screen, and after selecting their account, a “Google Docs” window would appear, requesting permission to read, write and access emails.
By granting “Google Docs” permission, the document was revealed to be published by a random Gmail account, and the holder of the account would now have access to the affected account. What they thought was “Google Docs” was in fact a malicious third-party web app, and scammers now had access to user emails, and could send more scam emails from the victim’s account.
The most worrying aspect of this phishing scam was that the scam worked within the existing Google login system, it bypassed the two-factor authentication and was only noticeable as fake after clicking the link. The scam took advantage of the fact that fake applications named “Google Docs” can be created, and since the scam didn’t require victims to type in their passwords, the usual anti-phishing measures didn’t block it.
The scam exploited Open Authorisation (OAuth). OAuth notifies a resource provider that the resource owner grants third-party access to their information. An example of this would be Facebook (resource provider) being notified that you (resource owner) are allowing a third-party (a Facebook application) to access your information (your friend list). There are a multitude of online services that use OAuth, and it’s impossible to vet all the third-party applications that use it.
Fortunately, the scam was detected and dealt with quickly by Google within an hour. A company statement assured users of the following:

• Offending accounts had been disabled
• Fake pages and applications had been removed
• Updates were being pushed through Safe Browsing, Gmail, Google Cloud Platform, and other counter abuse systems

The scam ultimately affected around 0.1% of Gmail users, which equates to about one million users out of Gmail’s one billion active users.
Phishing scams of this scale are relatively rare, and therefore make headline news. However, phishing attacks are all too common and it’s worth taking preventative measures to ensure that your account isn’t compromised.
How to Protect Yourself from a Phishing Scam
Phishing emails are typically designed to fool the victim into giving away their personal information, or installing malicious software. Luckily, there are a few easy ways to spot a phishing scam:

1. Bad spelling and grammar is often seen in phishing emails, and a legitimate company with hired copyeditors would never release such an email. Big brands care about their reputations, cyber criminals don’t.
2. Never click an unknown link. If the email encourages you to click on a link to ‘fix’ a problem or to ‘claim’ a prize, hover your mouse over the link and look at the address. If the link looks unusual, a way to test the legitimacy of the link would be to manually type it into the address bar in a new window—if the URL takes you to a different address from the one you’ve typed, it’s fake
3. Analyse how the sender addresses you. Legitimate companies like to be as personable as possible and often will address you by your name, not by vague titles like ‘Valued Customer’.
4. If the language is threatening or urgent, and claims that your account has been suspended, has had unauthorised logins attempts, or will be closed if you don’t act, it’s most likely a scam. Scammers often try to inject a sense of urgency to make you act before thinking.
5.  Always scrutinise email attachments. While you might be expecting a file from someone, make sure to check the attachment for anything suspicious. It’s very easy to download malware that damages files on your computer, steals your passwords or spies on you without your knowledge.
6.  Make sure to check the address bar. Even if you’re sure the sender is legitimate, make sure to check the address bar if you click on a link. While a scammer can create a convincing login page to trick you into giving away your password, a quick glance at the address bar should tell you if the website you’re on is genuine.
7. Double check, if you can. While you may be able to recognise a phishing scam at home, recognising one at work is just as important. Scammers can easily pose as a highly ranked member of an organisation and send fake emails to employees asking for personal information. This kind of personal information can easily be used for fraud, so try to check if the email is genuine by contacting the sender themselves if possible.
8.  Don’t trust email headers. An email header can be forged with a brand name, and scammers can easily make a fake ‘From’ address similar to a real company.
9.  If the message asks for personal information, never give it up. No matter how official or genuine an email may look, companies would never ask for personal information via email. Asking for account numbers, passwords, or the answer to a security question would never happen with a trustworthy company.
10. A lack of information about a sender can be a tell-tale sign of a fraudulent sender. Companies tend are keen to hear from their customers and always leave contact details.

This list is by no means exhaustive—phishing scams have become increasingly convincing, and scammers are always evolving new ways to hit unsuspecting users. Email phishing is the number one delivery vehicle for malware, and in 2015, 85% of organisations were victims of phishing attacks and 30% of phishing emails were opened! Having the intuition to spot scams is an excellent way to protect yourself and others from losing personal information and other sensitive data.
But regardless of how vigilant you might be when inspecting your emails, mistakes do happen and the most convincing scams often fool even the savviest of tech users. Our next post will cover the next steps should your system fall prey to a phishing scam, with tips on how to locate the affected account, and investigate what data has been accessed.