Facebook Class Action email – it looks like a phish but it’s the real deal

The news that Facebook is turning facial recognition back on in photo tagging has a silver lining.

Many of our readers have been inspired to revisit their privacy settings and to make sure those settings really are what they intended.

Reviewing what the cyberlifestyle gurus call your security posture is something well worth doing once in a while.

Like regular trips to the dentist, or routine prostate examinations, it can save you a lot of unexpected grief in the future – but it doesn’t leave you numb in body, mind or wallet.

This, in turn, has led a number of you to ask about a Facebook-related email that’s doing the rounds lately.

It certainly has some of the hallmarks of a phish:

There’s an arresting headline:


There’s the assurance that this email is lawful, objective, legitimate and, indeed, important:

A federal court authorized this Notice. This is not a solicitation from a lawyer.

There are millions of dollars up for grabs, if only you are willing to join in:

Facebook will pay $20 million into a fund that can be used, in part, to pay claims of Class Members who appeared in a Sponsored Story.

Got your attention? Good. Because there are some worrying things, too.

Like the sender’s email address, which seems unusual for something with the imprimatur of a federal court:

From: legalnotice <legalnotice@facebookmail.com>

Or the online call to action, asking you to click a link the in the email:

Please visit www.xxxxxxxxx..com (if clicking on the link does not work, copy and paste the website address into a web browser)

If you’re worried about web links in unsolicited emails (and you should be!), you can fall back to the good old telephone.

But you have to a phone number given by the sender, which is usually a no-no.

That number is always going to terminate where the sender wants it to, so a bogus sender can answer to make you believe you’ve reached a company with any name they like:

You may also contact Class Counsel, Robert S. Axxx of the Axxx Law Firm, by calling 1-555-555-5555

Or you can send an email, though interestingly to an address quite different from the already-unusual one used by the sender.

Oh, and there’s just a touch of bait-and-switch, if you read carefully:

Each participating Class Member who submits a valid and timely claim form may be eligible to receive up to $10.

That’s it, I’m afraid.

That $20 million pot will give you a maximum return of $10.

If you dig further, you might find even more curious facts that aren’t immediately obvious. You’ll need to click the link and drill down into a number of documents, including a 46-page PDF entitled:


The bottom line, roughly speaking, is that the lawyers are hoping to claim approximately $8 million in fees. So there’ll be $12 million left to pay all the possible claimants.

→ You’ll get $10 if there are 1.2 million claimants or fewer. But if there more than 2.4 million claimants, your share would be below $5, and the court might decide that it’s too hard and expensive to distribute that many payouts. In that case, a named charitable fund may end up scooping the whole pot. After the lawyers’ fees.

Fact is, however, that this isn’t a phish.

It’s a genuine class action, with a genuine proposed settlement for Facebook’s disputed Sponsored Story system.

So the lawyers are entitled – indeed, I suspect they’re probably obliged – to try to contact you to advise you of your involvement (whether you expect it or wish it), because your own legal rights are affected by this matter.

There isn’t a simple opt-in here.

You can opt in, and you might get $10, but you waive the right to sue Facebook independently if you do. You can opt out, get nothing now, but maintain the right to take your own legal action later.

Or you can do nothing. Then you automatically waive your right to sue Facebook later, as well as any claim on that $20 million mountain of moolah.

Since this is the default, “neither in nor out”, you can see the legalistic purpose of the initial email.

And, to be fair to the lawyers, there probably isn’t any other reasonable way they could contact you, since most Facebook users are little more than an email address, at least as far as Facebook can reliably tell.

In short, this email, and others like it against other internet companies, aren’t phishes. They’re lawful communications that couldn’t be done in an efficient, timely and effective fashion any other way.

First problem is, I think they look sufficiently phishy to teach us bad standards once we realise they’re legitimate. If this one’s OK, why not similar emails that are utterly bogus?

Second problem is, I can’t think up a way they could be made clearer from a security point of view without making them ineffective in getting the underlying message across of what your options are, and why.

How would you approach this sort of communication in order to make it set higher security standards without losing clarity and completeness?

Share your ideas in the comments below…