Facebook Class Action email - it looks like a phish but it's the real deal

Filed Under: Featured, Law & order, Phishing, Social networks

The news that Facebook is turning facial recognition back on in photo tagging has a silver lining.

Many of our readers have been inspired to revisit their privacy settings and to make sure those settings really are what they intended.

Reviewing what the cyberlifestyle gurus call your security posture is something well worth doing once in a while.

Like regular trips to the dentist, or routine prostate examinations, it can save you a lot of unexpected grief in the future - but it doesn't leave you numb in body, mind or wallet.

This, in turn, has led a number of you to ask about a Facebook-related email that's doing the rounds lately.

It certainly has some of the hallmarks of a phish:

There's an arresting headline:


There's the assurance that this email is lawful, objective, legitimate and, indeed, important:

A federal court authorized this Notice. This is not a solicitation from a lawyer.

There are millions of dollars up for grabs, if only you are willing to join in:

Facebook will pay $20 million into a fund that can be used, in part, to pay claims of Class Members who appeared in a Sponsored Story.

Got your attention? Good. Because there are some worrying things, too.

Like the sender's email address, which seems unusual for something with the imprimatur of a federal court:

From: legalnotice <legalnotice@facebookmail.com>

Or the online call to action, asking you to click a link the in the email:

Please visit www.xxxxxxxxx..com (if clicking on the link does not work, copy and paste the website address into a web browser)

If you're worried about web links in unsolicited emails (and you should be!), you can fall back to the good old telephone.

But you have to a phone number given by the sender, which is usually a no-no.

That number is always going to terminate where the sender wants it to, so a bogus sender can answer to make you believe you've reached a company with any name they like:

You may also contact Class Counsel, Robert S. Axxx of the Axxx Law Firm, by calling 1-555-555-5555

Or you can send an email, though interestingly to an address quite different from the already-unusual one used by the sender.

Oh, and there's just a touch of bait-and-switch, if you read carefully:

Each participating Class Member who submits a valid and timely claim form may be eligible to receive up to $10.

That's it, I'm afraid.

That $20 million pot will give you a maximum return of $10.

If you dig further, you might find even more curious facts that aren't immediately obvious. You'll need to click the link and drill down into a number of documents, including a 46-page PDF entitled:


The bottom line, roughly speaking, is that the lawyers are hoping to claim approximately $8 million in fees. So there'll be $12 million left to pay all the possible claimants.

→ You'll get $10 if there are 1.2 million claimants or fewer. But if there more than 2.4 million claimants, your share would be below $5, and the court might decide that it's too hard and expensive to distribute that many payouts. In that case, a named charitable fund may end up scooping the whole pot. After the lawyers' fees.

Fact is, however, that this isn't a phish.

It's a genuine class action, with a genuine proposed settlement for Facebook's disputed Sponsored Story system.

So the lawyers are entitled - indeed, I suspect they're probably obliged - to try to contact you to advise you of your involvement (whether you expect it or wish it), because your own legal rights are affected by this matter.

There isn't a simple opt-in here.

You can opt in, and you might get $10, but you waive the right to sue Facebook independently if you do. You can opt out, get nothing now, but maintain the right to take your own legal action later.

Or you can do nothing. Then you automatically waive your right to sue Facebook later, as well as any claim on that $20 million mountain of moolah.

Since this is the default, "neither in nor out", you can see the legalistic purpose of the initial email.

And, to be fair to the lawyers, there probably isn't any other reasonable way they could contact you, since most Facebook users are little more than an email address, at least as far as Facebook can reliably tell.

In short, this email, and others like it against other internet companies, aren't phishes. They're lawful communications that couldn't be done in an efficient, timely and effective fashion any other way.

First problem is, I think they look sufficiently phishy to teach us bad standards once we realise they're legitimate. If this one's OK, why not similar emails that are utterly bogus?

Second problem is, I can't think up a way they could be made clearer from a security point of view without making them ineffective in getting the underlying message across of what your options are, and why.

How would you approach this sort of communication in order to make it set higher security standards without losing clarity and completeness?

Share your ideas in the comments below...

, , , , ,

You might like

17 Responses to Facebook Class Action email - it looks like a phish but it's the real deal

  1. Brendan · 977 days ago

    Maybe the official representative, in this case Facebook, should post this on verifiable locattns such as their own Facebook page or on the Facebook homepage.

    • Paul Ducklin · 977 days ago

      I guess that asking FB to do the job of the lawyers whom FB has already as good as agreed to pay as part of the settlement (which is not an admission of fault) might be considered both unobjective and uunfair.

      Anyway, what if as a "wronged party" you had decided not to login to FB any more?

  2. fifilatourdefrance · 977 days ago

    What's to stop the lawyers dipping into their massive fees, to set up a temporary joint venture with a known legitimate and trusted organisation, for the purposes of getting this right and reaching the maximum number of wronged individuals?

    You're right: it's not easy to do all this *on the cheap*. If the lawyers are really worth that level of fees they should be prepared to lay out some of it on a quality service.

    • Paul Ducklin · 977 days ago

      Actually, the fees are made up of professional fees, bonuses and costs. So you can imagine that the postage would go on top of the fees, not come out of them :-)

      Anyway...how else to reach FB users independently of FB other than to send an email?

      • fifilatourdefrance · 977 days ago

        An email from a trusted legitimate charity, say, with which it had set up a well-publicised joint venture organisation for the purpose, would enable them to use email but with the credentials the attempt featured in this article lacked.

        That's how.

      • I agree email is the most efficient, however it should have come from a legitimate and verifiable source address, with the notice (which apparently was authorised by a federal court) should appear on the dept of justice website or some similarly authoritative location, rather than any old random website.

        This is also a prime example of why PGP signing should be standardised in all email clients in this day and age. A digital signature using public-private key pairs could be easily verified to ensure that the source is who it claims to be, and thus the content legetemised. The technology exists for this whole process to be automated as well, I can't understand why the major mail clients and sites like gmail and outlook.com don't incorporate this as an option.

  3. GGG · 977 days ago

    The format and content of this notice are standard in a US class action lawsuit. I don't think the lawyers representing the class and bringing this suit can legally just change either aspect w/o court approval. Unfortunately, what looks like a normal legal document when received by mail looks like phishing in an email.

  4. "Or you can send an email, though interestingly to an address quite different from the already-unusual one used by the sender."

    I've always been firmly of the opinion, having previously been the postmaster for an "enterprise" scale organisation, that if you want people to respect your (bulk) email, you should at the very least accept replies to the sending address, i.e no "do not reply to this message. It's been sent froma n unmonitored adress, yada, yada...". Yes, I know the signal-to-noise ratio will be low, but it's just what you have to accept for the benefit of being able to bulk-email (IMHO).

    Additionally, it should *always* come from an address in your own domain. If your outsourced, cloud-based, CRM, mail-marketing provider cannot manage these, then you shouldn't be using them (though it may take an incident like this to persuade the big-hats as to why... ;-)

  5. Richard · 977 days ago

    How long will it take the scammers to start using variations of this email for their own purposes? Especially as Sophos says it's not a scam!

  6. susan · 977 days ago

    I received this email too, and was wondering.

    I agree with @SiliconRag above - it SHOULD have been sent from an email address from the domain of the actual law firm. Also they could also have a page on their website. If the email is coming from "smithandjoneslawfirm.org:, for example, then I could go to smithandjoneslawfirm.org and research the company and discover that in fact they are a real law firm, discover how long they have been practicing and where.

    Personally I am not interested in suing FB (certainly not for a payout of $10) and am simply going to ignore.

  7. Alidu · 977 days ago

    There needs to be a global utility to "certify" communications like this. In the interest of getting things going, why not get a group of key players in the tech industry in some of the G-20 countries to start this up? They could pitch it to law firms as a service and ask for a small portion (presumably a fraction of a % of a settlement of a suit) to support cases like this.

    Okay - not do-able on tight timelines, but there's a bigger problem here with internet communications that needs to be solved with something other than a one-off solution.

  8. Soxlade · 977 days ago

    1) Have a less phishy phone number to call - the 1-555-555-5555 number just looks dodgy (ditto 1-234-567-8910)

    2) Use a company email address: "legalnotice@facebookmail.com" or "facebookclassaction@barkerparkerandperkins.com" which one seems less dodgy to click on?

    3) Host further information on the lawyers own website as a sub site. That gives users a chance to sniff around the top level URL and see if there appears to be a legitimate company behind this. Even if a scammer goes to the bother of producing a complete website for their fictitious company, they will screw up somewhere - usually the Ts & Cs, or there will be a typo or duff image of some description, or the addresses won't match the buildings shown (yay for Google Street View).

    Most lawyer websites look like scam sites anyway, so they don't help themselves really. It also is not the work of hundreds of hours to set up a dedicated email address, phone number and web sub site which, when you're hoping to rake in $12m seems a small price to pay...


  9. Nigel · 977 days ago

    "How would you approach this sort of communication in order to make it set higher security standards without losing clarity and completeness?"

    Make the lawyers hand-carry a hard-copy of the message to each recipient.

    OK, I'm kidding...er, sort of. It's just irritating that no matter what else happens, the lawyers always win. I suppose the existence of the legal system makes lawyers a necessary evil. But whenever I encounter the phrase "necessary evil", it always makes me wonder whether the thing that necessitates the evil is ITSELF necessary. Replacing the legal system with something that doesn't necessitate such evils is (apparently) unthinkable. Perhaps that's the first clue that we need to check our assumptions.

  10. GrampaIT · 977 days ago

    Duh - the lawyers don't want you to join the claim. They keep what you don't take.

    • Paul Ducklin · 977 days ago

      I think you'll find it's entirely the other way around. The members of the class action get what the lawyers don't take.

      The lawyers get their fees+costs+bonuses up front out of the $20 million. (They petition the court for just how much that should be - that's the 46-pager I mentioned above, in which they argue the worth of their work.)

      Everyone else gets some, all or nothing of what's left.

  11. Craig B · 977 days ago

    How about:
    a) Publish details on the lawyers website
    b) Obtain an EV certificate for the site
    c) Redirect all HTTP traffic to the HTTPS site
    d) Tell people to validate on their website
    e) Reference the legal case at a 'trusted' site


    Replicate the above, but with a website run by the courts system.

    I may not trust the website, but if you tell me to enter (no link!) an obviously government run website address, and search for a case, I'm more likely to do that and believe.

  12. Billy · 976 days ago

    What about contacting users through a FB message from Mark Zuckerberg's profile?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog