I have already discussed several phishing cases on the blog that seek to steal Facebook passwords, such as those that pretend to be direct messages, people who add you or security applications that load false forms in iframes.
The one who commented todaypretends to be a notice for an alleged posting on the wall, it is a very particular message as you can see in the following screenshot (click to see larger):
The first thing that caught my attention was the name Sofia Vergara, I couldn't resist googling it and what I found in Google Images was even more striking. Obviously it is an invented name: P
Taking this fake email as an example, the following are some signals that allow you to easily detect that it is a deception.
Strange url: when you hover over the link you can see that the destination is not facebook.com, in this case it is a false page –login-facebookin.webcindario .com– which pretends to be the Facebook one for the victim to enter their password. It is hosted in a free hosting service, without entering or clicking it is already a clear sign to distrust.
Sender: the message seems to be sent by Facebook, it is what can be seen in the From field, however the address from which it is sent is email@example.com. Facebook will never use a Gmail address to send this type of message, another clear sign to be suspicious of.
I think it is a design error that Yahoo shows the sender in this way (see image), it does so by default, at first glance the email address is not shown which lends itself to many tricks. If you use Yahoo, be careful with that.
Content: the message format could be confused with a legitimate one, but it is strange that the victim is a firstname.lastname@example.org and below all say email@example.com (orange arrows), the attacker apparently did not pay attention to what he was doing: D
As we see, it is not difficult to detect a phishing attack, simply you have to pay a little attention before clicking and using common sense.
A good security measure is to enter the wall directly from www.facebook.com, it may not be the most practical for some, but when in doubt, it is always better go directly to the page of a service avoiding clicking on the links received.
See also: Fake mobile phone checks on Facebook (watch out).