Also how many confirmations does it take to be sure it is real?
I am curious: how does someone send fake bitcoins?
Without mining, you can try a race attack where you spend from two nodes (say, node A and node B) with the same coin at the same time to two different merchants. It is possible that one merchant will see the spend from node A and another merchant will see the spend from node B. Of course, as soon as there is a block, whichever spend reached the miner first will be the one included in the block. If the merchant accepts as payment a transaction on 0/unconfirmed, then that merchant has exposure to this race attack.
There is not yet a system developed to counter this, but a solution to this is for the merchant's node to listen to many nodes, especially those of pools, to see if there was another attempt to spend. Within seconds the merchant can know that no other spend attempts were attempted, and if a race attack were being attempted, the chance of it succeeding drops to almost nothing.
While there are possible but not likely explanations that a double spend would be attempted, the risks to a brick and mortar merchant when accepting bitcoin on 0/unconfirmed are likely less than other risks faced (e.g., shoplifting, credit card chargebacks, etc.).
There is another attack if the attacker is mining. If a block is mined, the bad actor miner then makes a purchase with a merchant but then after securing the goods, announces the block which has that same coin spent to a different address -- likely one owned by the miner. This is called the Finney attack:
The bitcoin client doesn't "confirm" until 6 blocks. Waiting until 1/unconfirmed will lessen the risk of a Finney attack. Waiting for 6/unconfirmed will lessen to nearly zero the risk that a payment received will be lost to a double spend.
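The answer's suggestion that a merchant's node listen to many nodes for a second spend of the same coin can be sketched as below. This is an added example, not code from the answer or from any Bitcoin client: the `RaceMonitor` class, the peer names and both thresholds are hypothetical. It covers only the race attack on 0/unconfirmed payments, not the Finney attack.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple  # outpoints spent, each (previous txid, output index)

class RaceMonitor:
    """Flags any coin (outpoint) that two different unconfirmed transactions spend."""

    def __init__(self, min_peers=3, settle_seconds=10):
        # Both thresholds are illustrative assumptions, not recommendations.
        self.min_peers = min_peers
        self.settle_seconds = settle_seconds
        self.spenders = defaultdict(set)  # outpoint -> txids spending it
        self.seen = {}                    # txid -> (tx, first_seen, peers)

    def observe(self, peer, tx, now):
        """Record that `peer` relayed `tx` at time `now` (seconds)."""
        _, _, peers = self.seen.setdefault(tx.txid, (tx, now, set()))
        peers.add(peer)
        for outpoint in tx.inputs:
            self.spenders[outpoint].add(tx.txid)

    def conflicts(self, txid):
        """Other txids spending any outpoint that `txid` spends."""
        rivals = set()
        for outpoint in self.seen[txid][0].inputs:
            rivals |= self.spenders[outpoint]
        return rivals - {txid}

    def verdict(self, txid, now):
        if txid not in self.seen:
            return "unknown"
        if self.conflicts(txid):
            return "conflict"  # second spend seen: treat payment as unpaid
        _, first_seen, peers = self.seen[txid]
        if len(peers) < self.min_peers or now - first_seen < self.settle_seconds:
            return "wait"
        return "accept-0conf"

def demo():
    # Constructed sample: txids, peer names and timings are made up.
    m = RaceMonitor()
    pay, rival = Tx("tx-to-merchant", (("coin-a", 0),)), Tx("tx-to-other", (("coin-a", 0),))
    m.observe("peer-3", pay, 0)
    m.observe("pool-2", rival, 2)  # same coin, different transaction
    return m.verdict("tx-to-merchant", 30), m.conflicts("tx-to-merchant")
```

A "conflict" verdict is sticky: once a rival spend has been seen from any peer, the payment should be held until a block settles which spend was included.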