You’ve probably heard of phishing — the concept of sending an email that contains a link or an attachment that leads you to a website with a counterfeit sign-in screen, where you enter your credentials, only for the owner of that site to get your user name and password, which they can then use to access your content and personal information.
The first step in getting phished is that you’ll receive an email or other message pretending to be legitimate — maybe from your bank, your ISP or your friends. It may say something like this — your password has expired, your profile has been updated, or other such information.
These messages usually contain some kind of link, directing you to sign in to update information. Here’s an example:
But there are a bunch of red flags in a mail like this:
– Red Flag One – There’s no personal information in it. It doesn’t say ‘Dear Laurence’, but ‘Dear Customer’. It also doesn’t know my email address (it claims ***@icloud.com)
– Red Flag Two – It tells me that my Apple ID is ***@icloud.com, but this email didn’t go to that address
– Red Flag Three – I sign in with my Apple ID all the time, and I know that it is not an @icloud address.
– Red Flag Four — Who is the email from? It says ‘Apple Support’, but you can usually inspect the sender to see.
Yep, even though they claim to be Apple Support, the email is from firstname.lastname@example.org – That’s a fake.
So, when you get an email like this — other than the link asking you to go to a site to update your details, there are going to be lots of red flags. So watch out. So, let’s see what happens if you click on the link.
I’m taken to a site that looks a lot like Apple’s, but look closely. Can you see the red flags?
First of all there’s the address of the site — it’s http://cctvtangerang.web.id/<something> — and not Apple.
Next, take a look at what happens when you do click on Apple’s site:
Can you see the difference? Look at the address bar on your browser. The real one has a green icon on the left, with a little lock beside it telling you that this is an Apple site. Just about any legitimate business will have this set up. The fakes will not.
You’ll also notice the subtle alert icon on the fake site. Look what happens when you click on it:
In this case Chrome has detected that this site doesn’t use encryption and doesn’t have a certificate to validate its identity, but it’s still asking for a user name and password.
Another thing you’ll notice on a fake site — and this one is a great example — is that clicking around will do nothing. On Apple’s site, if you click ‘mac’, it will take you to the ‘mac’ page. On this site…nothing.
So, for fun, I’m going to enter an obviously fake username and password:
But instead of rejecting me as an obvious fake, it takes me to the next screen anyway! And what is that screen? ‘Confirm your ID’
And in this case, confirming my ID means entering name, address, date of birth, credit card etc. If you haven’t realized the obvious trickery by now….
So, please realize:
- It’s easy to create a site like this – as soon as it gets shut down, another can be spun up in minutes
- It’s easy to craft a fake email
- It’s easy to send an email like that to millions of people
- If just a tiny percentage of people fall for it, and get all the way to the final confirm, it’s still profitable for the scammer
To Protect Yourself
- Don’t use free email services with poor spam filters. If there’s too much spam in your inbox, then these emails will get through too, and sooner or later you’ll be caught by one.
- I honestly believe Gmail has the best filters for this. I’ve mostly moved my personal email there, and I get orders of magnitude less spam, and zero phishing attacks.
- Never click on a link in an email that claims to be there to help you, or needs you to sign in to verify something. If your bank, your ISP, or any other identity holder claims to need you to sign in via email, open another tab on your browser and visit their site directly. Do not click on the link.
- Always look for the green lock icon in the address bar as shown here
- If in doubt, do not enter your details — trust no one
- These scams don’t just come in email. They can be in chat rooms, IMs, texts, you name it. The best way to protect yourself is to have a little knowledge. Hopefully this post helps.
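The red flags walked through above (a generic greeting, a sender whose display name claims Apple while the address does not, and a link to a non-Apple host over plain http) can also be checked mechanically. The following is an added example, not part of the original post; the sample message, the `BRAND_DOMAINS` allow-list and the function names are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains the claimed brand legitimately uses (hypothetical allow-list).
BRAND_DOMAINS = {"apple": {"apple.com", "icloud.com"}}
GENERIC_GREETINGS = ("dear customer", "dear user", "dear client")

# Constructed sample modelled on the email described in the post.
# The link path elided in the post is left out; only the host is used.
SAMPLE = """\
From: Apple Support <firstname.lastname@example.org>
To: reader@example.com
Subject: Your Apple ID has been updated

Dear Customer,
Your Apple ID was updated. Sign in to confirm:
http://cctvtangerang.web.id/
"""

def in_domains(host, domains):
    """True if host equals, or is a subdomain of, one of the domains."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def red_flags(raw):
    """Return a list of red-flag descriptions for a raw plain-text email."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    body = msg.get_payload()
    flags = []
    # Which brand does the display name or subject claim to be?
    claimed_text = (display + " " + msg.get("Subject", "")).lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand not in claimed_text:
            continue
        # Display name says the brand, but the real address is elsewhere.
        if not in_domains(addr.rpartition("@")[2], domains):
            flags.append(f"sender {addr} is outside {brand} domains")
        for url in re.findall(r"https?://[^\s<>\"']+", body):
            u = urlparse(url)
            if not in_domains(u.hostname, domains):
                flags.append(f"link host {u.hostname} is outside {brand} domains")
            if u.scheme != "https":
                flags.append(f"link to {u.hostname} is not HTTPS")
    if any(g in body.lower() for g in GENERIC_GREETINGS):
        flags.append("generic greeting, no personal details")
    return flags

if __name__ == "__main__":
    for flag in red_flags(SAMPLE):
        print("RED FLAG:", flag)
```

An empty result only means none of these particular red flags fired; it does not prove a message is genuine.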