Check Point Research recently warned that criminals are exploiting the COVID-19 crisis with a wave of fake emails designed to trick people into sharing their security credentials.
To catch a phish
Apple, the research claims, is the most widely impersonated brand.
Phishing is the practice of impersonating legitimate messages from a brand in an email or other message in an attempt to trick people into accessing that service through attacker-controlled, insecure servers, and sharing their login passwords and credentials when they do.
Criminals can then use this information to undermine account security, dig deeper into your identity to get even more confidential data, or even sell your details on the black market to other hackers.
This is a threat to every user’s personal security, but this wave of attacks also threatens your business, your employer and the other security protections you rely on.
Sophisticated attackers have been known to study target enterprises to find weak points across multiple employees in order to break into secured systems.
What’s the best defense?
Education, of course.
Employees (and employers) need to learn how to spot a phishing attack. It’s good for them and also for business. The FBI’s Internet Crime Complaint Center reported $57 million was lost to phishing scams in 2019.
It’s useful to invest the time it takes to understand how these scams work, and to take a few simple steps to protect against them.
How do these usually work?
The scenario usually involves an unexpected email from a known brand. It might invite you to check your account, could be an invoice for an item you did not purchase, or can take other forms – even an innocuous-seeming message with a “click here” link may carry some kind of payload.
The most frequent phishing emails purport to come from a trusted brand and might take one of the following forms:
- Unexplained suspension or block of your account.
- A request for payment for something you didn’t purchase.
- A web address that’s a little different than you’d normally expect.
- A request for private information, such as bank details.
- Poor grammar or spelling errors.
- Purportedly from a company or service you already know you do not use.
What should you do?
- If you receive an unexpected email purporting to be from Apple or anyone else you’d usually trust, first check the sender’s email address. Does it look normal? Is it slightly different from the address you usually receive messages from? If it seems suspicious, it probably is.
- It’s worth checking the greeting used in the message: If it uses something generic, such as “Hey dear,” or offers a link to update your payment details, it’s very likely to be a scam.
- Unless you are completely confident the link in an email or message is trustworthy, don’t click it.
The best protection is never to click a link to your account that is contained in an email. Think about it: in most cases any genuine problem relating to your account will be flagged in your account settings when you access the service directly in your browser.
It takes only a few additional moments to open Safari, manually visit your account page, log in yourself (not via a link in an email) and check whether you’ve received notification of a problem. If you don’t find any such warning, the message you responded to is more than likely an attempted phishing attack – you can also contact customer service to confirm this.
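The checks above (is the sender’s domain really the brand’s, is the greeting generic, does the link use https and point at the brand’s own domain) can be turned into a simple triage script that a help desk or security team can run over a reported message before anyone clicks anything. The following is an added example written for this article, not code from Check Point, Apple or the article’s author; the trusted domains, brand words, phrases and the two sample messages are constructed assumptions for illustration.

```python
"""Heuristic phishing triage for a raw email message (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions for this example: the impersonated brand is Apple, and these are
# the only domains we would accept an Apple notice or link from.
TRUSTED_DOMAINS = {"apple.com", "id.apple.com", "email.apple.com"}
BRAND_WORDS = ("apple", "icloud", "itunes")
GENERIC_GREETINGS = ("hey dear", "dear customer", "dear user", "dear client")
URGENT_PHRASES = ("suspended", "locked", "verify your account", "update your payment")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def domain_of(addr_or_url: str) -> str:
    """Return the lowercased host part of an email address or URL."""
    if "://" in addr_or_url:
        return (urlparse(addr_or_url).hostname or "").lower()
    return addr_or_url.rsplit("@", 1)[-1].lower() if "@" in addr_or_url else ""


def is_trusted(host: str) -> bool:
    """A host is trusted if it is a listed domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def looks_like_brand(host: str) -> bool:
    """Untrusted host that still contains a brand word (a lookalike domain)."""
    return bool(host) and not is_trusted(host) and any(w in host for w in BRAND_WORDS)


def body_text(msg) -> str:
    """Concatenate the text/plain and text/html parts of the message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw_message: str) -> list:
    """Return the list of phishing indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []
    sender = domain_of(parseaddr(msg.get("From", ""))[1])
    if looks_like_brand(sender):
        findings.append(f"sender domain '{sender}' imitates the brand but is not trusted")
    text = body_text(msg)
    lowered = (msg.get("Subject", "") + "\n" + text).lower()
    if any(g in lowered for g in GENERIC_GREETINGS):
        findings.append("generic greeting instead of the account holder's name")
    if any(p in lowered for p in URGENT_PHRASES):
        findings.append("urgency or account-suspension language")
    for url in URL_RE.findall(text):
        host = domain_of(url)
        if not url.lower().startswith("https://"):
            findings.append(f"link without https: {url}")
        if looks_like_brand(host):
            findings.append(f"link to brand-lookalike domain: {host}")
    return findings


# Constructed sample messages (not real mail): one phish, one genuine receipt.
PHISH = """\
From: Apple Support <support@apple-id-alerts.example>
To: victim@example.net
Subject: Your Apple ID has been suspended
Content-Type: text/html; charset=utf-8

<html><body><p>Hey dear,</p>
<p>Your Apple ID has been suspended. <a href="http://apple-id-alerts.example/verify">Click here</a>
to verify your account within 24 hours.</p></body></html>
"""

LEGIT = """\
From: Apple <noreply@email.apple.com>
To: victim@example.net
Subject: Your receipt from Apple
Content-Type: text/plain; charset=utf-8

Dear Alex,
Thanks for your purchase. You can review it any time at https://appleid.apple.com/ by signing in.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, triage(sample) or ["no indicators found"])
```

The script only flags indicators; it does not decide. A message with no findings can still be malicious (for example one whose link goes to a freshly registered domain with no brand word in it), so the article’s advice to visit the account page manually rather than through the link still applies to a clean result.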
How to protect yourself
There are steps you can take in order to secure your digital existence against such attacks:
- Never share your Apple ID password or verification codes with anyone. Apple never asks for this information to provide support.
- Use unique and complex passcodes for all your accounts, particularly the most important accounts.
- Use multi-factor authentication wherever you can, particularly for often-targeted services such as iCloud, Google, and social media.
- Always keep your operating system on your mobile devices, PCs and Macs updated. Set these to update automatically.
- Keep Safari updated.
- Always check the domain – never enter confidential information into a website whose URL does not begin with https, and check for the closed lock icon near the address bar.
- Back up your data. Business users should insist that remote employees back up data daily – ideally to a system that is not connected to their network, or to your own highly secure online archiving system, if you have one.
- Audit your online accounts to ensure no one is quietly abusing them.
- Always check Safari’s Passwords feature to ensure you are using unique passcodes for every site or service you use.
What can I do if I have fallen for a phishing scam?
If you’ve fallen for a scam and know you have shared important confidential information, the first thing is not to panic. The second is not to ignore it.
- If your Apple ID has been compromised, or you might have entered your password or other personal info on a scam website, change your Apple ID password.
- Visit Identity Theft and take the recommended steps for whatever form of data you may have shared.
- If you think you may have been tricked into downloading harmful software, you should run a malware checker and update your system.
- If you receive phishing emails you can forward them to firstname.lastname@example.org. You can also report these attacks to the FTC.
- If you receive a suspicious email that pretends to be from Apple, forward it to email@example.com.
I’m on a mission to try to develop useful resources for Apple-using enterprises and individuals as our working lives change in response to the pandemic. Please explore these additional reports:
Please follow me on Twitter, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.
Copyright © 2020 IDG Communications, Inc.