Phishing: Hook, Line, and Sinker
As a follow-up to my last post about passwords, I'd like to address the type of scam that I've seen more people fall for than any other—phishing. Phishing emails are ones you get that pretend to be from legitimate people or companies but are actually sent by some Very Bad People instead. These Very Bad People are hoping that by either scaring you or fooling you, they can get you to give them information (usually login details for a website or credit card info) that'll let them rip you off.
While most people think they'd never fall for something like that, the truth is that the most sophisticated of phishing emails are very difficult to detect, and unless you have a well-tuned sense of paranoia, you're at risk. (And by the way, I highly recommend paranoia where online security is concerned.)
Then how do you avoid falling prey? Well, the most important advice I can give you is not to panic. No matter what an email you've gotten says is going to happen, let the fact that you're afraid set off warning bells in your mind! That fear is what scammers want you to feel. And in almost all cases, the threats are completely empty anyhow.
So you've gotten an email that has made you afraid, and you realize that you need to investigate further. To start, the easiest thing to do is to avoid clicking any links in the email and go directly to the website in question to check things out. For example, let's say the scary email says that your Bank of America account has been compromised. Instead of clicking the button within the email that says "Log In," you'll open your browser and go directly to the Bank of America website from there. Check and see if you have any alerts on your account, and if you're still worried, contact their customer support by calling the number on the back of your credit card.
The second thing you can do is search through the email itself. First, if there are any links or buttons with links, you can hover over them within Mail on your Mac to see where they lead without having to click them. As an example, here's a phishing email I got just this week:
Well, my first clue that this wasn't legit was that they said that they weren't able to authorize my "card_payment." I mean, great typography, guys. But if I were to investigate this anyhow, I'd start by hovering my cursor over that shiny button that's just daring me to click it.
See how when I do that, I get a link that'll send me to a site that has nothing to do with Wix? That's a clue, as well. I edited out most of the rest of that gobbledygook link, but I'm not sure why. To protect the identity of the scammers, I guess?
Anyhow, another thing you can do to investigate is to hover over the sending email address in the header of the message. When you do that in Apple Mail on your Mac and click the downward caret (or when you tap directly on the sender's name on your iPhone or iPad), you'll see which email address it came from.
So even though the name of the sender was listed as "WIX_donotreply," it was sent from Ryan at, again, a company that has nothing to do with Wix. Oh, Ryan. Why would you do this to me?
Note that this isn't always definitive; sometimes scammers will use email spoofing to pretend the email came from someone else, too. But it can still be part of your investigative process.
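For anyone who'd rather script those two checks than hover, here's an added example (not part of the original post) that reads a saved message, compares the real sending address with the company it claims to be, and lists every link that leads somewhere else. The sample message and its domains are constructed, and treating "wix.com" as the legitimate domain is an assumption you'd swap for whichever company the email claims to be from.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message; every name and domain in it is made up.
SAMPLE = """\
From: "WIX_donotreply" <ryan@mail.unrelated-company.example>
To: me@example.org
Subject: We could not authorize your card_payment
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Your payment failed.</p>
<a href="https://login.unrelated-site.example/x?id=123">Update billing</a>
<a href="https://www.wix.com/account">Help center</a>
"""

class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag, i.e. what hovering would reveal."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def belongs_to(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def inspect(raw, expected_domain):
    """Return (sender_matches, [links that leave expected_domain])."""
    msg = message_from_string(raw)
    _name, addr = parseaddr(msg["From"])  # ignore the display name entirely
    sender_ok = belongs_to(addr.rpartition("@")[2], expected_domain)
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    collector = LinkCollector()
    collector.feed(body)
    off_site = [h for h in collector.hrefs
                if not belongs_to(urlsplit(h).hostname, expected_domain)]
    return sender_ok, off_site

if __name__ == "__main__":
    print(inspect(SAMPLE, "wix.com"))  # expected_domain is an assumption
```

The sender check only reads the From header, so a spoofed address can still pass it; the link list is the stronger signal of the two.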
Finally, in addition to paying attention to emails that scare you and checking into their claims, you have to also be careful about emails with links or attachments that seem to come from friends. This is especially true if you're asked to log in to an account when you click the link or try to open the document. If you aren't expecting a Google Docs link from someone, best practice would be to contact the person and see if they actually sent you something before you interact with it. If they didn't send anything, then it's possible that your friend's email account has been hijacked, and they definitely need to change their password!
As always, feel free to get in touch if you have questions, and if you do receive (or accidentally click on) a malicious email, give us a buzz! We can help you figure out what happened…and maybe you won't have to be afraid at all. That's always the goal.