Phishing is a particularly nasty form of hacking because it preys on people who may be vulnerable or whose knowledge of technology isn’t particularly good. It’s usually carried out by email, but text messages, phone calls, and direct messages on social media are also used for phishing.
One of the things that makes attacks like Apple ID phishing so nasty and so difficult to guard against is that the emails used are designed to look like they come from an ‘official’ source. It could be designed to look like it’s a message from Apple telling you that you need to update your Apple ID details or the payment details on the App Store. Or it could be an email pretending to come from Google telling you that your security information is out of date or that someone has tried to access your account.
The objective of a phishing email is usually to persuade you to click a link that you think will take you to the website of the company the email is supposed to have come from. Instead, the link takes you to a website run by the hackers, usually set up to look like the website of the company they are imitating. Once you’re there, the hackers hope you will type in your user ID, password and even financial details, in order that they can steal them.
How to spot phishing emails
Most phishing emails are designed to attempt to access online accounts with banks, credit card companies or organisations that store personal data, like Apple, Facebook, and Google.
Recently, there have been Apple ID phishing email messages arriving in Mac and iOS users’ inboxes. These spoof Apple emails or fraud emails, to be more precise, claim that there is a problem with the user’s Apple ID and that their account will be closed if action isn’t taken.
While phishing emails have become more sophisticated and are increasingly difficult to spot, there are several things you can do to protect your Mac from phishing and spot, for example, Apple ID phishing.
1. Don't click the links in emails
Never, ever, click on a link in an email unless you are 100% sure where it’s come from. If you’re not expecting the email, check that it’s legitimate before you click anything. If it claims to come from an organisation with whom you have an account. Don’t click the link, go to their website or app and log in their instead.
2. Read the email carefully
Are there any spelling mistakes or grammatical errors? These are a common giveaway for phishing emails. Banks, big companies and governments departments don’t make silly spelling mistakes in emails.
3. Check the email for logic
Is it telling you there’s a problem with an account linked to an email address that’s different from the email address you use with that account? That’s another giveaway.
4. Check the email address of the sender
In modern Apple’s Mail app, and some other email clients, the sender field doesn’t display the email address by default, just the name of the sender, which can be whatever the sender wants it to be. However, if you mouse over the sender’s name and click the down arrow next to it, you will see the actual email address. Does it match the claimed identity of the sender?
5. Check the destination of the link
Don't click the link. However, if you hover over it with the mouse pointer, you will see a tool tip that displays the real destination. If it’s a website that doesn’t match the organisation from which the email claims to come, it’s a phishing email.
You should also remember that no bank or reputable company will ask you to reveal a password or other sensitive data by email. And most companies recognise that users are now wary of clicking on links and will either not ask you to do so in an email, or provide an alternative.
What to do if you suspect you’ve been phished
If you’ve clicked a link and typed in your credit card number, and you now suspect it was fraudulent, contact your credit card company straight away and cancel the card, telling them why. Likewise, if you typed in banking information, contact your bank. If the details you entered in the spoof site were a username and password, contact the company that runs the real site and let them know.
1. Scan your Mac for threats
If you suspect a link you clicked downloaded something to your Mac, run a scan with a free antivirus tool like BitDefender. Also, check your Applications folder for apps you don’t recognise and your web browsers for extensions you didn’t install.
2. Teach Mail about phishing emails
The good news is that most modern email clients, including Apple Mail, are very good at identifying junk email, including phishing messages. However, occasionally some do get through. Once you’ve identified a message as a phishing email, don’t just delete it. Mark it as junk. That way, your email client will learn and be better informed next time it encounters a phishing email from the same source.
3. Report phishing to Apple
Like most responsible companies, Apple wants to know when its users are sent phishing emails, in order that it can analyze them and attempt to stay one step ahead of the hackers. You can report phishing to Apple using this email address: firstname.lastname@example.org
As you can see, while phishing emails can seem quite frightening, there is plenty you can do to identify them. The most important lesson is not to click on any link in any email or text message unless you are absolutely certain who has sent it to you. If it comes from a business, it’s much better to go to their website and log in manually, that way you won’t risk being redirected to a spoof website.