You almost got me, you crafty little phisherman.
The subject line of the e-mail referenced "your Apple ID." The body mentioned my credit card and how it had just been "updated." A quick scan of the rest caused momentary alarm. My credit card? I didn't make any changes to my credit card or my Apple account.
Then my morning coffee -- and common sense -- kicked in. Upon closer inspection, I recognized this e-mail for what it was: an attempt to infiltrate my computer and steal some personal information. In other words, a hacker doing a little phishing.
While many users are well-acquainted with this practice and know what to look for, I suspect there are plenty of folks who still fall victim. Heck, I consider myself an expert at phishing avoidance, yet a momentary lapse almost got me to click a fraudulent link. Therefore, allow me to share the actual e-mail I received this morning and some telltale signs of phishing fakery:
- Like many users, I have several e-mail addresses. But this message came to an address that isn't linked to my Apple account. What's more, that same address appears in the "From" field, an obvious sign it didn't actually come from Apple.
- The date shown here is formatted DD/MM/YYYY, but here in the US, we use MM/DD/YYYY. That's how I know this e-mail originated elsewhere. Otherwise it would have read 01/27/2014.
- My name is missing. The salutation merely reads, "Hello, [blank]." I'm pretty sure Apple would communicate with me by name.
- Perhaps the biggest clue of all (and the sign of a particularly sloppy bit of phishing): When I moused over the "reset your password" link, it revealed a decidedly non-Apple URL. Were I to click that, I'd probably be directed to a site that looks fairly Apple-like, with a form requesting all kinds of personal info -- including a credit card number. Alternatively, I could land at a site that stealth-installs a bunch of spyware and/or viruses on my system.
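Every tell in that list can be checked mechanically. As an added example (not from the original post), this Python script reads a constructed message modelled on the one described above and reports the same red flags: a sender domain that isn't apple.com, a "From" address identical to the recipient's, a day-first date, a blank salutation, and any link whose real destination lies outside apple.com, which is what mousing over the link reveals. The addresses, hostnames and message text are made up.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample modelled on the message described above; not the real e-mail.
SAMPLE_EMAIL = """\
From: "Apple" <me@personal-mail.example>
To: me@personal-mail.example
Subject: Your Apple ID: credit card updated
Date: Mon, 27 Jan 2014 09:00:00 +0000
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello, </p>
<p>Your credit card was updated on 27/01/2014.</p>
<p><a href="http://appleid-verify.example.net/reset">reset your password</a></p>
<p>See <a href="https://www.apple.com/">apple.com</a> for details.</p></body></html>
"""

# Simple anchor extraction; a production mail filter should use a real HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Two-digit day/month/year dates such as 27/01/2014.
DATE_RE = re.compile(r"\b(\d{2})/(\d{2})/\d{4}\b")

def in_domain(url, domain):
    """True when the URL's host is the brand domain or one of its subdomains."""
    host = (urlparse(url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)

def phishing_signals(raw_message, brand_domain="apple.com"):
    """Return the red flags from the checklist above that appear in a raw message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender, recipient = msg["From"].addresses[0], msg["To"].addresses[0]
    html = msg.get_body(preferencelist=("html",)).get_content()
    flags = []
    if sender.domain.lower() != brand_domain:
        flags.append(f"sender domain {sender.domain} is not {brand_domain}")
    if sender.addr_spec == recipient.addr_spec:
        flags.append("From address is the recipient's own address")
    if any(int(day) > 12 for day, _ in DATE_RE.findall(html)):
        flags.append("date written day-first (DD/MM/YYYY)")
    if re.search(r"Hello,\s*<", html):
        flags.append("salutation has no name")
    for href, text in ANCHOR_RE.findall(html):
        if not in_domain(href, brand_domain):  # the URL mousing over would reveal
            flags.append(f"link '{text}' points to {urlparse(href).hostname}")
    return flags
```

Calling phishing_signals(SAMPLE_EMAIL) returns all five flags for the sample, while the genuine apple.com link is left alone.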
Like I said, this was some sloppy phishing. I've seen "your account has been compromised!" e-mails that looked indistinguishable from the real thing, and on occasion I've been distracted enough that I almost clicked a bogus link.
Fortunately, it's fairly easy to protect yourself against come-ons like these:
Always be suspicious. Phishing e-mails try to freak you out with warnings of stolen information (or worse), and then offer an easy fix if you just "click here." (The flipside: "You've won a prize! Click here to claim it!") When in doubt, don't click. Instead, open your browser, go to the company's Web site, then sign in normally to see if there are any signs of strange activity. If you're concerned, change your password.
Check for bad spelling and grammar. Just as my phisherman got the date format wrong, most of the missives that come from outside the US are riddled with spelling mistakes and bad grammar. Big companies hire professional writers and editors to make sure their e-mails contain perfect prose. If you're looking at one that doesn't, it's almost certainly a fake.
Beef up your browser. An accidental click of a phishing link doesn't have to spell disaster. McAfee SiteAdvisor and Web of Trust are free browser add-ons that will warn you if the site you're about to visit is suspected of malicious activity. They're like traffic cops that stop you before you turn down a dangerous street.
Use your smartphone. If you're checking e-mail on your smartphone, it might actually be harder to spot a phishing attempt. You can't "mouse over" a questionable link, and the smaller screen makes you less likely to spot obvious gaffes. The good news is that most smartphone browsers (and operating systems) are immune to harmful sites and downloads, so there's little harm in tapping a suspicious link. (Obviously you still shouldn't complete a form that asks for your password or other personal info.)
Most of all, rely on common sense. You can't win a contest you didn't enter. Your bank won't contact you using an e-mail address you never registered. Microsoft did not "remotely detect a virus on your PC." Know the warning signs, think before you click, and never, ever give out your password or financial info unless you're properly signed into your account.
Got any other anti-phishing tips to share? Load 'em up in the comments.