Is this the most dangerous phishing scam yet?
SPF, DKIM, and DMARC: What They Are and Why You Need Them
No More Phish! Three Scams You Need to Spot in 2023
5 Tips To Improve Your Digital Security in 2021
Watch Out for iCloud Phishing Phone Calls!
Beware Microsoft Office 365 Phishing Attacks!
We’re seeing an uptick in email phishing attacks purporting to come from Microsoft about Office 365. They’re quite convincing messages that tell users that their credit card payment has failed, that an account needs renewing, or that a password needs to be confirmed. Needless to say, they’re all complete scams, and clicking a link in them takes you to a malicious Web page that will try to steal your password or credit card details. As we noted in “Gone Phishing: Five Signs That Identify Scam Email Messages,” large companies never send email asking you to click a link in order to log in to your account, update your credit card information, or the like. Hover over links to see where they go before clicking anything, and stay safe out there!
Block Telemarketing Calls Automatically on Your iPhone
Junk calls are one of the great annoyances of the modern world. You’re minding your own business when your iPhone vibrates in your pocket. You pull it out, curious as to who’s calling, but don’t recognize the number. You may notice that it’s in the same exchange as your phone number, suggesting that it’s a neighbor. But no. When you answer, it’s “Heather,” a pre-recorded voice wanting to sign you up for a resort vacation, give your business a loan, or help with your credit card debt. Angered by the intrusion, you tap the red hangup button, wishing you had an old-style telephone receiver to slam down.
There’s no way to retaliate against these scum-sucking bottom feeders, and the best option is to hang up immediately. For quite a few versions of iOS, you’ve been able to block a caller manually—just tap the i button next to the call in the Recents screen in the Phone app, scroll to the bottom, and tap Block This Caller. But that’s seldom worth doing since telemarketers often spoof the numbers they call from, so it’s unlikely you’d get a second call from the same number.
Instead, we recommend taking advantage of a feature Apple introduced in iOS 10 that enables apps to block calls for you. Quite a few of these apps have appeared, with some of the best reviewed being Hiya, Mr. Number, RoboKiller, and Truecaller. Hiya and Mr. Number are both free and from the same company—Mr. Number is a stripped-down version of Hiya—whereas RoboKiller and Truecaller require an in-app purchase for a monthly membership.
In general, these apps work by receiving caller ID information from iOS and comparing it against both your local contacts (to identify good calls) and a constantly updated database of numbers used by telemarketers (bad calls). Calls from your contacts ring through normally, as do calls from phone numbers not in either of those sets. That’s key, since your doctor might call back from a secondary number, or your kid’s new teacher might call to talk about an upcoming snack day. But if you receive a call from a number known to be used by a telemarketer, the app can either identify it on the incoming call screen or block it automatically, sending it to voicemail.
To enable one of these apps, after you download it from the App Store, go to Settings > Phone > Call Blocking & Identification and enable its switch. You’ll probably also have to do some setup in the app itself, providing your phone number, perhaps creating an account, and determining what should happen with different calls (Mr. Number is shown below, right).
With Hiya and Mr. Number, you can copy a number from the Phone app’s Recents screen (tap the i button for a call, and then press the number to access a Copy button) and then look it up to learn more and see comments other users have made. And if you get a telemarketing call from a number that the app doesn’t recognize, you can submit it to protect others.
RoboKiller claims that it wastes the telemarketers’ time by playing pre-recorded “Answer Bots” conversations to keep them on the line, preventing them from calling more people.
Details vary by app, but the only real downside to using one of these apps is that it may ask for information about you or your contacts to improve its services. If that feels intrusive, investigate one of the apps that requires a membership, like RoboKiller, to see if it better answers your concerns.
In the end, it comes down to how many telemarketing calls you receive each day, week, or month. If you’re lucky and get only one or two per month, it’s probably not worth messing with a call blocking app—maybe just send unidentified (and unexpected) calls to voicemail. But if you’re interrupted by multiple junk calls per day or week, give one of these apps a try and let it reduce the onslaught.
Gone Phishing: Five Signs That Identify Scam Email Messages
Don’t Freak Out If You Get Blackmail Spam Containing an Old Password
Have you gotten an email message whose Subject line says something like “Change your password immediately! Your account has been hacked.”? If not, it may be only a matter of time before you do. It’s a scary message, especially because it contains one of your passwords, some threats, and a demand for money. Worse, the password is likely one you’ve used in the past—how could the hacker have discovered it? Has your Mac really been taken over?
Relax. There’s nothing to worry about.
This “blackmail spam” has been making the rounds on the Internet recently—we’ve heard from several clients who have received it, and we’ve gotten copies too. The message purports to be from a hacker who has taken over your Mac and installed spyware that has recorded you visiting Web sites that aren’t exactly G-rated. The hacker also claims to have used your Mac’s camera to photograph you while you’re browsing said non-G-rated sites and threatens to share those pictures with your contacts and erase your drive unless you pay a ransom using Bitcoin.
This blackmail spam has raised so many pulses because it backs up its claims by showing a password that you’ve used in the past. Hopefully, it’s not one that you’re still using, because it was extracted from one of the hundreds of password breaches that have occurred over the past decade. Impacted Web sites include big names such as Yahoo, LinkedIn, Adobe, Dropbox, Disqus, and Tumblr—thieves have collectively stolen over 5.5 billion accounts. It’s all too likely that some old password of yours was caught up in one of those thefts.
Concerning as the message sounds, all the details other than your email address and password are completely fabricated. Your Mac has not been hacked. There is no malware spying on your every move. No pictures of you have been uploaded to a remote server. Your hard drive will not be erased. In short, you have nothing to worry about, and you should just mark the message as spam.
However, if you’re still using the password that appeared in the message, that is cause for concern. It means that any automated hacking software could break into the associated account, and it must be a weak password if the bad guys were able to crack it from the stolen password files. Go to Have I Been Pwned and search for your email address. If it shows up for any breaches, make sure you’ve changed your password for those accounts.
As always, we recommend that you create a strong, unique password for each of your Web accounts. The easiest way to do this is to rely on a password manager like 1Password or LastPass to generate a random password. Then, when you want to go back to that site, the password manager can log you in automatically. It’s easier and more secure.
If you’re still concerned about your passwords, call us and we can help you get started with stronger security practices.
Watch Out for Phishing Attacks Hidden in Your Email
One of the most important things you can do to stay safe on the Internet is to be careful while reading email. That’s because online criminals know that we’re all busy, and we often don’t pay enough attention to what we’re reading or where we’re clicking.
To take advantage of our inattention, these Internet information thieves forge email messages to look like they come from the likes of Apple, Facebook, and Amazon, along with well-known banks, payment services, retailers, and even government agencies. Even more dangerous are messages that appear to come from a trusted individual and include personal details—these messages are often targeted at executives and company managers. Generally speaking, these attacks are called phishing—you can see examples here.
The goal? Get you to click a link in the message and visit a malicious Web site. That site usually continues to masquerade as being run by a company or organization you trust. Its aim is to sucker you into revealing confidential information by asking you to log in, pay for a product or service, or fill out a survey. The site—or an attachment in the email message—might also try to install malware. Although macOS is quite secure, if you approve security prompts, it can still be infected.
Although phishing is a huge problem that costs businesses hundreds of millions of dollars every year, you can easily identify phishing messages by looking for telltale signs:
- Be suspicious of email messages, particularly from people you don’t know or from well-known companies, that ask you to click a link and do something with an online account.
- Look closely at email addresses and URLs (hover the pointer over a link to see the underlying URL). Phishing messages don’t use official domains, so instead of paypal.com, the addresses and links might use paypa1.com—close enough to pass a quick glance, but clearly a fake.
- Watch out for highly emotional or urgent requests. They’re designed to make you act without thinking. Take any such messages with a grain of salt.
- Channel your inner English teacher and look for poor grammar or odd phrasing, which are red flags for phishing messages. Email from real companies may not be perfect, but it won’t have multiple egregious errors.
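The link check from the second tip can be automated. The sketch below is an added example, not part of the original article: it pulls each link out of an HTML message body, compares the host the link really points to against a short list of trusted domains, and flags look-alikes such as paypa1.com as well as links whose visible text names a different site than their target. The trusted list, the character-swap table, and the sample message are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

TRUSTED = {"paypal.com", "apple.com", "microsoft.com"}  # assumption: sites you really use
CONFUSABLES = str.maketrans("1035", "loes")  # common digit-for-letter swaps
# Simplified anchor matcher for quoted href attributes; not a full HTML parser.
ANCHOR = re.compile(r'<a\b[^>]*\bhref\s*=\s*["\']([^"\']*)["\'][^>]*>(.*?)</a>', re.I | re.S)

def base_domain(host):  # naive registrable domain: last two labels, no public-suffix list
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):  # Levenshtein distance with one rolling row
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def classify(host):  # 'trusted', 'lookalike of <domain>' or 'unknown' for a link's real host
    dom = base_domain(host)
    if dom in TRUSTED:
        return "trusted"
    for good in sorted(TRUSTED):
        if dom.translate(CONFUSABLES) == good or edit_distance(dom, good) <= 1:
            return "lookalike of " + good
    return "unknown"

def audit(html):  # (visible text, real host, verdict) for every link in an HTML body
    out = []
    for href, inner in ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", inner).strip()  # drop nested tags
        try:
            host = urlparse(href).hostname or ""
        except ValueError:  # malformed href
            host = ""
        verdict = classify(host)
        named = re.search(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", text.lower())
        if named and base_domain(named.group()) != base_domain(host):
            verdict += "; text/target mismatch"  # link text names a different site
        out.append((text, host, verdict))
    return out

# Constructed sample body, not a real message.
SAMPLE = ('<p>Payment failed. <a href="http://www.paypa1.com/login">Update card</a> or '
          '<a href="https://billing.example.net/x">www.paypal.com</a>. '
          '<a href="https://www.paypal.com/help">Help</a></p>')

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

An "unknown" verdict only means the domain is not on your list; it is the look-alike and mismatch flags that match the warning signs described above.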
So what do you do if you get a message that may be phishing for sensitive information? Most of the time you can just ignore it. If you’re worried that it might be legit, instead of clicking any links in the message, navigate to the site in question manually by typing the organization’s URL into your browser—use a URL that you know to be correct, not the one in the email message. Whatever you do, do not open attachments that you aren’t expecting and never send confidential information via email.
If you think you’ve fallen prey to a phishing attack and given away a password, you’ll want to change passwords on any affected accounts. If you’ve opened any attachments or approved any installs, run anti-malware software to determine whether your Mac has been infected. Contact us if you need help. And remember, regular backups protect you from a multitude of sins.