Phishing Email 101

Phishing illustration
Do you speak Indonesian? Read the translated article here!

Something funny happened to me yesterday. I received an email which said that I had signed up for a free trial on the Apple App Store. The email said that the trial subscription was free for a week, then it would charge me.

Of course, I was surprised. Why? Because I rarely buy apps on my iPad. I thought someone had hacked into my account, but then again, I hadn't registered my credit card with my Apple ID.

But I took a deeper look, and found out that it was a...

Phishing Email

Yup, that's it. Upon closer inspection of that surprising email, I concluded that my account was safe and that the email was nothing but a bluff. But hey, it looked so real.

The mail looks so genuine at first.
Had I not taken a closer look, I would've already taken the bait, and whoever had sent the email to me would've gotten my Apple ID for real.

So yes, that's an example of what is commonly known as a phishing email. Phishing emails are basically emails that trick you into giving away your important personal information, such as credit card numbers, online or bank account credentials, etc. They even go as far as recreating an entire website or email to make you think it's the real deal. In my case, it was an Apple App Store invoice.

Unsuspecting users will just follow the instructions blindly, and that can be very dangerous. That's why I'm writing this article: to give you some precautionary steps for identifying these annoying copycats.

Where is it from?

Usually, one dead giveaway of a phishing email is where it was sent from. If it came from an unknown or suspicious-looking domain, then there's a good chance that it is fake. Take a look at the one that I mentioned at the beginning.

Apple invoices certainly come from Apple's domain, and the one above does not. It came from a strange-looking domain, and that's the first and clearest giveaway.

It's certainly not coming from Apple.
Unfortunately, however, there are ways to spoof the sender name and address. But don't worry, we have a few more tricks up our sleeve.

Is the content relevant?

Read the contents of the email once again. Did you actually make the changes the email mentions? Is the information relevant to you? If not, then I bet it's safe enough for you to disregard it.

In my example, the charge was in both US Dollars and Indian Rupees. That's ridiculous. Why? Because not only is it inconsistent, but my Apple ID uses Indonesian Rupiah, my local currency.

How can Apple be as inconsistent as putting two different currencies in a single email?
Another giveaway in my example is the placement of links in the email. I know that Apple always puts its company information, including important notices, at the bottom of the email, in the form of links (privacy policy, etc.). Strangely, however, most of those texts have no links here. The few that do bring us to our next point, which is...

Are the links okay?

Yes. Check the links before you click on them. If a link points to a strange or suspicious website, then most likely, it's a fake.

The given link is funny. Why would Apple mask its link like this?
In my example, the links are not only all the same, but also masked using some sort of URL shortener. I tried clicking on the link to see what would happen, but my browser stopped me.

Most of today's browsers are so smart they know you're being deceived.
Yes, some modern browsers already know which websites have been flagged as phishing or deceptive. But don't let your guard down, as buying a new domain and setting up a website isn't that difficult.

HTTPS and Root Domain

If you are wondering how to identify whether a site is valid or not, let's get a bit more technical.

All reputable companies (and many smaller ones) use something called HTTPS on their websites. HTTPS makes the communication between the server (the website) and the client (your device) secure, or at least much more difficult to intercept. Finding out whether a site uses HTTPS is easy: just look for the padlock symbol to the left of the web address. This applies to both desktop and mobile devices.

Watch the padlock before the address.
While HTTPS certificates are mostly paid, there are a few solutions out there which give away these certificates for free, so a padlock alone doesn't prove that a site is genuine. That's why we need the next point for added security: the root domain.

Generally speaking, a root domain is like the top-level directory of a website, housing the other subdirectories under it. Confused? Here's an illustration for you:

A simple illustration of a root domain.
Examples of this include apple.com, google.com, paypal.com, and many more. Companies typically use a single root domain and separate their services into subdomains or paths, such as images.google.com or apple.com/mac. Some companies even buy similar root domains so people don't land on the wrong website; gooogle.com, for example, will kindly redirect you to the correct google.com.

Now, it's quite rare for companies to use different root domains for public use (there are some, but they're usually a completely different address, announced widely in public). A different root domain, especially one that is spelled funny, very likely means it's fake, no matter how closely the new site resembles the original.

They look disturbingly similar.
So, watch out for subtle changes in a root domain in your email, such as applesm.com, geoogle.com, or any other funny-spelling domain.
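As an added example (not part of the original article), here is a small Python check that applies the three tests above to a constructed email: it takes the root domain of the sender address and of every link, flags URL shorteners, and uses edit distance to catch funny-spelling lookalikes such as applesm.com. The allowlist, the shortener list and the sample email are assumptions constructed for the example, and the two-label root-domain rule is a simplification that ignores suffixes like .co.uk.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist: root domains a genuine Apple invoice would link to.
EXPECTED = {"apple.com", "icloud.com"}
# A few well-known URL shorteners; a shortener in an invoice is itself a warning sign.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}

def root_domain(host):
    """Keep the last two labels (images.google.com -> google.com). Enough for
    .com-style names; .co.uk-style suffixes would need a public suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def edit_distance(a, b):
    """Levenshtein distance, used to catch funny-spelling lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain):
    """Label one root domain: expected, shortener, lookalike or unknown."""
    if domain in EXPECTED:
        return "expected"
    if domain in SHORTENERS:
        return "shortener"
    name = domain.rsplit(".", 1)[0]  # applesm.com -> applesm
    for good in EXPECTED:
        if edit_distance(name, good.rsplit(".", 1)[0]) <= 2:
            return "lookalike"  # applesm vs apple is distance 2
    return "unknown"

def check_email(sender, html_body):
    """Classify the sender's domain and the target of every href in the body."""
    report = {"sender": classify(root_domain(sender.split("@")[-1])), "links": {}}
    for href in re.findall(r'href="([^"]+)"', html_body):
        report["links"][href] = classify(root_domain(urlparse(href).hostname or ""))
    return report

# Constructed sample resembling the invoice described in the article.
SAMPLE_SENDER = "no-reply@applesm.com"
SAMPLE_HTML = ('<a href="https://bit.ly/abc123">Cancel subscription</a>'
               '<a href="https://www.apple.com/legal/privacy">Privacy Policy</a>'
               '<a href="http://geoogle.com/login">Sign in</a>')
```

Running check_email(SAMPLE_SENDER, SAMPLE_HTML) labels the sender as a lookalike, the shortened link as a shortener, the real apple.com link as expected and the unrelated domain as unknown; anything other than "expected" deserves a closer look before clicking.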

Vigilance is Key

It doesn't matter how good you are with computers; the key here is vigilance. Heck, even an expert in computer science and security can still fall for these phishing scams.

If something looks suspicious or dicey, either ask someone with better knowledge, or disregard the email altogether. Better yet, contact customer support directly (using the contact details on the company's official website, not the ones in the email) and ask about the validity of the email. Better safe than sorry, right?

So I guess that's all for now, folks. This is just a small PSA, since it happened to me, and I don't want you to fall into that trap. Remember, vigilance is key, and if you're uncertain, either disregard the email or contact customer support. Finally, thanks for reading, and see you in the next article (hopefully soon). Have a nice day! :D
