Phishing Email 101

Phishing illutstration
Anda berbicara Bahasa Indonesia? Baca artikel terjemahannya di sini!

Something funny occurred to me yesterday. I received an email which said that I signed up for a free trial on Apple App Store. The email said that the trial subscription was free for a week, then it would charge me.

Of course, I was surprised. Why, because I rarely buy apps on my iPad. I thought someone hacked into my account, but again, I didn't register my credit card in my Apple ID.

But I took a deeper look, and find out that it was a...

Phishing Email

Yup, that's it. Upon closer inspection into that surprising email, I concluded that my account was safe, and that email was nothing but a bluff. But hey, it looked so real.

The mail looks so genuine at first.
Had I not taken a closer look, I would've already taken the bait, and whoever had had sent the email to me, he/she would've gotten my Apple ID for real.

So yes, that's an example of what is mostly known as phishing emails. Phishing emails are basically emails that trick you to give away your important personal information, such as credit card numbers, online or bank account credentials, etc. They even go as far as recreating the whole website or email to make you think it was the real deal. In my case, it's Apple's App Store invoice.

Unsuspecting users will just follow the instructions blindly, and that would've been very dangerous. That's why I'm writing this article, to give you some precautionary steps to identify these annoying copycats.

Where is it from?

Usually, one dead giveaway of a phishing email is where it is sent from. If it was from an unknown or suspicious-looking domain, then there's a good chance that it is fake. Take a look at the one that I mentioned in the beginning.

Apple invoices certainly come from Apple's domain, and the one above does not. It came from a strange-looking domain, and it's the first and clearest giveaway.

It's certainly not coming from Apple.
However, unfortunately, there are ways to spoof these sender name and address. But don't worry, we have a few more tricks up our sleeve.

Is the content relevant?

Read the contents of the email once again. Have you made any changes to whatever is mentioned in the email? Is the information relevant to you? If it's not, then I bet it's safe enough for you to disregard it.

In my example, the charge was both in US Dollars and Indian Rupees. That's ridiculous. Why, because not only it is inconsistent, but also because my Apple ID uses Indonesian Rupiah, my local currency.

How can Apple be as inconsistent as putting two different currencies in a single email?
Another giveaway in my example is the link placements in my email. I know that Apple always puts their company information including important information in the bottom of the email. That information (such as privacy policy, etc.) is in the form of links. Strangely, however, the texts don't have links. Though some have them, it's related to our next point, which is...

Are the links okay?

Yes. Check the links before you click on it. If it's coming from a strange or suspicious website, then most likely, it's a fake.

The given is link is funny. Why would Apple mask its link like this?
In my example, the links are not only the same, but also masked using some sort of a URL shortener. I tried clicking at the link to see what happens, but my browser stopped me.

Most of today's browsers are so smart they know you're being deceived.
Yes, some modern browsers already know which websites are flagged as phishing or deceptive. But don't let your guard down, as buying new domains and setting up websites aren't that difficult.

HTTPS and Root Domain

If you have a question about how to identify whether a site is valid or not, let's get a bit more technical.

All reputable companies (and many smaller ones) use something called HTTPS on their websites. HTTPS makes the communication between the server (the website) and the client (your device) secure, or at least much more difficult to intercept. Finding out whether a site uses HTTPS or not is easy. Just look at the padlock symbol on the left of the web address. This applies to both desktop and mobile devices.

Watch the padlock before the address.
While HTTPS certificates are mostly paid, there are a few solutions out there which give away these certificates for free, so let's get to the next point for added security: root domain.

Generally speaking, a root domain is the top-level directory housing other subdirectories on a website. Confused? Here's an illustration for you:

A simple illustration for Root Domain.
Examples of this include apple.com, google.com, paypal.com, and many more. Many companies typically use the same root domain, while separating their services in subdomains, such as apple.com/mac or images.google.com. Some companies even buy similar root domains, so people wouldn't get into the wrong website, such as gooogle.com, which will kindly redirect you to the correct google.com.

Now, it's quite rare for companies to use different root domains for public use (even though there are some, they're usually a completely different address, and announced widely in public). Different root domains, especially the ones that spell funny, mean that it's very likely fake, no matter how close the new site look to the original.

They look disturbingly similar.
So, you need to watch out for subtle changes in a root domain in your email, such as applesm.com, geoogle.com, or any other funny-spelling domains.

Vigilance is Key

It doesn't matter how good you are in computers, the key here is vigilance. Heck, even an expert in computer science and security can still fall into these phishing scams.

If you notice something looks suspicious or dicey, either ask someone with better knowledge, or disregard the email altogether. Or better, contact the customer support directly and ask about the validity of the email. Better safe than sorry, right?

So I guess that's all for now, Folks. This is just a small PSA, since it happened to me, and I don't want you to fall into that trap. Remember, vigilance is key, and if you're uncertain, either disregard or contact customer support. Finally, thanks for reading, and see you in the next article (hopefully soon). Have a nice day! :D

Comments

Popular posts from this blog

Logitech mk240 Mouse Combo Review

Smartfren M3Z Review: Bigger and Better

Smartfren M2Y 4G Mi-Fi: A Pebble That Connects To The World