>When you get an email from Apple—or, really, anyone telling you to complete a digital security measure—check the URL they’re trying to send you to. Apple Support lives on apple.com and getsupport.apple.com, nowhere else.
That advice is fine for the technically savvy but doesn't work for a lot of normal people who don't have the knowledge to mentally parse urls.
People just pattern match on the substring "apple.com" because they don't understand that the DNS system works right-to-left. Therefore, the 2nd url looks just as "legitimate" as the first one.
I work with senior citizens and tried to explain how to parse the domain in the URL by looking for the first forward "/" after the "https://" and then scan backwards but they find that mental algorithm confusing and those instructions don't stick. (This is actually an area where some AI on phones/desktops could assist people decipher urls or mark them as suspicious.)
The other problem with that advice is people can't "whitelist" the legitimate domains to look for because they don't know ahead-of-time what they are. E.g.:
- An Amazon verification email will be sent from "account-update@amazon.com". It's intuitive to predict something coming from "@amazon.com" so a mental whitelist filter works in that case.
- However, State Farm Insurance legitimate login verification codes are actually sent from "noreply@sfauthentication.com" instead of the expected "@statefarm.com"
varun_ch [3 hidden]5 mins ago
Microsoft is really bad with this. Login might be live.com or microsoftonline.com or maybe onmicrosoft.com. I went to report a vulnerability to their security portal this week and it redirected me to b2clogin.com.
OneDrive email attachments link to, I kid you not, 1drv.ms, or maybe it was 1drv.com…
Not to mention, they use .ms as if it’s their personal TLD, but obviously anyone can register a .ms domain. It’s like they want people to get phished.
Handy tip: all two-letter TLDs are country code TLDs. Doesn't matter if they're trendy in website names (.nu, .cc, .io, .co, .it, .at, .cx, youtu.be and so on)
In fact, here we have the ma.tt website, where the ".tt" is Trinidad and Tobago. Is Matt Mullenweg from Trinidad? No!
the_mitsuhiko [3 hidden]5 mins ago
Though not all country codes point to a country. See .eu, .ac .su as different examples of stuff that breaks the rules.
mghackerlady [3 hidden]5 mins ago
the .su domain was made when the soviet union was still around, so that doesn't really break the rules. I would prefer for top level domains to be eternal for a great multitude of reasons
SAI_Peregrinus [3 hidden]5 mins ago
The possible annoyance with eternal country-code TLDs would be the dissolution of one country, and the creation (or renaming) of another country resulting in an eventual exhaustion of two-letter country codes. Eternity is a rather long duration.
RGamma [3 hidden]5 mins ago
They also use .microsoft now (e.g. for the M365 admin portal).
esquivalience [3 hidden]5 mins ago
> I work with senior citizens and tried to explain how to parse the domain in the URL by looking for the first forward "/" after the "https://" and then scan backwards but they find that mental algorithm confusing and those instructions don't stick.
Might try explaining it this way?
It works the same way as a postal address. The first part before `/` is the envelope: by analogy it runs streetaddress.city.country.
You can give a name to your house, or add an apartment to the front - but that doesn't change the most significant part.
xorcist [3 hidden]5 mins ago
> senior citizens and tried to explain how to parse the domain
Why would you want end users, senior citizens or not, to mentally parse URLs?
The rule is: If the bank, or paypal, or your landlord, or anyone else really emails you that you have to complete some information to your account or pay the latest bill or whatever, you GO TO THEIR WEBSITE and login normally. If it is important they will have the same information there.
The same rule also applied to unsolicited phonecalls, but it might be harder to follow: If your bank, or the police, or some other important person calls you and asks for information or for you to do something that feels the least bit off or hurried, you take their contact information, you look up whatever it is they want you to do and you CALL THEM BACK at the official telephone number of the bank or the police. You probably already have the number and if you don't it's on their web site. Do not call back on any other number.
People working the phone generally have much worse protocols than people working over email, so they may be less prepared for you to do this, but I have never heard of anything important that was emailed that wasn't also easily available when logged in to the website.
The only time it is appropriate to click a link in an email is when you are verifying your email address with them. Not for any other reason.
jasode [3 hidden]5 mins ago
>The rule is: If the bank, or paypal, or your landlord, or anyone else really emails you that you have to complete some information to your account or pay the latest bill or whatever, you GO TO THEIR WEBSITE and login normally.
Yes, that is a "best practice" and good internet hygiene is to never click on email and text message urls but the reason they like clicking on legitimate email urls is convenience and usability. A helpful email link directly lands them on the relevant website page to do whatever they need to do. That's because the email url has a long string query parameters (id, etc) that automatically navigates to the correct webpage.
On the other hand, to do it the "best practice" way, it requires clicking around a confusing website menus and drilling several layers deep to find whatever issue the email is talking about.
A helpful email url link bypasses the hassle of learning whatever flavor-of-the-month confusing UI the website designer happened to to use.
Hang around old people and watch over the shoulder how they use computers and you become sympathetic to how the make it work for them.
E.g. An order status email has a URL link of a UPS tracking number to monitor shipping status. But don't click on that! Instead, copy the 1Z... number to the buffer. Then open a web browser and type in the ups.com url. Then paste the number into the text box. Those copy&paste mechanics not too difficult on desktop (Ctrl+C Ctrl-V) but it is much more difficult on mobile phones (double taps or long press and hold).
That was a simple example. The more complicated one is email from health and medical companies with confusing websites. They'd rather just click on the email url.
dwedge [3 hidden]5 mins ago
Man it's like we live in two different realities and yours is a textbook. dozens of times I've been sent links to download a pdf or fill out a form that is not linked from the main site anywhere. I know because I check - I hate clicking links in emails because of tracking if nothing else
basilikum [3 hidden]5 mins ago
It is unfortunately normal for companies to impersonate scammers.
We can teach people as much as we want about security against phishing. It won't matter because people have to break these rules constantly. Companies actively train people to fall for phishing by doing everything in their power to be indistinguishable from phishing themselves.
microtonal [3 hidden]5 mins ago
The worst are DHL, UPS, etc. customs payment mails. Even the real ones look like phishing mails and in some cases they don’t link the payment request to your account, so you cannot circumvent it by logging into your account and checking wether it is legit.
re [3 hidden]5 mins ago
> getsupport.apple.com.phish.xyz
I notice that a lot of scam texts use domains that start with a TLD followed by a hyphen, like:
(Real examples, with "phish" replacing a string of 3-4 random letters)
In some ways, it's a more convincing fake URL, since even if you're used to reading the domain right-to-left, your brain wants to start from the hyphen since it's a different character following a familiar TLD. But that type of domain also seems a lot easier for spam detection rules to catch.
qingcharles [3 hidden]5 mins ago
Bluesky's moderation email is moderation@blueskyweb.xyz which 100% looks like a phishing address.
> The other problem with that advice is people can't "whitelist" the legitimate domains to look for because they don't know ahead-of-time what they are. E.g.:
Yep, and there's even things like irs.gov which tells you how to know a site is official (https, and .gov), and then links you to id.me to login. (not sure what was wrong with login.gov, which SSA lets you use)
Terr_ [3 hidden]5 mins ago
Or the insanity of IRS services that use the "id.me" domain for a vendor with a Montenegro TLD.
Privacy issues aside, white-labeling the service and infrastructure behind *.irs.gov should be a mandatory requirement.
latexr [3 hidden]5 mins ago
> I work with senior citizens and tried to explain how to parse the domain in the URL by looking for the first forward "/" after the "https://" and then scan backwards but they find that mental algorithm confusing and those instructions don't stick.
Have you tried some analogy which will be personal to them? Like describing the URL as a family tree: “com is the oldest ancestor, like you Mr Johnson. Then apple is your son Bill, and getsupport is your grandchild Cody. If you saw ml instead of getsupport, that would be a different grandchild, but still in your family. However, when you see phish and xyz before apple and com you can think ‘I don’t know those people, they aren’t my father and grandfather’”.
The idea is imperfect but I literally just thought of it. We could certainly come up with something better that might eventually work.
Thank you for working to keep vulnerable people safe from phishing.
kstrauser [3 hidden]5 mins ago
For a simpler example:
“You ever watch MASH? Remember the main guy, Benjamin Franklin Pierce? He’s not the same guy as Benjamin Franklin, is he? You can tell because you don’t stop after the first part of the name you recognize. You have to go all the way to the end and look at the whole name.
Well, same here!”
latexr [3 hidden]5 mins ago
Agreed, I like that better. It even has the correlation with family names being at the end.
small_scombrus [3 hidden]5 mins ago
1Password has really been bugging me recently, all the emails they send have giant link buttons they want you to click without verifying where you're actually going
JohnMakin [3 hidden]5 mins ago
hp’s email sender always look malicious and makes me double take
AnimalMuppet [3 hidden]5 mins ago
I recall receiving an email from company X, warning me to not trust emails that said they were from X but didn't come from X.com. But the warning email itself did not come from X.com! They broke their own rules in the warning email.
It's been a while, so I cannot name and shame X...
KomoD [3 hidden]5 mins ago
This was easily one of the best phishing attempts I've ever seen.
JumpCrisscross [3 hidden]5 mins ago
> Apple Support lives on apple.com and getsupport.apple.com, nowhere else.
Meanwhile: “Microsoft support uses the following domains to send emails:
Also, Microsoft regularly sends me legitimate emails regarding "Microsoft Rewards" that are absolutely indistinguishable from phishing, like "Total Prize Drop is here! Your chance to win 1,000,000 USD cash grand prize or one of three customizable Mercedes-Benz cars!", complete with links to login pages and everything. So like this one, just as mail: https://xcancel.com/bing/status/2034720189003231410
The first time I got those I couldn't believe these were legitimate. Thank you Microsoft for teaching your customers how to fall for scams!
That's just for support. Legit password resets for example come from more random top level domains with "microsoft" in it, like microsoftonline.com
Another fun one is facebook, they use facebookmail.com or whatever else for serious security stuff
CraigRood [3 hidden]5 mins ago
Is this because at one point <username>@facebook.com was a valid communication method? Great concept to be fair, but once you pull back the first layer you can immediately see its problems.
Metacelsus [3 hidden]5 mins ago
>Legit password resets for example come from more random top level domains with "microsoft" in it, like microsoftonline.com
Or aka.ms
e40 [3 hidden]5 mins ago
The number of redirects while using ms properties is just insane. It makes white listing them in uBO impossible because they redirect so fast, through multiple domains. The White listing is needed to sometimes make them work.
throwaway290 [3 hidden]5 mins ago
It's a thing with google and facebook too. If you login to youtube or go to facebook account settings, at least 3 redirects through very random places. I guess 3 is not a lot compared to microsoft's 15.
mattlondon [3 hidden]5 mins ago
No mention of password managers yet? One of the major benefits is the password manager can do a quick, simple, completely deterministic check on the domain before providing the password. That would have stopped this dead in its tracks without relying on the human just happening to notice.
I personally use bitwarden on my chrome profile across Windows Mac Linux and android and think it's great. Highly recommended.
Of course I tell this to family and friends and no one does it so I dunno...
ChrisMarshallNY [3 hidden]5 mins ago
Phishing has gotten really good, lately. As he noted, they will often re-use legit templates from the actual corporation. The email will be 99.9% legit, with maybe only one link being dodgy.
I don’t think they can pass DMARC, though.
My wife was almost scammed, a few years ago. What tipped her off, was how extremely good the “tech support” was. Real tech support is generally someone on a scratchy line, with a heavy accent, following an inappropriate script.
Even after she backed away, they sent a few followup snail mails, looking somewhat legit (cheap printer).
olmo23 [3 hidden]5 mins ago
I told my parents: if they are ever called by anyone, to tell them "now is not a good time, please give me a case number and I'll call back when I do have the time."
And then, this is important, look up the number for the customer service hotline online.
I feel like this is a simple solution that works 100% of the time.
e40 [3 hidden]5 mins ago
My dad googled “amex phone number” and called the first result. I spent most of a Saturday cleaning up after the scammers.
I told him, next time call the number on the back of your card.
MaxGabriel [3 hidden]5 mins ago
Any chance the first result was an ad? Those are definitely a popular phishing distribution mechanism, so getting your parents an adblocker could help
qingcharles [3 hidden]5 mins ago
I just got a family member to install one after they Google'd a hotel name and accidentally clicked the first ad instead of the hotel site.
dspillett [3 hidden]5 mins ago
Another top tip is how to response to “can I just confirm”. No, they can't just confirm any details, until they have confirmed who they are, which they can't do without us calling them on the company's published support number.
Luckily my parents are appropriately cynical and have not fallen for anything like that, but I know a couple of people of my generation who have (in the worst case losing 5K+ in savings, back when there was no onus on UK banks to take any responsibility for such fraud through their systems so it was properly lost to them).
argee [3 hidden]5 mins ago
Mike Tyson once said "Everyone has a plan until they get punched in the mouth". I think you are underestimating the underhanded tactics and emotional tools available to scammers to keep you on the line.
dspillett [3 hidden]5 mins ago
When I'm at home with the old man (mam is unfortunately in a care home), it _really_ irritates me how many scam calls he gets some days. Most of them are obvious: they just hang up when you pick up, the line is very bad or the caller is otherwise barely intelligible (i.e. they are speaking their 4th language), they refer to an account that doesn't exist or a fictitious government agency. But the occasional one is very smooth, and sometimes even have a few details about Dad's life and/or accounts that give pause (either of the form “could this actually be real” or “I wonder how have they collected and associated that?”).
If my family are anything to go by, they definitely target the elderly more than even one generation down (so it isn't just due to those of the younger generations often only having mobile phones and landlines are more targeted) because they know those tend to be more susceptible to the con and more likely to have some savings worth pillaging.
Also in DayJob, some of our C*s and others associated with them (PAs, office managers) have seen some pretty sophisticated phishing attempts, both targeting the business's dealings and their personal accounts. I get the impression that these are reducing in number ATM (or the filtering of them is improving) but that those coming in are making an increasing effort to be convincing.
Cider9986 [3 hidden]5 mins ago
Having identifiers where anyone can initiate conversation is the problem. Modern messengers like Signal or SimpleX allow you to share one-time contact info, completely preventing anyone you don't allow to contact you.
Besides that, people should sign up with random email aliases just as much as they sign up with random passwords.
Here is a free crossplatform workflow:
New, free Proton Mail[1]-->Free Bitwarden[2] account with single master password memorized[3]-->duck.com[4] alias pointing at Proton Mail-->Extract[5] duck.com api key to generate random duck.com alias for each site in Bitwarden-->Sign up for new service using new random email+password in seconds and never have to remember it and no spam.
Here is a simple crossplatform workflow: Paid proton suite[6]-->Single memorized master password[3]-->Generate random email alias and password for new services using proton pass.
If you use iCloud+ you can generate email aliases using a Raycast[7] extension or a browser extension[8] or inside of safari natively. There is also iCloud+ settings, but that is a pain to get to.
I’ve found that just not answering any calls from unknown numbers (and having my phone just silence those calls so I don’t even see them) prevents all of this. If the caller is legitimate (e.g., new dentist office regarding an appointment) they can leave a voicemail. And if it isn’t spam and they aren’t willing to leave a voicemail and have me call the back, it probably wasn’t important in the first place.
Sure, I may be missing out on some opportunities. But the peace of mind is far greater.
seb1204 [3 hidden]5 mins ago
This, my pixel marks almost all calls not in my address book as suspected spam or phishing.
PaulHoule [3 hidden]5 mins ago
Whenever I get some breathless email about security from my organization I send a phishing report for it even if I think it is real. All the messages about mandatory password resets and the like just increase the surface area for phishing. There should be a policy like "we will never send you an email about the security of your account" See
As others have mentioned, one big issue is that every company does these things differently and just because someone texts you a link doesn't mean it's phishing, even though it feels shady. In Australia I have had calls by immigration officers on supressed numbers that wanted PII over the phone without being able to tell me what the purpose of the call is.
seb1204 [3 hidden]5 mins ago
Wow, this is tricky. Even though you can look up the official number you will likely not get through to the same person.
jbellis [3 hidden]5 mins ago
I've had some close calls already and with AI making it cheap to tailor scams to individuals it's probably only a matter of time.
For my parents in their 70s, even more so. No amount of reminding them to read URLs first is going to help.
So my question is: what are best practices to limit the blast radius when I (or they) inevitably click the wrong link?
haar [3 hidden]5 mins ago
Thank you for writing this up (and getting it put into a video). I sent this blog post to my parents and my mum has decided to forward it on to all of her friends after watching.
Seems easily digestible and approachable for a specific target audience.
maplethorpe [3 hidden]5 mins ago
The scammer sounds Australian, but he pronounces mobile as "mobil", like an American. I wonder if he's doing that intentionally to provide cover, or if he's worked with Americans so much in the past that it's changed his pronunciation.
wateralien [3 hidden]5 mins ago
The pause in replies also suggests he's not around the corner.
WhyNotHugo [3 hidden]5 mins ago
What's the end goal here?
I know that after a phone has been stolen, attackers want to gain access to an Apple account to remove the activation lock. But in this case, no devices had been stolen yet. The most they could do would be to… remotely mark the devices as stolen? Then ask the victim to pay to unlock them?
sdwr [3 hidden]5 mins ago
Get into the account, change the phone number, and start charging the cards on file. Or look through iCloud data for passwords/contacts
voidUpdate [3 hidden]5 mins ago
Whats at the bottom of the page? It looks like it's meant to be brushstrokes or something?
ErneX [3 hidden]5 mins ago
Yes, same as the logo / header.
ShowalkKama [3 hidden]5 mins ago
step 1) use a password mamager
step 2) forget your own password
step 3) witness the password mamager NOT autofill on phishing sites
emptybits [3 hidden]5 mins ago
I had two calls from "Apple Support" very very much like this in the past two weeks. Both times, their claim was that someone was trying to reset my Apple password and they were trying to protect me.
Both times, they asked me to go to a BS "apple-support" website and enter a six digit number they'd read out to me, where I'd see a transcript of this very phone call so I could then have full assurance that they were legit and working for Apple.
Uh huh.
And both times, when I asked them to just send me a quick email from their address at Apple (any address, even a generic inbox or support address) to assure me they worked for Apple ... pause ... [click]. Yeah.
firstrulephish [3 hidden]5 mins ago
For the record, Apple will never call you first, but other services might. The REAL first rule of not being scammed should be stated
"Thanks for the concern, I will call you right back"
If your bank calls you, you turn off the call and call them. Don't take suggestions for contact address. You look them up, and you call them. Don't elaborate. The scammer is either and idiot and will try to call you telling to stop, or smart and fuck off. And if it was the bank, they'll at best, pick right back from where you left it, and at worst, learn better from the event.
whywhywhywhy [3 hidden]5 mins ago
Apple let someone in India a place I have never been to, Apple knows I've never been to log into an old Apple account I'd forgotten about and hadn't logged into for 12 years with a password from a leak. All I got was "Your apple account has been linked to a new mac in India".
Disgusting to me that even the most basic of logic for what would be someone stealing an account: has the account been used in years, would this person we have location data for ever be in India setting up a new computer, with a computer type ID we know is compromised to hackintoshes (iMac Pro) wasn't enough of a red flag to send me an email confirmation first.
Luckily the account was so old iCloud barely stored anything back then but still shocking to me.
tom-blk [3 hidden]5 mins ago
This is actually quite impressive and concerning
dude250711 [3 hidden]5 mins ago
Google users are safe from this, as neither the fraudster nor the potential victim would be able to contact their support to begin with.
qingcharles [3 hidden]5 mins ago
I can't even get into my own damned account with the username, password and recovery email.
emmelaich [3 hidden]5 mins ago
I believe this is actually part of the intent.
xnx [3 hidden]5 mins ago
audit-apple.com is offline now. Is that something ICANN does, and if so, can they fix zombo.com?
chuckadams [3 hidden]5 mins ago
ICANN doesn't do that, individual registrars do. ICANN can suspend a registrar's accreditation if they don't act on spam/scam domains brought to their attention, which is something they do at the dizzying frequency of never.
rererereferred [3 hidden]5 mins ago
I've gotten phishing domains taken down by going to their registrar and filling a support ticket.
metalman [3 hidden]5 mins ago
Currently my device has no passwords, and the only apps that lead to anything personal are browsers, and then sign into my website/email. I have eliminated online banking, except for allowing people to pay me through direct deposit, which I confirm on my once a week trip to an actual bank.
Very occasional online purchases use a dedicated credit card.
The above, I believe makes me a smol, challenging target, and I use the many many attempts to fish through, text, email, and voice, as practice sessions to refine my customer faceing presence, and answer all calls, and chearfully deflect anything or anyone that is not a legitimate human and/or customer, in under 10 seconds.
Going forward I would train any office helpers to use the same methods on any work devices.
mentalgear [3 hidden]5 mins ago
This scam is scarily well made and what terrifies me is how easily scalable it is across sectors (e.g. your bank) and with AI voice clones (like in the attached video they mentioned the new 11lab generation).
HN.zip
That advice is fine for the technically savvy but doesn't work for a lot of normal people who don't have the knowledge to mentally parse urls.
People just pattern match on the substring "apple.com" because they don't understand that the DNS system works right-to-left. Therefore, the 2nd url looks just as "legitimate" as the first one.I work with senior citizens and tried to explain how to parse the domain in the URL by looking for the first forward "/" after the "https://" and then scan backwards but they find that mental algorithm confusing and those instructions don't stick. (This is actually an area where some AI on phones/desktops could assist people decipher urls or mark them as suspicious.)
The other problem with that advice is people can't "whitelist" the legitimate domains to look for because they don't know ahead-of-time what they are. E.g.:
- An Amazon verification email will be sent from "account-update@amazon.com". It's intuitive to predict something coming from "@amazon.com" so a mental whitelist filter works in that case.
- However, State Farm Insurance legitimate login verification codes are actually sent from "noreply@sfauthentication.com" instead of the expected "@statefarm.com"
OneDrive email attachments link to, I kid you not, 1drv.ms, or maybe it was 1drv.com…
Not to mention, they use .ms as if it’s their personal TLD, but obviously anyone can register a .ms domain. It’s like they want people to get phished.
In fact, here we have the ma.tt website, where the ".tt" is Trinidad and Tobago. Is Matt Mullenweg from Trinidad? No!
Might try explaining it this way?
It works the same way as a postal address. The first part before `/` is the envelope: by analogy it runs streetaddress.city.country.
You can give a name to your house, or add an apartment to the front - but that doesn't change the most significant part.
Why would you want end users, senior citizens or not, to mentally parse URLs?
The rule is: If the bank, or paypal, or your landlord, or anyone else really emails you that you have to complete some information to your account or pay the latest bill or whatever, you GO TO THEIR WEBSITE and login normally. If it is important they will have the same information there.
The same rule also applied to unsolicited phonecalls, but it might be harder to follow: If your bank, or the police, or some other important person calls you and asks for information or for you to do something that feels the least bit off or hurried, you take their contact information, you look up whatever it is they want you to do and you CALL THEM BACK at the official telephone number of the bank or the police. You probably already have the number and if you don't it's on their web site. Do not call back on any other number.
People working the phone generally have much worse protocols than people working over email, so they may be less prepared for you to do this, but I have never heard of anything important that was emailed that wasn't also easily available when logged in to the website.
The only time it is appropriate to click a link in an email is when you are verifying your email address with them. Not for any other reason.
Yes, that is a "best practice" and good internet hygiene is to never click on email and text message urls but the reason they like clicking on legitimate email urls is convenience and usability. A helpful email link directly lands them on the relevant website page to do whatever they need to do. That's because the email url has a long string query parameters (id, etc) that automatically navigates to the correct webpage.
On the other hand, to do it the "best practice" way, it requires clicking around a confusing website menus and drilling several layers deep to find whatever issue the email is talking about.
A helpful email url link bypasses the hassle of learning whatever flavor-of-the-month confusing UI the website designer happened to to use.
Hang around old people and watch over the shoulder how they use computers and you become sympathetic to how the make it work for them.
E.g. An order status email has a URL link of a UPS tracking number to monitor shipping status. But don't click on that! Instead, copy the 1Z... number to the buffer. Then open a web browser and type in the ups.com url. Then paste the number into the text box. Those copy&paste mechanics not too difficult on desktop (Ctrl+C Ctrl-V) but it is much more difficult on mobile phones (double taps or long press and hold).
That was a simple example. The more complicated one is email from health and medical companies with confusing websites. They'd rather just click on the email url.
We can teach people as much as we want about security against phishing. It won't matter because people have to break these rules constantly. Companies actively train people to fall for phishing by doing everything in their power to be indistinguishable from phishing themselves.
I notice that a lot of scam texts use domains that start with a TLD followed by a hyphen, like:
(Real examples, with "phish" replacing a string of 3-4 random letters)In some ways, it's a more convincing fake URL, since even if you're used to reading the domain right-to-left, your brain wants to start from the hyphen since it's a different character following a familiar TLD. But that type of domain also seems a lot easier for spam detection rules to catch.
https://bsky.app/profile/safety.bsky.app/post/3ljp6zi7tp227
Yep, and there's even things like irs.gov which tells you how to know a site is official (https, and .gov), and then links you to id.me to login. (not sure what was wrong with login.gov, which SSA lets you use)
Privacy issues aside, white-labeling the service and infrastructure behind *.irs.gov should be a mandatory requirement.
Have you tried some analogy which will be personal to them? Like describing the URL as a family tree: “com is the oldest ancestor, like you Mr Johnson. Then apple is your son Bill, and getsupport is your grandchild Cody. If you saw ml instead of getsupport, that would be a different grandchild, but still in your family. However, when you see phish and xyz before apple and com you can think ‘I don’t know those people, they aren’t my father and grandfather’”.
The idea is imperfect but I literally just thought of it. We could certainly come up with something better that might eventually work.
Thank you for working to keep vulnerable people safe from phishing.
“You ever watch MASH? Remember the main guy, Benjamin Franklin Pierce? He’s not the same guy as Benjamin Franklin, is he? You can tell because you don’t stop after the first part of the name you recognize. You have to go all the way to the end and look at the whole name.
Well, same here!”
It's been a while, so I cannot name and shame X...
Meanwhile: “Microsoft support uses the following domains to send emails:
microsoft.com
microsoftsupport.com
mail.support.microsoft.com
office365support.com
techsupport.microsoft.com” [1]
[1] https://learn.microsoft.com/en-us/troubleshoot/azure/general...
The first time I got those I couldn't believe these were legitimate. Thank you Microsoft for teaching your customers how to fall for scams!
"Sign up for Uber Eats and win 50,000 MXN of credit https://bit.ly/1234"
What's funny is that they also send these over the same channel:
"Warning: Telcel will never call you nor ask you for your personal info!"
Gee, maybe stop priming your whole customer base to click on messages identical to spam?
Another fun one is facebook, they use facebookmail.com or whatever else for serious security stuff
Or aka.ms
I personally use bitwarden on my chrome profile across Windows Mac Linux and android and think it's great. Highly recommended.
Of course I tell this to family and friends and no one does it so I dunno...
I don’t think they can pass DMARC, though.
My wife was almost scammed, a few years ago. What tipped her off, was how extremely good the “tech support” was. Real tech support is generally someone on a scratchy line, with a heavy accent, following an inappropriate script.
Even after she backed away, they sent a few followup snail mails, looking somewhat legit (cheap printer).
And then, this is important, look up the number for the customer service hotline online.
I feel like this is a simple solution that works 100% of the time.
I told him, next time call the number on the back of your card.
Luckily my parents are appropriately cynical and have not fallen for anything like that, but I know a couple of people of my generation who have (in the worst case losing 5K+ in savings, back when there was no onus on UK banks to take any responsibility for such fraud through their systems so it was properly lost to them).
If my family are anything to go by, they definitely target the elderly more than even one generation down (so it isn't just due to those of the younger generations often only having mobile phones and landlines are more targeted) because they know those tend to be more susceptible to the con and more likely to have some savings worth pillaging.
Also in DayJob, some of our C*s and others associated with them (PAs, office managers) have seen some pretty sophisticated phishing attempts, both targeting the business's dealings and their personal accounts. I get the impression that these are reducing in number ATM (or the filtering of them is improving) but that those coming in are making an increasing effort to be convincing.
Besides that, people should sign up with random email aliases just as much as they sign up with random passwords.
Here is a free crossplatform workflow: New, free Proton Mail[1]-->Free Bitwarden[2] account with single master password memorized[3]-->duck.com[4] alias pointing at Proton Mail-->Extract[5] duck.com api key to generate random duck.com alias for each site in Bitwarden-->Sign up for new service using new random email+password in seconds and never have to remember it and no spam.
Here is a simple crossplatform workflow: Paid proton suite[6]-->Single memorized master password[3]-->Generate random email alias and password for new services using proton pass.
If you use iCloud+ you can generate email aliases using a Raycast[7] extension or a browser extension[8] or inside of safari natively. There is also iCloud+ settings, but that is a pain to get to.
[1] https://proton.me/mail
[2] https://bitwarden.com/go/start-free
[3] https://strongphrase.net
[4] https://duckduckgo.com/email
[5] https://bitwarden.com/blog/how-to-use-the-bitwarden-forwarde...
[6] https://proton.me/mail/pricing
[7] https://www.raycast.com/svenhofman/hidemyemail
[8] https://chromewebstore.google.com/detail/icloud-hide-my-emai...
Sure, I may be missing out on some opportunities. But the peace of mind is far greater.
https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/201...
a policy that's been talked about for more than 10 years and that the industry is almost catching up to.
Why do I need to go to Settings? I get these occasionally and ignore them; what harm is there in that?
FWIW these were real bad for a while, but Apple seems to have gotten better at canning the spam. Maybe 1-2 per year?
For my parents in their 70s, even more so. No amount of reminding them to read URLs first is going to help.
So my question is: what are best practices to limit the blast radius when I (or they) inevitably click the wrong link?
Seems easily digestible and approachable for a specific target audience.
I know that after a phone has been stolen, attackers want to gain access to an Apple account to remove the activation lock. But in this case, no devices had been stolen yet. The most they could do would be to… remotely mark the devices as stolen? Then ask the victim to pay to unlock them?
Both times, they asked me to go to a BS "apple-support" website and enter a six digit number they'd read out to me, where I'd see a transcript of this very phone call so I could then have full assurance that they were legit and working for Apple.
Uh huh.
And both times, when I asked them to just send me a quick email from their address at Apple (any address, even a generic inbox or support address) to assure me they worked for Apple ... pause ... [click]. Yeah.
"Thanks for the concern, I will call you right back"
If your bank calls you, you turn off the call and call them. Don't take suggestions for contact address. You look them up, and you call them. Don't elaborate. The scammer is either and idiot and will try to call you telling to stop, or smart and fuck off. And if it was the bank, they'll at best, pick right back from where you left it, and at worst, learn better from the event.
Disgusting to me that even the most basic of logic for what would be someone stealing an account: has the account been used in years, would this person we have location data for ever be in India setting up a new computer, with a computer type ID we know is compromised to hackintoshes (iMac Pro) wasn't enough of a red flag to send me an email confirmation first.
Luckily the account was so old iCloud barely stored anything back then but still shocking to me.