“Phishing” is a pretty name for a malicious practice. An attacker sends millions (if not billions) of emails that try to convince the recipient they come from a legitimate source. Phishing sometimes draws on the billions of account compromises of the past few years to include personal information, such as your mailing address or an account name associated with a site.
The email convinces you that something is wrong with your account, or that there is a big promotion going on, and invites you to click a link that looks right. Clicking takes you to a website that asks for your account credentials. Continue, and you may have just handed over the keys to your kingdom.
This type of attack is insidious because most of us receive so many emails from the companies and organizations we deal with that we can barely keep up. A message that says “your credit card has exceeded its limit!” can rise above the fray, and you pay attention. The site the email links to looks exactly as you’d expect.
I speak from the position of a fellow sufferer. Over the past year, I have received a text message from “DHL” and two emails from “American Express” that almost got me. I clicked on the DHL message, as I was expecting a package from that service, which is rare for me, and quickly realized what I was doing and closed the window. The Amex messages both ended up filtered into my junk folder, but I looked at them and thought, “That must be a mistake.” On closer inspection, however, I realized that my spam filter was more attentive than I was, and I never clicked at all.
Here is what you can do to resist these attacks in an email message.
Disable loading of images
Invisible tracking pixels let marketers and scammers know that a message has been opened, and can reveal more about you than you want. You can follow these instructions to turn off automatic loading of images and media. Starting with the release later this year of iOS/iPadOS 15 and macOS 12 Monterey, you can go a step further by enabling Mail Privacy Protection, which loads trackers through a proxy to sever the connection to you. (This feature does not require iCloud+, the new name for the paid iCloud tiers.)
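To show what “remote content” in a message actually involves, here is an added example (not Apple’s Mail code or Macworld’s) of the check a mail client can make before loading images: it parses an HTML body, lists the servers that would learn the message was opened if images loaded, and flags hidden 1x1 images that serve as tracking pixels. The sample message body (SAMPLE_HTML) and the pixel heuristic are constructed for illustration; only the Python standard library is used.

```python
"""Find remote images and probable tracking pixels in an HTML email body.

Added example, not Apple's or Macworld's code. SAMPLE_HTML and the
tracking-pixel heuristic below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: an inline logo (cid:), a normal remote image,
# and a hidden 1x1 remote image whose URL carries a per-recipient token.
SAMPLE_HTML = """
<html><body>
<img src="cid:logo@example.com" width="120" height="40" alt="logo">
<p>Your card has exceeded its limit! <a href="https://example.com/login">Sign in</a></p>
<img src="https://track.example-mailer.test/open?u=4f3a9c1e" width="1" height="1" style="display:none">
<img src="https://cdn.example.com/promo.jpg">
</body></html>
"""

# Only these schemes cause a network request when the image is displayed.
REMOTE_SCHEMES = {"http", "https"}


class RemoteImageCollector(HTMLParser):
    """Collect every <img> whose src would be fetched from a server."""

    def __init__(self):
        super().__init__()
        self.remote_images = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        attr = dict(attrs)
        src = attr.get("src") or ""
        parts = urlparse(src)
        if parts.scheme.lower() not in REMOTE_SCHEMES:
            return  # cid: (inline attachment) and data: URLs contact no server
        self.remote_images.append({
            "src": src,
            "host": parts.hostname or "",
            "width": attr.get("width"),
            "height": attr.get("height"),
            "style": (attr.get("style") or "").replace(" ", "").lower(),
        })


def is_probable_tracking_pixel(img):
    """Heuristic: a remote image that is 1x1 (or 0x0) or hidden via CSS."""
    tiny = img["width"] in ("0", "1") and img["height"] in ("0", "1")
    hidden = "display:none" in img["style"] or "visibility:hidden" in img["style"]
    return tiny or hidden


def analyze_remote_content(html):
    """Return (hosts contacted if images load, URLs that look like tracking pixels)."""
    parser = RemoteImageCollector()
    parser.feed(html)
    parser.close()
    hosts = sorted({img["host"] for img in parser.remote_images})
    pixels = [img["src"] for img in parser.remote_images
              if is_probable_tracking_pixel(img)]
    return hosts, pixels


if __name__ == "__main__":
    hosts, pixels = analyze_remote_content(SAMPLE_HTML)
    print("Servers that learn the message was opened:", hosts)
    print("Probable tracking pixels:", pixels)
```

The inline logo never appears in the output because a `cid:` reference is served from the message itself; the two `https:` images are what “load remote images” actually fetches, and the hidden 1x1 one is the tracker. Turning image loading off, as described above, stops both requests.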
Do not click on site links in emails
While it is convenient to click on links in emails, not clicking, and instead using bookmarks or typing the first few letters of a site’s address, circumvents most phishing attacks.
Hover over the links before clicking
If you plan to click and have an email client (like Apple’s Mail) that supports it, you can hover over any link and see where it actually points. If it’s not the URL of the company or group that sent it, don’t click. Some companies use email tracking and route their links through Mailchimp and other legitimate email-sending companies, and you can’t tell the difference between legitimate use and abuse in those cases. With Apple Mail, hovering displays the URL as hint text; it is only when you click the downward-pointing arrow that you get a full preview, which I recommend you don’t do, given the risk of revealing more information about yourself.
Look for warnings in emails
Some email applications notify you automatically, or let you turn on warnings that tell you a message looks suspicious or contains links to known phishing sites. I am using Postbox, which has this option. It’s not always accurate – it doesn’t like emails from eBay for some reason – but it at least makes me more leery of an inbound email.
If you decide the link is legitimate and click on it, be careful and follow this advice:
Check the padlock. Safari and most other browsers show a lock icon in the location bar (or similar) at the top of the window, in both desktop and mobile versions. If you don’t see a padlock, that’s a problem.
Watch for blatant security warnings. Safari issues a big warning when you visit a site that presents a digital certificate that doesn’t match the domain name you’re on. It’s a huge red flag, and you should quickly head in the other direction. You have to work to bypass this warning.
Watch for more subtle security warnings. Safari also checks for an expired certificate (certificates must be renewed at least once a year) on a site that was previously legitimate. The same goes for an insecure (non-HTTPS) page that asks for your password or credit card number. These are also red flags.
Use a password manager. Apple’s built-in password support on iOS, iPadOS, and macOS, as well as 1Password and other third-party password managers, will only fill in a password if the domain matches precisely. A similar domain intended to trick you will never match, so you won’t be able to click, or use Touch ID or Face ID, to fill in the login fields.
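The “hover and read the URL” advice above and the password manager’s domain check come down to the same question: is the host a link really connects to the sender’s domain, or something that merely resembles it? The following added example (not Apple’s, 1Password’s or Macworld’s code) answers that question the way a cautious mail client or password manager would. It assumes a tiny, constructed stand-in for the Public Suffix List (`PUBLIC_SUFFIXES`); the sender domain `bank.test`, the sample links, and the reserved `.test`/`.invalid` names are all constructed for illustration. The “matches precisely” rule is implemented as “same registrable domain, over HTTPS”; real password managers differ in the details.

```python
"""Classify links in an email against the sender's domain, and decide whether
a password manager should fill credentials on a page.

Added example, not any vendor's code. PUBLIC_SUFFIXES is a constructed stand-in
for the Public Suffix List; SENDER and SAMPLE_LINKS are constructed sample data
using reserved .test/.invalid names.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List: the label directly below one
# of these suffixes is the part a registrant actually controls.
PUBLIC_SUFFIXES = {"com", "net", "co.uk", "test", "invalid"}

SENDER = "bank.test"  # constructed: the domain the email claims to come from
SAMPLE_LINKS = [       # constructed sample hrefs a hover preview would reveal
    "https://bank.test/login",
    "https://www.bank.test/account",
    "https://bank.test.secure-verify.invalid/login",   # brand name, wrong domain
    "https://bank.test@203.0.113.5/login",             # 'bank.test' is userinfo, not the host
    "https://xn--bnk-2na.test/login",                  # IDN label, shown as punycode
    "mailto:support@bank.test",
    "https://shop.example.com/deal",
]


def registrable_domain(host):
    """'mail.example.co.uk' -> 'example.co.uk'; the domain a registrant owns."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES and i > 0:
            return ".".join(labels[i - 1:])
    return host.lower()


def host_of(url):
    """The host the browser would connect to, or None for non-web links.

    urlsplit().hostname lowercases, drops the port and drops any user@ prefix,
    so 'https://bank.test@203.0.113.5/' yields '203.0.113.5'.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return None
    return parts.hostname


def classify_link(url, sender_domain):
    """Return one of: same-domain, subdomain, ip-address, punycode-label,
    lookalike, other-domain, not-web."""
    host = host_of(url)
    if host is None:
        return "not-web"
    try:
        ipaddress.ip_address(host)
        return "ip-address"      # legitimate senders link to names, not raw IPs
    except ValueError:
        pass
    sender = sender_domain.lower()
    if host == sender:
        return "same-domain"
    if registrable_domain(host) == registrable_domain(sender):
        return "subdomain"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "punycode-label"  # may render as characters resembling the brand
    brand = registrable_domain(sender).split(".")[0]
    if brand in host:
        return "lookalike"       # brand name present, but under someone else's domain
    return "other-domain"


def link_report(links, sender_domain):
    """Map each link to its classification, as a hover-style preview would."""
    return {url: classify_link(url, sender_domain) for url in links}


def password_manager_should_fill(page_url, saved_domain):
    """Fill only on HTTPS and only when the page's registrable domain equals the
    one the credential was saved for; a lookalike domain never matches."""
    parts = urlsplit(page_url)
    host = host_of(page_url)
    if host is None or parts.scheme.lower() != "https":
        return False
    return registrable_domain(host) == registrable_domain(saved_domain)


if __name__ == "__main__":
    for url, verdict in link_report(SAMPLE_LINKS, SENDER).items():
        print(f"{verdict:15} {url}")
```

Only the first two sample links end up on the sender’s own domain; the others are exactly the cases where a password manager declines to fill, which is the signal the article describes. The IP-address and userinfo cases matter because the text before the `@` is what a casual glance reads, while `hostname` is what the browser actually connects to.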
The only time you’ll see such an error when trying to visit the legitimate version of a site is when you’re on a public hotspot and haven’t yet jumped through its hoops to join the network. When you connect to such an access point, it blocks general internet traffic and effectively redirects everything to a local “portal” page where you can pay, enter a login, or agree to the terms of service for free access.
Until you pass the portal page, any other web page you visit will produce an error that makes it look like you are on a scam site.
This Mac 911 article answers a question asked by Macworld reader Tom.
Ask the Mac 911
We’ve compiled a list of our most frequently asked questions, along with answers and column links – read our awesome FAQ to see if your question is covered. Otherwise, we’re always on the lookout for new issues to solve! Email yours to [email protected], including screenshots if applicable, and say whether you would like your full name to be used. Not all questions will be answered; we do not respond to emails, and we cannot provide direct troubleshooting advice.