I got a somewhat convincing phishing attempt today. In fact, it wasn’t flagged by my junk mail filtering until I flagged it myself. A screenshot of the email is above. Can you see what’s wrong with it? An annotated screenshot is below.
When this first showed up on my Apple Watch, I quickly sprang into action without looking at it closely. However, the steps I took are the correct steps one should take if they’re suspicious of a seemingly important email. I’ll also go into those steps below.
The Phishing Attempt
A phishing attack is when a hacker sends you an email or text asking you to click a link. The email will look official, as will the website it links to. However, if you enter any personal information on that website, the hacker will have your information.
Here are the red flags that appeared in this email:
- The “To” was an obviously fake email address.
- I received it because I was in the BCC field, which means this was likely sent out to a massive number of people, but we can’t see that.
- Apple or any real company would address you by your name.
- Bad grammar, likely because it was copied from a real email Apple would send out with the names removed.
- Apple wouldn’t ask you to click a “Confirm my account” link.
- In a real email from Apple, the links at the bottom of the page would be actual links.
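Several of these red flags can be checked mechanically from the raw message. The script below is an added example, not part of the original post; the sample message, the addresses, and the names `red_flags` and `LinkHosts` are constructed for illustration.

```python
from email import message_from_string, policy
from email.utils import getaddresses
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, not the email from the post; every address and host is made up.
SAMPLE = """\
From: Apple Support <noreply@apple-id.example>
To: customer@invalid.example
Subject: Your Apple ID was used to sign in on a new device
Content-Type: text/html; charset="utf-8"

<p>Dear Customer,</p>
<p>Your Apple ID was used to sign in on a Windows device on Chrome.</p>
<p><a href="http://login.phish.example/confirm">Confirm my account</a></p>
"""

class LinkHosts(HTMLParser):
    """Collect the hostname of every <a href=...> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hosts.append(urlparse(href).hostname or "")

def red_flags(raw, my_address, my_name, trusted_domain="apple.com"):
    """Return the red flags from the list above that a raw message trips."""
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    flags = []
    # Our address is in neither To nor Cc: we were reached through BCC.
    shown = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if my_address.lower() not in [addr.lower() for _, addr in shown]:
        flags.append("bcc_delivery")
    # A real account notice addresses the account holder by name.
    if my_name.lower() not in body.lower():
        flags.append("no_personal_greeting")
    # Any link that leaves the domain the sender claims to be.
    links = LinkHosts()
    links.feed(body)
    if any(h != trusted_domain and not h.endswith("." + trusted_domain) for h in links.hosts):
        flags.append("link_off_domain")
    return flags

if __name__ == "__main__":
    print(red_flags(SAMPLE, "me@example.com", "Jordan"))
```

A flag here is a reason to look more closely rather than a verdict: legitimate mailing lists also deliver through BCC.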
What to Do
I wasn’t looking at this email and sprang into action quickly to protect my account. However, you should never click the links in a phishing email. Even if you don’t enter information, a click is how hackers will know to continue targeting your email address.
Instead, go directly to the page in question. In this case, I went to https://appleid.apple.com. This is Apple’s webpage for managing your Apple ID. I logged in and checked the devices that were verified with my account. The “Windows device on Chrome” was nowhere to be seen. Still, to be sure, and because I haven’t done it in a few months, I changed my password. Also, make sure two-factor authentication is on, if it’s not already. This stops these attacks from working, even if the attackers have your password. Without access to your phone, they won’t be able to log in to your Apple ID.
Remember, no matter what, don’t click the links in an email. Navigate to the page on your own, verifying any messages on your own. Phishing attacks are extremely common and surprisingly effective. Always question any email you get that encourages urgent action.