How do they do it, and why?
Internet information thieves forge email messages to look like they come from the likes of Apple, Facebook, and Amazon. Or well-known banks, payment services, retailers, and even government agencies such as HMRC. Even more dangerous are messages that appear to come from a trusted individual and include personal details. These messages are often targeted at executives and company managers. These attacks are called phishing.
The goal? Get you to click a link in the message and visit a malicious website. That site usually continues to masquerade as being run by a company you trust. Its aim is to trick you into revealing confidential information by asking you to log in, pay for a product or service, or even fill out a survey. The site or an attachment in the email message might also try to install malware. Although macOS is quite secure, it can still be infected if you approve the security prompts.
What to look out for
Although phishing is a huge problem that costs businesses millions every year, you can easily identify phishing messages by looking for telltale signs:
- Be suspicious of email messages, particularly from people you don’t know. Or from well-known companies that ask you to click a link and do something with an online account.
- Look closely at email addresses and URLs (hover the pointer over a link to see the underlying URL). Phishing messages don’t use official domains, so instead of paypal.com, the addresses and links might use paypa1.com—close enough to pass a quick glance, but clearly a fake.
- Watch out for highly emotional or urgent requests. You might be tempted to act without thinking. Take any such messages with a pinch of salt.
- Channel your inner English teacher and look for poor grammar, spelling mistakes or odd phrasing, which are red flags for phishing messages. Email from real companies may not be perfect, but it won’t have multiple egregious errors.
- Look out for strange internal communication. With some internal email addresses now appearing on your website, or on LinkedIn, phishing emails may try to mimic a member of staff. Double-check requests for payment in person or over the phone if in doubt.
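The two signs in the list above that a machine can check, a link whose real destination differs from the text it shows and a domain that merely resembles a trusted one (paypal.com versus paypa1.com), are easy to automate. The Python script below is an added example written for this post, not code from the original article or from any product: the list of trusted domains, the confusable-character table and the sample links are all constructed for illustration, and the rules are deliberately simple heuristics rather than a complete detector.

```python
"""Added example: flag lookalike domains and mismatched link text in an email.

Constructed for illustration; the trusted-domain list and sample links below
are not taken from any real message.
"""
import re
from urllib.parse import urlparse

# Constructed allow-list of brands that phishing messages commonly imitate.
TRUSTED_DOMAINS = {"apple.com", "facebook.com", "amazon.com", "paypal.com", "hmrc.gov.uk"}

# Characters attackers swap for look-alikes: digit 1 for letter l, 0 for o, etc.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})


def host_of(url):
    """Hostname part of a URL (a scheme is assumed if the link omits one)."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def registrable_domain(host):
    """Crude reduction of a hostname to 'example.com' or 'example.gov.uk'."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "gov", "ac", "org"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typos of a brand name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    if domain in trusted:
        return None
    # Fold confusable characters and two-letter tricks (rn -> m, vv -> w) before comparing.
    folded = domain.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")
    label = folded.split(".")[0]              # 'paypa1-login.com' -> 'paypal-login'
    for t in sorted(trusted):
        brand = t.split(".")[0]               # 'paypal.com' -> 'paypal'
        if folded == t:                       # only confusable characters differ
            return t
        if edit_distance(label, brand) <= 1:  # one typo away from the brand
            return t
        if brand in label.split("-"):         # brand buried in a hyphenated name
            return t
    return None


def check_link(display_text, href, trusted=TRUSTED_DOMAINS):
    """Return a list of warnings for one link; an empty list means nothing looked suspicious."""
    warnings = []
    domain = registrable_domain(host_of(href))
    imitated = lookalike_of(domain, trusted)
    if imitated:
        warnings.append(f"{domain} looks like {imitated}")
    # If the visible text itself looks like a URL or domain, it should match the real target.
    shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", display_text.lower())
    if shown:
        shown_domain = registrable_domain(shown.group(1))
        if shown_domain != domain:
            warnings.append(f"text shows {shown_domain} but link goes to {domain}")
    return warnings


# Constructed sample links, as they might be extracted from an email body.
SAMPLE_LINKS = [
    ("https://www.paypal.com/account", "http://paypa1.com/login"),
    ("Review your order", "https://amazon-orders-verify.com/"),
    ("Log in to your Apple ID", "https://appleid.apple.com/"),
]

if __name__ == "__main__":
    for text, href in SAMPLE_LINKS:
        found = check_link(text, href)
        print(f"{href!r}: {'; '.join(found) if found else 'no warnings'}")
```

Hovering over a link, as the list recommends, gives you exactly the two inputs `check_link` takes: the text you see and the URL underneath it. The heuristics will produce false positives (a legitimate "apple-events.example" style domain would be flagged), which is the right trade-off for a warning that prompts a person to look twice rather than for automatic blocking.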
What do you do if you do receive a phishing email?
Most of the time you can just ignore it. If you’re worried that it might be genuine, instead of clicking any links in the message, navigate to the site in question manually by typing the organisation’s URL into your browser. Use a URL that you know to be correct, not the one in the email message.
Whatever you do, don’t open attachments that you aren’t expecting, and never send confidential information via email. You may also want to let everyone in your company know you’ve received a fraudulent email. Like London buses, phishing emails have a habit of coming in batches, so your colleagues may receive the same one!
But what if you do fall victim and reveal a password? Don’t worry too much: change your passwords immediately, and that should be enough, particularly if you realise your error quickly. If you’ve opened any attachments or approved any installs, run anti-malware software to determine whether your Mac has been infected.
For our clients, the majority of supported machines have monitoring software installed, which will normally alert us about possible malware infections. If you think your account may have been compromised, please get in touch with us. And always ask for advice if you’re concerned about the content of any email; we’re happy to provide a second opinion!
There are some really useful resources for raising staff and organisational awareness of Phishing and Cybercrime on these websites: