Almost Got Phished Today
How to Protect Yourself from Phishing Scams
There's nothing like the bright ding of a text first thing in the morning to grab your attention. This one alerted me that "Your Apple ID was used to sign in to iCloud on a MacBook Air." I don't have a MacBook, so it got my attention.
Did some cybercriminal have my credentials?
Had I been hacked?
What else did they steal from me?
Oh crap, I need to fix this and fast.
But, wait. I have questions.
Who sent this text?
Have I ever seen a text alert like this before?
What's with the IP-based URL that isn't an apple.com domain?
Is this a scam?
Well, of course, it is a scam attempting to phish my credentials from me.
Just for fun, I used a test computer to open the bogus link.
The blue hyperlink above brought me to a fake website spoofing an Apple web page with a form to enter my Apple ID and Password. Were I to enter my actual credentials, the hacker behind the fraud would have gained the keys to my Apple Account and every linked credential.
If I were lazy enough to reuse my passwords, he would likely have taken over my Gmail, dropbox, amazon, and other accounts.
What's Wrong with this web page?
The URL is not an apple.com domain.
When I hover my cursor over the embedded links, "Store, Mac, iPad, iPhone, Watch, AirPods" they indicate the same non-apple page URL.
The blue hyperlinks "forgot your Apple ID or password and Don't have an Apple ID" both loop back to the same sign-in scam.
"If you're suspicious about an unexpected message, call, or request for personal information or money, it's safer to presume it's a scam and contact that company directly if you need to. If you're concerned about a security issue with your Apple device, you can get help" – Apple Support
What you need to do
Slow down. Hackers design their attacks to pressure you into fast decisions.
When in doubt, throw it out. It may have been legitimate, but if it was you will certainly hear from the sender again. It's better to err on the side of caution.
Never give your credentials to anyone or type them into a web form that you have not verified as genuine.
If it seems strange, contact the sender directly or reach out to your IT Professionals for their advice.
Slingshot Can Help
Slingshot Information Systems keeps its clients updated on new scams that might impact their networks. We provide training seminars both online and in person. We're always there, ready to help. Got a question, then reach out.