> When you get an email from Apple—or, really, anyone telling you to complete a digital security measure—check the URL they’re trying to send you to. Apple Support lives on apple.com and getsupport.apple.com, nowhere else.
That advice is fine for the technically savvy but doesn't work for a lot of normal people who don't have the knowledge to mentally parse URLs.
People just pattern match on the substring "apple.com" because they don't understand that the DNS system works right-to-left. Therefore, the second URL looks just as "legitimate" as the first one.
I work with senior citizens and tried to explain how to parse the domain in the URL by looking for the first forward slash "/" after the "https://" and then scanning backwards, but they find that mental algorithm confusing and those instructions don't stick. (This is actually an area where some AI on phones/desktops could assist people in deciphering URLs or mark them as suspicious.)
The other problem with that advice is people can't "whitelist" the legitimate domains to look for because they don't know ahead of time what they are. E.g.:
- An Amazon verification email will be sent from "account-update@amazon.com". It's intuitive to predict something coming from "@amazon.com", so a mental whitelist filter works in that case.
- However, State Farm Insurance's legitimate login verification codes are actually sent from "noreply@sfauthentication.com" instead of the expected "@statefarm.com".
JumpCrisscross
> Apple Support lives on apple.com and getsupport.apple.com, nowhere else.
Meanwhile: “Microsoft support uses the following domains to send emails:
microsoft.com
microsoftsupport.com
mail.support.microsoft.com
office365support.com
techsupport.microsoft.com” [1]
[1] https://learn.microsoft.com/en-us/troubleshoot/azure/general...
Phishing has gotten really good, lately. As he noted, they will often re-use legit templates from the actual corporation. The email will be 99.9% legit, with maybe only one link being dodgy.
I don’t think they can pass DMARC, though.
My wife was almost scammed a few years ago. What tipped her off was how extremely good the “tech support” was. Real tech support is generally someone on a scratchy line, with a heavy accent, following an inappropriate script.
Even after she backed away, they sent a few follow-up snail mails, looking somewhat legit (cheap printer).
olmo23
I told my parents: if they are ever called by anyone, to tell them "now is not a good time, please give me a case number and I'll call back when I do have the time."
And then, this is important, look up the number for the customer service hotline online.
I feel like this is a simple solution that works 100% of the time.
KomoD
This was easily one of the best phishing attempts I've ever seen.
Cider9986
Having identifiers where anyone can initiate conversation is the problem. Modern messengers like Signal or SimpleX allow you to share one-time contact info, completely preventing anyone you don't allow to contact you.
Besides that, people should sign up with random email aliases just as much as they sign up with random passwords.
Here is a free cross-platform workflow:
New, free Proton Mail[1] --> free Bitwarden[2] account with a single memorized master password[3] --> duck.com[4] alias pointing at Proton Mail --> extract[5] the duck.com API key to generate a random duck.com alias for each site in Bitwarden --> sign up for a new service using a new random email + password in seconds, never have to remember it, and no spam.
Here is a simple cross-platform workflow: paid Proton suite[6] --> single memorized master password[3] --> generate a random email alias and password for new services using Proton Pass.
If you use iCloud+ you can generate email aliases using a Raycast[7] extension, a browser extension[8], or natively inside Safari. There is also the iCloud+ settings page, but that is a pain to get to.
[1] https://proton.me/mail
[2] https://bitwarden.com/go/start-free
[3] https://strongphrase.net
[4] https://duckduckgo.com/email
[5] https://bitwarden.com/blog/how-to-use-the-bitwarden-forwarde...
[6] https://proton.me/mail/pricing
[7] https://www.raycast.com/svenhofman/hidemyemail
[8] https://chromewebstore.google.com/detail/icloud-hide-my-emai...
I’ve found that just not answering any calls from unknown numbers (and having my phone just silence those calls so I don’t even see them) prevents all of this. If the caller is legitimate (e.g., a new dentist office regarding an appointment) they can leave a voicemail. And if it isn’t spam and they aren’t willing to leave a voicemail and have me call them back, it probably wasn’t important in the first place.
Sure, I may be missing out on some opportunities. But the peace of mind is far greater.
mattlondon
No mention of password managers yet? One of the major benefits is the password manager can do a quick, simple, completely deterministic check on the domain before providing the password. That would have stopped this dead in its tracks without relying on the human just happening to notice.
I personally use Bitwarden on my Chrome profile across Windows, Mac, Linux and Android and think it's great. Highly recommended.
Of course I tell this to family and friends and no one does it so I dunno...
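The deterministic domain check described in the comment above, and the "find the host, then read it right-to-left" parsing advice from the first comment, as an added example. This is not code from the linked article, from Bitwarden or from any password manager; it uses the standard URL parser and the two Apple Support domains the quoted article names. The sample links are constructed for the demo: evil.example is a reserved test name, and the audit-apple.com lookalike reuses the domain mentioned elsewhere in this thread.

```javascript
// Added example (not from the article or any password manager). It performs the
// deterministic "is this host really the site I hold a credential for?" check a
// password manager does before autofilling, and contrasts it with the substring
// pattern matching people fall back to mentally.

// Domains the quoted article names for Apple Support; anything else is a
// different site as far as autofill is concerned.
const APPLE_ALLOWED = ["apple.com", "getsupport.apple.com"];

// Return the lowercase host of an http(s) URL, or null when the string is not a
// parseable web URL. Using the URL parser instead of scanning for the first "/"
// after "https://" handles userinfo ("user@host"), ports and trailing dots.
function hostOf(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return null;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  return url.hostname.toLowerCase().replace(/\.$/, "");
}

// Right-to-left match: the host must equal an allowed domain or sit under it as
// a subdomain. "apple.com.evil.example" does not end with ".apple.com", so the
// brand name appearing on the left buys the attacker nothing here.
function isAllowedHost(host, allowed) {
  if (!host) return false;
  return allowed.some((domain) => host === domain || host.endsWith("." + domain));
}

// The naive mental filter from the thread: the brand name appears somewhere.
function naiveLooksLegit(urlString, brand) {
  return urlString.toLowerCase().includes(brand.toLowerCase());
}

// Decide, the way a password manager would, whether a credential for the
// allowed domains should be offered on this link.
function classify(urlString, allowed = APPLE_ALLOWED) {
  const host = hostOf(urlString);
  return {
    url: urlString,
    host,
    autofill: isAllowedHost(host, allowed),
    naiveMatch: naiveLooksLegit(urlString, "apple.com"),
  };
}

// Constructed sample links (hypothetical; evil.example is a reserved test name).
const SAMPLE_LINKS = [
  "https://getsupport.apple.com/help",
  "https://apple.com.audit-apple.com/verify",
  "https://evil.example/apple.com/login",
  "https://apple.com@evil.example/",
  "https://notapple.com/",
  "not a url at all",
];

for (const link of SAMPLE_LINKS) {
  const r = classify(link);
  console.log(
    `${r.autofill ? "AUTOFILL" : "NO FILL "} naive=${r.naiveMatch} host=${r.host} ${link}`
  );
}
```

The point the output makes is that every lookalike in the list contains "apple.com" somewhere and so passes the naive check, while only getsupport.apple.com passes the host check; that is exactly why a manager that refuses to fill on an unmatched host stops the attack without the human noticing anything.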
PaulHoule
Whenever I get some breathless email about security from my organization I send a phishing report for it even if I think it is real. All the messages about mandatory password resets and the like just increase the surface area for phishing. There should be a policy like "we will never send you an email about the security of your account". See
https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/201...
a policy that's been talked about for more than 10 years and that the industry is almost catching up to.
Previous submission: https://news.ycombinator.com/item?id=47388201
> Don’t approve any password-reset prompts—those are the first part of the attack. Do not pass Go, just head directly to your Apple ID settings.
Why do I need to go to Settings? I get these occasionally and ignore them; what harm is there in that?
FWIW these were real bad for a while, but Apple seems to have gotten better at canning the spam. Maybe 1-2 per year?
valzam
As others have mentioned, one big issue is that every company does these things differently, and just because someone texts you a link doesn't mean it's phishing, even though it feels shady. In Australia I have had calls from immigration officers on suppressed numbers who wanted PII over the phone without being able to tell me what the purpose of the call was.
jbellis
I've had some close calls already and with AI making it cheap to tailor scams to individuals it's probably only a matter of time.
For my parents in their 70s, even more so. No amount of reminding them to read URLs first is going to help.
So my question is: what are best practices to limit the blast radius when I (or they) inevitably click the wrong link?
haar
Thank you for writing this up (and getting it put into a video). I sent this blog post to my parents and my mum has decided to forward it on to all of her friends after watching.
Seems easily digestible and approachable for a specific target audience.
maplethorpe
The scammer sounds Australian, but he pronounces mobile as "mobil", like an American. I wonder if he's doing that intentionally to provide cover, or if he's worked with Americans so much in the past that it's changed his pronunciation.
WhyNotHugo
What's the end goal here?
I know that after a phone has been stolen, attackers want to gain access to an Apple account to remove the activation lock. But in this case, no devices had been stolen yet. The most they could do would be to… remotely mark the devices as stolen? Then ask the victim to pay to unlock them?
voidUpdate
What's at the bottom of the page? It looks like it's meant to be brushstrokes or something?
ShowalkKama
step 1) use a password manager
step 2) forget your own password
step 3) witness the password manager NOT autofill on phishing sites
emptybits
I had two calls from "Apple Support" very very much like this in the past two weeks. Both times, their claim was that someone was trying to reset my Apple password and they were trying to protect me.
Both times, they asked me to go to a BS "apple-support" website and enter a six digit number they'd read out to me, where I'd see a transcript of this very phone call so I could then have full assurance that they were legit and working for Apple.
Uh huh.
And both times, when I asked them to just send me a quick email from their address at Apple (any address, even a generic inbox or support address) to assure me they worked for Apple ... pause ... [click]. Yeah.
firstrulephish
For the record, Apple will never call you first, but other services might. The REAL first rule of not being scammed should be stated:
"Thanks for the concern, I will call you right back"
If your bank calls you, you end the call and call them. Don't take suggestions for a contact address. You look them up, and you call them. Don't elaborate. The scammer is either an idiot and will try to call you telling you to stop, or smart and will fuck off. And if it was the bank, they'll at best pick right back up from where you left it, and at worst learn better from the event.
whywhywhywhy
Apple let someone in India (a place I have never been to, and Apple knows I've never been to) log into an old Apple account I'd forgotten about and hadn't logged into for 12 years, with a password from a leak. All I got was "Your apple account has been linked to a new mac in India".
Disgusting to me that even the most basic logic for what would be someone stealing an account (has the account been used in years? would this person, whom we have location data for, ever be in India setting up a new computer, with a computer type ID we know is compromised by hackintoshes (iMac Pro)?) wasn't enough of a red flag to send me an email confirmation first.
Luckily the account was so old iCloud barely stored anything back then but still shocking to me.
tom-blk
This is actually quite impressive and concerning
dude250711
Google users are safe from this, as neither the fraudster nor the potential victim would be able to contact their support to begin with.
xnx
audit-apple.com is offline now. Is that something ICANN does, and if so, can they fix zombo.com?
metalman
Currently my device has no passwords, and the only apps that lead to anything personal are browsers, and then sign into my website/email. I have eliminated online banking, except for allowing people to pay me through direct deposit, which I confirm on my once a week trip to an actual bank.
Very occasional online purchases use a dedicated credit card.
The above, I believe, makes me a smol, challenging target, and I use the many, many attempts to phish me through text, email, and voice as practice sessions to refine my customer-facing presence, and answer all calls, and cheerfully deflect anything or anyone that is not a legitimate human and/or customer, in under 10 seconds.
Going forward I would train any office helpers to use the same methods on any work devices.
mentalgear
This scam is scarily well made and what terrifies me is how easily scalable it is across sectors (e.g. your bank) and with AI voice clones (like in the attached video they mentioned the new 11lab generation).