In this world of online digital commerce, cybersecurity is very important. Most breaches happen because credentials are compromised – not intentionally, but through a phishing attack. Phishing refers to the fraudulent practice of sending emails purporting to be from reputable companies to induce individuals to reveal personal information, such as passwords and credit card numbers. It can also be used to get the victim to download malware or ransomware.
I recently received such a mail, and I am sharing this so people can look for signs in the mail or elsewhere, to recognize the phishing attempt.
The Ploy
Surprise the victim, create a sense of panic! Here is a screenshot of the mail I received. I hadn’t made any purchase at 2:17 AM on 31st March. The expected behaviour is that the victim will get flustered – did my account get hacked?
The victim is puzzled; now nudge him to open the document with the details.
This was the content of the attached doc:
The clickbait is here: the hyperlinks “Report a problem”, or “click here” to cancel your purchase.
The unsuspecting victim is lured into accessing a phishing site where he/she may end up disclosing sensitive information like passwords or credit card details. Remember that an Indian payment gateway is required by RBI regulations to use an OTP, but an international payment gateway does not come under the purview of the RBI and will allow the card to be used as long as all the details on the card are available.
***
So let me attempt to decode this phishing attempt. There are many tell-tale signs, and if you catch even one of them, you should be suspicious.
The email Header
Note that the logo shows “Apple Notice”. Genuine companies take every opportunity to reinforce their brand, and therefore if this was a mail from Apple, I would have seen an Apple logo instead of “A N”.
Look at the sender’s address. Even though you see apple.co.cl, be aware that it is not apple.com. The manage-support2839 part of the address is also a flag. Suspicious.
Click on the “more” in the header, and you will see:
Note the misspelt “no reply” and note also that the domain is very different now! There is amazon.com towards the end of the string of letters, but this is not the same as receiving a message from <address>@amazon.com. Suspicious!
The email body
The “Yesterday” was March 31, 2022, and the mail said the payment “will be made on Mar 30, 2022”!
Note that the mail does not refer to me by name, just a “Dear Customer”. If it were from Apple, they would surely address the customer by name.
If you have made purchases from iTunes or Apple Store in the past, you would have some idea about how the invoice is presented. So pause and review whether the email looks genuine.
If you don’t recollect the genuine mail, then maybe you will go to the next stage and open the attached file.
The Receipt
Zoom in a bit: the logo is not sharp – not a genuine Apple logo.
Look at the way the text is formatted. Companies take pride in the way they craft their messages; they don’t make such mistakes. Of course, one must be cautious that scamsters will get savvier and more polished and remove such errors.
Note that in a genuine document or email, all the items below would be hyperlinks, and not just plain text.
But the most important thing to remember: do not click the hyperlinks. Hover the mouse over them – in this case “manage your password” or “click here to cancel your purchase”. In this example, I saw that the hyperlink was:
Note that the link now points to a site in New Zealand! Whenever you see href.li at the start of the URL supposedly sent by a reputed company, that should always be a red flag. Someone is trying to obfuscate and hide. Best to stay away from it. Mark the email message as Spam.
If you are looking at such a document on a mobile phone, a long click on the URL should show you the link. If it doesn’t show, be wary and do not click!
Some of the more intelligent browsers may be able to flag the site and warn you to stay away, but this may not always be the case.
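The two header and link checks described above (a sender domain that only resembles the brand's real domain, and a hyperlink that hides behind a redirector such as href.li) can be scripted. The following is an added example, not code from the original post; the brand-to-domain mapping, the redirector list and the sample headers and links are constructed for illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlparse

# Brand names and the only domain each legitimately sends mail from
# (assumed mapping for this example; extend it for your own mailbox).
BRAND_DOMAINS = {"apple": "apple.com", "amazon": "amazon.com"}
# Redirector hosts that hide a link's real destination, as href.li does above.
REDIRECTORS = {"href.li"}


def registrable_domain(host):
    """Last two labels of a hostname: 'mail.apple.co.cl' -> 'co.cl'.
    Adequate for these samples; a real tool would use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_sender(from_header):
    """Return flags for a From: header whose address is not the brand's domain."""
    flags = []
    name, addr = parseaddr(from_header)
    host = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    domain = registrable_domain(host)
    for brand, real in BRAND_DOMAINS.items():
        # 'apple' in the display name or anywhere in the host (apple.co.cl,
        # or amazon.com buried mid-string) while the real domain differs
        if (brand in name.lower() or brand in host) and domain != real:
            flags.append("%s named, but sent from %s rather than %s"
                         % (brand, host or "(no address)", real))
    return flags


def check_link(href, brand):
    """Return flags for a hyperlink that does not lead to the brand's own site."""
    flags = []
    host = (urlparse(href).hostname or "").lower()
    domain = registrable_domain(host)
    if domain in REDIRECTORS:
        flags.append("link hides its destination behind redirector " + host)
    elif domain != BRAND_DOMAINS[brand]:
        flags.append("link points to %s, not %s" % (host, BRAND_DOMAINS[brand]))
    return flags


if __name__ == "__main__":
    # Constructed samples modelled on the mail discussed in the post.
    print(check_sender('"Apple Notice" <manage-support2839@apple.co.cl>'))
    print(check_sender('no-reply <noreply@tracking-amazon.com.example.net>'))
    print(check_link("https://href.li/?https://login.example/", "apple"))
    print(check_link("https://www.apple.com/", "apple"))  # -> []
```

The two-label domain check is deliberately simple; a genuine mail from a subdomain such as email.apple.com still passes, while apple.co.cl and a host with amazon.com buried in the middle are both flagged.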
Where else to look?
One of the first places I checked was whether I had received any notification from the bank that has provided me the credit card. They will always keep you posted on the purchases made using the instrument, via SMS or email. I hadn’t received any. I then logged into the banking app on my mobile where my card is linked, and checked whether there was any transaction posted there. There wasn’t any.
These data points will confirm that there is no purchase made against your credit card, no credentials are compromised, and therefore there is no reason to panic.
Other Phishing Techniques
The example I have cited above is phishing via email, trying to create a sense of panic. Scamsters use alternative mechanisms as well. Phishing via phone calls is called vishing, and phishing via SMS messages is called smishing. I will write about these in another blog.
The instances of credentials being compromised because of a technical hack are very rare – it requires a lot of work. But in most cases, you will find that the psychological play on the victim’s mind results in the leak of sensitive information. The main ploy remains the same – create a sense of panic, or lure the victim with the promise of a reward. In both cases, the rational mind is not in control, increasing the chances of a mistake.
Enjoy the convenience, with caution
The two main things to keep in mind:
* Be aware that genuine companies / banks will not ask for your credentials or OTP – whether by phone call, mail or SMS.
* Be aware that there is no free lunch!
So, as described, if any of the checks you do raises a red flag, remember “When in Doubt, Throw it Out!” Stay away from the clickbait offered by these phishy fellows, and continue to enjoy the convenience and benefits of digital commerce with confidence.
Title pic credit : Webroot
Thanks. Very true, these are possible.