Apple Gives Tips on Avoiding Phishing Scams Amid Warnings of New SMS Threat

[polyphenol]

I don’t want Apple reading my email regardless of the cause.

The software on your own machine could check for mismatches between displayed text and actual link and warn about it. It does NOT need any of the companies to look themselves.

Indeed, I'd be very happy if the software on my machines checked and warned me if I was passing on such mismatches. So that I could stop, edit, not send, send anyway, whatever I want.

 

[brett_x]

While I think it's good they have some kind of article about the threats, it's just a bunch of words on a page. I was hoping for something I could forward to my parents. Apple could do so much better. I'd like to see them do more.. like an advertising campaign. Maybe post a few videos on Youtube.

 

[kc9hzn]

"Smishing" is about the most un-menacing word I can think of. Beware of the Smishers! (by Dr. Seuss)

“Vishing” (voice phishing) isn’t much better!

But the iron rule of security still applies. Authenticate any message via a second communications channel. Get an email or SMS about a problem on your account that has a link? Don’t click on the link, enter the site’s address in your browser manually, log in, and check. Get an email from your bank about an account issue? Call the number on the back of your card or on your statement. Follow that rule, and you’ll stop 99.99% of attacks in their tracks. Get a voicemail claiming to be from your bank? Don’t call them back at that number, but go on their website and find their contact number. Now, obviously, this advice is harder to follow when it comes to spear phishing campaigns and high value targets (say, if you’re the target of state actors), but it’s a hard and fast rule for the vast majority of users.

For an additional level of security, you could always decline to click any links in email/SMS, even from “trusted senders”. And using a password manager to store randomly generated account passwords is another great idea. If you do inadvertently click on a phishing link, a password manager gives you an extra layer of protection (it won’t automatically populate the log in fields, since it’s not the website address the account was set up with, which is a red flag that the page isn’t the page you think it is).

 

[kc9hzn]

I thought messages go through apple servers, can't apple see one number is "robo calling" people and just block those messages.

SMSs and phone calls don’t go through Apple’s servers, they’re handled exclusively by the carriers (which is apparently not the case with RCS, incidentally). Plus, if carriers block a number, scammers will just spin up another number.

 

[macfacts]

I don’t want Apple reading my email regardless of the cause.

Everyone on your network (example: same neighborhood on cable ISP) can already read your emails, emails aren't encrypted.

 

[Apple_Robert]

Everyone on your network (example: same neighborhood on cable ISP) can already read your emails, emails aren't encrypted.

That is not an accurate statement.

 

[Apple_Robert]

The software on your own machine could check for mismatches between displayed text and actual link and warn about it. It does NOT need any of the companies to look themselves.

Indeed, I'd be very happy if the software on my machines checked and warned me if I was passing on such mismatches. So that I could stop, edit, not send, send anyway, whatever I want.

I am not opposed to what you stated here.

 

[kc9hzn]

Everyone on your network (example: same neighborhood on cable ISP) can already read your emails, emails aren't encrypted.

Yes and no, email at rest isn’t encrypted (unless you use PGP or something similar, or your email provider offers encryption at rest*). If you’re using SSL (which most email providers require) or you’re accessing webmail via an HTTPS connection, the IP packets are encrypted during transmission, though other users can see the handshakes, I don’t believe they can see the contents of the packet (though man-in-the-middle attacks still can occur if a malicious actor controls the access point). I also imagine that, while cable internet does mean you share a physical connection with your neighbors, I think your switch/router/cable modem prevents your neighbors from running, say, Wireshark on your connections. (The modem makes it so that these shared physical connections are disconnected in terms of network topography.)

* The actual text of your email isn’t encrypted (that’s what PGP does, encrypts email at every step of the chain), but there’s probably some whole disk encryption or file encryption going on. If the outbound email connection isn’t encrypted or the connection between two email providers is intercepted, then others can see the email in transit.

 

[Strebor]

I don’t want Apple reading my email regardless of the cause.

Neither do I. But I do want my mail app to do that, on device, without sending content back to Apple.

 

[DavidMalcolm]

Honestly, the lack of work done by large companies to cut down on scammers is a huge problem. The number of times I’ve talked to people who end up on a confusing scam website because they clicked on a Google ad for a major company that Google SHOULD have known wasn’t from that company and automatically blocked is staggering. Facebook is equally as guilty.

The fact that there haven’t been mandatory six month payout waits for in app purchases of gift card codes is nuts. The idea that Apple and Google are not required to refund people who buy these gift cards and give them to scammers is nuts to me.

Like how long has this been going on? There are easy steps that could have been put in place years ago that would have stopped these scammers from making tons of money to reinvest into their operations.

Even just a warning label in the back of all gift cards “these are gift cards, if someone over the phone asked you to purchase this and you did not buy this to use yourself or give to a friend and or family member, please return to a store for a refund with your receipt.”

The fact that phone companies aren’t legally required to provide any information about where a call is originating or how long that number has been assigned to that device is nuts. There’s so much that could be done automatically to prevent these scams, but it isn’t in the interest of stockholder value it’s in the interest of the good of society so nothing is done.

 

[polyphenol]

Honestly, the lack of work done by large companies to cut down on scammers is a huge problem. The number of times I’ve talked to people who end up on a confusing scam website because they clicked on a Google ad for a major company that Google SHOULD have known wasn’t from that company and automatically blocked is staggering. Facebook is equally as guilty.

The fact that there haven’t been mandatory six month payout waits for in app purchases of gift card codes is nuts. The idea that Apple and Google are not required to refund people who buy these gift cards and give them to scammers is nuts to me.

Like how long has this been going on? There are easy steps that could have been put in place years ago that would have stopped these scammers from making tons of money to reinvest into their operations.

Even just a warning label in the back of all gift cards “these are gift cards, if someone over the phone asked you to purchase this and you did not buy this to use yourself or give to a friend and or family member, please return to a store for a refund with your receipt.”

The fact that phone companies aren’t legally required to provide any information about where a call is originating or how long that number has been assigned to that device is nuts. There’s so much that could be done automatically to prevent these scams, but it isn’t in the interest of stockholder value it’s in the interest of the good of society so nothing is done.

For telephones, I have long thought that it should be possible to report the previous call on that line. Dial a special number and the systems collect the information and send it on to an investigation unit.