Spot the Fake Email

Many fake email messages try to get you to click on a link that takes you to a web site that will try to do bad things (nab your passwords, steal credit card numbers, install malicious software).

A good rule to follow is never click on a link in an email message, but let’s be honest: we all click on email links when we think we know better.

Learn to spot the fakes and you’ll be much safer.

I recently got a fake Apple email that has several warning signs:

  • Close-but-not-quite-right sender’s email
  • Subject line that makes you panic
  • Not addressed directly to your email address
  • Slick images are old or for the wrong department
  • Salutation does not include your first name
  • Typographical errors
  • Grammar or usage errors, especially errors common to non-native speakers (missing “the”, for example)
  • Mistakes in layout (a closing line with a comma but no signature)
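
The header and layout signs in the list above can be checked mechanically. This added example (not from the original post) parses a constructed plain-text message with Python's standard email module; the function name, the panic-word list and the sample addresses are assumptions, and typos, grammar and stale images are left to the reader's eye.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample, not the message described in the post.
SAMPLE = """\
From: Apple Support <support@apple-id-verify.example>
To: customer-list@apple-id-verify.example
Subject: URGENT: Your Apple ID has been suspended

Dear Customer,

We detected unusual activity in you account. Click link below to verify.

Regards,
"""

# Assumed word list for "subject line that makes you panic".
PANIC = re.compile(r"\b(urgent|suspended|locked|immediately|unauthorized)\b", re.I)

def warning_signs(raw, my_address, my_first_name, brand, brand_domains):
    """Return the warning signs from the list above that the message shows.

    Assumes a single-part, plain-text message."""
    msg = message_from_string(raw)
    signs = []
    display, sender = parseaddr(msg.get("From", ""))
    domain = sender.rpartition("@")[2].lower()
    # Sender uses the brand's name, but the domain is not one the brand owns.
    owned = any(domain == d or domain.endswith("." + d) for d in brand_domains)
    if brand.lower() in (display + " " + sender).lower() and not owned:
        signs.append("lookalike sender")
    if PANIC.search(msg.get("Subject", "")):
        signs.append("panic subject")
    # Real account mail is addressed to you, not to a list or a stranger.
    to_cc = msg.get_all("To", []) + msg.get_all("Cc", [])
    if my_address.lower() not in [a.lower() for _, a in getaddresses(to_cc)]:
        signs.append("not addressed to you")
    lines = [l.strip() for l in msg.get_payload().splitlines() if l.strip()]
    if lines and my_first_name.lower() not in lines[0].lower():
        signs.append("generic salutation")
    # A closing such as "Regards," with nothing after it.
    if len(lines) > 1 and lines[-1].endswith(","):
        signs.append("closing without signature")
    return signs

if __name__ == "__main__":
    for sign in warning_signs(SAMPLE, "pat@example.com", "Pat",
                              "Apple", ("apple.com", "icloud.com")):
        print("warning:", sign)
```

A message that trips several of these at once deserves the reporting step described next; a single hit on its own is weak evidence.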

If you spot a fake email, it helps everyone if you report it to the company that provides your email. Usually this is as simple as forwarding the message to a special email account. Most companies use abuse@ their domain name to accept reports.

For example, if you get one of these malicious email messages at an Apple-provided email address (like me.com or icloud.com), forward it to reportphishing@apple.com or abuse@icloud.com. Read more at Apple's support article "Identify and report phishing emails and other suspicious messages". 

Google requires that you use their tool to report, which means you have to log into your Gmail from a computer.

Another Day, Another Zero-Day Exploit

August is a slow news month, especially for technology, so the press jumped all over the serious security problems (and their fix) announced by Apple this week.

The problems are serious; by clicking a single link, your entire iPhone can be remotely “jailbroken”, potentially allowing someone else access to the entire phone (all contents, location, camera, and microphone). The particular incident involved two things:

  1. Trident, a series of exploits that makes a device accessible (including "zero-day", or previously unknown, vulnerabilities), and
  2. Pegasus, a commercial spyware package from NSO Group that is sold exclusively to government agencies. 

(If you want more details, read the Executive Summary and Conclusion of The Million Dollar Dissident from Citizen Lab, the Canadian research laboratory that researched this event.)

What Should You Do? Update Immediately.

Apple announced an update to iOS that closes the door on Trident. So to protect yourself, update all of your iPhones and iPads to iOS 9.3.5 as soon as possible.

(Not sure what version you are running? On your device, go to Settings > General > About > Version.)

Before you update, make sure you have a current backup either on your computer via iTunes or in iCloud Backup.


Corrected 2016-08-28: Apple’s patch addresses the Trident vulnerability, not Pegasus.

Warning: New Email Scam

Apple World Today alerted me to a This Is Money article warning about a new outbreak of fake Apple (and Netflix) emails. They look legitimate, listing recent “purchases” that can be disputed by clicking a link where you are invited to enter banking and other account details (this is called phishing).

Ignore them.

If you are concerned about unauthorized Apple purchases, you can use iTunes on a Mac (or PC) to check and report problems. Apple Support has an article that explains how to see your purchase history in the iTunes Store.