A significant danger to businesses today is phishing—the act of forging email to fool someone into revealing login credentials, credit card numbers, or other sensitive information. Of course, phishing is a problem for individuals too, but attackers more frequently target businesses for the reason given in bank robber Willie Sutton’s apocryphal quote about why he robbed banks: “Because that’s where the money is.”
The other reason that businesses are hit more often is that they have multiple points of entry—an attacker doesn’t need to go after a technically savvy CEO when they can get in by fooling a low-level employee in accounting. So company-wide training in identifying phishing attempts is absolutely essential.
Here are some tips you can share about how to identify fraudulent email messages. If you’d like us to put together a comprehensive training plan for your company’s employees, get in touch.
Beware of email asking you to reveal information, click a link, or sign a document
The number one thing to watch out for is any email that asks you to do something that could reveal personal information, expose your login credentials, get you to sign a document online, or open an attachment that could install malware. Anytime you receive such a message out of the blue, get suspicious.
If you think the message might be legitimate, confirm the request “out of band,” which means using another form of communication. For instance, if an email message asks you to log in to your bank account “for verification,” call the bank using a phone number you get from its Web site, not one that’s in the email message, and ask to speak to an account manager or someone in security.
Beware of email from a sender you’ve never heard of before
This is the email equivalent of “stranger danger.” If you don’t know the sender of an email that’s asking you to do something out of the ordinary, treat it with suspicion (and don’t do whatever it’s asking!). Of course, that doesn’t mean you should be entirely paranoid—business involves contact with unknown people who might become customers or partners, after all—but people who are new to you shouldn’t be asking for anything unusual.
Beware of email from large companies for whom you’re an anonymous customer
Attackers often forge email so it appears to come from a big company like Apple, Google, or PayPal. These companies are fully aware of the problem, and they never send email asking you to log in to your account, update your credit card information, or the like. (If a company did need you to do something along these lines, it would provide manual instructions so you could be sure you weren’t working on a forged Web site designed to steal your password.)
Since sample email from large companies is easy to come by, these phishing attacks can look a lot like legitimate email. Aside from the unusual call to action, though, they often aren’t quite right. If something seems off in an email from a big company, it probably is.
Beware of email from a trusted source that asks for sensitive information
The most dangerous form of this sort of attack is spear phishing, where an attacker targets you personally. A spear phishing attack involves email forged to look like it’s from a trusted source—your boss, a co-worker, your bank, or a big customer. (The attacker might even have taken over the sender’s account.) The email then requests that you do something that reveals sensitive information or worse. In one famous spear-phishing incident, employees of networking firm Ubiquiti Networks were fooled into wiring $46.7 million to accounts controlled by the attackers.
Beware of email that has numerous spelling and grammar mistakes
Many phishing attacks come from overseas, and attackers from other countries seldom write English correctly. So no matter who a message purports to come from, or what it’s asking you to do, if its spelling, grammar, and capitalization are atrocious, it’s probably fraudulent. (This is yet another reason why it’s important to write carefully when sending important email—if you’re sloppy, the recipient might think the message is fake.)
One of the best ways to train employees about the dangers of phishing is with security awareness testing, which involves sending your own phishing messages to employees and seeing who, if anyone, falls for them. Again, if you need help doing this, let us know.
We don’t want to belabor the point, but multinational tech companies like Apple, Facebook, and Google will never call or text you personally out of the blue. So if you get a call or text purporting to be from such a company, it’s 99.9% likely to be a scam, and you should ignore it regardless of whether the caller ID seems legitimate. If you’re still worried, look up the company’s tech support phone number separately—never respond directly to such a call or tap a link in a text—and discuss the situation with the support reps. Or contact us, and we’ll talk it through with you.
Here is the easiest way to give someone your Wi-Fi network password. You know the drill—a friend comes to visit and wants to get on your Wi-Fi network. You’ve written the password down somewhere, but where? Even if you have it handy, it’s a pain for your friend to type in. Since macOS 10.13 High Sierra and iOS 11, Apple’s operating systems can make connecting a lot easier. Have your guest choose your network, and then put their device next to one of your devices that’s awake and connected to the Wi-Fi network. As long as you have a card in your Contacts app whose name matches your friend’s My Card in their Contacts, your device should ask if you want to share the Wi-Fi password with them. Just tap Share Password when prompted and you’re done!
Have you gotten an email message whose Subject line says something like “Change your password immediately! Your account has been hacked.”? If not, it may be only a matter of time before you do. It’s a scary message, especially because it contains one of your passwords, some threats, and a demand for money. Worse, the password is likely one you’ve used in the past—how could the hacker have discovered it? Has your Mac really been taken over?
Relax. There’s nothing to worry about.
This “blackmail spam” has been making the rounds on the Internet recently—we’ve heard from several clients who have received it, and we’ve gotten copies too. The message purports to be from a hacker who has taken over your Mac and installed spyware that has recorded you visiting Web sites that aren’t exactly G-rated. The hacker also claims to have used your Mac’s camera to photograph you while you’re browsing said non-G-rated sites and threatens to share those pictures with your contacts and erase your drive unless you pay a ransom using Bitcoin.
This blackmail spam has raised so many pulses because it backs up its claims by showing a password that you’ve used in the past. Hopefully, it’s not one that you’re still using, because it was extracted from one of the hundreds of password breaches that have occurred over the past decade. Impacted Web sites include big names such as Yahoo, LinkedIn, Adobe, Dropbox, Disqus, and Tumblr—thieves have collectively stolen over 5.5 billion accounts. It’s all too likely that some old password of yours was caught up in one of those thefts.
Concerning as the message sounds, all the details other than your email address and password are completely fabricated. Your Mac has not been hacked. There is no malware spying on your every move. No pictures of you have been uploaded to a remote server. Your hard drive will not be erased. In short, you have nothing to worry about, and you should just mark the message as spam.
However, if you’re still using the password that appeared in the message, that is cause for concern. It means that any automated hacking software could break into the associated account, and it must be a weak password if the bad guys were able to recover it from the stolen password files. Go to Have I Been Pwned and search for your email address. If it shows up for any breaches, make sure you’ve changed your password for those accounts.
As always, we recommend that you create a strong, unique password for each of your Web accounts. The easiest way to do this is to rely on a password manager like 1Password or LastPass to generate a random password. Then, when you want to go back to that site, the password manager can log you in automatically. It’s easier and more secure.
If you’re still concerned about your passwords, call us and we can help you get started with stronger security practices.
Potential clients sometimes ask why they should work with us instead of solving their own problems or hiring an employee to manage their IT infrastructure. It’s a fair question, and we’re happy to answer it in more detail if you want to chat. But here are a few of the reasons why working with an Apple professional is the right decision. All these revolve around the fact that we’ve been investigating and fixing tech problems for a long time, we’re constantly working to stay up with the latest changes, and we’re good at what we do.
The biggest reason to hire an expert to solve your problems is that we can save you time. If you’re an individual, it’s time you can spend on your real job, with your family, or on your hobbies. For companies, it’s time you aren’t taking away from your firm’s line of business.
Aside from the fact that we’ll be doing the work to fix your Mac or get your network operational instead of you or one of your employees doing it, we’ll probably be able to finish more quickly than someone who’s not steeped in the field. Would you prefer to spend hours on something that would take us half the time?
As an individual, it might seem counterintuitive that paying us will save you money, but it’s often true. If you buy the wrong hardware or software, that’s a waste of money that could be avoided with our advice ahead of time. For instance, no matter how many ads you see, never get suckered into buying MacKeeper.
For companies, the financial savings are more obvious. Most companies don’t have extra employees just waiting to solve tech problems, and hiring a dedicated IT staff will cost vastly more in salary, benefits, and overhead than outsourcing to us.
It’s easy for businesses to understand the importance of avoiding downtime. If your phone system is down, customers can’t call. If your point-of-sale database gets corrupted, you can’t take orders until the backup has been restored. And so on—the point of working with a top-notch Apple professional is that we can help you avoid problems that would cause downtime, and if catastrophe does strike, get you up and running as soon as possible.
Individuals might say they’re not too worried about downtime, but how long could you go without being able to send or receive email if Mail’s settings get wonky? Or what would your family think about not having Internet access while you back out of a bad firmware upgrade to your router?
Avoid Incorrect Information
Google is a godsend for figuring out weird problems, but it can also lead less experienced people down dead-end paths. If you don’t have years of experience, it’s easy to find a Web page or YouTube video that sounds helpful but makes the problem worse.
For instance, lots of Web articles have advised force-quitting iOS apps to increase battery life, improve performance, and more. Unfortunately, that advice is wrong—force-quitting apps generally hurts battery life and reduces performance. Only force-quit an app when it’s misbehaving badly or not responding at all. Ask us before assuming something you’ve read online is helpful or even correct.
Benefit from the Big Picture View
Because we live and breathe technology, we have a broad and current view of what’s happening both in the industry and with our other clients. We know what new products or services might be the best solution to any given problem, and we can take advantage of our experience with one client to help another.
For example, Apple has officially discontinued its AirPort line of Wi-Fi routers, so we’ve been comparing mesh networking alternatives, including Eero, Plume, Orbi, AmpliFi, Velop, and more. If you’re using an AirPort base station now, ask us which alternative makes the most sense for your installation.
More specifically, because we put the time into understanding your personal or corporate technology footprint, we can use our experience to ensure that everything we recommend will work well together. If you’re buying into HomeKit automation in a big way, for instance, you should stick with Apple’s HomePod smart speaker rather than competing products from Amazon and Google.
We hope we haven’t come off as cocky here—we’re certainly not perfect. But we are good at what we do, and we’re confident that we can help solve any technical problems you may have.
Touch ID lets users register up to five fingers that can unlock an iPhone, which has long been a boon for those who share access to their iPhone with trusted family members. However, users of the iPhone X haven’t been able to give a second person Face ID-based access, forcing those people to wait for Face ID to fail and then tap in a passcode manually. iOS 12 lifts that limitation, allowing a second person to register their face with Face ID on the iPhone X and the new iPhone XR, XS, and XS Max. To set this up, go to Settings > Face ID & Passcode. Enter your passcode and tap Set Up an Alternate Appearance. Then give your iPhone to the person who should have access and have them follow the simple setup directions.