We’re seeing an uptick in email phishing attacks purporting to come from Microsoft about Office 365. They’re quite convincing messages that tell users that their credit card payment has failed, that an account needs renewing, or that a password needs to be confirmed. Needless to say, they’re all complete scams, and clicking a link in them takes you to a malicious Web page that will try to steal your password or credit card details. As we noted in “Gone Phishing: Five Signs That Identify Scam Email Messages,” large companies never send an email asking you to click a link in order to log in to your account, update your credit card information, or the like. Hover over links to see where they go before clicking anything, and stay safe out there!
Have you ever gotten an emergency alert on your iPhone, telling you about an abducted child or public safety emergency? That’s the Wireless Emergency Alerts (WEA) system, at least in the United States, although some other countries have similar systems.
The WEA system enables authorized national, state, and local government authorities to send alerts about public safety emergencies to mobile devices in the affected area. Also included in the WEA system are AMBER Alerts designed to solicit public information when law enforcement is searching for a missing child. Some US states also broadcast Silver Alerts about missing adults, particularly senior citizens with Alzheimer’s, dementia, or other mental disabilities. The alerts are always meant to be useful, either to you or to law enforcement working on a case.
Unfortunately, the alerts aren’t always helpful or well targeted. Worse, they break through the Do Not Disturb cone of silence, and there’s no way to change their tones. You might not appreciate being woken up at 2 AM to be told to look for a white Ford that’s potentially associated with a missing child. Plus, although the AMBER Alerts are generally popular with the public, research suggests that they’re largely ineffective.
More concerningly, the loud noise that accompanies the alerts can be dangerous, either to your hearing if you’re wearing earbuds when the alert comes through, or to your life if you overreact while driving.
In iOS 12 in the US, you’ll see three categories of government alerts at the bottom of Settings > Notifications: AMBER Alerts, Emergency Alerts, and Public Safety Alerts.
In most countries, Apple lets you turn off all three categories, but you could still receive so-called “Presidential Alerts,” which are meant to reach everyone in the country during a national emergency. The Federal Emergency Management Agency, which manages the WEA system, tested the Presidential Alert system for the first time in October 2018.
What should you do? It’s entirely up to you, of course, but in most situations, it’s probably best to leave all three alert types enabled. If you find yourself being annoyed by repeated AMBER Alerts or Silver Alerts, particularly if you’re unlikely to be in a location where you could be helpful, you might want to toggle the AMBER Alerts switch off. But the Emergency and Public Safety alerts could be essential, especially if you’re in an area prone to hurricanes or tornadoes.
If you’ve already disabled the alerts because of poor targeting—being notified of something of concern only to people hundreds of miles away is just an interruption—you might consider turning them back on later this year, since the FCC requires carriers to improve the geo-targeting starting November 30th, 2019.
When you follow a link in Safari, you generally don’t know where you’re going to end up. That’s fine most of the time, but what if you’re concerned that a site might be trying to trick you into going somewhere malicious? Safari provides an easy way to look at the URL under a link. On the Mac, choose View > Show Status Bar, hover your pointer over the link, and look at the bottom of the window. In iOS, touch and hold a link (don’t press for 3D Touch) until a popover appears, showing the link and giving you options for opening it. The most important thing to look at is the domain—us.norton.com in the screenshots. It should match where you think you’re going, or at least look reasonable. If the URL is dubious, don’t follow the link.
A significant danger to businesses today is phishing—the act of forging email to fool someone into revealing login credentials, credit card numbers, or other sensitive information. Of course, phishing is a problem for individuals too, but attackers more frequently target businesses for the same reason as bank robber Willie Sutton’s apocryphal quote about why he robbed banks: “Because that’s where the money is.”
The other reason that businesses are hit more often is that they have multiple points of entry—an attacker doesn’t need to go after a technically savvy CEO when they can get in by fooling a low-level employee in accounting. So company-wide training in identifying phishing attempts is absolutely essential.
Here are some tips you can share about how to identify fraudulent email messages. If you’d like us to put together a comprehensive training plan for your company’s employees, get in touch.
Beware of email asking you to reveal information, click a link, or sign a document
The number one thing to watch out for is any email that asks you to do something that could reveal personal information, expose your login credentials, get you to sign a document online, or open an attachment that could install malware. Anytime you receive such a message out of the blue, get suspicious.
If you think the message might be legitimate, confirm the request “out of band,” which means using another form of communication. For instance, if an email message asks you to log in to your bank account “for verification,” call the bank using a phone number you get from its Web site, not one that’s in the email message, and ask to speak to an account manager or someone in security.
Beware of email from a sender you’ve never heard of before
This is the email equivalent of “stranger danger.” If you don’t know the sender of an email that’s asking you to do something out of the ordinary, treat it with suspicion (and don’t do whatever it’s asking!). Of course, that doesn’t mean you should be entirely paranoid—business involves contact with unknown people who might become customers or partners, after all—but people who are new to you shouldn’t be asking for anything unusual.
Beware of email from large companies for whom you’re an anonymous customer
Attackers often forge email so it appears to come from a big company like Apple, Google, or PayPal. These companies are fully aware of the problem, and they never send email asking you to log in to your account, update your credit card information, or the like. (If a company did need you to do something along these lines, it would provide manual instructions so you could be sure you weren’t working on a forged Web site designed to steal your password.)
Since sample email from large companies is easy to come by, these phishing attacks can look a lot like legitimate email. Aside from the unusual call to action, though, they often aren’t quite right. If something seems off in an email from a big company, it probably is.
Beware of email from a trusted source that asks for sensitive information
The most dangerous form of this sort of attack is spear phishing, where an attacker targets you personally. A spear phishing attack involves email forged to look like it’s from a trusted source—your boss, a co-worker, your bank, or a big customer. (The attacker might even have taken over the sender’s account.) The email then requests that you do something that reveals sensitive information or worse. In one famous spear-phishing incident, employees of networking firm Ubiquiti Networks were fooled into wiring $46.7 million to accounts controlled by the attackers.
Beware of email that has numerous spelling and grammar mistakes
Many phishing attacks come from overseas, and attackers from other countries seldom write English correctly. So no matter who a message purports to come from, or what it’s asking you to do, if its spelling, grammar, and capitalization are atrocious, it’s probably fraudulent. (This is yet another reason why it’s important to write carefully when sending important email—if you’re sloppy, the recipient might think the message is fake.)
One of the best ways to train employees about the dangers of phishing is with security awareness testing, which involves sending your own phishing messages to employees and seeing who, if anyone, falls for it. Again, if you need help doing this, let us know.
We don’t want to belabor the point, but multinational tech companies like Apple, Facebook, and Google will never call or text you personally out of the blue. So if you get a call or text purporting to be from such a company, it’s 99.9% likely to be a scam, and you should ignore it regardless of whether the caller ID seems legitimate. If you’re still worried, look up the company’s tech support phone number separately—never respond directly to such a call or tap a link in a text—and discuss the situation with the support reps. Or contact us, and we’ll talk it through with you.
Here is the easiest way to give someone your Wi-Fi network password. You know the drill—a friend comes to visit and wants to get on your Wi-Fi network. You’ve written the password down somewhere, but where? Even if you have it handy, it’s a pain for your friend to type in. Since macOS 10.13 High Sierra and iOS 11, Apple’s operating systems can make connecting a lot easier. Have your guest choose your network, and then put their device next to one of your devices that’s awake and connected to the Wi-Fi network. As long as you have a card in your Contacts app whose name matches your friend’s My Card in their Contacts, your device should ask if you want to share the Wi-Fi password with them. Just tap Share Password when prompted and you’re done!