Lately, a bunch of folks have been targeted by phishing emails that look pretty darned convincing. The messages tell you that you’ve got a document of some type waiting to be viewed, and when you click the link, you’re taken to a website that asks you to log in with your email credentials. Do so, and your account information is compromised. Pretty soon, your Gmail account (or whatever) will start sending out its own versions of those phishing emails to your contacts. Fun!
There are many variants of this scam, and some are more real-looking than others. Here’s one I received recently:
The page this link directs to looks official enough that it’d fool a lot of people:
That’s some smart evildoing right there. Not only can it capture Gmail login info, but if you don’t happen to have a Gmail account, you can conveniently give the bad guys the passwords to your other accounts, too! And check it out—if you click on “Other emails,” there’s yet another way to give them your data!
How very awesome.
So how do you avoid this scam? The easiest way to do so is just to never click on a link in an unexpected email, especially if it seems suspicious. Note that in the message I received above, I wasn’t addressed by name, and the grammar wasn’t great. Those are big red flags. And if the site you see when you click a link looks strange or poorly designed, be wary.
Another good habit to get into is hovering over links in Apple Mail before you click them—that, at least, will tell you where they go.
You can't always depend on that, though: in a recent phishing attempt, scammers hosted their files on Google Drive, so the URL itself looked legitimate.
Another prevention tip is to contact the person who sent you a link before you click it if you’re not expecting anything from him or her. And depending on what email service you’re using, you could set up two-step verification so that it’s way less likely that someone could break into your account. Here’s how to do it in Gmail, for example, and here are instructions for configuring it for your Apple ID.
Now, what do you do if you’ve already fallen for one of these scams, and your contacts start flooding you with complaints about the messages your account is sending? First of all, change the password for the account in question as soon as possible. Make sure it’s a complicated password, and don’t pick anything related to what you had before the trouble started (so avoid the password “kitty1234” if you were using “kitty123”). Then, unfortunately, if you’re using that same email/password combo in other places, you’re gonna need to change those, too. And it might be worth giving some thought to any confidential information that you've sent from that email account—have you ever emailed someone your credit card number? Your bank account info? You see how much of a hassle this can be.
Here's one final piece of advice: If you get a suspicious email, take a moment to text or call the friend whose account may have been compromised. Believe it or not, I saw a recent scammer who set up filters on the target's account to block messages informing him of the breach—so emails with words like "hacked" were getting sent straight to his trash. It's a scary world out there, dear readers, so tread carefully, and be suspicious of email links you run across.
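To check an account for the kind of hidden filter described above, here is an added example (not from the original article) that scans an exported Gmail filter file for rules that trash, archive, mark as read or forward messages containing breach-warning words. The export layout (an Atom feed with `apps:property` elements), the keyword list and the sample data are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Words a breach warning from a contact is likely to contain (assumed list).
WARNING_WORDS = {"hacked", "phishing", "scam", "spam", "compromised", "virus"}
# Actions that keep a matching message out of the owner's sight.
HIDING_ACTIONS = {"shouldTrash", "shouldArchive", "shouldMarkAsRead", "forwardTo"}
MATCH_FIELDS = ("hasTheWord", "subject")

# Constructed sample export: one ordinary rule, one rule like the one described.
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <title>Mail Filter</title>
    <apps:property name='hasTheWord' value='hacked OR phishing OR "is this you"'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
</feed>"""


def suspicious_filters(export_xml):
    """Return (criteria, actions, matched_words) for each rule that hides warnings."""
    findings = []
    for entry in ET.fromstring(export_xml).iter(ATOM + "entry"):
        props = {p.get("name"): p.get("value", "")
                 for p in entry.iter(APPS + "property")}
        criteria = " ".join(props.get(f, "") for f in MATCH_FIELDS).lower()
        words = {w.strip('"()') for w in criteria.split()}
        matched = sorted(words & WARNING_WORDS)
        actions = sorted(a for a in HIDING_ACTIONS
                         if props.get(a) not in (None, "", "false"))
        if matched and actions:
            findings.append((criteria.strip(), actions, matched))
    return findings


if __name__ == "__main__":
    for criteria, actions, matched in suspicious_filters(SAMPLE_EXPORT):
        print(f"REVIEW: {criteria!r} -> {actions} (matches {matched})")
```

Any rule it reports that you don't remember creating should be deleted before you change the password, and forwarding addresses you don't recognize deserve the same treatment.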