That advice is fine for the technically savvy but doesn't work for a lot of normal people who don't have the knowledge to mentally parse URLs.
https://getsupport.apple.com/customer?cvid=8c11bcc71f684b6ab405d4fa1e86c146
https://getsupport.apple.com.phish.xyz/customer?cvid=8c11bcc71f684b6ab405d4fa1e86c146
People just pattern match on the substring "apple.com" because they don't understand that the DNS system works right-to-left. Therefore, the second URL looks just as "legitimate" as the first one. I work with senior citizens and tried to explain how to parse the domain in the URL by looking for the first forward slash "/" after the "https://" and then scanning backwards, but they find that mental algorithm confusing and those instructions don't stick. (This is actually an area where some AI on phones/desktops could assist people in deciphering URLs or mark them as suspicious.)
The other problem with that advice is people can't "whitelist" the legitimate domains to look for because they don't know ahead-of-time what they are. E.g.:
- An Amazon verification email will be sent from "account-update@amazon.com". It's intuitive to predict something coming from "@amazon.com" so a mental whitelist filter works in that case.
- However, State Farm Insurance's legitimate login verification codes are actually sent from "noreply@sfauthentication.com" instead of the expected "@statefarm.com".
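As an added illustration of the two points above (the right-to-left rule for reading a URL, and the mental allowlist for sender addresses), here is example code written for this discussion; it is not code from any commenter. It parses the two sample URLs quoted above, compares the naive "does it contain apple.com" check with the right-to-left check, and applies the same domain extraction to the sender addresses mentioned. The `MULTI_LABEL_SUFFIXES` table is an assumed, illustrative stand-in for the real Public Suffix List, and the function names are my own.

```python
from urllib.parse import urlsplit

# Constructed samples, taken from the forms quoted in the thread: a legitimate Apple
# support URL and a look-alike that buries the real host name inside a subdomain.
LEGIT_URL = "https://getsupport.apple.com/customer?cvid=8c11bcc71f684b6ab405d4fa1e86c146"
PHISH_URL = "https://getsupport.apple.com.phish.xyz/customer?cvid=8c11bcc71f684b6ab405d4fa1e86c146"

# Assumed, illustrative subset of multi-label public suffixes. The real Public Suffix
# List (publicsuffix.org) has thousands of entries and is what a real tool should use.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def hostname_of(url: str) -> str:
    """The host is what sits between '://' and the first '/'. urlsplit also drops
    userinfo ('user:pass@') and a port number, which naive scanning can trip over."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    return host.rstrip(".").lower()


def registrable_domain(host: str) -> str:
    """DNS reads right to left: the registrar hands out the rightmost label(s) under a
    public suffix, and everything further left is chosen by whoever owns that name."""
    labels = host.lower().split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    if len(labels) <= suffix_len:
        return host.lower()
    return ".".join(labels[-(suffix_len + 1):])


def sender_domain(address: str) -> str:
    """Registrable domain of an email address such as 'noreply@sfauthentication.com'."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an address: {address!r}")
    return registrable_domain(domain)


def substring_check(text: str, expected: str) -> bool:
    """The mental shortcut the thread describes: is 'apple.com' anywhere in the string?"""
    return expected in text.lower()


def url_check(url: str, expected: str) -> bool:
    """The right-to-left rule: does the registrable domain equal what we expect?"""
    return registrable_domain(hostname_of(url)) == expected


def sender_check(address: str, allowed: set[str]) -> bool:
    """Allowlist check on the sender's registrable domain."""
    return sender_domain(address) in allowed


if __name__ == "__main__":
    for url in (LEGIT_URL, PHISH_URL):
        print(f"{url}\n  substring: {substring_check(url, 'apple.com')}"
              f"  right-to-left: {url_check(url, 'apple.com')}")
    # An allowlist built from intuition rejects a legitimate but unexpected sender.
    print(sender_check("account-update@amazon.com", {"amazon.com"}))
    print(sender_check("noreply@sfauthentication.com", {"statefarm.com"}))
```

The substring check accepts both URLs; the right-to-left check accepts only the first, because the registrable domain of the second is `phish.xyz`. The sender check shows the other half of the problem: it works for `@amazon.com` but rejects the genuine State Farm address, since the allowlist can only contain what the user already expects.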
OneDrive email attachments link to, I kid you not, 1drv.ms, or maybe it was 1drv.com…
Not to mention, they use .ms as if it’s their personal TLD, but obviously anyone can register a .ms domain. It’s like they want people to get phished.
We can teach people as much as we want about security against phishing. It won't matter because people have to break these rules constantly. Companies actively train people to fall for phishing by doing everything in their power to be indistinguishable from phishing themselves.
Meanwhile: “Microsoft support uses the following domains to send emails:
microsoft.com
microsoftsupport.com
mail.support.microsoft.com
office365support.com
techsupport.microsoft.com” [1]
[1] https://learn.microsoft.com/en-us/troubleshoot/azure/general...
The first time I got those I couldn't believe these were legitimate. Thank you Microsoft for teaching your customers how to fall for scams!
Another fun one is Facebook; they use facebookmail.com or whatever else for serious security stuff.
Or aka.ms
I don’t think they can pass DMARC, though.
My wife was almost scammed a few years ago. What tipped her off was how extremely good the "tech support" was. Real tech support is generally someone on a scratchy line, with a heavy accent, following an inappropriate script.
Even after she backed away, they sent a few follow-up snail mails, looking somewhat legit (cheap printer).
And then, this is important, look up the number for the customer service hotline online.
I feel like this is a simple solution that works 100% of the time.
I told him, next time call the number on the back of your card.
Luckily my parents are appropriately cynical and have not fallen for anything like that, but I know a couple of people of my generation who have (in the worst case losing 5K+ in savings, back when there was no onus on UK banks to take any responsibility for such fraud through their systems so it was properly lost to them).
If my family are anything to go by, they definitely target the elderly more than even one generation down (so it isn't just due to those of the younger generations often only having mobile phones and landlines are more targeted) because they know those tend to be more susceptible to the con and more likely to have some savings worth pillaging.
Also in DayJob, some of our C*s and others associated with them (PAs, office managers) have seen some pretty sophisticated phishing attempts, both targeting the business's dealings and their personal accounts. I get the impression that these are reducing in number ATM (or the filtering of them is improving) but that those coming in are making an increasing effort to be convincing.
Sure, I may be missing out on some opportunities. But the peace of mind is far greater.
I know that after a phone has been stolen, attackers want to gain access to an Apple account to remove the activation lock. But in this case, no devices had been stolen yet. The most they could do would be to… remotely mark the devices as stolen? Then ask the victim to pay to unlock them?
Seems easily digestible and approachable for a specific target audience.
"Thanks for the concern, I will call you right back"
If your bank calls you, you end the call and call them. Don't take suggestions for a contact address. You look them up, and you call them. Don't elaborate. The scammer is either an idiot and will try to call you telling you to stop, or smart and will fuck off. And if it was the bank, they'll, at best, pick right back up from where you left it, and at worst, learn better from the event.