Most web sites, especially those for credit card companies, take account security very seriously. They ask us for security questions, and they notify us when something changes. Change your e-mail address? You get a notification – and it tells you to contact them if you did not initiate the change. All very good things, except... when those notifications are not legitimate.
Over the past few days, I’ve gotten two e-mail notifications asking me to confirm changes to my accounts – one from Apple, the other from American Express. Here’s the one from Apple:
On the surface, this notification looks like something I’d get from Apple. The URLs displayed in the message are actually correct. It really got my attention because I had not made any account changes. So naturally, my first instinct – and the first instinct of most people – was to click on one of the links to get it sorted out. That choice would have gotten me into a lot of trouble. There are six links in this message, and not one of them points to Apple. In fact, there’s a different link beneath each link shown in the message.
This kind of message falls into the world of phishing – impersonating a real site or company for the purpose of doing bad things. These “socially engineered” traps are designed to prey on people’s natural reactions or instincts, either in an attempt to trick you into surrendering personally identifiable information (like a user name, password, credit card number, etc.) or to take you to a web site that’s set up to inject a virus payload onto your computer. Either way, no good will come of it.
So how did I know that bad things were around the corner? I’m very security conscious when it comes to links sent to me, so I pay attention to the underlying URLs that are delivered. I also pay attention to who sends these links to me. Just like attachments, if you don’t know the source, don’t click them.
Most e-mail systems (Outlook, Notes, GMail, iOS, etc) provide a way to see the underlying destination. In most cases, it’s simply a matter of moving the mouse over the link text. Here are a few examples of how to do this:
For Lotus Notes, mouse over the link to see the target URL in the status bar at the bottom of the window – here’s the actual target URL for the iforgot.apple.com link text in the message:
For Microsoft Outlook, moving the mouse over linked text will display a little balloon with the target URL:
Believe it or not, this can also be done with mobile devices. For the iPhone and iPad, using a “tap and hold” gesture on a link in an e-mail message will display the following choices:
The same applies for Android-based smartphones: a “tap and hold” on a link will display a prompt to either share or copy the link, but the URL in play is displayed at the top of the prompt.
It’s unfortunate that there are so many out in Internet-land that have bad things in mind, so it’s worth just a little extra effort to pay attention to links that are sent to us. I received two messages in two days, and both looked very legitimate. So take the extra step when you’re not sure, because one wrong click can create a slew of new problems.