May 20, 2013

Watch Your Links

Most web sites, especially those for credit card companies, take account security very seriously. They ask us for security questions, and they notify us when something changes. Change your e-mail address? You get a notification – and it tells you to contact them if you did not initiate the change. All very good things, except… when those notifications are not legitimate.

Over the past few days, I’ve gotten two e-mail notifications asking me to confirm changes to my accounts – one from Apple, the other from American Express. Here’s the one from Apple:

On the surface, this notification looks like something I’d get from Apple. The URLs that are provided are actually correct. It really got my attention because I had not made any account changes. So naturally, my first instinct – and the first instinct of most people – was to click on one of the links to get it sorted out. That choice would have gotten me into a lot of trouble. There are six links in this message, and not one of them points to Apple. In fact, there’s a different link beneath each link shown in the message.

This kind of message falls into the world of phishing – impersonating a real site or company for the purpose of doing bad things. These “socially engineered” traps are designed to prey on people’s natural reactions or instincts, either in an attempt to trick you into surrendering personally identifiable information (like a user name, password, credit card number, etc.) or to take you to a web site that’s set up to inject a virus payload onto your computer. Either way, no good will come of it.

So how did I know that bad things were around the corner? I’m very security conscious when it comes to links sent to me, so I pay attention to the underlying URLs that are delivered. I also pay attention to who sends these links to me. Just like attachments, if you don’t know the source, don’t click them.

Most e-mail systems (Outlook, Notes, GMail, iOS, etc.) provide a way to see the underlying destination. In most cases, it’s simply a matter of moving the mouse over the link text. Here are a few examples of how to do this:

For Lotus Notes, mouse over the link to see the target URL in the status bar at the bottom of the window – here’s how the actual target URL appears for the iforgot.apple.com link text in the message:

For Microsoft Outlook, moving the mouse over linked text will display a little balloon with the target URL:

Believe it or not, this can also be done with mobile devices. For the iPhone and iPad, using a “tap and hold” gesture on a link in an e-mail message will display the following choices:

The same applies for Android-based smartphones: a “tap and hold” on a link will display a prompt to either share or copy the link, but the URL in play is displayed at the top of the prompt.

It’s unfortunate that there are so many out in Internet-land that have bad things in mind, so it’s worth just a little extra effort to pay attention to links that are sent to us. I received two messages in two days, and both looked very legitimate. So take the extra step when you’re not sure, because one wrong click can create a slew of new problems.

 
About the Author

A banker-turned-technologist, Sam is a programming and technology consultant and self-described electronic gadget freak. He’s been a personal computer user for nearly 25 years (think about that for a minute), and is someone who firmly believes that technology, when used the right way, makes life better for those who use it.

Comments

  1. This is SUCH useful information! Thanks for the “how to” on how to check the destination link.

  2. Bruce Alvarez says:

    I got the same note sent at work this morning sent around noon on 4/28/12. The status line in Firefox shows proper Apple URLs. However, I’m pretty sure you can set whatever you like in the status line.

    But – I left the house at 11 AM Saturday. Plus, I never sign in to my Apple account. I will have to ask my daughter if she went to iTunes after I left and if so, did she have to do anything. The note said it changed my birthday and security questions/answers. I can’t imagine she would change my birthday. Most of us are only born the one time. And she very likely would NOT know the answers to any of the security questions. I *ASSUME* that one would have to answer an existing question before being allowed to change it.

    Be assured I am NOT clicking any of the links.

    • You are correct, in that the status line can be manipulated – particularly in the browser. It’s just a little bit of JavaScript to do it. So for cases where you want to be sure what’s “under the hood”, here’s something else that can be done:

      Hover over the link
      Right mouse click and select “Copy Link Location” (which puts the underlying link in the clipboard)
      Open Notepad (or your text editor of choice) and paste the link from the clipboard for review.

      It’s a little clunky to do, but it will at least keep you safe.

      As for changes to things from iTunes – I agree, I think you’ve got some questions to ask.

  3. Kim Kiefer says:

    Another thing I have seen lately is where the link is the only thing in the email but there is no subject line. This happens when someone’s account has been hacked and they are using the account to send through. I have received these emails from my mom and my youngest daughter. If there is no subject line and all the email contains is a link, DELETE IT!! Then let that person know their account may have been hacked and that they should consider changing their password ASAP.
