A Case Study in Phishing

A few days ago I received this email. I thought it was an excellent example of a phishing attack. If you’ve never heard of it before, phishing is a process where a bad guy sends you an email that looks legitimate in hopes that you’ll click on the link and give information to him that he can use to somehow screw you over or steal your money.

Here’s the email. Click to enlarge.

In this case, they’ve created an email that looks a lot like it came directly from Apple. It’s got the Apple Logo and the YouTube logo and, on first glance, looks official. It informs me that I’ve subscribed to YouTube Red for $149.99/month and it gives me a handy link to unsubscribe. There be the dragons. If I were to click on that link–I didn’t–it would ask me for my iTunes login or my credit card (or both), and then the bad guys would have my information. Game over.

The first tool you need in fighting Spam is common sense. YouTube Red does not cost $149.99/month, and a simple search will tell you that. If there is any question, also take a closer look at the details. The sender lists their name as “App Store” but disclosing the actual email address; it’s “noreply11@fillappealform.com”. Does that really sound like an address Apple would send you to confirm a subscription? Also, it lists “Payment Method” as “By Card”, not the usual xxxx-xxxx-1234 you usually see. It also creates this sense of urgency, explaining I’m on a free trial but I will be charged $150 in just two days if I don’t act. While I can see how this email may fool some people, on the barest scrutiny, it starts looking shady.

Screen Shot 2018-02-28 at 9.27.27 AM.png

If you ever find yourself tempted to click on any link in an email that involves a problem or access to any of your online accounts, stop and think for a moment. Then go to the source website itself and check. In this case, logging onto my iTunes account would show that I have not, nor have I ever, signed up for a YouTube Red subscription.

Finally, there’s nothing wrong with proving yourself wrong on this stuff. I recently got a “credit card expired” email from Squarespace. Rather than clicking on the link, I went and logged into my account and discovered that my credit card had, in fact, expired. Better safe than sorry.

Want to learn more? I wrote a book about email.