When Phishing Stops Looking Like Phishing

Matt Mullenweg, the co-founder of WordPress, almost got hooked by an Apple ID phishing scam in March. He wrote up the whole thing on his blog, and it’s a story everyone using an Apple ID should read.

This wasn’t a sloppy email with broken English asking him to confirm his account before midnight. The scam stacked four pieces of work that, taken together, looked almost identical to legitimate Apple security activity.

First, his Apple Watch, iPhone, and Mac all started buzzing at once with prompts to reset his Apple ID password. He hadn’t asked for any reset. Someone was bombing Apple’s real password reset flow against his account, hoping he’d tap “Allow” on one of the alerts out of confusion or fatigue.

Then the scammers called Apple Support themselves, pretending to be Matt. They claimed he’d lost his phone and needed to update the number on the account. Apple did what Apple does. They generated a real case ID. They sent legitimate emails from real Apple servers. Those messages landed in Matt’s inbox, properly signed, looking exactly like Apple emails should look.

A few minutes later, a text came through with a link to a site called audit-apple.com, asking him to review and cancel the pending request. The page was a pixel-perfect Apple replica. It displayed the real case ID from the actual Apple emails. It even showed a fake transcript of the scammer’s call to Apple, stitched in to make the page look like a transparent record of legitimate support activity.

Then a phone call, with a spoofed Apple caller ID, finished the play: a calm, professional voice introduced himself as Alexander from Apple Support. He didn’t sound like a scammer. He sounded like Apple.

Matt caught it. He started poking at the phishing page and noticed that any case ID he typed in returned the same result. The site wasn’t validating anything. Once he saw the trick, he confronted the caller, who hung up.

Most people would not have caught it.

Matt Mullenweg runs a major tech company. He has Lockdown Mode turned on across his devices. He thinks about security all day. And he got close to clicking through.

The old phishing detection rules are showing their age. We were trained to look for typos, weird grammar, sketchy URLs, and broken logos. Those tells worked when scams were cheap and lazy. They don’t work anymore.

AI has changed the economics. Generating clean copy in any language costs nothing. Cloning a website is automated. Voice synthesis can put a convincing support agent on the line. An attacker can pull your background off LinkedIn and old blog posts in minutes. The friction that protected most of us has collapsed.

So the rules have to change with it. A few things I now do without exception:

  • If someone calls claiming to be from Apple, my bank, or any service, I hang up and call the official number myself. Always. No matter how legitimate the caller sounds.
  • If I get a password reset prompt I didn’t trigger, I don’t tap anything. I open the app or website directly and check the account from there.
  • If a text or email asks me to click a link to “review” or “cancel” a request, I treat it as hostile until proven otherwise. I get to the service the long way around.
  • I keep two-factor authentication on hardware keys for the accounts that matter most. A phishing site on the wrong domain gets nothing usable out of a hardware key, because the key’s response is bound to the real site’s origin and to a one-time challenge.

None of this is foolproof. Matt’s case shows what a well-resourced attacker can put together when they decide you’re worth the trouble. The defenses just have to be good enough to make the attacker move on to an easier target.

Constant vigilance.

“How to Avoid a Scam” From the FTC

After writing a few weeks ago about seniors’ particular vulnerability to online scams, I heard from several readers who are actively working to educate seniors about the risks they face. The stories in those emails indicate that things are worse than I thought, and that seniors are even less aware of these risks than I imagined.

Reader Lisa sent a link to this excellent document from the FTC, which you can get in PDF or printed form:

How To Avoid a Scam | FTC Bulkorder Publications

Phishing in the Age of AI: Why Seniors Are at Risk

I recently reviewed the FBI’s Internet Crime Complaint Center 2024 report, which revealed $16.6 billion in reported losses (a 33 percent increase) and over 859,000 complaints last year. The most frequent victims? Our oldest generation.

It wasn’t so long ago that phishing emails were easy to spot: terrible spelling, awkward phrasing, even comically bad graphics. That’s no longer true. Thanks to AI, scammers can now follow up a perfectly crafted email with a synthesized voice call that talks you through every step of the con. If you’re lonely or vulnerable, it’s terrifyingly convincing.

I experienced this firsthand just recently. I received what appeared to be an urgent notice claiming I owed a substantial amount to the IRS. The email was flawless, and the automated voicemail that followed sounded almost human. My gut told me it was a scam, but I still called my accountant—because who isn’t paranoid about the IRS? If these tricks can shake my confidence, imagine how easily they might break through to a less tech-savvy senior.

Be careful out there; the bad guys are getting smarter. Forewarned is forearmed.

For practical tips on spotting and avoiding phishing scams, check out the FTC’s guide on recognizing phishing. And if you’ve got loved ones in the older demographic, AARP’s scam prevention resources are a must-read: AARP: Scams and Fraud.

Why not talk to your elderly parents this weekend about phishing scams?

A Case Study in Phishing

A few days ago I received this email. I thought it was an excellent example of a phishing attack. If you’ve never heard of it before, phishing is when a bad guy sends you an email that looks legitimate, hoping you’ll click on the link and hand over information he can use to take over your account or steal your money.

Here’s the email.



In this case, they’ve created an email that looks a lot like it came directly from Apple. It’s got the Apple logo and the YouTube logo and, on first glance, looks official. It informs me that I’ve subscribed to YouTube Red for $149.99/month and gives me a handy link to unsubscribe. There be dragons. If I were to click on that link (I didn’t), it would ask me for my iTunes login or my credit card (or both), and then the bad guys would have my information. Game over.

The first tool you need in fighting phishing is common sense. YouTube Red does not cost $149.99/month, and a simple search will tell you that. If there is any question, take a closer look at the details. The sender’s display name is “App Store”, but the actual address behind it is “noreply11@fillappealform.com”. Does that really sound like an address Apple would use to confirm a subscription? It also lists “Payment Method” as “By Card”, not the masked card number (xxxx-xxxx-1234) a real receipt shows. And it manufactures urgency, explaining I’m on a free trial but will be charged $150 in just two days if I don’t act. While I can see how this email may fool some people, on the barest scrutiny it starts looking shady.


[Screenshot of the email’s sender and payment details, captured 2018-02-28]

If you ever find yourself tempted to click on any link in an email that involves a problem or access to any of your online accounts, stop and think for a moment. Then go to the source website itself and check. In this case, logging onto my iTunes account would show that I have not, nor have I ever, signed up for a YouTube Red subscription.

Finally, there’s nothing wrong with proving yourself wrong on this stuff. I recently got a “credit card expired” email from Squarespace. Rather than clicking on the link, I went and logged into my account and discovered that my credit card had, in fact, expired. Better safe than sorry.

Want to learn more? I wrote a book about email.