Mum got phished — Maybe

Turns out my mum might have been phished this evening. It was difficult to decipher the chain of events over the phone but by looking at the email she received I thought it worth a few words.

Exhibit A

The scam email. Without scrolling down, see what you can spot then take a look at the list below…

First theres the physical issues:

1. jam322@curranmor.org — what has curranmor.org got to do with anything Apple when it’s at home? And who’s jammin’?
2. Apple Id <>—Could Apple not find it? I doubt it.
3. Space between “[Report Statement” and “]” — Apple emails wouldn’t contain such errors.
4. Grammatical typos under ”Issues with this transaction” — Again, an issue of quality.
5. http not https — tread carefully wherever there be, http.
6. 1 forward slash after http: — syntactically incorrect
7. <#[email]#> — WTF
8. The Apple logo just looks crap.

Then there are the contextual issues:

1. Mum doesn’t own any Apple products
2. Pretty sure she’s never owned or played Mobile Legends Bang Bang or bought 1000 Diamonds

What might have happened?

Unfortunately, she did put her password into a website which is normally auto-populated with credentials stored in her browser.

Which means one of a couple of things:

1. Phishing happened.
2. She went to a slightly different login screen for some reason — you know how Microsoft has 38 different ways of logging in.
3. Her browser had a brain fart.

One very big issue for me, is that her email provider did not display any warning messages! She forwarded the email to me and Google Inbox displayed a thick red box a the top of my screen saying:

“Be careful with this message. It contains content that’s typically used to steal personal information.”

They even included a red icon with a fish hook.

The problem

Like the majority of people who use computers, they use a single password for everything. There are many, many problems with this which I won’t go into because the incredibly Troy Hunt has written about it countless times… have you put your email address into have i been pwned yet? Also read this blog post by him.

You might think your passwords are strong and random. If you thought of them, then chances are they are not, because you are human. Humans do not random.

A Solution

Until websites and apps improve the way they handle security, you should use a password manager!!!

I highly recommend 1Password. In fact today I turned off password storage in Google Chrome, because 1Password’s auto-complete feature is so effective.

On the face of it, it may sound like a lot of effort. But once your on this side of the fence I don’t think you’ll ever want to go back.

Convenience + increased security = MAJOR WIN!

It works for like this:

1. I have 1 password manager: 1Password.
2. Only devices I have gone to additional effort to allow access, can access it. This is a built-in feature of 1Password.
3. An additional layer of authentication is required each time I want to access credentials- a strong, memorised password on laptop, finger print on my phone.
4. Most of the time it remains unlocked, for example when I am at work. So it’s quick and easy to retrieve credentials.
5. 1Password auto-populates credentials in websites both on the computer, and in apps on my phone.
6. Every website, or app, or anything, or whatever else has a unique and strong password which is automatically generated by 1Password.

But Security, I don’t CARE

Worth caring. What if this:

1. Mum was phished, malicious person now has a password and her email address.
2. They now have access to her email - access to correspondences, documents, etc. Someone could use this to build up a story in order to dupe some other service, into believing that that they are her. They could send emails as her.
3. They probably have access to other websites… it’s very easy for hackers to try usernames and password combinations on countless websites very quickly.

Cheers Mum. Enjoyed writing this. Change your password.

Oh, I didn’t mention 2FA…