You've been hacked
We are the weakest link. It’s embarrassing but true.
Last night a friend was starting a yoga class when she got a call from someone claiming to be Apple, saying her account had been hacked. The nice guy wanted to get it fixed and proceeded to “confirm” details. Among those details was her login password.
“I knew that was wrong the instant I said it,” she told me.
She rushed home to her computer and proceeded to change all her passwords. When she called me, I walked her through a check of her Apple account to see if any data had been changed, and I suggested she contact Apple support to flag her account in case of any unusual activity with her iTunes, App Store and Apple Store purchases. Fortunately, it looks like the only damage was the inconvenience and trauma of the experience. Once she realized the mistake, she acted quickly to plug any holes.
Some other friends have not been so fortunate. More than one has ended up in an hours-long conversation, with the scammer granted access to their computer, where they can rummage around for all sorts of data. It’s unnerving and scary.
The thing is that these scammers have become very good at deception and at playing on the fears that we all feel about our risk in a digital world. A visit to Snopes.com shows that this Apple hoax is widespread and that even the caller ID on mobile looks like an authentic Apple logo.
There are also email versions of these scams, masterpieces that look even more legitimate than the company’s own emails. I got a “FedEx” email asking for updated credit card information and was 90% of the way through completing a form before I thought to check the sending email address. Of course it was not from FedEx at all.
If one of these calls or emails finds you at a moment when you are distracted or rushed, anyone can fall for it.
But that’s also the good news, because for these scams to work, you have to participate. By applying some basic rules of engagement, you can easily sidestep the situation and reduce the risk to virtually nothing.
Here are 5 tips to take control:
ALWAYS INITIATE THE CALL YOURSELF - If you receive a call from a company and they ask for any passwords, logins or financial information - basically anything you wouldn’t share with your taxi driver - ask them for a case number and/or personal ID and offer to call them back at a published support number. It’s the only way to really know if you are talking to the real company.
CHECK THE SENDER’S EMAIL ADDRESS / LOG IN THROUGH A KNOWN LINK - Most email software shows you a name in the FROM field that can be set up to show anything. If you click and hold on the dropdown arrow or the name itself, you will see the actual email address. If the address has no connection with the company, then it’s a no-brainer. Hit Delete. Also, prudence says not to click on any link in the email. Better to go to the company site and log in as you usually do to update any data.
CHECK ONLINE FOR KNOWN SCAMS - Most situations can wait 10 minutes for you to do a quick fact check. Snopes.com is a great resource to research scams, rumors, and suspicious activity. These sophisticated phishing attempts have enough scale to be known on the internet and will show up in a quick Google search. In the case of the Apple scam, the caller warned my friend of “suspicious activity” on her iCloud account. A search for “Apple suspicious activity” on Google returned a page full of references describing the scam.
TAKE YOUR TIME - Rushing you into a snap decision is what makes these scams work. It only takes a few minutes to gather your thoughts, look for holes in the logic or urgency, and do some quick independent research.
BE PASSWORD PROACTIVE - Using a different password for each login and 2-factor authentication is probably the best way to secure your data. Then at least you only expose one account if your login data gets out. Consider using a password manager to keep track of your account logins as online security issues become more complex. Yes, it’s a little bit of a nuisance, but not as much as a hacked account.
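The display-name trick in the sender’s-address tip above is easy to check mechanically. This is an added example, not code from the original post: it splits a From header into the name the sender chose to show and the actual address, and flags a brand name that does not match the address domain. The brand list in EXPECTED_DOMAINS and the sample headers are constructed assumptions, not official company lists.

```python
from email.utils import parseaddr

# Constructed list of domains a reader would expect mail from for each brand.
# This is an assumption for the example, not an official list from any company.
EXPECTED_DOMAINS = {
    "FedEx": {"fedex.com"},
    "Apple": {"apple.com"},
}


def domain_matches(domain: str, expected: set[str]) -> bool:
    """True if domain is an expected domain or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in expected)


def check_from_header(from_header: str) -> dict:
    """Compare the display name in a From header with the real address.

    The display name is free text the sender controls; the domain after the
    final '@' is what actually identifies the sending mailbox.
    """
    display_name, address = parseaddr(from_header)
    # rpartition takes the text after the LAST '@', so a brand name smuggled
    # into the local part ("fedex.com@...") does not count as the domain.
    domain = address.rpartition("@")[2].lower() if "@" in address else ""
    claimed = next(
        (b for b in EXPECTED_DOMAINS if b.lower() in display_name.lower()), None
    )
    suspicious, reason = False, "no known brand claimed in display name"
    if not address:
        suspicious, reason = True, "no parsable address in From header"
    elif claimed and domain_matches(domain, EXPECTED_DOMAINS[claimed]):
        reason = f"address domain matches {claimed}"
    elif claimed:
        suspicious = True
        reason = f"display name claims {claimed} but address domain is {domain!r}"
    return {"display_name": display_name, "address": address,
            "domain": domain, "suspicious": suspicious, "reason": reason}


if __name__ == "__main__":
    # Constructed sample headers, modelled on the kind of mail described above.
    for header in (
        '"FedEx Billing" <billing-update@fedex-secure-payment.example>',
        "Apple Support <no_reply@email.apple.com>",
        "FedEx <fedex.com@mail-relay.example>",
    ):
        print(check_from_header(header))
```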
Keep in mind that you are not alone in this. Every company that does business online - like, everyone - wants to eliminate security issues and password theft because it impacts the customer experience. For instance, the Apple support page offers multiple security tips as well as ways for their customers to report phishing scams. See: https://support.apple.com/en-us/HT204759. American Express, Amazon.com and other companies do the same.
Here’s a final tip. Take a few minutes and note which accounts are your most important for day-to-day activity and for financial exposure. Give these your best, most secure passwords and be proactive about changing them from time to time. Use 2-factor authentication on top of that. Then, even if you happen to get caught unaware in one of these phishing schemes, just the effort of sharing your long, complex, hard-to-duplicate password will give you the time to really consider what’s going on, hang up on the guy, and get back to your yoga class.