6 Things That Can Be Faked To Compromise Your Security

The weakest link in your computer security is often you. You'll receive fake emails, text messages, warnings and social media invitations that are attempts to break into your computer or online accounts. Know what to look for and how to protect yourself.

You can also watch this video at YouTube (but with ads).

Video Transcript: Hi, this is Gary with MacMost.com. Today let me tell you about six things that can be faked in order to get into your accounts or your computer. 
MacMost is brought to you thanks to a great group of more than 900 supporters. Go to MacMost.com/patreon. There you can read more about the Patreon Campaign. Join us and get exclusive content and course discounts. 
Now everybody is concerned about security when it comes to your computer and your online accounts. But a lot of people ignore the most vulnerable thing, which is YOU. You being tricked into giving away information so that people can get into your computer or accounts. They usually do this by faking something. So here are six things that can be faked in order to trick you into giving up your information. 
The first one is email. Email can be easily faked. The address that you can see in the From field in an email can totally be faked. Just because is says it's from somebody or from a company doesn't mean anything. An email can be sent from any source and have a different source in From. It's the same as if you got a physical piece of mail and somebody wrote a different return address in the upper left hand corner or on the other side of the envelope. They can write anything they want there. It's the same with email. You can have anything in that From field and it doesn't mean that the email is from that location. So an email may look like it's from your bank or from a shopping site or social media site and it could be from anybody. Now this is called a Phishing Attack. The main point of this kind of attack is to trick you into thinking you've gotten an official email from someplace but the email actually contains a link to a completely different place, a malicious server, that's going to try to steal your information. So the email may look completely legitimate. All of the text and graphics may look identical to emails you usually get from the source. But a link in there is going to lead to a different location. You may actually have a bunch of links in there and all of them, except one, may lead to the legitimate web site for that service. But you click that one wrong link and now you go to another web site that looks like the legitimate web site and you enter your ID, your password, and now they have that information. 
Never trust your eyes to confirm that a link is correct. They could be really tricky replacing just one letter and making it so that at a glance, or even after a long look, it looks like the real URL to that web site. They can even put a period right at a certain spot where it blends in with another letter and you think you're going to an actual website but you're going somewhere else and you're giving someone else your password. Often they try to make the email as stressful as possible. For instance it may be an email from your bank saying your account is overdrawn or it may be from a shopping website saying your account has been closed or some large item has been ordered and it's on its way. They try to stress you out so you forget about security, click on a link in there to take care of the problem and before you know it you've given your password to some malicious site. 
So how do you protect against this? First, don't trust links in emails. Instead go a bookmark you have for the actual site for that actual service or type the URL in manually if it's simple enough. Don't click on the link in the email. Also password managers help because a password manager matches a domain name with an ID and a password. If the link is fake well the password manager is not going to find a match for it in its database. So it's not going to have an ID or password for that which is going to tip you off that it was actually a fake email and a fake link. 
Next, we have phone calls. I hope you know that caller ID can totally be faked both the phone number and the name that comes up. So something may seem to come from a company you do business with but it's not necessarily the case. So if somebody calls you immediately be suspicious and don't give them any information. Keep in mind they may try to convince you that they are the real company by giving you information but a lot of your information is publicly available. Just because they know your address or some information about your account doesn't mean it's the legitimate company calling you. Don't trust any number they give you to call back or any web site they tell you to go to. Instead go and look up the phone number for that company. You probably have it on a bill or if you log into your account you can see a phone number. You can call their customer service department. Do that instead of talking to whoever calls you on the phone. As a matter of fact it's best to let those calls go to voicemail. Listen to the voicemail. Ignore the number they give and the number on caller ID and call the customer support number. 
Now a common use for this is for someone to call you and to tell you there's a problem with your computer to make you panic so that you give them access to your computer and now they can do all sorts of things. Apple will never call you to tell you there's a problem on your Mac. They don't know. They're not monitoring you. Your internet service provider will never call you either. Nobody will call you and tell you there's a problem and try to help you fix it. All of those calls will be fake. If someone calls and asks you for money, even if it's from a company that you know, hangup on them. It's almost always a scam. Just go to the web site or call the customer support number that you have for that company and talk to them that way. 
Now also, of course, text messages can be faked just as easily as phone numbers. The number calling you can be faked. The caller ID can be faked. Don't trust anything that you get in a text message from somebody you don't know or is asking you to log onto a web site or telling you there's a problem. Call the official support phone number for whatever company it is or go to their web site and look at your messages on there. Never click a link that you get in a text message from a company. The same is true for social medial messages too. This is rare but it is possible to get fake messages like that on systems like What's App, SnapChat, Facebook, Twitter, all of that. There are ways to get in there and trick you into thinking a text message is real. 
Now another thing that can be faked that fewer people know about are web sites. A web site can be fake. You can go to the right URL, look at that web site, but you're not looking at that web site. Now this would happen if you were on some WiFi that's been compromised. So not your home WiFi, probably not work or school either. But maybe using WiFi in a coffeeshop or other location. They can change what's on the router so that when you go to a web site you are not actually going to a real one. You're being redirected to a malicious server somewhere else. It looks just like the regular web site. It asks you to log on. You enter your password and ID and now you've given them your password to that site. Password managers won't protect you against this because they can't possibly know that you're at the wrong site. It looks to you, and to them, that you're at the right site. So how do you protect against that? Well, first it's rare so you don't have to worry about it too much. But basically don't try to log onto any site or click on a link in an email to anything important if you are on WiFi you don't trust. So if you happen to be out, say, at a coffeeshop and you get an important email and you need to log onto your bank or something like that, don't do it there. Wait until you go home or maybe switch to your own mobile provider for internet access. You know use your iPhone's hotspot instead of the local WiFi to make sure that doesn't happen. 
Also, of course, using two-factor authentication will protect you from this. It won't protect you at that moment. You'll still be able to log onto the fake web site or not log on as the case may be. But if somebody takes your password and tries to use it later on they won't be able to get on because they don't have the second factor, the code you'd be getting on your phone. 
Here's another one that most people don't think about. Social Media accounts can be faked. So what happens here usually is somebody sees a public social media account, like a Facebook account, there's the picture, there's the name. They go and create a new Facebook account with the same picture, that same name, and then they see who the real account has as friends. Then they Friend Request all of those people. So you get a friend request from somebody you actually know and you accept it. The email is legitimate. It's actually coming from the real social media service. But it's not the real person. It's a fake person. For months you may not hear again from that account or they may post some innocuous things and it really doesn't ring any alarm bells. But then all of a sudden that account asks you for help, asks you for money, asks you to go to a web site, all sorts of things. One way to protect yourself is to check with that person to make sure they really have setup a new social media account. Maybe check to see if you are already are friends with them. That's a sure signal that this new account is a fake account. 
You can make sure your name and photo aren't used in this kind of scam by making your social media accounts private. So somebody who's not your friend can't see information about you and, in particular, can't see who your friends are. So this can't be used to actually then ask people to be the friend of this new fake account. 
Now in addition to web sites being fake you can also have fake alert show up on real web sites. So you have probably have seen this. You go to a web site and you see on there that your Mac may have a virus. Click here to diagnose or something like that. These are just fake alerts. A web site cannot possibly know that your machine has any problems at all. It doesn't have access to it. It only is displaying information for you to see. These are quite often just advertisements for downloading some sort of anti-virus software or something like that. But in the worst case scenario they are really malicious. In some cases they are not ads but the web site itself has been compromised. Whoever owns the web site doesn't notice it because maybe they log on and they don't see it. But then when someone like you goes to the web site you get shown this alert that isn't supposed to be there and you think, oh something is wrong with my computer. I need to click on this link and do something like that. 
If you're ever shown any information on a web site that you may have malware, a virus, or anything like that, it's fake! It can't know, it can't possibly know, just ignore it. Maybe consider going to a different web site if that seems to be persistent on that one because there's obviously a problem with that web site. It's go nothing to do with you. Just seeing these doesn't mean that there's anything wrong with your Mac at all. There's nothing you need to do except ignore it and maybe stop going to that site. 
So there are six things that can easily be faked to trick you into giving up account information or computer access to somebody else. Now one final thing that covers all six of these is a lot of web sites give bad advice in that you should look at spelling and language in all of these to determine if something is fake. If words are misspelled or grammar is really bad inside of the message then that's a sign that this is a scam and not real. But that's really bad advice because it can just as easily be perfect. It can use perfect grammar, perfect spelling. If you trust it because the grammar and spelling are perfect then that could lead to trouble. It's very easy for them to get it all right or even just copy a real message from the real service and now it looks perfect. So, don't follow that advice. Don't look for spelling and grammar mistakes. Just always be suspicious of whatever email, phone call, text message, or any communication that you get that it may not be real, that it may not come from who it says it comes from, and that it may be trying to steal your login information or get access to your computer.

Comments: 10 Responses to “6 Things That Can Be Faked To Compromise Your Security”

Wayne D Moore

4 years ago

Well done ! You are a GREAT resource ! !

Michael

To not be tricked by look-alike domain names, see the rules for domain names (in gory detail) at DefensiveComputingChecklist.com. Its the first topic.

To defend against fake websites (really a DNS issue) set your web browser to use an encrypted DNS service. My experience has been that this over-rides the DNS specification from the router. You can verify that your preferred DNS provider is really being used at any of the DNS tester sites listed here
https://routersecurity.org/testdns.php

robert briton

great advice us seniors can never be careful enough

Lindy

Gary ...you are awesome. This is million dollar advice (figuratively speaking, since I can't pay up)... thanks so much for creating this video. When I get emails from my bank or investment company I NEVER click on anything in the email. I go to my bookmarks and use the link I put in. Saves a lot of worry.
If I get an email from someone I don't know I click forward instead of opening it.... is this method any good?

Gary Rosenzweig

Lindy: Using bookmarks is good. But why the "forward" technique? Is it because the email contents appear as text in the message instead of loading anything? I wouldn't worry about that. Try have to trick you into downloading something, going to a site or calling a phone number. Just viewing the message won't hurt.

The destination of links can also be faked
Hover a mouse over a link - just don't trust the results
https://michaelhorowitz.com/HoverOverLink.php

Thanks for your reply, Gary, on my not so clever trick to see what's in email. I also have "load images automatically" turned off ...as they can know you opened their email that way.

Jasper

I’m not aware of it happening but I remember hearing about the risk of non-latin characters, being used in latin-character URLs. Similar to adding periods or leetspeak, 1/l.

E.g, , υ ν η ο are all Greek but could pass for u v n o in a URL.

Gene

Great content. You stated that Password managers check something to ensure authenticity. Do you know if KeyChain checks?

Gene: Not sure what you mean by "authenticity."

Comments Closed.

6 Things That Can Be Faked To Compromise Your Security

Comments: 10 Responses to “6 Things That Can Be Faked To Compromise Your Security”

Welcome to MacMost

Free Weekly Newsletter

MacMost Online Courses

Keyboard Shortcuts PDF

Connect with MacMost

MacMost Sections

Popular Tutorials

Information