Video Summary
In This Tutorial
Part 6 of The Practical Guide to Mac Security explains social engineering and phishing attacks, how they trick you into handing over passwords and even two-factor codes, and the basic rules that prevent them.
Intro
- Social engineering is a technique where the attacker uses you rather than a weak or stolen password, so even strong passwords and two-factor authentication can be circumvented if you give up the information yourself.
How A Phishing Attack Works
- A phishing attack often arrives as a mass email that looks legitimate, claims there is an urgent problem, and provides a link to a fake site that looks real and asks for your user ID and password.
- The fact that the email seems to know which bank you use is just a coincidence that comes from sending out millions of messages, and once you enter your credentials on the fake site they have been captured regardless of what the page shows next.
Example Phishing Emails
- One example imitates Amazon with the real logo and a fake high-priced order to create urgency, pushing you to call a fake number or click fake links where you are asked to hand over account or credit card details.
- Another imitates Apple with a link that appears to go to appleid.apple.com, but hovering the cursor reveals it actually points to a URL redirect elsewhere, leading to a convincing fake login page.
Other Phishing Channels
- Phishing does not only come by email; it can arrive as a text message, a phone call claiming something is wrong with your computer or account, a fake alert ad on a legitimate webpage, or even a physical letter in the mail.
Getting Around Two-Factor Authentication
- A more complex attack relays your login through a fake site: you enter your credentials, the attacker uses them on the real site to trigger a genuine two-factor code sent to you, and when you enter that code on the fake site they capture and use it immediately.
- A simpler version is a phone call, perhaps claiming to be from the phone or insurance company, that says a code is being sent; the code actually comes from the real site the attacker is logging into, and reading it back to them completes their login.
How To Prevent It
- Never click links in emails, texts, or messages; instead go directly to a site using your own bookmark or by typing the URL.
- Using a password manager helps because it will not offer a saved password on a fake look-alike site, and not answering calls from unknown numbers avoids phone-based scams; if a caller claims to be your bank, use the official number you already have, since caller ID can be faked.
- Do not assume you can always spot a phishing attempt by bad grammar or obvious signs, because a convincing fake can look perfect, so always rely on the basic rules instead.
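As an added illustration (not code from the video or from MacMost) of the hover check in the Apple example above and of the "never click links" rule: a small Python checker that pulls every link out of an HTML email body and flags those whose visible text names one domain while the href actually points at another. The sample email body is constructed, and the redirect host in it is a placeholder.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body: the visible link text names appleid.apple.com,
# but the href goes to a placeholder redirect host (as in the video's Apple example).
SAMPLE_EMAIL_HTML = """<p>Someone tried to sign in with your Apple ID.</p>
<p>Review activity at <a href="http://redirect.example.invalid/r?u=abc">appleid.apple.com</a></p>
<p>Questions? Visit <a href="https://www.apple.com/support">www.apple.com/support</a></p>"""

# Matches something that looks like a hostname inside the visible link text.
_HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in the HTML."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def href_host(href):
    """Hostname the browser would really connect to for this href."""
    return (urlparse(href).hostname or "").lower()


def find_mismatched_links(html):
    """Return (visible_text, shown_host, real_host) for each link whose text
    names a domain that differs from the domain the href actually targets."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for text, href in parser.links:
        match = _HOST_RE.search(text)
        if not match:
            continue  # link text is not a domain, so there is nothing to compare
        shown, real = match.group(1).lower(), href_host(href)
        if shown != real:
            flagged.append((text, shown, real))
    return flagged


if __name__ == "__main__":
    for text, shown, real in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"MISMATCH: text shows {shown!r} but the link goes to {real!r}")
```

Running it on the sample flags only the first link; the second link's text and href agree, which is exactly what hovering the cursor would have shown.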
Summary
In social engineering and phishing, you are the weakness, and attackers can defeat even strong passwords and two-factor authentication by convincing you to hand over your information through fake emails, sites, texts, calls, ads, or letters; the reliable defense is to never click links, use a password manager, avoid unknown callers, and always reach a service through its official site or number rather than anything contained in a message.
Video Transcript
Hi, this is Gary with MacMost.com. This is Part 6 of my course The Practical Guide to Mac Security. This course is brought to you free thanks to my Patreon supporters. Go to MacMost.com/patreon to find out more. Join us and get exclusive content and course discounts.
So Social Engineering is a technique where somebody tries to get access to your computer or accounts by using YOU. So they are not relying on a weak password or stolen password but, in fact, you are the weakness when it comes to social engineering. So it doesn't really matter if you have a strong password. It can be strong, random, unique but social engineering they can still get that from you because you've given up the password. Also, if you have two-factor authentication that can also be circumvented with social engineering. Here's one way a social engineering attack can happen.
This is also called a phishing attack. So you get a mass email. It looks legit. It's coming to you. Usually these emails say that there's some sort of problem. That somebody has tried to break into your account or somebody has ordered something or there's an issue and you need to log on. They want to create a sense of urgency. They want to throw you off your guard. There's usually a link there to click to login. So you go, click the link and you end up at what looks like a legitimate website. Maybe it's telling you to log into your Facebook account or your Amazon account or your bank's account. Don't mistake the fact that they seem to know that you have an account at a certain bank as some sort of legitimacy. They probably sent out thousands, millions of emails and just the random fact that you happen to have an account at that bank is just a coincidence. Maybe you also get some for other banks and you dismiss those easily. They're looking for quantity. They just want to send out millions of emails and be able to get a few passwords.
So you're at this webpage that looks legit. They ask you for your user ID and password and you enter that in. What happens next doesn't matter. It may tell you that the problem is resolved. It may redirect you to the real website where it looks like you just have to login again, like maybe it didn't accept that user ID and password. It doesn't matter because at that point they've got you. As soon as you entered your user ID and password you've just sent it off to them. So they know how to get into that site.
Here's an example of an email that you may get. This one looks like it comes from Amazon and it has the Amazon logo in it. It looks very official. It looks exactly like an email you may get from Amazon. Notice how it creates a sense of urgency because it's showing you, hey your PlayStation 4 Pro console is shipping and it's arriving tomorrow. Then it puts in an address of somebody you don't know. It's probably even a person that does not exist. It shows you it's going to cost a bunch of money and your immediate thought is, I didn't order this. This person shouldn't get this PlayStation off of my credit card. So what should I do? What do I need to do? Well, there's a phone number there that, of course, is a fake phone number. There's also a link to those. You can click on those. Those are fake links and they will take you somewhere where you'll be asked to login or perhaps if you call Customer Service they may tell you that you need to give them your Amazon ID and Password or maybe the credit card number. You know you may be so upset and trying to stop this that you may give it to them not realizing, of course, that this is all fake and the whole point was to get you to call them or go to this webpage so that you could hand over some of your information.
Here's another one. It seems to come from Apple. This one is a little easier to see through because it's coming from an address that's not Apple. It's got the Apple logo. It seems maybe it's legit and it's telling you that, oh somebody tried to login using your Apple ID. This may make you upset and you may want to click on where it says appleid.apple.com which is a legitimate place where you would go to look into something like this except that if you actually move your cursor over it you'll notice that it's not going to that website at all but to, in fact, what looks like a URL redirect in India. So it could take you to a page that looks very much like Apple's site and once you enter in your Apple ID and your password then they've got you.
Now phishing attacks don't have to come as an email. They can come as a text message. They could come as a phone call and often do. People will call you and tell you that something is wrong with your computer. Something is wrong with an order for Amazon or something is wrong with your bank account. The attack is the same. It's just somebody on the phone rather than this email going out. It could even be an ad on a webpage. So you go to a webpage. It's a legitimate webpage but an ad that has slipped into the advertising network for that site says there's a problem with your computer or something like that. It pops up and it looks like it's an alert to you and you need to do something. This could even be used in the real world as a physical letter that you get in the mail. As a matter of fact often you get scams like this where there are letters that pretend to be from your insurance company or from your credit card company or from, perhaps, even your bank that ask you to contact them and it has nothing to do with your bank at all.
Now you could also use a phishing attack to get around two-factor authentication. It's a little more complex. Here's a complex way they do it. You end up at a fake site and you enter your User ID and Password. Then, of course, it's going to prompt for two-factor. Now since this is a fake site it won't know what your two-factor is. So what happens at that point is your user ID and password are sent off to the malicious individuals that are trying to steal from you and they will go to the real site and enter that user ID and password. That in turn generates a two-factor code which is sent to you. So you get it. You were expecting it. Now you are still at the fake site and it asks for that two-factor code. You enter it in and all that is doing is that fake page is sending it to the same malicious individuals that you've always been in communication with at this website. They get the code and they quickly enter it in and while you have access to nothing because you're at a fake site, they have access to the real site. You could start this any way you want. It can start with a mass email to a bunch of people and it can go through this process. It can be a phone call. All sorts of ways.
A simpler way that this can happen is say somebody already has the user ID and password for you. Maybe they've gotten it some other way. Maybe through a data breach. They go to login to your Facebook account, your Amazon account, your bank account and they are hit with a two-factor code. But in addition to the information that they have they can easily find a phone number for you. They just maybe use the name that's in your email address, look it up, find a phone number. You get a phone call. Now this phone call may not seem to come from whatever it is they're trying to break into. Say they are trying to break into your bank. They may not say that at all. They may say they're from the phone company or your insurance company or from somebody completely different saying they are just doing some sort of test and they are going to send you a code. Then sure enough your phone buzzes and you see the code there. Now they said they are going to send you a code and there's a code. But it doesn't mean that they sent you the code. What they were doing is when they said they were going to send you a code they tried to log onto your bank's site and the code was sent from your bank to you. Now, they ask you for the code. You give it to them and they can complete their log on to your bank's site.
So with social engineering you could see you're the weakness. None of this can happen unless you are actually volunteering this information. How can you prevent this from happening to you? Well, there are a variety of different ways.
First, of course, don't click on links in anything. Any emails, text messages, websites. If you get a message and you want to investigate further go directly to that site. In other words if you get a message from your bank don't click on the link in the message. Instead go to your bookmark for that bank or type the URL for that bank to go and log into your account. Disconnect what you're doing in your web browser from the message that you've got by not clicking on a link to go from one to the other.
Using a Password Manager helps as well because if you do accidentally forget this rule and click on a link you'll end up at a site that might look a lot like your bank's site but, in fact, maybe slightly different. Maybe barely different. You could read the URL a million times but not tell that there's one letter off of it. But a Password Manager wouldn't recognize the website and would say it doesn't have a password for that URL.
If you get a phone call my advice is always don't answer the phone if you don't know who is calling you. If the caller ID isn't one that you recognize then there's no reason to answer the phone. If it's important they'll leave a message but most, if not all, phone calls that you get from numbers that you don't know, that you're not associated with, are going to be either spam or scams. So the best way to avoid those is just don't answer the phone. Most times phishing attempts they won't even leave a message. They want to talk to somebody live. But if they do leave a message and they give a phone number don't call back that phone number. If they identify themselves as coming from your bank or from Amazon or from whatever use the official numbers that you already have for those. Don't use the number that they tell you in the phone call or the caller ID number. Remember caller ID numbers can always be faked. So even if the number comes up as an official number for your bank on caller ID, it doesn't mean it's coming from your bank. That can easily be faked.
Also, never assume that you could detect when you're the victim of a phishing attack. A lot of people go and say, well it's easy to tell when you're seeing a phishing attack. The email has bad grammar in it or there are mistakes or you could see at the top it's not from Amazon or eBay or PayPal or whatever. Don't assume this because there's no reason that there has to be grammatical mistakes or things like that. The email can actually look absolutely perfect. You saw in that email that looked like it came from Apple how the link looked like it was actually from Apple. It was only when I moved my cursor over it that it said it wasn't. That URL could actually be made to look very close to a real Apple URL. So I think it's a mistake to always look for telltale signs of a phishing attack.
Always stick to the basic rules by not clicking on the links, by using a Password Manager, by not answering the phone, and by always going to either the website or phone number that's the official one, not the one connected to whatever message that you received.