1/17/25
9:00 am

Phishing Attacks: How They Work and How To Protect Yourself

Phishing attacks come into our email inboxes almost every day. Learn what they are, how they work and how to protect yourself. Learn how AI may be making phishing attacks even worse.

You can also watch this video at YouTube (but with ads).

Video Transcript: Hi, this is Gary with MacMost.com. Let's talk about the most common type of online scam, the Phishing Attack, how to protect yourself and how AI is going to make it worse!
So at this point I think just about everybody has seen a phishing attack. I hope you haven't fallen victim. A phishing attack is when you get either an email or a text message or a message in some other system claiming to be from some company or service. But it is really not. The message is fake. It's not from that company. It is sent by a scammer, usually using a system to send out thousands of them at a time. Most of the time it contains an urgent message. Like you owe somebody money or something is wrong with one of your accounts and you need to fix it immediately. Usually they look pretty legitimate. The idea is to scare you into thinking it's real and want to take action right away. What these messages are doing is trying you to click on a link or call a phone number in the message. Of course you're not contacting a real company. You're contacting the scammer. Often you're going to a fake website that looks just like the actual website and it is asking you to login entering your ID and password. But what you're actually doing is giving your ID and password to a scammer so that they can then use it to log into the real website and pretend that they are you. Most of the time it is about links. Sometimes it is about calling a phone number. Other times they just want to get you to reply to the message so that they can start a conversation and extract information from you. 
If you fall for it then the scammer has your ID and password and now can get into that account. It could be a social media account so now they can pose as you or it can be a financial institution in which case they can use the ID and password to steal your money. Now I'm going to show you some examples in a minute. But first I want to talk about some bad advice that is out there. There are a ton of articles and other videos that will tell you how to spot phishing attacks. But a lot of the advice they give is wrong because it won't prove whether or not the message is, in fact, a phishing attack. For instance a lot of times they will tell you to look at the From email address. Indeed, in many cases the from address doesn't make sense. It's coming from a company a company, say, Apple, but yet the from address isn't from Apple. However, it's easy to fake the from address in an email. So, it may appear to be legitimate but it's not. So that is not a good way to tell whether or not it is real. Also, a lot of places, and I'm sure before long there will be a comment to this video, that says that you should look for bad grammar. But that is only true some of the time. A lot of the time the grammar is perfect and often it is actually taken from real email messages from the real company. They're just copying and pasting. So looking for bad grammar is not going to be a good way to tell whether it is real or not. 
It is the same when you look at the design of the message. They can use the same graphics, the same logos, the same colors as the real company and they can even include the same contact information. As a matter of fact a common technique is to include lots of information in there. A phone number to call, an address, various different links to parts of the website, all of which are actually the real links. So as you check through it the email seems legit. But there is one link in there, the one that they are hoping you click on, which is the fake one. Speaking of links that's another place where people will tell you to check carefully. To look at the link before you click on it. But it can be so hard to tell if a link is real or not. Sometimes they can look legitimate with one letter being out of place that is really hard to spot. Or using the real name of the company in there but that is not actually the address for their website. Sometimes they will use redirects. So it looks like the link is to a real website that you know but is actually going to redirect to another bad website. 
By the way if you find these videos valuable consider joining the more than 2000 others that support MacMost at Patreon. You get exclusive content, course discounts, and more. You can read about it at macmost.com/patreon. 
So here is an example of a phishing attempt that looks like it comes from Apple. As you can see it is an urgent message trying to get you to panic just a little bit so that you'll not see that it is a phishing attempt. Here if you look in the From Field you'll see that it's not from Apple at all. But you can't trust that. Sometimes it will actually look like it is from Apple. So we're lucky here that we can see that this is bad but it is not always going to be that easy. The rest of the email looks pretty legitimate, choosing Apple's design, it looks like a message from Apple. If you actually move your pointer over the big blue button there you'll see that it doesn't seem to go to a bad website. But it is actually redirecting using Yahoo and Goggle. You have not idea where this link is actually going. But it is not really obvious just from looking at the link that this may be bad.
Here's another email message. This one seems to come from Amazon. You can see here the From is really mysterious. It's hard to tell whether this is real or not, although a real email from Amazon would come from Amazon. If you look at the message you can see it is using Amazon's colors, it is using their logo, and all of that. If you look at the button here, you move over it you can see that it actually going to a Goggle doc, which why would Amazon be sending you there. So, it is pretty easy to spot that this one isn't real, even though at the bottom they've got some real information here. 
Here's a really common one. This looks like it is coming from PayPal. Notice it does actually seem to come from PayPal. So you really can't tell from the From that it is a bad message. Although there are other indicators up here. Notice how it is trying to create a sense of urgency and a lot of the information here, like for instance the logos, a lot of the information here at the bottom including all of these links and such, are legitimate. So you may actually think this is really coming from PayPal, if you look at all this information. But the phone number that they keep repeating over and over again, I've changed it in the message here but I'm sure when you do call it it's sound like you're actually talking to somebody at PayPal, but eventually they'll try to get information from you to either get into your PayPal account, your bank account or somewhere else. 
Here's another very common one. This often comes as a text message instead of an email and you get this message, it says it is from the United States postal service or maybe UPS or some other delivery service telling you there  is some sort of problem with a package you're supposed to get. But if you look here you can see that the link isn't really USPS. It's USPS.com- and then all these other letters there dot vip. Obviously US postal service is not going to use a real link like that. But sometimes it may not be obvious from that URL. A quick glance looks like it is coming from USPS.com so if you've never seen one of these before you may easily be fooled. Plus, you could simply reply to this message and then you'll be talking to a scammer who will be trying to get information from you. 
So from those examples you can see you can't always rely on the From email address to let you know that it is a phishing attack. Often there is not bad grammar or else they use real links and real information in the logos and colors and all of that in there, even though there is one bad link hidden in there somewhere. Even if you check the links sometimes it can be really hard to tell, especially if they are redirecting through other services. So how do you really protect yourself against phishing attacks. 
Well, the most important thing is, of course, not to click on the links in those email messages. When you get a message like this just make it your practice to never click on a link there. If it is telling you there's a problem at Amazon, then go to Amazon.com and login there. If it is telling you there is a problem at PayPal then go to PayPal.com and log in there. Don't click on the link there. Rely on the Bookmarks that you have in your browser or by typing the URL that you know. Not anything you see in the email. 
The same thing for phone numbers. If it is a phone number in a message don't call it. Instead use the number on your credit card or the number on a bank statement and call the company directly. Don't use the phone number that is in the message. Of course, never reply to the email or message at all! If you really do want to check it out call the phone number on an official document that you received separate from this phishing attack or message the company through its official website.
Another way to protect yourself is to just use a password manager. Password Managers have an ID and password saved in there. But they are associated with a website. So if you happen to be caught off guard and you click on a link in a phishing message and you go to a website that's not the real website, then your password manager is not going to offer up the ID and password for that site because the domain name for that site doesn't match the domain name for that ID and password. Hopefully the fact that your password manager doesn't recognize the site is enough for you to realize now that you almost fell victim to a phishing attack.  
Now let's talk about AI. Most phishing attacks don't use AI yet. But it is predicted that AI is going to make things a lot worse. One of the things AI can do is it can look at vast amounts of information. Look at everything online and match details about a person before sending out something like a phishing attack. So, it can look for personal details about you like what services you use, places you've posted, things you posted about, and put personal details in the fake email messages that you get. These personal details may be enough to throw you off guard and think it is legit. Also, AI is great at fixing your grammar. Hopefully one of the things that you're using AI for right now. But it can also help scammers there. They can use it to fix the bad grammar in the messages they send out as well. It can also be used to make the psychology of the messages better. Just like you might be able to use AI to rewrite a cover letter to go with your resume, a scammer might be able to use it to rewrite their scam messages to make them more effective. Another thing AI can do is look through all the vast amounts of information out there and match you up with people that you may know. If it does that it potentially could start sending you messages that don't appear to come from companies or services you use but from people that you know, trying to get you to click on a link that appears to come from a friend or family member. So be on guard for that. 
I want to finish up here by talking about what to do if you have fallen victim to a phishing attack. If in a vulnerable moment you click on a link in an email and only after, say, giving your ID and password or some other piece of personal information you realize that this was a phishing attack and not a legitimate message. So what should you do then? Well, of course, for whatever service was affected you should immediately change your password. When you do that also go into your Account Settings and check to see if anything else has been changed there. If the scammer got into your account before you got to change your password they may have change something else. Like, for instance, they may have put another email address or another phone number as a backup contact for that account, so that later on they can claim that they couldn't get into the account and to please send a code or link to this other email address. So check all your account information, especially if the site has security questions. You know, it asked you what high school you went to, or the name of your favorite pet. That kind of thing. They may have changed those or looked at your answer for those if that's possible, so they know that later on they can try to get into your account. It's best to change those answers if you can. Of course, if this concerns any financial institution you should contact the financial institution even if you go to change your password soon after the attack you don't know if they got in there just before you did. So, contact them. Tell them that you may have been compromised and they should have some next steps for you to do. 
Also, check your transactions, not just right now, but also check later in the day, tomorrow, keep checking over the next weeks or months to make sure all the transactions are real. If this isn't a bank or something but maybe a social media site or something like that then check your activity. Make sure nobody else is getting into your account and posting using your identity. Always remember no matter how smart somebody is, and no matter how cautious they are, it is always possible to be scammed. As a matter of fact thinking that you're invulnerable to being scammed is a sure fire way to maybe let your guard down and be scammed at some point. The best way to protect yourself is to educate yourself about these kinds of scams, keep learning about them, and help protect your friends by telling them about these kinds of scams as well. Stay safe and thanks for watching.

Comments: 22 Responses to “Phishing Attacks: How They Work and How To Protect Yourself”

Lawrence Simas

3 months ago

FIRST Rule : When in doubt, DON'T!!! <---- use this and you'll never get caught! Another good rule is to check it out by NOT using anything from the e-mail or text etc,, Call the company or person from a GOOd known source!! When in doubt, Check It Out!! Thanks Kind Sir!! ;-)

Sheldon

3 months ago

Thanks bunches

Caroline

3 months ago

Invaluable! Following this advice is a great way to avoid a lot of anguish and kicking-oneself. Thank you very much indeed for this, Gary

Phyllis Steele

3 months ago

Thanks. I appreciate these detailed reminders. And, please update with new info as the scams get more sophisticated. You're the best! I'm very grateful for your videos, and I'm happy to support you on Patreon.

Jim Terrinoni

3 months ago

Poignant and relevant information well presented. By the way, I like the fact that you delay the “ask” for the Patreon membership until later. Patreon membership is an important part of your service and people should not get used to knowing when the factual part of the video starts so they don’t scrub ahead.

Gary Rosenzweig

3 months ago

Phyllis: And thanks for your support!

Dave G.

3 months ago

Thanks for the many reminders Gary. Excellent video.

Jeanne Bragg

3 months ago

Great info. I have a separate email account for my "hobbies," etc. and have been inundated with random emails lately. Is it safe to unsubscribe?

Gary Rosenzweig

3 months ago

Jeanne: Usually, if there is an unsubscribe link or a button appears at the top to unsubscribe, then yes. Real spammers don't bother with such things.

Louis Martin

3 months ago

It relates to the last comment of «unsubscribe» I have noticed that when you unsubscribe to a legitimate web site, you get a message that tells you that you have been unsubscribed and it will take effect in a few days. Clicking on unsubscribe of a scammer tells you to write your email address which is illogical since you got a email. I presume that putting your email address will have your email address sold to other scammers.

Gary Rosenzweig

3 months ago

Louis: Not exactly. Most scammers will not have any unsubscribe link at all. Why would they bother? If they do it is just for appearances and maybe doesn't work, or takes you to the site of the real company and their unsubscribe page.
But your hypothesis doesn't hold up either: the scammer already has your email address. They don't need you to tell them what it is again.
If you think the email is a *scam* then don't do anything else other than delete the message. Don't click on any link, including an unsubscribe one. If the email just appears to be spam, then if it is real spam (unsolicited from a not-real company) then also just delete. If it is from a real company then use their unsubscribe link if you like. If unsure, just delete.

Sherrie V

3 months ago

I get more newsletters etc all the time - most that I never heard of. Now I will be afraid to unsubscribe, but I need to get rid of them without having to delete all the time. On low budget so all those monetized apps not helpful for me. hmmm ??

Gary Rosenzweig

3 months ago

Sherrie: Don't be afraid to unsubscribe from them. Especially if you see that as a button at the top of Mail. But also look for the unsubscribe link in the newsletter if it is from a real company.

Cheryl F

2 months ago

Thanks for another great video, Gary. I’ve been forwarding “Paypal” phishing scams to the following email address that Paypal provided: phishing@paypal.com. Not sure if doing so helps Paypal track scammers more effectively, but at least Paypal is aware of the activity.

Kathy

2 months ago

Wonderful video Gary, thank you! If a scammer 'spoofs' an actual legitimate phone number that is actually saved in my contacts, will this spoofed number still ring through or be blocked? (I have silence unknown callers turned on). In other words, will the Apple device 'know' that the number is spoofed & send the scam call directly to voicemail? I wondered if this would happen for calls similar to a password manager not offering to fill your creds into a spam site? Thanks again. Kathy

Gary Rosenzweig

2 months ago

Kathy: It would ring through as there is no way for your iPhone to know. But the chances of that are astronomical.

Kathy

2 months ago

Thanks Gary, that does make sense. K

Tony

1 week ago

I understand phishing & malware are different. You advise "don't click" for phishing, and that we don't need anti-malware apps

But something recently changed. After updating to MacOS 15.4 I tried to open a .srt file (which I always use) and to my surprise saw a warning saying "Apple could not verify ... is free of malware that may harm your Mac or compromise your privacy." Then I searched and found others had the same problem for .mp4 files -- Does this mean we do need malware apps now?

Gary Rosenzweig

1 week ago

Tony: That sounds like the Gatekeeper message for installing apps. What was the complete exact message? Was the name of the app in there? Sounds like an issue with that app and how it was created or installed, nothing more than that. Gatekeeper has been around for a long time.

Tony

1 week ago

Thank you, Gary, for your response. Here is a message that someone else wrote (on the website below) and to me it look exactly the same except mine was a .srt file and theirs a .mp4
"Apple could not verify...mp4” is free of malware that may harm your Mac or compromise your privacy."
https://discussions.apple.com/thread/255983198?sortBy=rank

I can't go back to reproduce what happened because I went though the steps to "open it anyway" -- I tried several other file types but couldn't reproduce

Gary Rosenzweig

1 week ago

Tony: So it literally says that? Like the word verify followed by three periods followed by mp4? Honestly it sounds like the error message is referring to the app that double-clicking the srt file is trying to open, not the file itself. Or, that for some reason the file is set to look like it is an app, not a text file, and macOS is trying to not open it because it appears to be an app. So maybe something wrong with how the server had set it up. Either way, just "Open With" instead of Open and open it in TextEdit or whatever you use.

Tony

1 week ago

Once again, thanks for your help. As I said, I did not record the original message, but found the one that I mentioned being essentially identical to my case except for it being .MP4 rather than .SRT

Your help has convinced me that this is not a malware problem and I appreciate that. I'm concluding that recent updates of Mac OS are somehow disassociating applications from extensions, which would mean I don't need to worry about buying malware--which was my real question. Thanks again.