MailChimp

Wednesday, March 25, 2026

Don't click the links on your phone

Holy chicken, look at that tail!

Full text of It Can Be Easier to Fall Victim to Fraud on Mobile than Desktop is below, so you don't have to click on links.

Also: How Metrics Make Us Miserable (podcast)
Have you ever met an optimizer (or hard-core EA, or capital-V Vegan) who was enviably happy?
Also, from 10 Rules For Dealing With Uncertainty, "Discipline matters more than optimization.... perfect is the enemy of good."

Why You're Always Right (funny cat story) (also, you don't need "maybe" about astrology)

It Can Be Easier to Fall Victim to Fraud on Mobile than Desktop

This article is the second in a series about cybersecurity/fraud prevention. (You can find the first article here: What Does a Thief Need to Access Your Financial Accounts? It’s Likely Less Than You Think.)

I recently received a very clever phishing attempt by email. (In hindsight, I wish I had taken screenshots prior to deleting it.)

Here’s what it looked like in my inbox:

  • From: Vanguard Brokerage Services
  • Subject: Your Vanguard statement is ready

Looking at the email via my desktop browser, it was very easy to see that it was a phishing attempt.

Looking at the email on my mobile device, however, there was no immediately obvious sign that the email was not legit. Based on everything immediately visible via my mobile mail app, it looked exactly like a genuine Vanguard email.

Looking at the “From” Field

When I viewed the email on desktop, the “from” field was a dead giveaway. While the “name” of the sender was “Vanguard Brokerage Services,” the email address of the sender was complete gobbledygook. Something like “senderx34x3@xyzpayments.info.” Clearly, that’s not actually Vanguard.

On mobile, though, the sender’s email address does not appear immediately (at least not in most mobile mail apps). You just see the name. When viewing the email, there will be somewhere you can tap to display the sender’s email address. But you have to go out of your way to actually do that. And of course the percentage of people who do that with every single email is vanishingly small.

Body of the Email

The text of the email was a character-for-character copy/paste of the real statement-notification emails that Vanguard sends, complete with the appropriate images, branding, etc. Everything looked exactly as you’d expect.

The only thing about it that was wrong is that the links that appeared to point to Vanguard’s login page actually pointed to a scam URL. (That is, the “anchor text” of the link was the appropriate URL, but that’s not where the link actually pointed.)

In other words, it was something like this (in the original article, the line below is a live link whose visible text is Vanguard’s URL but whose actual destination is ObliviousInvestor.com):

https://vanguard.com/

If you look only at the text of the link itself (the “anchor text”) you’ll think the link is going to take you to Vanguard. But it doesn’t. The link points to ObliviousInvestor.com. On desktop, you can see that easily by hovering over the link: your browser (usually in the bottom corner) will show you the address the link actually points to. (Even that can mislead you, though. The address shown might be a lookalike domain, or a redirect through a legitimate-looking service. So, as with the email address, this check only works in one direction: if it looks suspicious, the link definitely should not be trusted. But if it looks normal, that doesn’t necessarily tell you that it’s genuine.)

On mobile, however, “hover over” isn’t an option. You can tap a link and hold your finger down, in order to see where the link points. But how many people actually do that for every link they consider tapping? Also, there’s the risk that you tap the link and accidentally take your finger off the screen too early — and now you’ve visited the scam link rather than activating the “preview” functionality.

Browser Location on Mobile

Of course, I did not visit the links in the spam/phishing email. But if I had, I’m confident that the destination page would look exactly like Vanguard’s real login page. Except, of course, it wouldn’t have actually been Vanguard. It would have been a fraudster’s website, set up to collect people’s usernames and passwords as they entered them.

On desktop, the address bar at the top of your browser window shows you the full URL of the page you’re on. That makes it at least somewhat easier to recognize whether you’re on a legitimate website or not.

On mobile, depending on your browser and device, you often don’t. You might see the first several characters or the last several characters. But you might, for example, have accidentally visited:

vanguard.com-payments-us-vanguard.com

If you only see the beginning or end of that URL, you might think that you’re on Vanguard’s website. But that’s not Vanguard’s website. Domain names read right to left: the actual domain in that URL, the part a fraudster would have had to register, is “com-payments-us-vanguard.com”, which any old fraudster could have purchased. (The “vanguard” at the start of the URL is just a subdomain, which the owner of that domain can name anything they like.)
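As an added example (this is not code from the original article), the Python script below performs, mechanically, the checks the article tells you to do by eye: it parses a constructed phishing email modelled on the one described above, compares the From display name with the actual sender address, flags any link whose visible text is a URL on a different domain than the address the link really points to, and extracts the registrable domain from a long lookalike hostname like the one just shown. The sender address, hostnames and email body are all made up for the example, and the registrable-domain logic is a deliberate simplification (the last two labels of the hostname) rather than a Public Suffix List lookup, so it would misjudge hosts under suffixes such as .co.uk.

```python
import email
import json
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample, modelled on the phishing email the article describes.
# The display name says Vanguard, the address does not, and one link's visible
# text is a Vanguard URL while its href goes to a lookalike domain. Every
# address and hostname here is invented for this example.
RAW_EMAIL = b"""From: "Vanguard Brokerage Services" <senderx34x3@xyzpayments.info>
To: you@example.com
Subject: Your Vanguard statement is ready
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your statement is ready. Log in to view it:</p>
<p><a href="https://vanguard.com-payments-us-vanguard.com/login">https://vanguard.com/</a></p>
<p>Or visit <a href="https://investor.vanguard.com/">https://investor.vanguard.com/</a></p>
<p><a href="https://investor.vanguard.com/help">Help center</a></p>
</body></html>
"""


def registrable_domain(host):
    """Return the part of a hostname somebody had to register.

    Simplification (an assumption of this example): the registrable domain is
    taken to be the last two labels. Production tooling consults the Public
    Suffix List so that multi-label suffixes such as .co.uk are handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def sender_mismatch(msg):
    """Return (display_name, address, suspicious) for the From header.

    Heuristic: the brand named first in the display name should appear in the
    registrable domain of the actual sender address.
    """
    name, addr = parseaddr(msg["From"])
    addr_domain = registrable_domain(addr.rpartition("@")[2]) if "@" in addr else ""
    brand = name.split()[0].lower() if name else ""
    return name, addr, brand not in addr_domain


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def deceptive_links(html):
    """Find anchors whose visible text is a URL on a different domain than the href."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if not text.lower().startswith(("http://", "https://")):
            continue  # visible text is not a URL, so there is nothing to compare
        shown = registrable_domain(urlsplit(text).hostname or "")
        actual_host = urlsplit(href).hostname or ""
        actual = registrable_domain(actual_host)
        if shown != actual:
            findings.append({"shown": text, "actual_host": actual_host, "actual_domain": actual})
    return findings


def analyze(raw=RAW_EMAIL):
    """Run both checks over a raw RFC 5322 message and return the findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    html = msg.get_body(preferencelist=("html",)).get_content()
    name, addr, suspicious = sender_mismatch(msg)
    return {
        "from_name": name,
        "from_addr": addr,
        "sender_suspicious": suspicious,
        "deceptive_links": deceptive_links(html),
    }


if __name__ == "__main__":
    print(json.dumps(analyze(), indent=2))
```

On the sample message the script reports the sender as suspicious (the display name says Vanguard, the address domain is xyzpayments.info) and flags exactly one link: the one whose visible text is https://vanguard.com/ but whose real destination is on com-payments-us-vanguard.com. The investor.vanguard.com link passes because its registrable domain matches what it shows, which is the same comparison a password manager makes before offering to fill a saved login.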

What To Do

There are a handful of ways to avoid falling for this sort of thing.

Firstly, it’s helpful to actually look at the email address of the sender, even if it’s not immediately displayed in your mobile app. But even that can be spoofed: the address in the From header is chosen by whoever sends the message, and unless the company’s domain publishes sender authentication (SPF, DKIM and DMARC) and your mail provider enforces it, a forged address can land in your inbox. So while a spammy email address tells you it’s spam, a legit-looking email address does not necessarily tell you it’s genuine.

Secondly, it’s helpful to generally be aware when using mobile that 1) you aren’t seeing as much information as you would via desktop and 2) sometimes the information that you’re not seeing would have been a clear red flag.

Thirdly, if you did end up falling for the email and visiting the link in question, you’d be in better shape if you use passkeys or a password manager (both topics for another day, which we’ll get to). Your passkey would not work on the fake domain, because a passkey is bound to the domain it was created for and the fake site cannot ask for it. And a password manager would recognize that the domain in question was not actually Vanguard and would not offer to fill in your Vanguard password.

But the most effective way to avoid falling for this? It’s the same exact rule that we discussed in the first article in this series! (I promise I’ll move on to other topics soon. But I just want to drive home how critical and valuable this rule is.)

If you receive any inbound communication (whether email, text, or phone call) that purports to be from a company with which you have any sort of account:

  • Do not reply.
  • Do not give them any information whatsoever.
  • Do not click on any links.

Essentially, don’t interact with inbound communications. Instead, if you think it might be genuine and require some sort of response, reach out directly, via trusted means (for example, typing the company’s URL directly into your browser or calling the number on the back of your credit/debit card) and ask the company in question about it.
