Scammed and scarred: a cautionary tale

Today I had an anguished phone call from a dear friend who, just a few days ago, succumbed to a phishing attack in which he surrendered his Apple ID and partial bank account details.

Thankfully his prompt actions, and excellent support from both Apple and his bank, have ensured that he has not lost any money.

The attack on him was smart and professional, and psychologically adept. He received a series of messages by email, from the domain ‘applesecurityfirm.eu’. Unlike many attacks, these messages were well crafted to look very genuine, with Apple-style links to new product info, Tim Cook presentations, and so on. But they persistently warned:

“This is the final notice to notify you as of 22 – April – 2015 that you have not yet reviewed your iCloud ID information. Under “KYC” legislation Apple Inc is required by law to perform a verification of your information, failure to complete this validation will result in deletion of your Apple ID and associated information within the next day.”

He queried this by email, but finally, under the threat of losing all that he held on iCloud, he followed the link and yielded his Apple ID and partial bank information.

The criminals behind this accessed his iCloud account and started tampering with it before my friend was alerted to what had happened. He immediately spoke to Apple Support, who talked him through all the painful changes that had to be made to regain control of his account and render it secure. He then contacted his bank, which secured his bank account. Thankfully his credit card and bank account remain unscathed: his prompt action, and Apple’s support, in this case caught the criminals unaware, before they could take advantage.

He still feels an idiot. But every day there are many more who get tricked by phishing attacks. There is no shame – sooner or later, someone is going to steal your credit card details, perhaps more. This happened to me some years ago, and the first that I knew was when I was phoned up by my card provider performing a fraud check because 8,000 Australian dollars had been charged to my card from some back-street tobacconists in Sydney.

If he is an idiot, then so are we all.

And so is society: for he also discovered the greatest inevitability, that the police had no interest whatsoever in even having this crime reported, let alone trying to do anything about it.

He was electronically mugged, and no one cares.

In the cold light of day, there were clear signs that this was only going to lead to disaster: Apple’s sole domain for such emails has always been apple.com. If Apple wishes you to attend to your Apple ID or any other account issue, then they will ask you to connect through iTunes and your iTunes account, and will never send you such a link to hell.
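The domain check above can be written down as a simple triage rule. The following is an added example, not code from the original post: it takes the sender address from a From: header and accepts it only if the domain is apple.com or a subdomain of it, rejecting the ‘applesecurityfirm.eu’ domain from the post and the hypothetical lookalike patterns constructed below. It only catches the plain lookalike-domain case described here; a forged From: header that claims apple.com outright needs SPF/DKIM/DMARC checks at the mail server, which this example does not attempt.

```python
from email.utils import parseaddr

# Legitimate sender domain named in the post. Anything else, including the
# lookalike 'applesecurityfirm.eu' the scammers used, is treated as suspect.
LEGITIMATE_DOMAIN = "apple.com"


def sender_domain(from_header: str) -> str:
    """Return the lowercased domain of the address in a From: header.

    parseaddr strips the display name and angle brackets, so a display
    name such as 'Apple Security' cannot disguise an unrelated address.
    Returns '' when no address is present.
    """
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def is_legitimate_sender(from_header: str, legit: str = LEGITIMATE_DOMAIN) -> bool:
    """True only if the sender domain is exactly `legit` or a subdomain of it.

    The suffix test is anchored on a dot boundary, so 'notapple.com' and
    'apple.com.verify-account.example' are both rejected.
    """
    domain = sender_domain(from_header)
    return domain == legit or domain.endswith("." + legit)


def triage(from_headers):
    """Label each From: header 'ok' or 'suspect'."""
    return [(h, "ok" if is_legitimate_sender(h) else "suspect") for h in from_headers]


# Constructed sample headers for this example. The .eu domain is the one
# named in the post; the others are hypothetical lookalike patterns.
SAMPLE_FROM_HEADERS = [
    "Apple <noreply@email.apple.com>",
    "Apple Security <security@applesecurityfirm.eu>",
    "Apple Inc <support@apple.com.verify-account.example>",
    "Apple <id@notapple.com>",
]

if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_FROM_HEADERS):
        print(f"{verdict:8} {header}")
```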

And most ironic of them all, KYC stands for ‘know your customer’, yet another financial compliance scheme intended to verify customer identity and prevent money laundering.

Perhaps the police and financial industries should spend a little time knowing what their customers have to go through too.