Phishing scams Mac users should look out for | Cult of Mac

Macs may be pretty secure, but Mac users can still fall victim to lots of scams.
Photo: Pixels/Mikhail Nilov

Apple’s macOS is more secure than other operating systems like Windows. But an increasing number of phishing and malware attacks now target Mac users.

And, no matter how secure macOS is, it does not make Mac users immune from the danger of phishing. The success of such attacks often depends on the vigilance of the user.

Phishing scams target Mac users

Phishing is a type of cybercrime where a criminal poses as a legitimate authority with counterfeit emails or texts to lure people into providing sensitive information, like credit card numbers, login details or passwords that can be used to steal money or carry out cyber-attacks.

In the first six months of 2019, Mac users were targeted in around 6 million phishing attacks, according to research by Securelist. Around 11% of that figure were corporate users, and about 255,000 users were attacked annually between 2012 and 2017 through malware.

Even if you use a Mac, you are still at risk of being targeted because many of your activities are online, especially banking and finance.

How a phishing scam works

To execute a phishing attack, the scammer has to carry out social engineering on you. They normally do this by visiting your social media pages to learn your personal details, as well as places you have been, shops you have visited, trips you have made, as this determines how the phishing attack will be designed.

After the social engineering research is complete, the scammer will follow three basic steps:

Step 1: Create a fake website

The scammer creates a fake website, and no, they don’t have to know complex code. There are various software platforms, some even available for free to download on GitHub, that come with cloned websites for hackers to deploy. These websites look and behave just like popular websites, such as Amazon, Badoo, eBay, PayPal, Adobe, Dropbox and more.

Step 2: Deliver the fake website to the target

The scammer often uses your email address to send the fake website to you. If the fake website looks like the Amazon website, the scammer might pose as Amazon staff and send you an email containing a link to redirect you to the fake Amazon page.

Please note that the malicious link could be covered up with a phrase such as ‘click here to validate login details’ so you don’t see that the destination URL isn’t the official Amazon website. Once you swallow the bait and click on the link, the scammer is notified with a message such as ‘the target has visited the phishing website.’

Step 3: Harvest passwords and other data

This malicious website usually contains forms where users input their passwords or other data. Oftentimes, the site promises a fake offer to be paid, and the unsuspecting user is asked to input their bank details. In some cases, these websites mimic banks or other financial institutions so they can get credit card details.

Throwing in the hook

There are several techniques scammers use to lure the target to swallow the bait.

How angler phishing works

This type of phishing scam often targets social media users.

Many commercial banks, e-commerce firms and online trading companies all have social media pages with comment sections. Scammers will sometimes use these comment sections as watering holes where they lie in wait for customers with complaints.

If you come to the comment section and complain about a service issue, the scammer sends you a link to click on and once you do, you’re redirected to a fake landing page resembling the institution’s official page. The scammer’s page has the same logo and name as the legitimate page. They also take care to design their social media handle to mimic that of the legitimate firm they are impersonating. But when you log into the fake page, your login details are stolen.

According to research on scams related to forex brokerages, there has been a sharp increase in the number of fake social media accounts that target clients of brokerages. The research found that many scammers create fake pages on social media to target clients from a particular country. For example, the scammer would create a legitimate-looking page and pose as the broker’s intermediary for that country.

Angler phishing is becoming a menace. The handlers of corporate social media pages are under pressure to respond to user complaints swiftly, to prevent scammers from hijacking the complaint and referring innocent targets to malicious links.

As a precaution, customers of banks and trading apps should use only official communication channels such as email, telephone lines or even physical visits to the organizations’ offices to avoid angler phishing attacks.

Angler phishing attacks are increasing because social media giants like Facebook still allow anyone to open accounts with similar names. Usually, the legitimate organization’s page will have a blue verification tick, but if you are not careful its absence on the fake page might go unnoticed.

How email phishing works

Email phishing is a social engineering technique where online scammers masquerade as legitimate individuals or organizations and ask recipients to urgently share sensitive data for various reasons. These emails are sent to millions of people in the hope that a small percentage click on them.

This process is called spraying and praying. It is not a targeted attack: the same emails go out to different categories of individuals in different organizations.

Email phishing is less expensive to carry out and generally has a low return per individual for the scammer. However, it has the potential to pay off even if a very small number of people fall for it. The tools needed to carry out an email phishing attack are cheap and are usually purchased off the shelf on the dark web.

How spear phishing works

Spear phishing is a targeted and sophisticated attack. Here the scammer researches their target — usually an individual in a particular organization. The scammer starts by getting their contacts and sending a message that’s likely to elicit a response from them.

Spear phishing usually uses email, and these messages contain insider info such as names of other staff, email signatures and departments in the organization, so that the message appears as legitimate as possible and consistent with the workings of the firm.

In many cases, the target willingly and unknowingly compromises sensitive information or data.

Spear phishing usually brings high returns for the scammer involved and it could lead to loss of money, sensitive info and it might even damage the reputation of the organization involved.

How a whaling attack works

This is a highly targeted spear-phishing method where attackers pose as legitimate individuals, businesses, websites and organizations to go after large, high-profile targets such as CEOs and executives, celebrities or influential political office holders.

Whaling often relies on convincing this “big fish” — the whale — to make a mistake by invoking a sense of urgency. For example, the scammer might pose as a law enforcement agent or a Department of Justice official, making the target panic and click on a malicious link in email.

The goal of the scammer could be any of the following: making a victim start a wire transfer, capturing sensitive info like login credentials, or capturing a company’s intellectual property, customer data and other high-value information.

Scammers usually deploy standard industry terminology in crafting the email and use personalized information about the target individual or organization.

In recent times, scammers have been known to call to follow up on an email. The call serves two purposes: to confirm the email request and to make the potential victim feel it is not a scam.

Whaling sometimes leads to financial loss, reputational damage and loss of important data.

Deep-fake technique

Deep fake scams use Artificial Intelligence to mimic people’s voices, photos and videos. A deep fake scam usually resembles someone’s voice or appearance. It does this with such great accuracy that many will fall for it.

According to a report in The Wall Street Journal, fraudsters made use of AI to reproduce the voice of the CEO of a German company. The fake AI CEO made a phone call to the UK branch of the company and told them to transfer GBP 220,000. The money was transferred and the fraud was successful.

Smishing technique

This is similar to phishing but this time the scammer uses SMS messages to deliver a malicious link. It is just as dangerous as phishing and you should be on the lookout.

‘Mac’ these points

The points discussed above will keep you prepared and make detecting phishing easier for you. Cybercriminals have devised new means and methods on how to fleece people of their hard-earned resources.

When seeking help from online customer service, be sure you’re chatting with a legitimate company representative. Before clicking on any link, hover your cursor over it to reveal the true destination URL. And when you receive a shady email that appears to come from a company, call that company’s official phone number to check.
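The hover check above, and the disguised ‘click here to validate login details’ link from Step 2, can be automated for a whole email body. The script below is an added example written for this post; it is not code from Cult of Mac or Safe Forex Brokers. It uses only the Python standard library, takes a constructed HTML email body as input, and assumes the reader knows which brand domain (here, `amazon.com`) a legitimate message should link to. For every link it reports whether the destination host is outside that domain, whether the visible text names a different site than the real destination, and whether the destination is a bare IP address, all three being the tells the post describes.

```python
"""Flag disguised links in an HTML email body (added example, stdlib only)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample email of the kind described in the post: one link hidden
# behind a phrase, one whose visible text and real destination disagree, and
# one that is genuinely fine. The lookalike hosts are invented for this example.
SAMPLE_EMAIL_HTML = """
<p>Dear customer,</p>
<p>We noticed unusual activity. Please
<a href="http://amazon-login.example.net/validate">click here to validate login details</a>.</p>
<p>Or visit <a href="http://198.51.100.7/acct">https://www.amazon.com/account</a> directly.</p>
<p>Need help? See <a href="https://www.amazon.com/help">https://www.amazon.com/help</a>.</p>
"""

IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercase hostname of a URL; bare 'www.example.com' text is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def is_under(host, base_domain):
    """True if host is base_domain itself or a subdomain of it."""
    return host == base_domain or host.endswith("." + base_domain)


def check_links(html, expected_domain):
    """Return one finding per link: href, visible text, and why it looks wrong."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        reasons = []
        if not is_under(host, expected_domain):
            reasons.append(f"destination host '{host}' is not under {expected_domain}")
        if IPV4_RE.fullmatch(host):
            reasons.append("destination is a raw IP address, not a company domain")
        # Visible text that itself looks like a URL must agree with the real target.
        if text.lower().startswith(("http://", "https://", "www.")) and host_of(text) != host:
            reasons.append(f"visible text shows '{host_of(text)}' but link goes to '{host}'")
        findings.append({"href": href, "text": text,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in check_links(SAMPLE_EMAIL_HTML, "amazon.com"):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"[{flag}] {f['text']!r} -> {f['href']}")
        for r in f["reasons"]:
            print("    -", r)
```

Running it on the constructed sample marks the first two links as suspicious and leaves the third alone. The domain comparison deliberately accepts subdomains of the expected domain but nothing else, so a lookalike such as `amazon-login.example.net` is caught even though it contains the brand name.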

This post is presented by Safe Forex Brokers.
