191106_wcc_life_techtipsMy wife called me over to her computer. “I’ve never seen this before, what do I do?”
The “this” was an alert screen that had popped up on her computer while she was playing an on-line game. At first glance, it looked legitimate. It looked like an Apple web page, it had the Apple logo. It listed all the malware it claimed to have discovered and it included a big button [SCAN NOW].
To add to the urgency, it included a countdown timer to when, it claimed, “damage is permanent”.
Since no website can see what’s on your computer other than the cookies you allow it to see, I immediately assumed this was a scam but here are some steps I took to further confirm it.
First, I checked the URL in the address bar. It looked like this:
It said “Not Secure | apple.com-clean-mac.website/redirect/?ip=18.104.22.168&...” followed by dozens of seemingly random characters.
This kind of URL address shows that this web page is certainly a scam. While one might be misled by the very beginning of the URL, “apple.com”, the actual URL is everything up to the first “/” which is “apple.com-clean-mac.website”. The last section of a URL is called the “domain”. In this bad URL the “.com” is in the middle and is meaningless, the actual domain of this bad URL is “.website”, which is invalid. The avalanche of characters following “/” are designed to further obfuscate the true web page source.
Note, also, the “Not Secure” preface. The address has not been authenticated. A valid page from Apple or another legitimate company would show a lock icon, indicating the source was secure.
I also used the “hover” technique on the button “SCAN NOW”. I put the cursor on the button but did not click it. The hover text at the bottom of the browser window showed the same invalid URL “apple.com-clean-mac.website/...”.
If I had clicked the “SCAN NOW” button, it would have pretended to scan my wife’s computer, pretended to find malware and then it would have informed me that I now had to pay for and download a program to clear the computer. All bogus. It is likely that any such downloaded program would actually have installed malware instead of removing any.
I assured my wife that there was no reason to panic. There is no malware on the computer, it was all a scam.
You can use these simple techniques any time to ensure you don’t fall for website scams.
A recent phone scam
Here is another example, a phone call scam, recently reported by CNN Business. The intended victim received the call, claiming to be from his bank, regarding a credit card charge from Miami. Having received legitimate calls from his bank regarding attempted fraud in the past, the victim did not immediately suspect anything unusual.
According to the news report, the victim confirmed that he had not used his card in Miami and the caller told him the transaction had been blocked. So far, all appeared legitimate.
However, the caller then asked the victim for his bank member number. Shortly the victim received a text from his bank and the caller asked him to read the text – and he did, not realizing it was a password reset code and he had been tricked into giving the scammer complete access to his bank account.
Fortunately, at this point, the victim realized what had happened and called his bank to report the fraud.
We can use this news account to show how to avoid some easily-made mistakes and stop scams like this before they even start.
According to the victim, the caller said “Hi, this is your bank. There was an attempt to use your card in Miami, Florida. Was this you?”
The victim undoubtedly made the mistake of responding something like “Oh, Bank of America?” (or whatever his actual bank was). This was his first mistake.
The correct response would have been “Oh, which bank are you calling from?” Even if you only have one bank account, don’t give possible scammers any information.
To check even further, ask for details the bank would easily have but scammers wouldn’t: “What’s the card number? What’s the address on the account?”. A call from your real bank will already know this, scammers won’t.
The second mistake was when the scammer asked the victim for his “bank member number” – and he gave it to them. Major mistake!
If the call is legitimate, the bank would already have his “member number” and would not have to ask for it. Your bank or credit card company will never ask you for your account number, your password, your social security number or your pin number. If the caller asks for any such information, it’s a scam.
The ground rules are simple: If you get a call from “your bank” or “your credit card company” make them tell you all the information, never “fill in the blanks” for them. If it’s a scam, it will quickly fall apart.
Remember: Be careful, be suspicious and be safe.
Kimball Hawkins is a computer software engineer who lives in Wallowa.