In my early-morning haze, I opened an emailed receipt that showed a $95 transaction for an e-book purchase. I summoned my young teen in a panic. “Did you buy this!?” Ridiculously over-priced listings on Amazon or eBay exist and I thought she inadvertently bought the wrong copy of a school reading requirement. My daughter reflexively denied buying anything. She didn’t even recognize the book title. That’s when I started waking up. This is why we shouldn’t check email in the early hours, and why we shouldn’t check email using mobile.
When using Chrome (or other browsers), I depend on the hover feature. Hold your cursor over a link, and the link’s URL address pops up in a window. This allows you to read the contents of the link without having to click through to its site. Absolutely essential in the fight against spoofing and other email scams, the link hover feature doesn’t work on touch screen devices like my iPhone. Our behavioral switch toward mostly using mobile computing hasn’t escaped the bad guys who know we check links before we click and that pre-checking a link on mobile isn’t possible. Plus, they count on us being tired and distracted when we check email. So they devise and design clever spoofs like this:
My daughter returned to her room to finish preparing for the school day (probably rolling her eyes at me as she went). I scooted over to my laptop. I still was in panic mode; Instead of simply hovering over the link in the spam email – which would’ve been the more efficient approach – I logged on to my Apple Store and iTunes Store accounts and scanned the previous transactions. No $95 charge was listed. Everything seemed normal. It’s at this late point when I finally started to suspect the email. This spoof scam was the first to slip through the spam filter at this almost-exclusively-for-my-Apple-ID email account. I opened up the email in my laptop’s mail application and hovered over the “If you haven’t authorized this transaction…” link, and there it was: a junk URL. I then looked at the return address, which was also junk. I raised the alarms for no good reason. Embarrassing, to say the least.
I should’ve known this email was a scam without depending on the hover feature. The return address was wrong. Even on mobile, hitting “Reply” would’ve shown the sender wasn’t “email@example.com.” I could’ve noticed that the Apple Store doesn’t sell books (which my daughter pointed out later). I did have a fleeting thought that it was a game, but that idea was far-fletched. The $95 price-point was designed perfectly: not too high to send up “this must be a scam” alarms, but not low enough to pass my notice. Above all, I should’ve never checked email in the early a.m., and I never should’ve checked it on my mobile client. Email deserves my full attention, and it is best given when I have high-functioning email and browsing clients at my disposal. Mindful computing is the best security against mistakes, especially mistakes like the one I made this morning. Thankfully I didn’t suffer financially. But I owe my daughter another apology. I acted like a panicky idiot and immediately suspected her of being irresponsible, when in fact it was I who was shirking my responsibility. I’ll have to deal with that possible chink in the armor of our mutual trust.
A Deadly Sin
On a final note, I want to draw your attention to the deadly sin that plagues us all when it comes to daily computing tasks: Pride. My pride at being a computer savvy tech writer (I love mentioning my sys admin experience!) and educated psychologist blinded me to the errors of my bad email habits. The more we are aware of the dangers that come with computing, the more mindful we should be. I fell into a trap common to Internet denizens: I thought it couldn’t happen to me. As spoofs are more and more socially engineered, it’s likely that even a person like me, with over 25 years of email experience, can and will be pulled in someday. It’s just a matter of time. Until then, I’ll attempt to keep my pride in check and develop better habits that help keep me and my family secure.