Some scam emails and texts are easy to spot, but scammers are getting better, and more convincing. Here’s how you and your loved ones can avoid getting phished.
If you’ve been on the internet long enough, and I’m betting you have been, you’ve probably seen your fair share of scam emails. Back in my day, most scam emails fell into one of two categories: the classic 419 scam, aka the “Nigerian Prince” scam, or pill peddlers offering near mythical enhancement in one very, very specific area.
While these scams still exist — and I still get a fair amount of both — most of them have taken a back seat to something far more sinister: phishing.
Phishing isn’t new; it’s been around since at least the mid-1990s. However, in 1996, 45 million people were using the internet, or just about 0.85% of the total global population. In 2024, that number jumped to 5.5 billion, which accounts for 68% of the global population.
This means that phishers have a much, much larger pool of people to work from.
The one bit of silver lining is that phishing scams are pretty easy to spot. Either they’re so riddled with typos and grammatical errors that they’re nigh unreadable, or they look like something I would have designed on Geocities in 1999.
For example, here’s one that landed in my junk email address recently.
So, thankfully, it’s super easy to tell which emails are scams and which ones aren’t.
Or, at least, it used to be.
Your friends at Netflix
My friend and I often screenshot phishing scams we receive, send them to each other, and giggle over how ridiculous they are. Setting aside the fact that, yes, it is a weird thing to bond over, it’s always been “look how stupid this phishing attempt is.”
Until today, at least.
It’s Monday morning, which means most of us are sleepily emptying our inboxes of anything that doesn’t need to be there. My friend predictably had a few scam emails sitting in his inbox, so he snapped a screenshot and sent it to me.
“I thought you would enjoy my ‘friend Netflix’ playing hardball with me,” the text read. “I certainly wouldn’t want them to disrupt the account that I canceled months ago. (Though I guess it’s already on hold? They move fast). Absolutely no way this is a scam.”
And, as anticipated, there was a screenshot of a phishing scam. But wait, was it a phishing scam?
I zoomed into the screenshot and panned around. There were no obvious typos and no weird grammatical issues. I was surprised by how legitimate it looked.
I looked at the email address the scam was sent from. Typically, these days, phishing emails are sent from randomly generated strings of words and numbers, often 40 characters or longer, at shady domains.
Not this one. It was a no-reply address for a company called My Protect All.
Curiosity got the better of me, so I did a quick search to see what that company was. The company, as far as I can tell, is legitimate.
But it isn’t a debt collection agency — it’s a product insurance agency. Essentially, they’re the people you buy third-party insurance protection plans from when you buy something online.
My Protect All exclusively insures furniture, major appliances, HVAC, and consumer electronics. It doesn’t shake down people for missed Netflix payments.
The scammers are getting smarter
So, it looks like the scammers are getting smarter. They’ve learned to emulate official-sounding, grammatically tight copy. They use official logos and colors associated with the company they’re pretending to be.
This is likely the way that scams, and not just phishing scams, are going to trend. And I assume that email filters, no matter how good they seem to be, are going to miss a fair amount of them.
And, unfortunately for us, some of us will get tricked. I know everyone likes to think they’re above getting phished; I certainly would like to think that I am.
But all it takes is one day when you’re tired, distracted, or rushed. Fortunately, most of the internet savvy will recognize a false landing page — but maybe, because you’re tired or rushed, you don’t look at the URL.
And now you’ve got to have a frustrating conversation or two with your credit card company or bank. It happens; that’s just how it goes.
So, dear reader, this is a reminder to keep your wits about you.
Look out for your people
When Mike asked me to write this PSA, we both knew what he was really asking. It’s not so much the AppleInsider reader base that we’re worried about, but their family and friends.
Seniors are disproportionately affected by scams across the board. And while there are plenty of tech-savvy septuagenarians and octogenarians, I’m willing to bet most seniors fall somewhere between “beginner” and “average” internet users.
Teens and college-age students are another group that is preyed upon by scammers. Inexperience can make it difficult to discern legitimate emails, texts, and websites from illegitimate ones.
Both of these groups may see the urgent language of a phishing scam and feel as though they need to act quickly before suffering repercussions. Take some time to talk to more inexperienced internet users in your life, and if you’re pretty tech-savvy yourself, let them know they can come to you if they’re worried something may be a scam.
How to avoid getting phished or otherwise scammed
Good internet hygiene goes a long way to protect you from getting scammed. As a quick refresher, here are some of the best ways you can prevent a malicious actor from taking advantage of you.
And be sure that others in your life — especially inexperienced internet users — practice good internet hygiene as well.
A good password goes a long way
Be sure to use unique, complex passwords for every single account you make. You should aim for at least 16 characters, and include a mix of letters, numbers, and special characters, if the account creation allows it.
Using a password manager, such as Apple’s Passwords app or Google Password Manager, makes this very easy. Not only do they generate unique, complex passwords, these password managers store them and allow you to automatically enter them using a PIN or biometric data on your device.
Passkeys are also a great way to keep your accounts secure. Users still have to confirm their identity in some way, but passkeys do it by methods other than the usual password.
As with passwords, Apple’s Passwords feature will automatically create passkeys when available, allowing you to log in to a website with one touch using Face ID or Touch ID.
Don’t give away your information for free
Use Hide My Email when signing up for new, “non-essential” accounts. Obviously, you should use your primary email for utilities, your rent or mortgage, and any big life events.
However, if you’re just signing up for that 15% coupon from that internet retailer, there’s no reason to give out your email. It’s also a good idea to use Hide My Email for most of your online shopping.
Data breaches are officially a part of everyday life now, and small and mid-sized retailers often fall victim to these attacks. Keeping your personal email out of their databases helps prevent it from winding up on the dark web in the event of a data breach.
This protects you from identity theft, but also from phishers who buy emails in bulk to target. Not to mention, a lot of retailers give your email out to their partners — and let’s be real, there’s no reason they should have it in the first place.
And, as a word of caution: I know many websites encourage you to sign up for SMS coupons and deal alerts. I would suggest you strongly consider whether or not that 10% off is worth entering your phone number into a marketing form.
Leave no trace
Once or twice a year, go through and delete accounts for websites you no longer use. Yes, even for websites where you used Hide My Email.
While annoying, it’s one of the best things you can do to protect yourself from cybercrime. Plus, it often helps reduce the number of marketing emails you get.
There’s no standardized process for deleting old accounts; it’ll change from app to app or website to website. Generally, you can find information on how to do this in a posted FAQ or your account settings page.
Mike does this every April 1 and October 31, and evaluates his subscriptions at the same time. Those days are as good a time as any.
Interface with websites directly as much as possible
The Netflix scam I showed above relies on people assuming that they should click a link to resolve issues with their accounts. Fortunately, you rarely need to click any link that shows up without warning.
If you receive an email telling you that there’s a problem with an account you own, just go straight to the website itself. If there is a problem with your account, any reputable website will also mention this on your account page.
Of course, recurring bills do exist, and every utility bill I’ve gotten in the last thirteen years has come with a link in the email. This is a case where you may need to click a link to access a payment portal.
If that is the case, just make sure that the link resolves to the correct website. Do a quick check of the URL bar, and if anything seems off, give the company a quick phone call or email to make sure everything is on the level.
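The URL check described above, as an added example that is not part of the original article: a small JavaScript function that compares a link's real host with the domain you expect. The function name, the sample links and the .example hosts are constructed for illustration.

```javascript
// Added example: does a link's host really belong to the site it claims to be?
// expectedDomain is the address you would type yourself (an assumption here).
function checkLink(link, expectedDomain) {
  let url;
  try {
    url = new URL(link); // parsed with the same WHATWG rules a browser uses
  } catch {
    return { ok: false, host: null, reason: "not a valid absolute URL" };
  }
  const host = url.hostname.replace(/\.$/, ""); // drop a trailing root dot
  const expected = expectedDomain.toLowerCase();

  if (url.protocol !== "https:") {
    return { ok: false, host, reason: "not an https link" };
  }
  // In "https://netflix.com@other.example/" the part before @ is a username.
  if (url.username || url.password) {
    return { ok: false, host, reason: "text before @ is not the host" };
  }
  // Look-alike non-ASCII letters are serialized as punycode labels (xn--...).
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { ok: false, host, reason: "punycode look-alike hostname" };
  }
  // Only the END of the host counts: it must be the expected domain itself
  // or a subdomain of it. A brand name at the start proves nothing.
  if (host === expected || host.endsWith("." + expected)) {
    return { ok: true, host, reason: "host is under " + expected };
  }
  return { ok: false, host, reason: "host is not under " + expected };
}

// Constructed sample links; the .example hosts are placeholders.
const samples = [
  "https://www.netflix.com/account",
  "https://netflix.com.account-verify.example/login",
  "https://netflix.com@billing-update.example/",
  "https://n\u0435tflix.com/", // Cyrillic "е" in place of Latin "e"
];
for (const link of samples) {
  const { ok, host, reason } = checkLink(link, "netflix.com");
  console.log(ok ? "OK  " : "STOP", host, "-", reason);
}
```

Only the first sample passes; the others put the brand name somewhere other than the end of the host, which is the part the URL bar check should focus on.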
Be careful with text messages
Unless you’re getting links from a trusted source, like your friend or employer, try to avoid clicking anything that shows up randomly via text.
This goes doubly for any text claiming to be your bank, postal/package services, or a utility company asking you to fix account problems. In these cases, it’s best to go directly to your account via an app or your browser, rather than click any links.
Again, there is a caveat, unfortunately. Phones are both a form of two-factor authentication and a common way to receive alerts about package deliveries, food orders, and more.
It isn’t unreasonable to assume that you’re going to receive links you’ll need to click. I know that my pharmacy uses texts to remind me to pay for my medication, and it includes a link that allows me to pay online via a website.
Whenever I receive a text from my pharmacy, it clearly states my pharmacy’s name and street address, as well as the pharmacy’s hours of operation. I also opted into the pay online feature when my pharmacist asked me on my first visit.
I also get an astounding amount of Turnpike toll alert emails. This is pretty easily dismissible as a scam, because not only have I not recently been on a toll road, but I also don’t own a car.
And, even if I did, the steps this scam requires are convoluted, requiring me to paste a link to a .xin domain, which would not be used by a US-based company.
Like with emails, you’ll need to use your best judgment.
For example, say you’re waiting for groceries to be delivered from Walmart. It would be reasonable that Walmart would text you about any order changes and provide a link to follow. However, if you randomly get a text alerting you to pay to release a package from customs when you didn’t order a package, it’s best to avoid that link.
Keep your devices and browsers updated
Lastly, make sure you’re keeping your devices and apps, especially your browsers, up to date. Don’t delay updates because they seem inconvenient.
Sure, it can be annoying to routinely download operating system updates, but these updates are essential to the health of your device. After all, many smaller updates to your iPhone and Mac are centered around security and bug fixes.
A little bit of preemptive updating now can save you and yours from some serious headaches down the line.