Just as I was putting the finishing touches on a blog post about the need to keep your data and devices safe on summer travels, I got an email from Apple letting me know that now was a great time to buy a Mac for college. I don't plan to go back to college at the end of the summer, but I do have a daughter who is taking college courses, so I was tempted to click this Back to School ad. But first I gave it closer scrutiny. Was it a genuine ad or a scam?
Digital scam artists have a knack for pushing hot buttons. Whether it's a link to "crazy new Justin Bieber video" on Facebook or text messages like the one on the right urging you to claim your $1,000 BestBuy Gift Card, the bad guys are always looking for hooks to tempt us to click on links that are fraudulent or downright malicious.
The back-to-school season is likely to be another target of opportunity for the sleaze-machine, capitalizing on the natural human desire for bargains at a time of need (or want). So this post presents some tips on what to watch out for as you hunt for academic deals and educational essentials.
Bear in mind that the timing of "back-to-school" promotions by retailers can vary geographically and has a tendency to come a little earlier each year, as noted in this New York Times article from July 2011: Back to School? Summer Season for Shopping is Early This Year.
These days you need to cast a skeptical eye over advertisements on your computer (or iPhone or iPad or other tablet/smartphone). Fortunately, you are quite likely to possess the required skepticism already, acquired through years of watching TV ads and looking at junk mail and print ads. Many consumers instinctively know that unsolicited ads or offers automatically rate lower in trust than ones you asked to receive. Offers or prices that seem too good to be true usually are and should be investigated with extreme skepticism. Any deal that requires up-front payment moves to the front of the "probable scam" class.
So what about that Apple back-to-school ad that I mentioned at the top of the post? It arrived in email addressed to the account that I have on file with my Apple account, a good sign but not proof that it is genuine. Here's the ad:
Notice how professional the ad looks? Again this is not conclusive proof that it is genuine, but it helps increase my trust, as does the lack of bad grammar and typos. (Note that the gift card SMS shown near the top of the post spells Congratulations as Congradulations, but this is probably not a typo since the word is being used with a "d" when congratulating graduating students.)
What usually convinces me of the veracity of an advert is the URL or website address to which the links in the ad propose to send me. You can preview these in most email programs (mouse hover works nicely in Gmail). Is the domain name one that I recognize? In this example the address starts with insideapple.apple.com/ and despite a long tracking code after the forward slash, a code that Apple's marketing department uses to track response to the ad, I was convinced the link was taking me to a genuine Apple page. However, the longer you spend in the security business the more you learn to rely on defense-in-depth. I know that clicking on the link will engage both my browser's malicious site filter and my ESET Endpoint Antivirus malicious site filter.
Finally, if you are still nervous about an online ad, try googling the keywords in the ad. If the ad is legitimate, Google usually produces a list of results like this:
Here you can see that there really is a back-to-school sale at Apple and you can click one of these links to get there. This advice mirrors a strategy ESET has long advocated when dealing with email alerts: Type the URL of the entity trying to reach you into your web browser; do not click the link in the email.
If you don't remember entering a drawing for a $1,000 BestBuy gift card, chances are you didn't, and that message on your iPhone with instructions on how to claim your gift card is a scam. So is the message on the right telling me that I have been selected for a free $1000 Walmart Gift Card. No, I have not; I've been selected as a target for a scam.
My colleague Aryeh Goretsky recently described the workings of one of these SMS gift card scams, and it is not pretty. But they can be a learning experience, one that I would be inclined to share with my kids in case they get these messages on their phones.
The first thing to note is the address to which you are directed. The one on the right starts with www.walmart.com, and if this were really Walmart's site there would be a forward slash after that .com top-level domain. Instead there is a period, so the full domain is actually www.walmart.com.whmt.biz, and that is not somewhere you want to go. At the very least it will be a waste of your time, and at the worst, well, the worst is hard to measure. Your device could be hijacked and you may lose data to criminals who sell it to other criminals who use it to rip you off.
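The two checks described above, previewing a link's address and reading the host name right to left to find the real domain, can be done mechanically. The following is an added example written for this post, not code from ESET or the original author; it uses Python's standard library only, the sample links are constructed (the Apple tracking code is a placeholder, and the "evil.example" host is made up), and the registrable-domain rule is a deliberate simplification that assumes single-label suffixes such as .com and .biz.

```python
from urllib.parse import urlsplit

# Constructed sample links modelled on the ones discussed in the post.
# The tracking code on the Apple link is a placeholder, not a real one.
SAMPLE_LINKS = [
    "http://insideapple.apple.com/TRACKING-CODE-PLACEHOLDER",  # genuine Apple host
    "http://www.walmart.com.whmt.biz/claim",                    # the SMS scam pattern
    "http://www.walmart.com/",                                  # genuine Walmart host
    "http://apple.com.evil.example/",                           # constructed look-alike
]


def hostname_of(url: str) -> str:
    """Return the host name of a URL, lowercased, without credentials, port or path.

    A bare host such as 'www.walmart.com.whmt.biz' (no scheme) is accepted too.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    return host.lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels of the host.

    Assumption: the public suffix is a single label (.com, .biz, .org).
    For suffixes such as .co.uk a public-suffix list would be required.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def belongs_to(url: str, brand_domain: str) -> bool:
    """True only if the link really lands on the brand's registrable domain.

    Everything to the left of the registrable domain is a subdomain the
    owner of that domain controls, so 'www.walmart.com.whmt.biz' belongs
    to whmt.biz, not to walmart.com, no matter how the prefix reads.
    """
    return registrable_domain(hostname_of(url)) == brand_domain.lower()


def check_links(links, brand_domain):
    """Map each link to whether it belongs to brand_domain, for a quick review."""
    return {url: belongs_to(url, brand_domain) for url in links}


if __name__ == "__main__":
    for brand in ("apple.com", "walmart.com"):
        for url, ok in check_links(SAMPLE_LINKS, brand).items():
            verdict = "belongs to" if ok else "does NOT belong to"
            print(f"{hostname_of(url):32} -> {registrable_domain(hostname_of(url)):16} {verdict} {brand}")
```

The useful habit this encodes is reading the host name from the right: the label before the last dot pair is what you actually visit, and anything a scammer puts in front of it is decoration.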
There are many good reasons to get your kids involved in back-to-school planning but these days it seems like kids can't do much of anything without using social media. That means exposure to potential scams posted via compromised accounts or unscrupulous advertisers. Much as we would like there to be $29 iPads, these do not exist and you only get into trouble if you click ads that promise what does not exist.
While we have not seen any fresh 2012 back-to-school scams yet, they may appear at any time. Hopefully, reading this blog post has alerted your consumer skepticism and you will not fall for any of them. Why not make back-to-school time an opportunity to get your kids up to speed about online threats? A great place to start is the online training that comes with ESET security products. You should also check out Securing Our eCity, an ESET Foundation Signature Program. They have a great "Parents Guide to Facebook" you can download for free.
Author Stephen Cobb, We Live Security