Scams Archives ~ TechKnowledge

Safari vulnerability exposed

August 20, 2022 by Gregg Montgomery

It’s Sat, Aug 20, 2022, and it’s time to update your devices.

This week (third week of Aug 2022) Apple has issued a critical update for most of its’ operating system softwares. This includes iPhones, iPads, and Mac computers. An exploit was discovered in the system software connected to the Safari web browser, the default browser on all of Apples’ devices. The exploit could enable a hacker to take control of an affected device. Apple believes the exploit has already been actively used and so has issued these critical updates to address the vulnerability.

The update for both iPhone and iPad will bring the system software up to version 15.6.1. For Mac computers, the update brings the system software up to 12.5.1 (Monterey). For older Macs that can’t update to Monterey, there is a software patch exclusively for Safari on the Big Sur and Catalina operating systems.

Apple recommends this update for all devices capable of updating to the current software. It’s not clear if older devices that operate below iOS 15 or Macs that operate below Catalina (Mojave, High Sierra) are affected by the exploit, but it would be a good idea to run whatever updates are available to your device.

To check for updates on your mobile devices (iPhones and iPads), open Settings > General > Software Update. If an update is available, you’ll see a button that says ‘Download and Install’, or perhaps just the word ‘Install.’ Tap that button and your device will begin the update process, which can take some time depending on the speed of your internet connection.

To check for updates on your Mac computer, open System Preferences > Software Update. If an update is available, you’ll see a button that says ‘Update Now.’ Give that button a click and your Mac will begin the update process, which can also take a little time.

A few tips for updating (on any occasion);

Keep your device plugged in and charging during an update so it doesn’t run out of juice in the middle of an important update. Some devices won’t even allow you to run updates until the battery is charged enough.
Less critical, but it’s never a bad idea to run a backup just before an update, on the slim chance that something goes wrong.
Be ready with passwords – Your device may ask for your mobile device unlock passcode, your Apple ID password, or your Mac administrator password. Have these all ready just in case.
If you don’t currently use an unlock passcode on your iPhone/iPad, your device may prompt you to create one after an update. If you don’t want to create a passcode, when you reach the screen that prompts to create one, tap Passcode Options > Don’t Use Passcode.

The scam of a thousand phone calls

July 28, 2020 by Gregg Montgomery

Another season… another new scam. The latest thing going around this season is a series of persistent phone calls. The messages make you aware of a compromise to your iCloud account. But it’s not one call, it’s a TON of calls, and the calls may continue to come in for several days. The persistency of the calls may make you wonder, ‘Is this legitimate?’

The answer is ‘No.’ If it were true that your iCloud account had been compromised, Apple would never call to inform you. Apple has way too many customers to keep tabs on every single account. They might send you an email, but even then, it would be months after the compromise had occurred. These things are rarely discovered and reported right away. What lets you know it’s a scam is the sense of urgency and persistence. Scammers love to press your panic button, because they hope panic will bring you to swift action. The faster you move, the less likely you are to calm down and realize the scam before it’s too late. That’s why scam messages always include a sense of great urgency… a telltale red flag! The calls should subside sooner or later, so be patient, ignore the calls, delete the voicemails, and live your life.

Now that we know about this scam, let’s talk about the role that you play in protecting your iCloud account. There’s an easy way to find out if your iCloud account (actually called ‘Apple ID’) is protected. This involves enabling a feature called two-factor authentication, or ‘2FA’. 2FA is triggered when you sign in to your Apple account, either on the Web, or when setting up a new Apple device. 2FA prompts you to enter a 6-digit code in addition to your password. You might receive this code on your phone as a text message, or you might receive it on another Apple device you use as a system pop-up message.

Your password is your first method of authenticating yourself. The 6-digit code is your second factor of authentication. Those codes are one-time use, so no need to save them. I expect many people are familiar with 2FA codes, because anytime you sign in online to your bank or investment account website, you are undoubtedly sent a 2FA code to your phone to authenticate that the person signing in really is you.

2FA adds an extra step for you, but makes it much harder for cyber-criminals to access your account. A criminal might be able to get your password, but it’s not likely they’ll also have access to your phone. If you’ve got 2FA enabled, then you can rest easy and laugh it off when those scam calls come in and make you think your iCloud account has been compromised.

So, how do I enable 2FA? I’m so glad you asked. On your iPhone, open the Settings app, tap [Your Name] at the top, and then tap Password & Security. This screen will tell you if you have 2FA turned On or Off. If it is Off, tap Turn On Two-Factor Authentication, and follow any prompts. That’s it… your Apple account, which includes iCloud, is now protected.

I hear people say that they dislike having to deal with this extra step. I also hear people say that they don’t use the cloud or have anything in the cloud worth protecting. I would bet that most people have more in the cloud than they realize. Consider this – Do you sync your Notes between devices? Do you keep your passwords in your Notes app? Do you see where I’m going with this…? It’s the cloud that syncs your notes between devices. Please don’t keep your passwords in your Notes app, but if you insist, then at least make sure 2FA is enabled!

To those worried about the extra steps that 2FA presents… You do have the choice to leave 2FA turned Off, however once 2FA is turned On, it cannot be turned back Off. For those a little annoyed by 2FA, I will say that you won’t be bothered with it for every sign in. For example, 2FA is not triggered every time you make an iTunes purchase or download an app. You’ll only see it when you setup a new Apple device, or you access your Apple account from the Web. It’s a really good idea to enable 2FA, and I highly recommend it. It should also give everyone peace of mind that your Apple account is protected, especially when the scammers start calling.

It’s a jungle out there. Stay safe. :O)

A new twist on an old scam

January 14, 2020 by Gregg Montgomery

Remember that age old scam where you inadvertently click something on a webpage and everything freezes… Then a phone number appears offering help and when you call, an Eastern accented voice convinces you to let them remote control your computer… and then he or she convinces you that you’ve got viruses and they can get rid of them for a low price of only $600…? I’m sure you’ve seen, or at least heard of this one. People still fall for it, but now that the public is getting more informed on this scam, it’s evolving. The next iteration involved these scammers cold calling you on the phone to let you know that you’ve got viruses on your computer. It seems crazy, but people fall for this one, too. By the way, if you get a call like this you should just hang up… there’s no way they can know if you have viruses on your computer.

Here’s the latest iteration of this same scam: You decide you need to call a company for some help and you’d like to ask some questions; maybe about your tax return, maybe about your Garmin device, maybe about your phone or internet plan, etc. So you open your computer and go to Google, and do a search for something like ‘Spectrum customer service number.’ Conveniently, a phone number appears, and you give a call. A pleasant voice answers the phone and seems happy to help. All of a sudden they change the subject from your questions to a more dire need…, all the viruses on your computer. Wait… what!? How did that happen!?

Somehow… these scammers have figured out a way to manipulate Google’s search results so that their fraudulent phone numbers appear at the top of the search results. Once you call that number, the same old scam begins again.

How do I avoid this?

The bottom line here is that you just cannot Google search customer service phone numbers. Ever. If you need a customer service phone number, what you can do is:

1 – Find a paper bill in your stack of mail that has a customer service phone number printed on it. If calling about a product you ordered, look for a phone number in the literature it came with, or look for a phone number printed on the box. Use those numbers to place your call.

2 – Visit the website of the company you’re trying to reach. This means typing the website address directly into the address bar of your browser… most of the time you can guess the site will be something like: companyname.com.

3 – Google search the company’s name to see if you can link directly to the company website. It’s still possible to reach a fraudulent site this way, but it’s less likely than Google searching a customer service number. Fraudulent sites often have pages that are missing or incomplete. Even though you might see links like; Products, About Us, Contact, etc., those links may not go anywhere because they are just pretense. Clicking around a bit and seeing multiple pages load correctly will make sure the site is fully fleshed out, a sign that a real company is likely behind the site.

Note how the latter two options both involve landing at the company’s website. Once you’re there, look for a link that says ‘Contact Us,’ or something similar in order to find a customer service number that originates from the company website, and not a Google search.

Once you’ve found a legitimate website, be sure to bookmark it so you don’t have to go through all that again. Next time you need to find the company website, you’ll have a bookmark that is known and trusted that you can use instead of Google searching. In similar fashion, once you’ve been on the phone with a company and you sense the number you called is the real deal, save it in your phone’s Contacts. That way you won’t have to scramble through paperwork to find a legitimate number next time. You might not think there will be a next time, but…, there probably will be a next time. So set yourself up for success!

What if I still somehow end up on the phone with a scammer?

Just hang up. Don’t give ’em a piece of your mind, and don’t give ’em your credit card number. Just hang up! Unfortunately, now that they have your number, they’ll be calling you over and over in the hopes that they can salvage the scam. They might even offer you a refund to keep you on the phone. Either don’t answer, or block their number, and sooner or later, they’ll leave you alone. If you did give out your credit card number, be sure to call your bank or credit card company and contest the charges.

It’s a jungle out there… be careful!

What is Spoofing?

January 9, 2019 by Gregg Montgomery

The New Year has brought us a new scam, and thankfully, it’s all over the news. I’ll keep this short because it is being reported widely, but I do want to add my own two cents. What’s happening is that spoofers are calling people pretending to be from Apple.

What is Spoofing? If you’ve ever heard of a movie spoof, it’s a movie that imitates characters from another movie, and the characters are imitated poorly for comedic effect. In the context of technology, spoofing is when communication is sent from an unknown source imitating a known source. But in this context, it’s not funny. It’s basically Phishing, only instead of a fraudulent email, it’s a fraudulent phone call.

Spoofers have figured out how to make it so your caller ID makes it look like you’re receiving a call from Apple. What compounds this, is that many people have a contact card saved in their Contacts for Apple (Apple put it there). When these spoofers call you, your iPhone matches the caller ID with the contact card on your iPhone and displays Apple’s info, making the call look authentic.

So what do they want? Oh, maybe they want you to know that credit card on file with the App Store is about to expire, or maybe they want to inform you that your Apple ID account is missing information and so they need to verify your password. I haven’t talked to them, but it really doesn’t matter what they want, the bottom line is this: Never ever give sensitive information to someone over the phone when they have called you!

Think about it… why would Apple call you? Perhaps if you called them for help and you’ve asked that they call you back, or perhaps your Mac is at the Apple store being repaired. Even still, why would they need your Apple ID password, or your credit card information? They don’t need that information, and they’re not going to call you randomly to ask for it.

So what should you do? I already mentioned the most important thing to NOT do, but the next thing you should do is delete Apple’s contact card from your iPhone. I’ve never used it, and I bet most people have never used it either. This may not be enough though, the spoof call will still display Apple’s number, even if your Apple contact card is not there to authenticate it. A few other things you can do; don’t answer the phone if it seems suspicious, or, if you do speak to someone and it sounds legitimate, politely hang up the phone anyway, and call back using a number you know and trust.

Be safe, be smart, and spread the word!