This week someone I care about very much was scammed out of thousands of pounds. I am just getting past my anger over it and have spent the past few days trying to work out what I could have done to prevent it happening. I work in security, and I believe I have told everyone I care about how to protect themselves from the most basic things, but Apple introduced a layer of obfuscation that I hadn’t told anyone to look for, because I hadn’t fully noticed it myself.
So what happened? This person received an email from someone they knew (let’s say “Gabriella Davis”) with a simple “Good morning” type one-liner. They read the email on their iPad and replied to “Gabriella”. Several back and forths later, this conversation turned into a request to move some money. In this business situation it wasn’t that unusual a request. Obviously the “Gabriella” turned out to be a fake email address, and the transferred money, sent to “Aviva Insurance Ltd” (a valid company), was actually sent to an account owned by someone else and quickly extracted and closed down.
Why didn’t the person who was contacted check that the email they received was from the right Gabriella Davis? They did. It is one of the most basic things I teach people: always verify and dig into the email address. However, on iOS the email address was shown incorrectly. Say the email was from “Gabriella Davis <email@example.com>” and my real address is “Gabriella Davis <firstname.lastname@example.org>”. Apple kindly matched the “Gabriella Davis” display-name part with a contact (me) in his contacts and showed not only my photo on the email as the sender but also – when clicking on it – filled in the email@example.com address.
Even though the reply actually went to firstname.lastname@example.org, there was no way to see that from iOS.
The person concerned took Apple’s representation of my contact information and my photo on the email as validation that it came from me and that he was talking to me. He wasn’t. The same email opened in both Notes and Outlook immediately showed the fake address, and the fake address was obvious when choosing reply from those clients. It simply would not have happened if he hadn’t been using iOS.
My instructions to always check the sender address hadn’t been spoofed, and to always check you are sending to the right person, turned out to be the worst possible advice in this case, because the contact information Apple prefilled gave a layer of confidence to the email that otherwise wouldn’t have been there. “Of course it’s Gab, Apple are even showing me her picture and her email”.
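The mechanism above is a display-name match: the client keys on the human-readable name and ignores the angle-bracket address that a reply actually goes to. The check a mail client (or a mail gateway) should make is the opposite one: look the display name up against the address book and warn when the address does not belong to that contact. The script below is an added example, not part of this post; the address book and the three messages are constructed, and the addresses in them are hypothetical. It also covers the more general case where a legitimate From address carries a Reply-To pointing elsewhere, which the post does not describe but which sends replies astray in the same way.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: lower-cased display name -> known addresses for that contact.
# Hypothetical values, not the addresses from the post.
ADDRESS_BOOK = {
    "gabriella davis": {"gabriella@example.org"},
}

# Constructed sample messages (RFC 5322 headers, blank line, body).
SPOOFED = """From: Gabriella Davis <gab.davis@example.com>
To: victim@example.net
Subject: Good morning

Good morning, do you have a minute?
"""

LEGIT = """From: Gabriella Davis <gabriella@example.org>
To: victim@example.net
Subject: Good morning

Good morning, do you have a minute?
"""

# Legitimate From address, but a Reply-To header diverts the reply elsewhere.
REPLY_TO_DIVERTED = """From: Gabriella Davis <gabriella@example.org>
Reply-To: gab.davis@example.com
To: victim@example.net
Subject: Good morning

Good morning, do you have a minute?
"""


def reply_target(msg):
    """Address a plain 'Reply' would be sent to: Reply-To if present, else From."""
    _, addr = parseaddr(msg.get("Reply-To") or msg.get("From", ""))
    return addr


def check_sender(raw_message, address_book=ADDRESS_BOOK):
    """Return a list of warnings for a raw message.

    The display name is only used to find the contact; the decision is made
    on the actual addresses, which is what an iOS-style contact match skips.
    """
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    target = reply_target(msg)
    known = address_book.get(from_name.strip().lower())
    warnings = []
    if known is None:
        # Name not in the address book: nothing to cross-check against here.
        return warnings
    if from_addr.lower() not in known:
        warnings.append(
            f"From address {from_addr} is not a known address for '{from_name}'"
        )
    if target.lower() != from_addr.lower():
        warnings.append(f"replies go to {target}, not to the From address {from_addr}")
    if target.lower() not in known:
        warnings.append(
            f"replies would go to {target}, which is not a known address for '{from_name}'"
        )
    return warnings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT), ("reply-to", REPLY_TO_DIVERTED)):
        print(label, check_sender(raw) or "ok")
```

The important design choice is that the address book lookup goes name to addresses and never the other way round: a matching name earns the message nothing, only a matching address does. A mail client that did this would have shown a warning instead of a photo.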
I will probably not open comments on this entry, as it isn’t entirely my story to tell and there is lots more information I am not prepared to share publicly. If you know me and have a specific question, you can reach out and I may be able to answer. Otherwise, please warn people you know:
- Never reply to important emails on an iOS device
- If in doubt, even a tiny bit of doubt, always forward and re-address
- Any sense of urgency in an email should be a red flag regardless of anything else
- There is no replacement for verbal verification, and there is always time for it