More Scams – Staying Safe
Following on from my article last time about phone scams, there has been a big rise in text scams on mobile phones. With so many of us ordering more things than usual online during lockdown, scammers are capitalising by sending texts claiming to be from delivery companies like Hermes, FedEx, DHL, DPD, UPS and Yodel – especially DHL at the moment. Of course, at some stage you may be expecting a parcel and be fooled into clicking the link. The one that is common at the moment takes you to a webpage that invites you to install an app to let you track your parcel or rearrange delivery times, but the app is really malware that spies on phones to gather sensitive data including bank details. It also uses your contact lists to send similar messages to your friends too.
Here are two I received:
And other scam messages are out there too, like this one I got claiming to be from HSBC and another from Vodafone. I a customer of neither. My phone flagged them as spam, but don’t rely on your phone catching every bad message!
The malware currently causing concern only applies to Android phones (basically, any smartphone that isn’t an iPhone), and the website asks you to disable a security setting and install an APK file. Despite those barriers, it has become quite widespread, and the simple rule is, don’t install programs from APK files but use the phone’s app store. Apple and Google check every program in their stores and automatically update them. While they’re not perfect, it is far safer than going it alone.
The important rules to remember are:
Email and URLs
It is worth understanding how Internet addresses work to spot scams in texts and emails. The addresses in the texts above are:
Most web addresses start with https:// or http:// though browsers may hide that part. It means it is a web address, as opposed to some of the other things found on the Internet.
After that – either until the end or the next slash (/) – comes the actual address. Anything that comes after the slash (if there is one) can be ignored, as can trailing slashes, because that only contains information used internally by the website. It might be the address of a specific page or a code that identifies you (or both). You will see that two of them have ‘dhl’ after the slash. That does not mean that the site has anything to do with DHL – it is not part of the site address.
Addresses themselves consist of parts divided by dots and are built up backwards. At the end you often see .com, .biz, .uk or another country code. The first one, .sg, means Singapore, which should set off alarm bells for you (if ‘goatstudio’ didn’t do that already!) In front of that, some countries have additional parts like .co.uk or .gov.uk.
The next bit is the important one: it is the name of the site, and it should match the company purporting to send the message and match their official web address. I have highlighted this in the list above. You can see that none of the examples have anything to do with the company they claim to be from. Note that only dots are separators, so if you see something like hsbc-bank with a hyphen or paypal_online with an underscore, the whole thing is the address. Don’t be fooled by an authentic-looking part of an address. (And in HSBC’s case, it should be hsbc.co.uk; Paypal’s is paypal.co.uk.)
Anything before the site name is also only internal, so the ‘hsbc’ and ‘vodafone’ in the last two are not part of the site name. A ‘www’ at the start is optional.
So now you know what to look for, really read a link and don’t just skip over it because it looks technical at first sight. In an email, ‘hover’ the mouse pointer over the link or button, and a good email program will show the address it is linked to in a pop-up or at the bottom of the window. An address that doesn’t match the one the link says is another red flag. Remember, look at the part just before the first single slash, or at the end if there isn’t one. But the golden rule remains: don’t ever click or tap a link in a text or email. If you want to visit the company’s site, open your browser (see You and the Internet) and enter the address for it that you have from a trustworthy source like a bill or a bookmark you have used before.
I often am asked whether to update programs when they say an update is available. The short answer is yes! If the publisher has patched a vulnerability, you need to install it before someone exploits the vulnerability to compromise you.
Keeping your whole system up to date is just as important as having an antivirus program. AV can’t protect you if an unpatched program provides criminals with a back door. Check regularly that Windows Updates are working, and every month leave your computer on for long enough for updates to be downloaded and installed – any time after the second Wednesday of each month.
But do make sure that the notification is genuine. Firstly close all other windows, especially browsers, because sometimes fake websites look like notifications. If it is a Windows notification, look at the title. For example, if the notification is from Google Chrome and it tells you McAfee has expired, the notification hasn’t come from McAfee but from a website, and is probably a scam. If unsure, compare the version number of your installed program against the latest version on the publisher’s website. The version is usually found by pointing to Help > About.
Again, like with texts and emails, the simple rule is: don’t click notifications in case they’re not genuine. Most programs have ‘Check for Updates’ or similar: use that instead. If in doubt, use the Comment box below to ask me. Better safe than sorry!