An Annotated Field Guide to Identifying Phish

I guess I should try it out with a few people to whom I send messages routinely, just so I can get a sense of what happens in my own inbox and sent mail box if I use it. I don’t understand very basic things, such as how responses to hidden-address email find their way back to me. I guess I could actually just hide my iCloud mail address in a few messages I send to one or two of my own mail accounts with other providers, or even messages I send to listservs to which I subscribe, but I assume the hiding will result in the listservs’ automated processing rejecting such messages. It seems to me it’s not meant to be a “use it all the time” tool.

I assume Apple sets up mail-forwarding for these addresses. So a message sent to it (to an Apple server) will result in it being forwarded to your iCloud mailbox. If these random addresses are served by the same server that handles the real mailboxes, then this forwarding should be a very quick and simple procedure - just look up the destination mailbox and drop it there.

The web page seems to indicate that when you receive a message via one of these random addresses and then reply to it, the reply will appear to come from that address. This should be no problem if you are using Apple’s mail apps (Mac, iOS or the iCloud web site), but I can’t see how that would work for a third-party mail app, unless you explicitly configure it for each such address. (But maybe there’s an e-mail standard that I’m unaware of that allows this to work in a portable fashion. I haven’t looked.)

That’s not what it’s for. It’s for signing up to services to hide your real email from them, so that if you ever don’t want that service any more, you can just delete the email alias and they have no contact real info for you. Or if they leak that email and you start getting spam to that address, you know they leaked it and can block that address.

While I don’t use this for a “real” service that already knows a lot about me (such as Amazon, which is going to have payment information, my address, and other details), it’s great for apps that require an email address to set up an account, temporary services you want to test before committing, etc. I use it to sign up for things like fast food apps, etc. which track reward points and give you coupons, games, web apps, and other “throwaway” accounts.

There is someplace where you can go to actually manage these email aliases, but I can never remember where it’s hidden when I need it.


From memory it’s something like Settings > Apple ID > iCloud > Hide My Email


Wonderful that preferences search didn’t bring that up when I searched for “hide” and “email” :pensive: . I tried both Mac and iPhone. Bad Apple.

That’s exactly like the PayPal phishing I documented in the article. It’s not real spam since it’s sent legitimately through PayPal’s systems, but it’s absolutely a scam that should be reported to phishing@paypal.com. I’ve gotten a bunch of these, and I always report them and then delete them without marking them as spam.


I don’t think this is problematic. In fact, I’d suggest that you’re actually reversing the two examples in importance: email is much more important to protect than something you can make purchases with, because control over someone’s email gives them control over many other accounts.

The real key is two-factor authentication, which prevents even a compromised password from being used to break into your account.


And, wherever possible, use 2FA that does not depend on receiving text messages for the response, so a SIM swap scam won’t neutralize that second factor.

I prefer using TOTP code generators, like Google Authenticator (among many that implement the same algorithm). Once initially configured, they generate all their codes locally, without any data exchange with the remote service. So there’s no data to intercept.

As I understand it, Apple’s 2FA is also TOTP (but possibly with a different algorithm). Although it receives notifications from the network, the actual code is generated locally and is not received over the air.

Unfortunately, you don’t always have a choice. Some systems (including banks) insist on sending you SMS text messages or e-mail as a part of their authentication process, which won’t help you if your phone number or mailbox has been compromised.


I have two methods I use for:

1. Phishing - go hunting and see if you can find a zip file with the same name as a folder. If so, download the zip file and have a look through the PHP code. If you find an email address, sign the f()ckers up for spammy newsletters.
2. 419 scams - they invariably have to have a reply-to address or try to hide it in the email by putting in spaces and ‘dot’ instead of ‘.’ Sign the f()ckers up for spammy newsletters.
   Also, report the phishing to phishtank[dot]com. This way it gets verified and added to antivirus software as malicious. Any spam email, I report to spamcop[dot]org; any suspected virus gets passed through virustotal[dot]com.

One thing that is about the easiest way to test where the email came from is in the picture.
I try to always go directly to the location if asked to go to “my bank” and log in directly.


Although I would agree that this is the first place to check for phishing, it’s not the last. That field can be easily faked and does not positively identify the source of the message. The full headers showing where the message was first received need to be examined in order to assess the true source of the message.


See also this recent thread:

Quite a lot of information in an e-mail’s headers can be forged, so you need to know what to look for and what to ignore when determining if mail is real or not.

Many times, it’s not possible to know conclusively, in which case you should assume it’s fake and proceed accordingly.

Refusing to click on links from unexpected messages (instead going straight to the source, like your bank, with a URL you know to be valid) is a good practice in general these days.

Of course, if the phish is looking for a direct response, you can also check the "Reply-To:" header and be sure it is going to a reasonable address in the real domain. As the phisher needs to see the response, it is less likely for this to be forged if the real domain has not been hacked.
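To make the header advice in the last few posts concrete (the Received: chain, the forgeable From:, and the Reply-To: that the phisher cannot afford to fake), here is an added example, not code from anyone in this thread, that walks a raw message the way a mail admin would. It reads the Received: hops oldest-first, compares the From: domain with the domain a reply would actually go to, and pulls the SPF/DKIM verdicts out of Authentication-Results:, which is written by the receiving server rather than the sender. The message, hosts, addresses and IPs are all constructed for the example (documentation address ranges, invented domains); `assess` and its wording are my own, not a standard.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed sample (hypothetical hosts and domains, RFC 5737 documentation IPs).
# Pattern: plausible From:, Reply-To: in a look-alike domain, and a Received: chain
# that starts nowhere near the claimed sender's infrastructure.
SAMPLE_MESSAGE = """\
Received: from relay.bulk-mailer.example (relay.bulk-mailer.example [198.51.100.5]) by inbox.example.net with ESMTPS; Mon, 1 Jan 2024 10:00:02 +0000
Received: from [203.0.113.7] (unknown [203.0.113.7]) by relay.bulk-mailer.example with SMTP; Mon, 1 Jan 2024 10:00:00 +0000
Authentication-Results: inbox.example.net; spf=fail smtp.mailfrom=example-bank.com; dkim=none
From: "Example Bank Security" <security@example-bank.com>
Reply-To: support@example-bank-verify.example
To: customer@example.net
Subject: Action required: verify your account

Please reply with your account details to keep your access.
"""

RECEIVED_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.DOTALL)


def parse(raw: str) -> Message:
    return message_from_string(raw)


def received_chain(msg: Message) -> list:
    """Received: hops oldest-first. Every MTA prepends its own header, so the top
    one was written by your own server (trustworthy) and the bottom one is the
    hop nearest the origin (written by whoever relayed it, so possibly forged)."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(" ".join(value.split()))  # unfold, then match
        if m:
            hops.append({"from": m.group(1), "by": m.group(2)})
    return hops


def domain_of(header_value) -> str:
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def reply_to_mismatch(msg: Message) -> tuple:
    """(From: domain, domain a reply actually goes to, mismatch?)."""
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To")) or from_dom  # no Reply-To means reply to From
    return from_dom, reply_dom, from_dom != reply_dom


def auth_results(msg: Message) -> dict:
    """spf/dkim/dmarc verdicts recorded by the receiving MTA."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value):
            results[method] = verdict.lower()
    return results


def assess(msg: Message) -> list:
    """Collect the indicators a reviewer would look at; wording is illustrative."""
    findings = []
    hops = received_chain(msg)
    if hops:
        findings.append(f"origin hop: {hops[0]['from']} -> {hops[0]['by']}")
    from_dom, reply_dom, mismatch = reply_to_mismatch(msg)
    if mismatch:
        findings.append(f"reply-to domain {reply_dom} differs from From: domain {from_dom}")
    for method, verdict in auth_results(msg).items():
        if verdict != "pass":
            findings.append(f"{method}={verdict}")
    return findings


if __name__ == "__main__":
    for line in assess(parse(SAMPLE_MESSAGE)):
        print("-", line)
```

The one header here you can rely on is the top Received: line and the Authentication-Results: line, because your own mail server wrote them; everything below the top hop, and the From: line, came from the sender and can say whatever the sender wants.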

Scanning the headers is not real hard to pick up some information. I figure if I send the phishing e-mail to an IT person, they can figure out the headers, and what to take action on, much better than I can. Especially if the headers contain info that shows the e-mail originated on their site, and the sender does have an account on their server.

No, that’s what https://spamcop.net is for, not some random IT guy that you hope has some spare time to deal with your issue.

Al,
If the e-mail was sent from one of his servers, it IS his issue! Either an employee has gone rogue or an intruder is using his server. He needs to deal with either possibility!

No. Please don’t trust what you see there. This cannot be repeated enough:
It is super easy to spoof header information and put into From: whatever a scammer wants. Do not trust anything you see there as a guarantee for anything.

This on the other hand is sound advice.

Always go to the company/service website yourself, manually typing in the address or using your own bookmark. If the email was legit and you need to do something related to your account with them, they will tell you once you log on. The massive advantage of this is you need to trust only yourself about who you are dealing with. You initiate communication with a known entity using your own URL information. You do not rely on a link provided by any external party. This way you always know who you are dealing with.

I have yet to encounter a company or service that will send me a link to do something which I can only access using that email they sent me. If I truly need to do something, logging on to my account with them will always give me the same option. In fact, many companies will immediately query me on the task they want me to carry out as soon as I log on (like my utility that will ask me to verify my contact details are up-to-date before I can do anything else on my account with them). No need to follow any email directions or use any email links. None at all. Using such an email as a reminder is fine, following its links is not.


Agree.

I’m sure it has happened to me (and I wish I could cite a specific example); it is extremely annoying, for the reasons you mention. My general rule is never to click on a link in email, although there are exceptions (verifying a registration being the most common).

Partially related is when an email tells me to call and provides a number that I have not recorded. This happened with a bank, and a search at the bank’s web site did not find the number, so I used my preferred search engine. It returned sites that said the number was legit and it returned sites that said the number was a scam. (“Ask the internet, and pick the answer you like.”) Any advice for that situation?

Me, I’m pretty certain I’d never call an unknown phone number suggested in an email.

I have yet to encounter a serious company that will tell me in an email I need to call them on the phone.

If they need to talk to me, they will either call me (which opens another can of worms…) or they will send me a proper letter. Either way, I will make sure to initiate the call myself to a number I have on file and if that requires a callback, so be it. No way I will just take some email or call and assume it’s legit.

I realize that this is not a timely reply but there are email provider options that do a much better job at preventing phishing and spam from reaching your inbox. Of course, it may cost a bit more than outlook.com but when your sanity is at risk, isn’t that worth spending pennies a day for relief?

I’ve used the privacy-oriented email service Runbox.com for years now and I cannot recall receiving a phishing email in recent years. Its server-based spam filters do an outstanding job. The small amount that gets through to me is snagged by SpamSieve. No spam reaches our family inboxes.

Using the Runbox website to “train” the filters is easy and customer support really is 24/7 if assistance is needed. The company is based in Norway, which has no downsides as far as I am concerned.