Hacker News Viewer

Gone (Almost) Phishin'

by luu on 3/31/2026, 5:11:39 AM

https://ma.tt/2026/03/gone-almost-phishin/

Comments

by: jasode

> When you get an email from Apple—or, really, anyone telling you to complete a digital security measure—check the URL they're trying to send you to. Apple Support lives on apple.com and getsupport.apple.com, nowhere else.

That advice is fine for the technically savvy but doesn't work for a lot of normal people who don't have the knowledge to mentally parse URLs.

    https://getsupport.apple.com/customer?cvid=8c11bcc71f684b6ab405d4fa1e86c146
    https://getsupport.apple.com.phish.xyz/customer?cvid=8c11bcc71f684b6ab405d4fa1e86c146

People just pattern match on the substring "apple.com" because they don't understand that the DNS system works right-to-left. Therefore, the 2nd URL looks just as "legitimate" as the first one.

I work with senior citizens and tried to explain how to parse the domain in the URL by looking for the first forward slash after the "https://" and then working backwards, but they find that mental algorithm confusing and those instructions don't stick. (This is actually an area where some AI on phones/desktops could assist people in deciphering URLs or mark them as suspicious.)

The other problem with that advice is people can't "whitelist" the legitimate domains to look for *because they don't know ahead of time what they are*. E.g.:

- An Amazon verification email will be sent from "account-update@amazon.com". It's intuitive to predict "@amazon.com", so the mental whitelist filter works.

- However, State Farm Insurance login verification codes are actually sent from "noreply@sfauthentication.com" instead of the expected "@statefarm.com".

4/2/2026, 11:19:25 AM


by: JumpCrisscross

> Apple Support lives on apple.com and getsupport.apple.com, nowhere else.

Meanwhile: "Microsoft support uses the following domains to send emails:

microsoft.com
microsoftsupport.com
mail.support.microsoft.com
office365support.com
techsupport.microsoft.com" [1]

[1] https://learn.microsoft.com/en-us/troubleshoot/azure/general/email-domains-support-agent

4/2/2026, 10:06:25 AM

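The two comments above describe the same check from two sides: jasode's point that the host has to be read label by label from the right, not scanned for the substring "apple.com", and JumpCrisscross's point that the list of legitimate domains has to come from what the organisation actually publishes. The following is an added example, not code from the linked post or from either commenter; the allowlists, sample links and sender addresses are constructed for illustration, and a real deployment would take the allowed registrable domains from the organisation's published list and compare them with a Public Suffix List rather than the plain suffix match used here.

```python
# Added example (not code from the linked post or this thread): a label-based
# check of where a link really points, next to the substring check most people
# do in their heads. Allowlists and sample inputs below are constructed.
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Constructed allowlists of registrable domains. In practice these must come
# from the organisation's own published list (as Microsoft does for its
# support mail), not from intuition: "statefarm.com" would not match State
# Farm's real sender domain sfauthentication.com.
APPLE_DOMAINS = {"apple.com"}
MICROSOFT_SUPPORT_DOMAINS = {
    "microsoft.com", "microsoftsupport.com", "office365support.com",
}


def naive_substring_check(url: str, brand_domain: str) -> bool:
    """The mental check that fails: is "apple.com" anywhere in the string?"""
    return brand_domain in url


def host_of(url: str) -> Optional[str]:
    """Return the lowercase ASCII host a browser would connect to, or None.

    urlsplit().hostname drops the scheme, userinfo ("user@"), port, path and
    query, so "https://getsupport.apple.com@phish.xyz/" yields "phish.xyz".
    """
    host = urlsplit(url.strip()).hostname
    if not host:
        return None
    try:
        # Homograph defence: a Unicode label such as Cyrillic "а" in "аpple"
        # is converted to its xn-- form, which no longer resembles "apple".
        host = host.rstrip(".").encode("idna").decode("ascii")
    except UnicodeError:
        return None
    return host.lower()


def matches_domain(host: str, allowed: Iterable[str]) -> bool:
    """Label-based match, right to left: host is an allowed domain or a
    subdomain of one. "apple.com.phish.xyz" and "audit-apple.com" both fail."""
    return any(host == d or host.endswith("." + d) for d in allowed)


def is_allowed_link(url: str, allowed: Iterable[str]) -> bool:
    host = host_of(url)
    return host is not None and matches_domain(host, allowed)


def is_allowed_sender(address: str, allowed: Iterable[str]) -> bool:
    """Same check for a From: address; only the part after the last "@" counts."""
    if "@" not in address:
        return False
    return matches_domain(address.rsplit("@", 1)[1].strip().lower(), allowed)


# Constructed sample links: the two from the comment above, the userinfo
# trick, the lookalike registration mentioned in the thread, and a homograph.
SAMPLES = [
    "https://getsupport.apple.com/customer?cvid=8c11bcc71f684b6ab405d4fa1e86c146",
    "https://getsupport.apple.com.phish.xyz/customer?cvid=8c11bcc71f684b6ab405d4fa1e86c146",
    "https://getsupport.apple.com@phish.xyz/customer",
    "https://audit-apple.com/verify",
    "https://\u0430pple.com/verify",  # first letter is Cyrillic U+0430
]


def compare_checks(urls=SAMPLES, brand="apple.com", allowed=APPLE_DOMAINS):
    """Return {url: (substring_verdict, label_based_verdict)} for each sample."""
    return {u: (naive_substring_check(u, brand), is_allowed_link(u, allowed))
            for u in urls}


if __name__ == "__main__":
    for url, (naive, strict) in compare_checks().items():
        print(f"{'OK ' if strict else 'BAD'} (substring check said {naive}): {url}")
```

Running it shows that the substring check accepts four of the five links, including the "apple.com.phish.xyz", "apple.com@phish.xyz" and "audit-apple.com" forms, while the host-based check accepts only the first. The sender check is the same logic applied to the domain after "@", and it only works if the allowlist holds the domains the organisation really sends from.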

by: valzam

As others have mentioned, one big issue is that every company does these things differently, and just because someone texts you a link doesn't mean it's phishing, even though it feels shady. In Australia I have had calls by immigration officers on suppressed numbers that wanted PII over the phone without being able to tell me what the purpose of the call was.

4/2/2026, 11:19:38 AM


by: olmo23

I told my parents: if they are ever called by anyone, to tell them "now is not a good time, please give me a case number and I'll call back when I do have the time."

And then, this is important, look up the number for the customer service hotline online.

I feel like this is a simple solution that works 100% of the time.

4/2/2026, 9:47:58 AM


by: haar

Thank you for writing this up (and getting it put into a video). I sent this blog post to my parents and my mum has decided to forward it on to all of her friends after watching.

Seems easily digestible and approachable for a specific target audience.

4/2/2026, 11:15:59 AM


by: ChrisMarshallNY

Phishing has gotten really good lately. As he noted, they will often re-use legit templates from the actual corporation. The email will be 99.9% legit, with maybe only one link being dodgy.

I don't think they can pass DMARC, though.

My wife was almost scammed a few years ago. What tipped her off was how extremely good the "tech support" was. Real tech support is generally someone on a scratchy line, with a heavy accent, following an inappropriate script.

Even after she backed away, they sent a few followup snail mails, looking somewhat legit (cheap printer).

4/2/2026, 10:30:15 AM

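The DMARC point above deserves a worked check, because a DMARC pass only says that the domain in the From: header authenticated itself, not that the domain is the brand the template imitates. The following is an added example, not code from the post or from the commenter; the three header sets are constructed, the alignment uses the last two labels as the organisational domain (a real evaluator uses the Public Suffix List), and no DNS policy lookup is performed.

```python
# Added example (not from the post or this thread): evaluating DMARC alignment
# from an Authentication-Results header, then asking the separate question of
# whether the authenticated domain is actually the brand. Headers constructed.
import re
from typing import Dict, Tuple

ALLOWED_BRAND_DOMAINS = {"apple.com"}  # constructed allowlist


def org_domain(domain: str) -> str:
    """Organisational domain, simplified to the last two labels.
    Assumption for this example; real code consults the Public Suffix List."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def from_domain(from_header: str) -> str:
    """Domain of the RFC 5322 From: address, the one DMARC is about."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower() if m else ""


def parse_auth_results(header: str) -> Dict[str, Dict[str, str]]:
    """Parse the 'method=result prop=value ...' clauses of Authentication-Results.
    The first clause is the authserv-id and is skipped."""
    results: Dict[str, Dict[str, str]] = {}
    for clause in header.split(";")[1:]:
        clause = clause.strip()
        m = re.match(r"(spf|dkim)=(\w+)", clause)
        if not m:
            continue
        props = dict(re.findall(r"([\w.]+)=([\w.@-]+)", clause)[1:])
        results[m.group(1)] = {"result": m.group(2), **props}
    return results


def dmarc_evaluate(headers: Dict[str, str]) -> Tuple[str, str]:
    """Return (dmarc_result, from_domain). Relaxed alignment: a passing SPF
    MAIL FROM domain or DKIM d= domain must share the From: org domain."""
    rfc5322_from = from_domain(headers["From"])
    auth = parse_auth_results(headers["Authentication-Results"])
    spf, dkim = auth.get("spf", {}), auth.get("dkim", {})
    spf_domain = spf.get("smtp.mailfrom", "").split("@")[-1]
    dkim_domain = dkim.get("header.d", "")
    spf_aligned = (spf.get("result") == "pass"
                   and org_domain(spf_domain) == org_domain(rfc5322_from))
    dkim_aligned = (dkim.get("result") == "pass"
                    and org_domain(dkim_domain) == org_domain(rfc5322_from))
    return ("pass" if spf_aligned or dkim_aligned else "fail", rfc5322_from)


def classify(headers: Dict[str, str]) -> str:
    """DMARC answers 'is the From: domain authenticated?'; the brand check is
    a second, independent question that DMARC never answers."""
    result, domain = dmarc_evaluate(headers)
    if result != "pass":
        return "fail: From: domain not authenticated"
    if any(domain == d or domain.endswith("." + d) for d in ALLOWED_BRAND_DOMAINS):
        return "pass: brand domain"
    return "pass: lookalike domain " + domain


# Constructed messages: a direct spoof of the brand's From: domain, a lookalike
# domain that authenticates itself properly, and genuine brand mail.
SPOOFED = {
    "From": "Apple Support <no_reply@email.apple.com>",
    "Authentication-Results": "mx.example; spf=pass smtp.mailfrom=bounce@phish.xyz; "
                              "dkim=pass header.d=phish.xyz header.s=s1",
}
LOOKALIKE = {
    "From": "Apple Support <support@audit-apple.com>",
    "Authentication-Results": "mx.example; spf=pass smtp.mailfrom=support@audit-apple.com; "
                              "dkim=pass header.d=audit-apple.com header.s=s1",
}
GENUINE = {
    "From": "Apple <noreply@email.apple.com>",
    "Authentication-Results": "mx.example; spf=pass smtp.mailfrom=bounce@email.apple.com; "
                              "dkim=pass header.d=apple.com header.s=s1",
}

if __name__ == "__main__":
    for name, msg in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("genuine", GENUINE)):
        print(f"{name:9s} -> {classify(msg)}")
```

The spoof of the real From: domain fails alignment, which is the case the comment has in mind; the lookalike domain passes DMARC because it authenticates itself, so the filter still has to compare the authenticated domain against the brand's published list.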

by: hk__2

Previous submission: https://news.ycombinator.com/item?id=47388201

4/2/2026, 9:43:02 AM


by: maplethorpe

The scammer sounds Australian, but he pronounces mobile as &quot;mobil&quot;, like an American. I wonder if he&#x27;s doing that intentionally to provide cover, or if he&#x27;s worked with Americans so much in the past that it&#x27;s changed his pronunciation.

4/2/2026, 10:13:33 AM


by: tom-blk

This is actually quite impressive and concerning

4/2/2026, 10:43:43 AM


by: xnx

audit-apple.com is offline now. Is that something ICANN does, and if so, can they fix zombo.com?

4/2/2026, 10:50:11 AM


by: metalman

Currently my device has no passwords, and the only apps that lead to anything personal are browsers, and then sign into my website/email. I have eliminated online banking, except for allowing people to pay me through direct deposit, which I confirm on my once-a-week trip to an actual bank. Very occasional online purchases use a dedicated credit card. The above, I believe, makes me a smol, challenging target, and I use the many many attempts to phish through text, email, and voice as practice sessions to refine my customer-facing presence, and answer all calls, and cheerfully deflect anything or anyone that is not a legitimate human and/or customer, in under 10 seconds. Going forward I would train any office helpers to use the same methods on any work devices.

4/2/2026, 11:11:52 AM


by: voidUpdate

What's at the bottom of the page? It looks like it's meant to be brushstrokes or something?

4/2/2026, 9:36:09 AM


by: firstrulephish

For the record, Apple will never call you first, but other services might. The REAL first rule of not being scammed should be stated:

"Thanks for the concern, I will call you right back."

If your bank calls you, you end the call and call them. Don't take suggestions for a contact address. You look them up, and you call them. Don't elaborate. The scammer is either an idiot and will try to call you telling you to stop, or smart and will fuck off. And if it was the bank, they'll at best pick right back up from where you left it, and at worst learn better from the event.

4/2/2026, 9:46:17 AM


by: mentalgear

This scam is scarily well made and what terrifies me is how easily scalable it is across sectors (e.g. your bank) and with AI voice clones (like in the attached video they mentioned the new 11lab generation).

4/2/2026, 10:13:30 AM