I regularly receive inquiries from clients who forward me an phishy email and ask, “Is this legit?” Starting earlier this year, my habit has been to respond with something like, “I see a multitude of reasons why it’s not. Would you like to list the ones you see?”

I don’t always get a response. Maybe because this is seen as a retort rather than a desirable curiosity.

Nonetheless, the volume of email we receive and the volume of spam, phishing attempts, and other malicious messages are both on the rise. Because of this, it’s good to learn to recognize these false requests for personal information, confidently turn them down, report when appropriate, mark as spam, and move on with your life.

Client Notes

Last week, I helped Lynn recover her Mac mini that wouldn’t let her log in after a likely botched software update. A reset to factory settings and restore from a fresh backup were necessary to conclude a lengthy troubleshooting process.

I also explored cleanup and syncing opportunities with Laurie and prepared her to make the switch to 1Password. Plus, I discussed with Rochelle the steps retire an email address and adopt a new one.

Sophisticated Google Phishing Email

Recognize Phishing Attacks

I shared a number of tips on how to handle phishing emails in Gone Phishing. Nearly seven years later, the design of these messages has gotten more sophisticated.

For example, this past April, Nick Johnson thoroughly documented a phishing attack that targeted him. This one was particularly convincing in that the email really did appear to come from Google.

However, note that the support case links to a Google Sites URL, a user-facing platform Google would never use to host such material. Meanwhile, the message is worded pretty well, but some telltale signs it’s not legit include:

  1. The first sentence is missing a period
  2. No one uses nor recognizes a numeric “Google Account ID”
  3. The subpoena was issued by “a law enforcement”
  4. The message was not sent to the user’s actual email address but something especially arcane
  5. The sender appears to include privateemail.com, which is not a known domain

If you’re curious, there’s plenty more in Nick’s analysis.

Not a Legit Text Message

Is This Legit?

A client recently forwarded me a text message she received (see above), asking if it was a scam. “In so many ways,” I replied. “Want to list a few?”

“For one,” she responded, “I don’t get texts from Apple.” This is an excellent observation! Product and service vendors generally don’t initiate text messages to customers.

Your bank’s fraud department might have an automated process that notifies you by text message of possible fraud on your payment card. To receive this benefit, perhaps you’ve also had to opt in. Generally, though, companies wait for customers to have the first word.

Here’s an exhaustive list of ways to know this message wasn’t legit:

  1. Any text message from Apple would have come through an encrypted business messaging channel on Apple’s own iMessage service, not carrier-based and unencrypted SMS
  2. There’s an extra space in the amount in the body of the message and on the Total line
  3. Apple no longer uses the term “Apple ID,” which never had periods, by the way. The current term is Apple Account.
  4. “Apple” is repeatedly spelled with a pipe character instead of an L
  5. Why is “Authorize” capitalized and “Txn” abbreviated, with odd spacing and a parenthetical?
  6. No one in the digital age says to “dial at” a number. The expected word would be “call.”
  7. The phone number is formatted oddly with periods or spaces as separators
  8. There are two stray quote marks at the end
  9. How many terms are needed to define the receipt and where in the world does someone receive a Tax Invoice, Bill of Supply, or Cash Memo?
  10. The date is missing a space before the year
  11. There’s no such thing as an “iOS Store” and “Iphone,” besides being misspelled, isn’t a purchase source either
  12. What does “In-Web purchased” mean?
  13. One of the prices has two decimals
  14. How can the copyright date include 2026 when it hasn’t arrived yet?
  15. “i-OS” is not a thing
  16. The line “All rights received” never includes “are”

Need I continue? I could probably list even more areas of poor style…

Next time you receive a message about a purchase you didn’t make or a legal document that doesn’t seem connected to your activities, take a breath and engage your powers of observation. With a little patience, can you assess the item and recognize whether it’s actually legit?