Summary
- Your best defense is your mind — double-check the URL of a link before you tap on it, and ask questions about how and why you’re receiving it. Don’t succumb to pressure tactics, either.
- If you do tap on something sight-unseen, Safari’s Fraudulent Website Warning and Not Secure Connection Warning features can help flag phishing websites.
- Chrome for iPhone has optional, real-time anti-phishing analysis, but you’ll have to decide whether you’re comfortable sharing more site data with Google.
In some ways, security on your iPhone is more fraught than ever, even though Apple has done an excellent job at building up its defenses. We’re bombarded with threats daily, some of them deeply insidious. Organized crime targets us with forced labor at scam centers, while other forces work to crush internal dissent and infiltrate foreign institutions.
Tricks are the main tactic you’ll encounter, though, coming in the form of phishing. Phishers produce websites, emails, and text messages that are designed to look legitimate, but are really engineered to steal your private data, or infect you with spyware or ransomware. The good news is that phishing is usually easy to dodge with a little skepticism, and that Apple and other app makers have implemented special anti-phishing protections. You’ll find some of the tools I rely on below.
1
Double-checking every new web address before tapping it
The most obvious tell
Most phishing scams are concerned with getting you to visit a specific fake website. If you’re not immediately hit with malware (which is less of a threat on iPhones, thankfully), the site will persuade you to share information like a password, your credit card details, or even your Social Security number. But the flaw in these scams is that they can’t use the exact URL of the site they’re pretending to be. Before clicking on a link, check that it matches the address of the site you’d normally deal with. As a hypothetical example, any legitimate Apple link is going to have “apple.com” at its root. A site like “apple-lucky-money.com” (which, hopefully, doesn’t actually exist) is going to have nothing to do with the company.
There are ways of concealing a URL, say by linking a keyword or image, or using a URL shortener. But if you touch and hold a link in Safari, you’ll get a preview of its contents, giving you a sense of whether you really want to proceed. There are ways of previewing links in other apps, too. As a rule of thumb, if there’s any doubt, don’t click.
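The "apple.com at its root" check described above can be made mechanical. The following is an added example, not code from the original article: it contrasts a weak "does the link mention the name" test with a check that parses the link and compares the hostname against a trusted domain. The function names, the trusted domain argument and every sample link are assumptions constructed for illustration.

```javascript
// Added example, not from the original article. The trusted domain is
// supplied by the caller; all sample links below are constructed.

// Weak check: only asks whether the trusted name appears anywhere in the link.
function naiveCheck(link, trustedDomain) {
  return link.toLowerCase().includes(trustedDomain.toLowerCase());
}

// Stronger check: parse the link the way a browser does, then require the
// hostname to be the trusted domain itself or a subdomain of it.
function classifyLink(link, trustedDomain) {
  let url;
  try {
    url = new URL(link);
  } catch {
    return { verdict: "invalid", host: null, reasons: ["not a parseable URL"] };
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return { verdict: "invalid", host: null, reasons: ["not a web link"] };
  }
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  const trusted = trustedDomain.toLowerCase();
  const brand = trusted.split(".")[0];
  const reasons = [];
  // The leading dot matters: "mybank.example" must not pass for "bank.example".
  const underTrusted = host === trusted || host.endsWith("." + trusted);
  if (!underTrusted && host.includes(brand)) {
    reasons.push(`uses the name "${brand}" but is not under ${trusted}`);
  }
  if (url.username || url.password) {
    reasons.push("text before '@' is not the host");
  }
  const verdict = !underTrusted ? "mismatch" : reasons.length ? "suspicious" : "match";
  return { verdict, host, reasons };
}

// Constructed sample links (the second is the article's hypothetical).
const SAMPLE_LINKS = [
  "https://support.apple.com/en-us/",
  "https://apple-lucky-money.com/claim",
  "https://apple.com.account-check.example/login",
  "https://apple.com@login.example/",
];

function report(trustedDomain) {
  return SAMPLE_LINKS.map((link) => ({
    link, naive: naiveCheck(link, trustedDomain), ...classifyLink(link, trustedDomain),
  }));
}

console.table(report("apple.com").map(({ link, naive, verdict }) => ({ link, naive, verdict })));
```

The last two sample links pass the weak check because the text "apple.com" appears in them, yet the parsed hostname shows they lead somewhere else.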
2
Questioning how (and why) someone is reaching out
Pausing for a moment can save you
Being a tech journalist, I get a lot of unsolicited email pitches from press agencies, some of them nonsensical — why would the readers of a tech site care about who the sexiest athlete is? Yes, that’s a real pitch I got recently. The PR agent in question has probably never read any of my work.
Here’s the thing, though — I’m expecting to get pitches, and agents never insist that I click on a link or share private information. If you get a text or email that demands something of you, and is apropos of nothing you initiated, that’s probably a red flag or at least a yellow one. To ramp up the pressure, phishers often couch their demands in the most urgent-sounding scenarios, such as a hold on an important package. Don’t fall for it.
Also, consider the medium through which a request is sent. Unless you already know the person, you’re not going to get a serious job offer via a text message. Likewise, important investment deals don’t start with e-mail spam, and companies like Apple and Microsoft have dedicated chat systems and phone lines for tech support. They’re not going to send you an SMS or WhatsApp message out of the blue.
3
Using Safari’s built-in warning features
A fail-safe for dangerous content
Don’t beat yourself up if you end up being lured to a fake website. To err is human, and, for some perspective, well-educated people at major institutions have fallen prey. It’s difficult to keep up your guard 24/7, especially if you’re checking texts or emails on the go instead of sitting down in front of your tablet or laptop. It’s easier to be patient in a comfy chair.
To help you, Safari for iOS has two relevant features, both accessible via Settings > Apps > Safari. The first is Fraudulent Website Warning, which, as its name implies, should display a warning whenever it thinks a website is dangerous. Apple’s tech is a little overzealous sometimes, but it’s better to have to bypass a warning occasionally than put your iPhone at risk.
The other feature is Not Secure Connection Warning. It might not seem related to phishing on the surface, but since fake websites are built to either steal your data or deliver malware, they don’t use the encrypted connections reputable websites do. If you get a “Not Secure” warning on a webpage, back out immediately — even if the site is legitimate, its security measures may be too weak.
4
Chrome Safe Browsing
Many people use Chrome on their iPhone instead of Safari, and if you do too, protections similar to Safari’s are on by default. You can feel relatively comfortable that you won’t land in scam territory. You should, of course, continue to think critically about links in texts and emails.
If you’re especially worried about phishing, though, Chrome has an even tougher security option called Enhanced protection. You can find it by opening Chrome, tapping the triple-dot icon, then navigating to Settings > Privacy and security > Safe Browsing.
I actually use Standard protection myself, but the Enhanced option performs real-time analysis based on AI. That can potentially catch new and exotic phishing attempts, since Standard only relies on a list of known offenders, albeit regularly updated. There are trade-offs for going Enhanced — Google receives more data about the sites you’re trying to visit, and there’s an increased potential for a false positive. You’ll have to decide for yourself whether those things are acceptable in return for blocking anything remotely resembling an attack.