Avoid this security threat to keep your inbox from becoming a horror story

It’s that time of year! We’re all having fun planning our Halloween costumes. What’s not so fun? Cybercriminals are doing the same thing.

Just as you can put on a Dracula outfit and look the part, criminals can camouflage their emails to present a perfect facade, too — of a brand you trust.

But crooks don’t have to buy their costumes: a phisher — let’s call him Vlad the Impaler — can just take a real email from, say, Apple, save its HTML content, and modify a few links. Vlad can then resend a perfect-looking Apple mail from a plausible sounding server like “apple-mail-gateway.com” and … trick or treat.

The trick is: Vlad makes that Apple email say something along the lines of “Log in to verify your payment details.” The treat (for them) is you click through and type your username and password into their fake login page. Maybe you’ll even enter your credit card information. Then Vlad sells this info on the dark web for a lot more than a bag of candy corn.

This deception is surprisingly easy for real world fiends: Vlad can register a new domain named whatever he likes for just a few bucks. How about apple-secure-mail.com? Once Vlad gets his new fake Apple domain, it’ll take him under an hour to set up a mail server and start sending out phishing emails targeting lists of potential victims he’s gotten from, guess where? The dark web.

In another few hours, he’s gotten the goods and is gone without a trace.

If this seems all too easy, you’re right. Email is a relatively “old” internet protocol and it therefore lacks security features of more modern protocols. There’s no way to ensure that the sender of an email is really who it claims to be. There’s no master list anywhere of “the domains Apple legitimately emails from.” And there’s no practical way to link a domain to a specific brand.

Furthermore, unlike social media and messaging apps, email is federated. That means anybody can run a mail server for free and exchange email with anybody else on Earth. A great triumph for freedom of access, but not so good for security.

Vlad also knows that as humans, if an email comes into your inbox claiming you need to “verify your payment” or “your password has expired” or something of that nature, we are very likely to be worried that someone has logged into our account and we are quick to react before thinking this through. The Vlads of the world prey on this tactic constantly. Human error is almost impossible to avoid or train for. Organizations can’t know what the next email scam is going to look like so therefore can’t prevent this from happening. This makes it super easy for Vlad to trick, or treat.

So how do you protect yourself from Vlad’s dressed up scams? The easiest way is to avoid clicking links in emails entirely. Instead of clicking on the link in that mail from Apple, just type “apple.com” into your browser and go directly there. Or call Apple via its customer service phone number.

As a rule, try to perform any sensitive transaction — one involving passwords, subscriptions, money, etc. — outside of email, even if the initial notification arrived via email. Make that especially if it arrived via email.

And above all, never assume an email is from who it appears to be from. While it may arrive in a convincing costume, its intention might just be to egg your virtual house.