yesterday i had someone try to hack my animal jam account again. if you
don't know, there is this phishing scam going around targeting animal
jam players that is presumably using data from the 2020 breach.
what they do is try to reset your password, which causes the official animal jam hq email address to send a legitimate password change request email. the scammer then sends their own email pretending to be animal jam hq that says it is an automated support ticket and that you should reply with screenshots of any suspicious password change requests.
i already knew this was a scam because they had tried to do this to me several times before (plus it was automatically detected as junk mail anyway). the thing that scared me was something about the email client i was using.
for the sake of simplicity, many email clients only show the sender's display name unless you click on something extra. people who are less internet-savvy and (rightfully) panic when they see a phishing email may not think to click that extra thing. specifically, the app i was using (the default samsung email app) makes you click on the sender's display name to see their email address.
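to make the "display name only" problem concrete, here is an added example (my code, not anything from the original post): it parses a From header into the display name and the actual address the way RFC 5322 separates them, then flags senders whose address is outside a trusted domain or whose display name itself contains an address. the domain animaljam.example and the sample headers are placeholders made up for the illustration, not real addresses.

```python
"""Show what an email client's "display name only" view hides.

Added example, not code from the original post. The From headers below are
constructed for illustration; "animaljam.example" is a placeholder, not the
real sender domain of any service.
"""
from email.utils import parseaddr

# Placeholder: domain(s) that legitimate mail for this service comes from.
# Assumption for the example; check the real sender domain yourself.
TRUSTED_DOMAINS = {"animaljam.example"}

# Constructed sample From headers (not real messages).
SAMPLE_HEADERS = [
    # legitimate: display name and address agree
    "Animal Jam HQ <no-reply@animaljam.example>",
    # spoofed: same display name, address on an unrelated domain
    "Animal Jam HQ <support@mail-hq-tickets.example>",
    # trick: a fake 'Name <addr>' inside the quoted display name, real address after it
    '"Animal Jam HQ <no-reply@animaljam.example>" <tickets@mail-hq-tickets.example>',
    # no display name at all: the client has nothing to hide behind
    "no-reply@animaljam.example",
]


def split_sender(from_header: str) -> tuple[str, str]:
    """Return (display_name, address) as RFC 5322 parsing sees them.

    The display name is free text chosen by the sender; only the addr-spec
    between '<' and '>' says where the message claims to come from.
    """
    name, addr = parseaddr(from_header)
    return name, addr.lower()


def sender_domain(address: str) -> str:
    """Domain after the '@', or '' if there is no address."""
    return address.rpartition("@")[2] if "@" in address else ""


def assess_sender(from_header: str) -> dict:
    """Classify a From header the way a careful user (or a filter) should."""
    name, addr = split_sender(from_header)
    domain = sender_domain(addr)
    reasons = []
    if not addr:
        reasons.append("no parseable address")
    elif domain not in TRUSTED_DOMAINS:
        reasons.append(f"address domain {domain!r} is not a trusted domain")
    if "@" in name or "<" in name:
        # A display name that itself looks like "Name <addr>" is a classic
        # trick: a name-only client shows the fake address, the real one hides.
        reasons.append("display name contains an email address")
    return {
        "shown_to_user": name or addr,   # what a name-only client displays
        "display_name": name,
        "address": addr,
        "domain": domain,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for hdr in SAMPLE_HEADERS:
        r = assess_sender(hdr)
        verdict = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{verdict:10} shown: {r['shown_to_user']!r}  real: {r['address']}")
        for reason in r["reasons"]:
            print(f"{'':10}   - {reason}")
```

the second and third headers are what a samsung-style client shows as just "Animal Jam HQ"; only the addr-spec (the part in angle brackets) tells you who actually sent it, and the third one is designed so that even a client showing "name <email>" puts a convincing fake address in front of your eyes.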
out of curiosity, i looked at all the email clients i use to see what you have to do in each of them to see a sender's email address if they use a display name.
gmail on desktop displays the sender's name as "name
<email>", but only once you have opened the email. plus it may be
partially or completely hidden if you use split view and the reading
pane is too small.
gmail on mobile makes you click an arrow after you open the email.
roundcube, which is the software that cock.li (yes, there is an email service named that) uses, won't even show the sender's email if you click the details button. you have to hover over their name.
outlook was the best one. you can hover over display names to see their email on both the website and the windows app. names are always displayed in "name <email>" format once you open the email, which is really good. the spam inbox does this too, but not the other inboxes.
this got me thinking about how windows now hides file extensions by default. this was done because showing them can complicate things for tech-illiterate users. it makes renaming files a bit harder (which windows has pretty much solved, since it doesn't highlight the file extension when you rename a file, although it could be improved upon) and you could accidentally change the file extension (which windows has also pretty much solved, since it shows a warning, but apparently some people don't read it).
the problem is that this makes people, especially tech-illiterate people, more susceptible to malware. with extensions hidden, "movie.mp4.exe" is listed as just "movie.mp4", so it's easy to confuse it, or even just "movie.exe", with a real video file when the icon makes it look like a video.
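as an added example (mine, not from the original post), here is what that setting does to a directory listing. it uses os.path.splitext, which splits off only the final extension exactly the way explorer's "hide extensions" does, and flags files whose visible name ends in a media extension while the real extension is executable. the file names are made up for the illustration.

```python
"""How "hide extensions for known file types" changes what a user sees.

Added example, not code from the original post. The listing below is
constructed. Explorer with extensions hidden drops only the final extension,
which is the same split os.path.splitext makes: "movie.mp4.exe" is listed as
"movie.mp4", while Windows still opens it according to the real ".exe".
"""
import os

# Extensions Windows runs as a program or script when double-clicked.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".vbs", ".js", ".hta", ".msi", ".lnk"}
# Extensions a user expects to be harmless media or documents.
MEDIA_EXTENSIONS = {".mp4", ".mkv", ".avi", ".mov", ".mp3", ".jpg", ".png",
                    ".gif", ".pdf", ".docx", ".txt"}

# Constructed directory listing (not real files).
SAMPLE_LISTING = ["movie.mp4", "movie.mp4.exe", "movie.exe",
                  "report.pdf.scr", "notes.txt", "archive.tar.gz"]


def true_extension(filename: str) -> str:
    """Final extension, lower-cased: this is what decides how Windows opens the file."""
    return os.path.splitext(filename)[1].lower()


def explorer_display_name(filename: str, hide_ext: bool = True) -> str:
    """Name as Explorer lists it: with extensions hidden, the final one is dropped."""
    if not hide_ext:
        return filename
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def looks_like_disguised_executable(filename: str) -> bool:
    """True for names like movie.mp4.exe: an executable whose visible name ends in a media extension."""
    if true_extension(filename) not in EXECUTABLE_EXTENSIONS:
        return False
    visible = explorer_display_name(filename)            # e.g. "movie.mp4"
    return os.path.splitext(visible)[1].lower() in MEDIA_EXTENSIONS


def audit_listing(names, hide_ext: bool = True) -> list[dict]:
    """For each file: what the user sees, what actually runs, and whether the two disagree."""
    rows = []
    for name in names:
        rows.append({
            "file": name,
            "shown": explorer_display_name(name, hide_ext),
            "runs_as": true_extension(name),
            "disguised": looks_like_disguised_executable(name),
        })
    return rows


if __name__ == "__main__":
    for row in audit_listing(SAMPLE_LISTING):
        flag = "DISGUISED" if row["disguised"] else ""
        print(f"{row['shown']:16} really {row['file']:18} ({row['runs_as'] or 'no ext'}) {flag}")
```

note that "movie.exe" is not caught by the double-extension check: with extensions hidden it is simply shown as "movie", and only the icon (which the .exe itself supplies) is left to suggest what it is. on a real machine the setting is the HideFileExt value under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced (1 = hidden); ticking "file name extensions" under explorer's view menu sets it to 0.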
but microsoft seems quite fond of sacrificing security for user experience nowadays, with things like copilot recall. someone has already made a tool for extracting data from it before it has even been officially released.
when simplicity endangers users