This morning, I discovered that I had received an email “from” Apple informing me that I had recently updated my credit card with Apple:
The screenshot above is from my Thunderbird email client, but that's not where I originally checked it: I first read it on my phone.
When I view it on my phone, much of the rendering is lost, and that is part of the problem. Above, you can see that the images fail to load; on my phone there was no indication that there were any images at all. Images that fail to load in Thunderbird, with no option to load them, would make me immediately suspicious, but because my phone gave no sign of this, no suspicions were raised.
Furthermore, the only link in the phishing message above that actually went anywhere was the one to iforgot.apple.com; all the others pointed nowhere when I hovered my mouse over them. On my phone, however, there is no way to hover over a link. The only way to check where a link leads is to tap it and see where it goes (which is why I clicked on it above).
Finally, in Thunderbird I can easily open the message headers and see where the message really came from, confirming it as a phish. There is no way to view the raw source of a message on my phone.
This illustrates the conundrum of mobile mail clients: yes, they are convenient, but they give users no practical way to inspect a suspicious message with the heuristics I just described. You can do that in a desktop client, but not in a mobile one. I would expect that to make it easier for phishers to trick users, since there is no way for them to investigate further (assuming, of course, that they would have investigated in the first place).
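The three desktop-side checks described above (links that point nowhere, images that fail to load, and headers showing where the message actually came from) can be scripted so they do not depend on which client rendered the mail. The following Python example is added here and is not code from the original post; it runs those checks over a constructed message shaped like the phish described. The sender address, the `example-phish.test` domains, the IP address and the message body are placeholders, not values from the real message.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not the original phish): a "card updated"
# notice with a spoofed display name, two dead links, one live link to the
# real iforgot.apple.com, and a remote image. All domains/addresses other
# than apple.com are placeholders.
SAMPLE_RAW = """\
Return-Path: <bounce@mail.example-phish.test>
Received: from mail.example-phish.test (mail.example-phish.test [203.0.113.5])
  by mx.recipient.test with ESMTP id abc123
From: "Apple" <no-reply@apple.com>
To: victim@recipient.test
Subject: Your payment method was updated
Content-Type: text/html; charset=utf-8

<html><body>
<img src="http://cdn.example-phish.test/logo.png">
<p>Your credit card was recently updated.</p>
<a href="">Review your account</a>
<a href="#">Manage payment methods</a>
<a href="https://iforgot.apple.com/">Reset your password</a>
</body></html>
"""

DEAD_HREFS = {"", "#"}


class LinkImageCollector(HTMLParser):
    """Collect every <a href> and <img src> found in the HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []
        self.img_srcs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self.hrefs.append((attrs.get("href") or "").strip())
        elif tag == "img":
            self.img_srcs.append((attrs.get("src") or "").strip())


def domain_of(addr):
    """Lower-case domain part of an address-like header value, or '' if none."""
    _, mailbox = parseaddr(str(addr or ""))
    return mailbox.rsplit("@", 1)[-1].lower() if "@" in mailbox else ""


def is_dead(href):
    """A link that goes nowhere: empty, a bare fragment, or a javascript: URL."""
    return href in DEAD_HREFS or href.lower().startswith("javascript:")


def analyze_message(raw):
    """Apply the desktop-client heuristics to a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)

    # Header check: the From: line is what the user sees; Return-Path and the
    # topmost Received header (added by our own server) show the real origin.
    from_domain = domain_of(msg["From"])
    envelope_domain = domain_of(msg["Return-Path"])
    received = msg.get_all("Received") or []
    match = re.search(r"from\s+(\S+)", str(received[0])) if received else None
    received_from = match.group(1).lower() if match else ""
    header_mismatch = bool(from_domain) and not (
        envelope_domain == from_domain
        or envelope_domain.endswith("." + from_domain)
    )

    # Body checks: dead links and remote images that a client may refuse to load.
    body_part = msg.get_body(preferencelist=("html",))
    html = body_part.get_content() if body_part else ""
    collector = LinkImageCollector()
    collector.feed(html)
    dead_links = [h for h in collector.hrefs if is_dead(h)]
    live_links = [h for h in collector.hrefs if not is_dead(h)]
    remote_images = [
        s for s in collector.img_srcs if urlparse(s).scheme in ("http", "https")
    ]

    return {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "received_from": received_from,
        "header_mismatch": header_mismatch,
        "dead_links": dead_links,
        "live_links": live_links,
        "remote_images": remote_images,
        "suspicious": header_mismatch or bool(dead_links),
    }


if __name__ == "__main__":
    for key, value in analyze_message(SAMPLE_RAW).items():
        print(f"{key}: {value}")
```

The verdict deliberately rests on the two signals that need no user judgement: a visible sender domain that does not match the envelope or receiving-hop domain, and anchor tags whose href leads nowhere. Remote images are reported but not scored, since legitimate mail also uses them; they matter here because a client that silently drops them hides the first cue the post relies on.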