Checklist 294: The Threat is Coming from Inside the House!

On this week’s Checklist:

• A new PayPal scam
• Protecting kids online
• An update for very old iPhones

A PayPal phishing scam

Imagine this: You get a PayPal invoice charging you for something that you didn’t buy. The invoice actually comes from PayPal.com — you checked the email headers as you always do. There’s a number on the invoice that you can call if there’s any issue. 

Do you call the number?

If you said “yes,” you wouldn’t be the only one — but you would be opening yourself up to a scam.

According to a new report from KrebsOnSecurity, “scammers are using invoices sent through PayPal.com to trick recipients into calling a number to dispute a pending charge.” If you call, you end up talking to a scammer. The bad guy then tries to get you to go to a website that distributes malware. 

It’s not clear exactly how the scammers were able to send an invoice using PayPal’s tools. Krebs speculates that it was a compromised or fraudulent PayPal business account. However, this is a good example of why we recommend not replying to random emails that come to your email account — or calling the “customer service numbers” often included in such emails. 

To be safe, look up the relevant contact information yourself and reach out to investigate the alleged issue. In this case, you’d want to contact PayPal directly to complain about an incorrect invoice!

The world’s fifth largest economy protects kids

California has just passed the California Age-Appropriate Design Code Act. If signed into law, it will have a major impact on digital privacy for children nationwide.

According to a piece in TechCrunch, the proposed law is designed to safeguard anyone under the age of 18 when they go online.

Interestingly, the law would not only apply to apps, but also to businesses that offer online services or products used by children — which would likely include EdTech and gaming platforms as well.

The piece says that one of the law’s key provisions is to require strong privacy by default for underage users, which would include “disabling features that profile children using their previous behavior, browsing history, or assumptions of their similarity to other children, to offer detrimental material.”

Fines would be steep: $2,500 per child affected for accidental violations and $7,500 per child affected for intentional ones.

It’s a big deal for children all across the United States, because California has an outsized influence on the country. That’s due in part to its sheer size: over 1 in 10 Americans live there, and the state’s economy is so large that if California were an independent nation, its economy would rank fifth in the world by GDP.

The upshot for tech companies and app creators is that it will be safer and more cost effective to simply improve privacy for all users rather than attempting to develop separate products just for California (and risk running afoul of the law). That’s something for parents and kids to cheer — from sea to shining sea!

Update your (old) iPhones…

Apple has just released iOS 12.5.6. No, that’s not a typo.

According to MacRumors, Cupertino is fixing an issue that affects older devices:

The iOS 12.5.6 update fixes a major vulnerability that was actively exploited, so it’s worth updating right away if you have an older device. The WebKit vulnerability was already fixed in the iOS 15.6.1, iPadOS 15.6.1, and macOS Monterey 12.5.1 updates.

This was no small issue: The vulnerability could have allowed a bad actor to infect iPhone users with malware simply by bringing them to a malicious website. A separate vulnerability could have worsened the damage, allowing malware to spread and affect other apps on the device.

In short, if you’re using an ‌iPhone‌ 5s, ‌iPhone‌ 6, ‌iPhone‌ 6 Plus, iPod touch 6, original iPad Air, iPad mini 2, or ‌iPad mini‌ 3 — update right away! If it’s been a while since you performed an update manually, here’s how to find the update: Settings > General > Software Update.