A new phishing scam is reportedly making the rounds trying to trick people into giving up their Apple ID credentials.
The attack was highlighted by a Reddit user this week and picked up by media outlets in the UK, though the original post has since been removed for unknown reasons.
Redditor the101maham posted an image of the email he received, which was ostensibly sent by Spotify and Apple. The email claimed to be a receipt for a one-year subscription to Spotify Premium to the tune of $150.99.
The scam obviously tries to scare users with an apparently fraudulent charge to their credit card. It attempts to get users to click on a link that brings them to a fake Apple ID page where they can “cancel” their subscription. But in reality, the site is a phishing website that will collect the user’s Apple ID email and password.
While phishing scams targeting Apple users aren’t new, this particular attack highlights just how convincing and sophisticated they can be.
The email itself is fairly plain but can look authentic enough to fool unaware users. The fake Apple ID landing page also looks remarkably real, and many users would be hard pressed to tell it apart from Apple's genuine sign-in page at first glance.
If a user actually types in their Apple ID and password into such a webpage, it could give hackers full access to their accounts.
That may include making fraudulent iTunes or App Store purchases (as was seen affecting Chinese users recently). They could even steal photos, calendars and other sensitive data from iCloud.
What Do I Do?
The first line of defense against scams like these is careful observation. There are a number of things that blatantly give away the email and landing page as a scam.
- First off, the web address of the fake Apple page is a clear giveaway. It contains "myappleid," but the rest of the address is unrelated text such as "confirm cancellation" and "aijcbtgroup." What matters is the domain the browser actually connects to, the part between "://" and the first single slash, and here it is not apple.com. Apple's real sign-in pages are served from apple.com (for example appleid.apple.com); a brand name buried elsewhere in a link, whether in a subdomain or in the path, proves nothing.
- Similarly, authentic sign-in pages from big tech companies are always served over HTTPS, so a plain HTTP login page is an immediate red flag. The reverse does not hold: certificates are free and phishing sites routinely use HTTPS too, so the padlock only tells you the connection is encrypted, not who is on the other end. Check the domain, not just the padlock.
- The little details may be easy to miss, but are also a clear sign that this is a scam. For example, Apple and Spotify would never send a joint email. And while the email claims to be a receipt from Apple, it’s signed off with “Regards, The Spotify Team.”
- Normally, grammatical and spelling errors are also present in many of these scams. But this particular attack seems to be relatively free of those common goofs.
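The two web-address checks above (which domain the link really points at, and whether it uses HTTPS) are easy to get wrong by eye, because a brand name anywhere in a link looks reassuring. The following is an added example, not code from the original article, showing how to do the check programmatically: it extracts the host a browser would connect to and tests it against an allow-list with a label-wise suffix match rather than a substring search. The allow-list of apple.com and icloud.com, the helper names, and all the sample links are assumptions constructed for the example; the phishing page described in the article is not reproduced here.

```python
from urllib.parse import urlsplit

# Domains that legitimately host Apple ID sign-in pages. Assumption for this
# example: a real deployment would maintain its own allow-list.
LEGIT_APPLE_DOMAINS = ("apple.com", "icloud.com")


def _with_scheme(url):
    """Prepend http:// to a bare 'host/path' string as often pasted from email."""
    return url if "://" in url else "http://" + url


def host_of(url):
    """Return the lowercase hostname a browser would actually connect to.

    urlsplit() handles the tricks that defeat eyeballing: userinfo
    ('https://appleid.apple.com@evil.example/' connects to evil.example),
    port numbers, and paths or subdomains that merely contain a brand name.
    """
    return (urlsplit(_with_scheme(url)).hostname or "").lower()


def is_legit_apple_host(host):
    """Label-wise suffix match, not a substring search.

    'appleid.apple.com' -> True; 'myappleid.apple.com.evil.example' -> False
    even though the text 'apple.com' appears inside it.
    """
    return any(host == d or host.endswith("." + d) for d in LEGIT_APPLE_DOMAINS)


def assess_link(url):
    """Summarise why a link should or should not be trusted as an Apple page."""
    host = host_of(url)
    https = urlsplit(_with_scheme(url)).scheme.lower() == "https"
    legit = is_legit_apple_host(host)
    lookalike = ("apple" in host) and not legit  # brand name used as bait
    reasons = []
    if not legit:
        reasons.append("host %r is not apple.com/icloud.com or a subdomain" % host)
    if lookalike:
        reasons.append("'apple' appears in the host only as a lookalike")
    if not https:
        reasons.append("not HTTPS (though HTTPS alone proves nothing)")
    return {"host": host, "https": https, "legit": legit,
            "lookalike": lookalike, "reasons": reasons}


# Constructed sample links (hypothetical hosts, not the ones from the article).
SAMPLE_LINKS = [
    "https://appleid.apple.com/account/manage",
    "http://myappleid.confirm-cancellation.example/login",
    "https://myappleid.apple.com.evil.example/",
    "https://appleid.apple.com@evil.example/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict = assess_link(link)
        print(link, "->", "OK" if verdict["legit"] else "SUSPICIOUS", verdict["reasons"])
```

The point of the example is the `endswith("." + d)` test: the question is never "does the link mention Apple?" but "is the registered domain Apple's?". The `lookalike` flag is only a heuristic (any host containing "apple" trips it), so treat it as a reason to look harder, not as proof either way.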
If there's even a shred of doubt, just delete the email. If you're worried about a mistaken subscription, check your subscriptions directly on your device or contact Apple Support yourself, never through a link in the email.
Secondly, it's a good idea to have two-factor authentication enabled. With it on, a stolen password alone isn't enough: a sign-in from a new device also requires a verification code shown on one of your trusted iOS or Mac devices or sent to a trusted phone number. Note that a phishing page can ask for that code too and relay it in real time, so never type a verification code into a page you reached from an email link; the code belongs only in a genuine Apple sign-in prompt.