Apple warns customers about phishing emails, details legitimate communication

Posted:
in General Discussion edited February 2018
Apple last week posted a new support document to its website detailing a few tips designed to help customers distinguish official emails from phishing attempts, the latter of which have become increasingly sophisticated in recent months.




In a new document, appropriately titled "Identify legitimate emails from the App Store or iTunes Store," Apple explains scammers and other nefarious actors might use the company's name, logo and other credentials to trick users into handing over sensitive data.

As the company explains, phishing emails often resemble official Apple correspondence, with similar formatting, language and graphics. Often included are links to what appear to be legitimate Apple websites, but the pages are merely fences designed to gather personal details like a home address or credit card information.

Many phishing emails come in the form of phony App Store, iTunes Store, iBook Store or Apple Music receipts. The goal is to fool a target into thinking they were erroneously billed. Victims are often instructed to correct the mistake by following a malicious link to update account information or provide the same to a fraudulent email address.

To assist customers in identifying real Apple email from fake phishing schemes, the company says genuine purchase receipts include a current billing address, information scammers are unlikely to have. If a user wants to check on a particular charge, they can review their purchase history by navigating to Settings > [your name] > iTunes & App Store on iOS or Account > View My Account in iTunes.

Further, Apple never asks for social security numbers, maiden names, full credit card numbers or credit card CCV codes in emails about App Store, iTunes Store, iBooks Store or Apple Music purchases.

When an email requests an update to account or payment information, Apple suggests doing so only through controlled avenues like the Settings app on iPhone or iTunes on a Mac or PC. The same goes for updating an Apple ID password, an action that should be accomplished in the Settings app or through http://appleid.apple.com/.

Apple is always on the lookout for phishing emails, and urges users who have received such correspondence to forward it to [email protected].

Finally, for users who think they might have handed over personal information like a password or credit card information to a phony website, Apple says the best course of action is to reset their Apple ID password.

The recently published support document joins a similar help page, "Avoid phishing emails, fake virus alerts, phony support calls, and other scams," that was last updated in November.
«1

Comments

  • Reply 1 of 23
    seanismorrisseanismorris Posts: 1,624member
    SSN’s have been made obsolete by the digital age...

    I wonder when they’ll start using cryptographic keys.
  • Reply 2 of 23
    racerhomie3racerhomie3 Posts: 1,264member
    Only use the iTunes interface on Mac or PC or the Settings app on iPhone,iPad or iPod Touch to update Apple ID information.
    Also , use a VPN on public WiFi.Or better yet use LTE or 3G.
    edited February 2018 watto_cobra
  • Reply 3 of 23
    fastasleepfastasleep Posts: 6,435member
    When my iPhone X got stolen in Spain, I started getting texts and eventually emails pretending to be "found iPhone" reports and links to fake Apple sign-in pages to try and get my Apple ID and unlock the phone. I'm smart enough to know the difference, but I bet this works often — especially because they initially were texting my friend who was still texting me around the time the theft occurred, and later my two Emergency ID contacts. So I can imagine someone's contact getting the text, then telling the owner of the phone "Hey Apple is getting ahold of me and needs your Apple ID and password to get your phone back!" etc.

    The last email I got I traced to a domain registered in Barcelona (where it was stolen) and linked to a website with a domain registered in Russia. Decided it wasn't worth the trouble reporting any of this as they send from random SIMs and domains all the time. Most of the domains look loosely like iCloud such as lcoud.pw etc.

    I've gotten tired of sending them pictures of my middle finger in response, so haven't been responding lately. Hope they enjoy their $1150 paperweight.
    racerhomie3muthuk_vanalingamwatto_cobra
  • Reply 4 of 23
    anantksundaramanantksundaram Posts: 20,407member
    I have to say that I came close to getting scammed a couple of times. Both times when I was traveling abroad. 
    muthuk_vanalingamSpamSandwich
  • Reply 5 of 23
    cgWerkscgWerks Posts: 2,952member
    AppleInsider said:
    Further, Apple never asks for social security numbers, maiden names, full credit card numbers or credit card CCV codes in emails about App Store, iTunes Store, iBooks Store or Apple Music purchases.
    Of course they might do so with random pop-up dialogs on your devices, which trains people to be more careless than they should be. Apple really needs to get this stuff under control on their OSs and devices. You should only ever be asked to enter that kind of info on account setup or in the specific settings spot.

    But, at least Apple is trying to do the right thing with this training. So many companies are far worse and do these kind of things in their actual official emails. It's hard to train users to do it correctly when the companies themselves are breaking the rules.
  • Reply 6 of 23
    Rayz2016Rayz2016 Posts: 6,957member
    Hallo!

    I be calling as rep for Apple Computers: 🍎

    We have noticed some suspect activities happen on your iPhone XXX.

    Please be logging into your account at http://applecomputers.ru and provide yours name, address and blood group.

    Thanking you and happy computing



    cgWerksmuthuk_vanalingamjony0fastasleepwatto_cobra
  • Reply 7 of 23
    Rayz2016Rayz2016 Posts: 6,957member
    Microsoft published a report once, explaining why these scams are so obvious. Apparently, they're deliberately crafted in poor English and spun with the most bizarre backstories to help the scammers target the really really gullible. 

    If you're fooled by a story about a Nigerian astronaut trapped on a space station and who is willing to give you a million dollars of his back pay to transfer to the Nigerian Space Agency so they pay to bring him back, then the scammers know they can milk you forever more.

    https://www.microsoft.com/en-us/research/publication/why-do-nigerian-scammers-say-they-are-from-nigeria/

    racerhomie3muthuk_vanalingamdewmewatto_cobra
  • Reply 8 of 23
    chasmchasm Posts: 3,378member
    This one is well put-together enough that it will fool (or at least alarm) a number of people who won't check the link before clicking it (checking it shows off the fake URL immediately). Once again, my general rule of thumb applies: NEVER EVER EVER click a link directly in an email, solicited or unsolicited.

    Instead, on Macs just hover over the link to reveal the real URL; in iOS tap and HOLD on the link to reveal the true URL. On PCs et al or just as a best practice, copy the link and paste into a word processor to reveal the true URL. Only once you are sure the link is for real should you put it in a browser (again NEVER EVER click a link directly in an email).
    edited March 2018 cgWerkswatto_cobraSpamSandwich
  • Reply 9 of 23
    racerhomie3racerhomie3 Posts: 1,264member
    Tell your parents & grandparents about this.
    Make them aware. I personally have deleted the mail app’s from my mother’s iPhone.
    I don’t want her getting scammed.
    watto_cobra
  • Reply 10 of 23
    son3son3 Posts: 7member
    It’s not only emails, but text messages as well.
    Unfortunately it’s the elderly getting scammed the most.
    If you have older folks in the family or extended family, be sure to raise this topic from time to time.
    I typically start things off in conversation “ Hey I got this strange text/ email the other day, and it concerned me so much I wanted to let you know what is going on just in case you get this junk as well ....”
    watto_cobra
  • Reply 11 of 23
    maestro64maestro64 Posts: 5,043member
    Yeah I have been getting emails saying my iCloud account has been lock due to someone treating to access it and I needed to login to verify my credentials again, just click on this link, the problem was I using my iCloud account at the time. Scammers are stupid and those who fall for this stuff are even dumber.
    watto_cobra
  • Reply 12 of 23
    rattlhedrattlhed Posts: 155member
    My mother-in-law received what appeared to be an email from Apple saying that a $49.99 in-app purchase had been make on her iTunes account.  The email looked completely legit, but luckily she was suspicious and called me and asked me to check it out.  She forwarded the email to me and it was a very good phishing attempt.  No bad english, formatting exactly like an Apple purchase email.  The only give away was hovering over the URL that stated "if you did not make this purchase click here to file a dispute".  The URL was definitely not Apple.  I had her delete the email and rest assured nothing was purchased on her account.  Over the next couple of days this was confirmed by no charge on her credit card.

    She was suspicious enough to no just panic and click the link, but I can see lots of people falling for this one.  It was one of the best phishing emails I've ever seen.  Criminals suck!
  • Reply 13 of 23
    cgWerkscgWerks Posts: 2,952member
    chasm said:
    This one is well put-together enough that it will fool (or at least alarm) a number of people who won't check the link before clicking it (checking it shows off the fake URL immediately). Once again, my general rule of thumb applies: NEVER EVER EVER click a link directly in an email, solicited or unsolicited.

    Instead, on Macs just hover over the link to reveal the real URL; in iOS tap and HOLD on the link to reveal the true URL. On PCs et al or just as a best practice, copy the link and paste into a word processor to reveal the true URL. Only once you are sure the link is for real should you put it in a browser (again NEVER EVER click a link directly in an email).
    As I said above, unfortunately, some companies still do send legitimate emails with links you have to click. But, I agree. When that is the case, contact the company directly. If they get enough support load and complaints, it might encourage them to change their ways.

    The only kind of link I'll click in an email is one of the 'confirm/authorize' type emails that I know I'm going to be getting because just filled out the request a few seconds/minutes ago. But, even with those, there should be no asking you for any info.... it's just a matter of it visiting a URL as a confirmation method (i.e.: verify you signed up for an email list, or verified account creation, etc.).

    Otherwise, always just go log into your account manually and/or call the company on the phone with the number you have for them or look up independently.
  • Reply 14 of 23
    cgWerkscgWerks Posts: 2,952member

    son3 said:
    It’s not only emails, but text messages as well.
    Unfortunately it’s the elderly getting scammed the most.
    Also, don't forget about the younger folks. With more youth and teens having various online accounts, they are often unaware of this kind of stuff too. It's a matter of not enough tech experience on one end of the spectrum, and not enough life experience on the other.

    And.... then there's the whole middle and range of people who should (and maybe even do know better), but are too impatient or carefree to even care or be bothered with taking extra precautions. I know a lot of people who are well aware of the dangers, yet still use passwords like their name with a digit at the end or such. They just don't think they'll ever actually be the victim or realize how serious it could be.
    edited March 2018
  • Reply 15 of 23
    anton zuykovanton zuykov Posts: 1,056member
    SSN’s have been made obsolete by the digital age...

    I wonder when they’ll start using cryptographic keys.
    gov-ts are ineffective in implementing such changes quickly, so the answer is - probably at least within 5-10 years they will start THINKING about replacing SSNs with something a little larger and a little more secure.
    cgWerks
  • Reply 16 of 23
    zoetmbzoetmb Posts: 2,655member
    SSN’s have been made obsolete by the digital age...

    I wonder when they’ll start using cryptographic keys.
    gov-ts are ineffective in implementing such changes quickly, so the answer is - probably at least within 5-10 years they will start THINKING about replacing SSNs with something a little larger and a little more secure.
    The only thing the U.S. Government is doing is that this year, they'll be re-issuing Medicare cards so that they no longer contain your social security number.   Even if they did use cryptographic keys, what good is it when you go to the doctor and every medical form (still on paper and my bet is that no one ever looks at it) asks for your SSN?   On the other hand, U.S. passports now contain an embedded chip in the rear cover. 
  • Reply 17 of 23
    fallenjtfallenjt Posts: 4,056member
    I forwarded to Apple many emails of this phishing. 1 easy way to recognize is to click on the email to see if it’s from Apple or from some kind of bullshit emails like: [email protected] 
  • Reply 18 of 23
    larryjwlarryjw Posts: 1,031member
    It would be useful is Apple added the capability to read email header files in IOS similar to the functionality on MacOS. Sometimes I need to look at this information do determine if the email is legit.

    This morning received a phishing email for Netflix. Its a little difficult to decipher under IOS. 

    A good use of AI would be helping identify such attempted scams. 
    fastasleep
  • Reply 19 of 23
    cgWerkscgWerks Posts: 2,952member
    larryjw said:
    It would be useful is Apple added the capability to read email header files in IOS similar to the functionality on MacOS. Sometimes I need to look at this information do determine if the email is legit.

    This morning received a phishing email for Netflix. Its a little difficult to decipher under IOS. 

    A good use of AI would be helping identify such attempted scams. 
    Note, while you can sometimes tell from this, spoofing a sender email address is pretty trivial. While I agree in terms of UI, it wouldn't be all that useful in this case.
  • Reply 20 of 23
    MarvinMarvin Posts: 15,377moderator
    larryjw said:
    It would be useful is Apple added the capability to read email header files in IOS similar to the functionality on MacOS. Sometimes I need to look at this information do determine if the email is legit.

    This morning received a phishing email for Netflix. Its a little difficult to decipher under IOS. 

    A good use of AI would be helping identify such attempted scams. 
    Another thing companies can do is to include a code in emails they send out like a QR code and have a service check the code. The code can be hidden if the mail apps can check it directly. All of the plain text information visible in an email can be spoofed, including sender address. The code can be an encrypted message that also has an unencrypted company ID. The service (accessed via phone app or built-in mail feature) would have a database of companies with validation links and the companies can decode the encrypted message to verify it was ok. For a company ID to be added to the database, it would need to go through a validation process. Any of the big companies can set this up and the online mail services on detecting a fraudulent code can then immediately see the code in other emails and block them. Email apps can show a message saying that the email definitely came from a particular company.

    To cover the situation of a legitimate code being copied out of an official email and used in spoofed emails, the encrypted message would need some info about the email itself. Rather than burdening an online service with validating every email text, when an email is sent out the encrypted message can contain the checksum of the text. The validation service just returns the decoded checksum and the mail app can do a checksum of the email to see if it matches. It can also have a timestamp in there. This would need the encryption key as well as decryption key to be kept secret but that shouldn't be too difficult and would be changed for every email campaign.

    A similar thing can be done for popup panels in the OS that ask for passwords. The system can detect that a password box is on screen and it can store timestamps in the secure enclave of when a password request was made. If there was no recent timestamp for a request, the OS can show a warning somewhere that the password request didn't come from the OS.
Sign In or Register to comment.