Apple warns customers about phishing emails, details legitimate communication
Apple last week posted a new support document to its website detailing a few tips designed to help customers distinguish official emails from phishing attempts, the latter of which have become increasingly sophisticated in recent months.
In a new document, appropriately titled "Identify legitimate emails from the App Store or iTunes Store," Apple explains scammers and other nefarious actors might use the company's name, logo and other credentials to trick users into handing over sensitive data.
As the company explains, phishing emails often resemble official Apple correspondence, with similar formatting, language and graphics. They often include links to what appear to be legitimate Apple websites, but the pages are merely fronts designed to harvest personal details like a home address or credit card information.
Many phishing emails come in the form of phony App Store, iTunes Store, iBooks Store or Apple Music receipts. The goal is to fool a target into thinking they were erroneously billed. Victims are often instructed to correct the mistake by following a malicious link to update account information, or to send the same details to a fraudulent email address.
To help customers distinguish real Apple email from phishing attempts, the company notes that genuine purchase receipts include the account's current billing address, information scammers are unlikely to have. A user who wants to check on a particular charge can review their purchase history by navigating to Settings > [your name] > iTunes & App Store on iOS, or Account > View My Account in iTunes.
Further, Apple never asks for social security numbers, maiden names, full credit card numbers or credit card CCV codes in emails about App Store, iTunes Store, iBooks Store or Apple Music purchases.
When an email requests an update to account or payment information, Apple suggests doing so only through controlled avenues like the Settings app on iPhone or iTunes on a Mac or PC. The same goes for updating an Apple ID password, an action that should be accomplished in the Settings app or through http://appleid.apple.com/.
Apple is always on the lookout for phishing emails, and urges users who have received such correspondence to forward it to [email protected].
Finally, for users who think they might have handed over personal information like a password or credit card information to a phony website, Apple says the best course of action is to reset their Apple ID password.
The recently published support document joins a similar help page, "Avoid phishing emails, fake virus alerts, phony support calls, and other scams," that was last updated in November.
Comments
I wonder when they’ll start using cryptographic keys.
Also, use a VPN on public WiFi. Or better yet, use LTE or 3G.
The last email I got I traced to a domain registered in Barcelona (where it was stolen) and linked to a website with a domain registered in Russia. Decided it wasn't worth the trouble reporting any of this as they send from random SIMs and domains all the time. Most of the domains look loosely like iCloud such as lcoud.pw etc.
I've gotten tired of sending them pictures of my middle finger in response, so haven't been responding lately. Hope they enjoy their $1150 paperweight.
But, at least Apple is trying to do the right thing with this training. So many companies are far worse and do these kind of things in their actual official emails. It's hard to train users to do it correctly when the companies themselves are breaking the rules.
I be calling as rep for Apple Computers: 🍎
We have noticed some suspect activities happen on your iPhone XXX.
Please be logging into your account at http://applecomputers.ru and provide yours name, address and blood group.
Thanking you and happy computing
If you're fooled by a story about a Nigerian astronaut trapped on a space station and who is willing to give you a million dollars of his back pay to transfer to the Nigerian Space Agency so they pay to bring him back, then the scammers know they can milk you forever more.
https://www.microsoft.com/en-us/research/publication/why-do-nigerian-scammers-say-they-are-from-nigeria/
Instead, on Macs just hover over the link to reveal the real URL; in iOS tap and HOLD on the link to reveal the true URL. On PCs et al or just as a best practice, copy the link and paste into a word processor to reveal the true URL. Only once you are sure the link is for real should you put it in a browser (again NEVER EVER click a link directly in an email).
Make them aware. I personally have deleted the mail apps from my mother's iPhone.
I don’t want her getting scammed.
Unfortunately it’s the elderly getting scammed the most.
If you have older folks in the family or extended family, be sure to raise this topic from time to time.
I typically start things off in conversation: "Hey, I got this strange text/email the other day, and it concerned me so much I wanted to let you know what is going on just in case you get this junk as well...."
She was suspicious enough to not just panic and click the link, but I can see lots of people falling for this one. It was one of the best phishing emails I've ever seen. Criminals suck!
The only kind of link I'll click in an email is one of the 'confirm/authorize' type emails that I know I'm going to be getting because I just filled out the request a few seconds/minutes ago. But, even with those, there should be no asking you for any info.... it's just a matter of visiting a URL as a confirmation method (i.e.: verify you signed up for an email list, or verify account creation, etc.).
Otherwise, always just go log into your account manually and/or call the company on the phone with the number you have for them or one you look up independently.
Also, don't forget about the younger folks. With more youth and teens having various online accounts, they are often unaware of this kind of stuff too. It's a matter of not enough tech experience on one end of the spectrum, and not enough life experience on the other.
And.... then there's the whole middle and range of people who should (and maybe even do know better), but are too impatient or carefree to even care or be bothered with taking extra precautions. I know a lot of people who are well aware of the dangers, yet still use passwords like their name with a digit at the end or such. They just don't think they'll ever actually be the victim or realize how serious it could be.
This morning I received a phishing email for Netflix. It's a little difficult to decipher under iOS.
A good use of AI would be helping identify such attempted scams.
To cover the situation of a legitimate code being copied out of an official email and used in spoofed emails, the encrypted message would need some info about the email itself. Rather than burdening an online service with validating every email text, when an email is sent out the encrypted message can contain the checksum of the text. The validation service just returns the decoded checksum and the mail app can do a checksum of the email to see if it matches. It can also have a timestamp in there. This would need the encryption key as well as decryption key to be kept secret but that shouldn't be too difficult and would be changed for every email campaign.
A similar thing can be done for popup panels in the OS that ask for passwords. The system can detect that a password box is on screen and it can store timestamps in the secure enclave of when a password request was made. If there was no recent timestamp for a request, the OS can show a warning somewhere that the password request didn't come from the OS.
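The scheme sketched in the comment above, as an added example that is not part of the article or the comment: the sender binds a timestamp and a digest of the email body together under a per-campaign secret, and the verifier recomputes the binding over the body it actually received, so a genuine token pasted into a spoofed email fails. It uses an HMAC in place of the commenter's encrypt/decrypt pair; the key, bodies and timestamps are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo secret; a real sender would hold one per email campaign.
CAMPAIGN_KEY = b"demo-campaign-key-not-real"
MAX_AGE_SECONDS = 7 * 24 * 3600  # how long a receipt token stays valid

# Constructed sample bodies: a genuine receipt and a spoof that reuses its text
# but swaps in a different link.
GENUINE_BODY = "Your receipt for Example App (USD 0.99). Review it at https://example.com/receipt/1"
SPOOFED_BODY = "Your receipt for Example App (USD 0.99). Review it at https://example.invalid/login"


def body_digest(body: str) -> str:
    """SHA-256 over a lightly canonicalised body (surrounding whitespace dropped)."""
    return hashlib.sha256(body.strip().encode("utf-8")).hexdigest()


def _mac(sent_at: int, digest: str, key: bytes) -> str:
    msg = f"{sent_at}.{digest}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_token(body: str, sent_at: int, key: bytes = CAMPAIGN_KEY) -> str:
    """Sender side: the token embeds the send time and commits to the body."""
    return f"{sent_at}.{_mac(sent_at, body_digest(body), key)}"


def verify_token(token: str, body: str, now: int, key: bytes = CAMPAIGN_KEY) -> bool:
    """Verifier side: reject malformed, stale, future-dated or mismatching tokens."""
    try:
        sent_at_str, tag = token.split(".", 1)
        sent_at = int(sent_at_str)
    except ValueError:
        return False
    if not 0 <= now - sent_at <= MAX_AGE_SECONDS:
        return False
    expected = _mac(sent_at, body_digest(body), key)
    return hmac.compare_digest(expected, tag)  # constant-time comparison


def demo() -> dict:
    """Genuine mail verifies; the same token on the spoofed body does not."""
    sent_at, now = 1_700_000_000, 1_700_000_600
    token = issue_token(GENUINE_BODY, sent_at)
    return {
        "genuine": verify_token(token, GENUINE_BODY, now),
        "spoofed": verify_token(token, SPOOFED_BODY, now),
        "stale": verify_token(token, GENUINE_BODY, sent_at + MAX_AGE_SECONDS + 1),
    }


if __name__ == "__main__":
    print(demo())
```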