With help from threat analyst Todd S.
How this Apple Store Phishing Scam Works
You get an email that looks like it's from Apple, with the subject "Tax Invoice" and a message indicating that you recently purchased a product or application with your iPhone. It tells you to read the attached PDF file and follow the link in it:
Order # xxxxxxxxx in Iphone 5S - Thanks For Purchase.
Order number: #xxxxxxxxxxxxxxx
If you have not recently purchased a product or application on a Iphone 5S"With your AppIe ID and think of your access account,
Please read our link and follow to insure instuction your account.
AppIe department account
Fake PDF Tax Invoice
The attached PDF file is a realistic but fake invoice that lists a purchase with a clickable Order ID:
Fake Apple ID Login
The Order ID link is URL shortened so you don't notice it goes to some non-Apple webpage that tries to steal your Apple ID and password. Don't enter either.
The fake login takes you to a page telling you that your account is locked, with a link to unlock it. Obviously, don't click that, either.
Fake Account Verification
The Unlock Account link goes to an "Account Verification" page with a long form requesting sensitive information that could be used to steal your identity, including: first and last name, date of birth, telephone, social security number, address, credit card details, and security question/answer.
How to Spot this Apple Phishing Scam
Although this scam has some well-designed realistic-looking pages, there are some spammy indicators:
Grammar and spelling mistakes: These emails have several obvious mistakes.
Links that don't go to Apple: The link in the PDF file uses a URL shortener. Be wary of those in an email or attachments. They can be used to hide that the actual destination is some weird address that is not the company's actual web site.
Does not use your name: However, the email does use a random name. That's probably to avoid detection by filters that look for "Dear Customer" and similar short phrases common in spam.
Strange URLs: The forms are well-designed and the web page template they're on looks like the actual Apple website, but the URLs are clearly not Apple's. As we often suggest, if you want to check on the status of an account, type the URL you already know into the address bar of your browser. Never click the link in an email.
Intentional obfuscation: In the closing at the end of the email, the scammer spelled "Apple" with an uppercase "i" instead of a lowercase "L", probably to get around spam filters looking for short phrases like "Apple department".
How We Block this Phishing Scam
Depending on the specific email (there are some variations), we are blocking this phishing scam for our global customers with 2 to 3 filters based on phrases and the sender domain, and sometimes IP or URL.
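As an added illustration of the phrase-based filtering described here and of the "AppIe" look-alike trick noted above (this is example code, not SpamStopsHere's filter), the Python below collapses look-alike characters before matching watch-list phrases and flags URL-shortener links. The shortener host list, the scoring weights and the sample email are constructed assumptions.

```python
import re

# Look-alike characters collapsed to one canonical form (applied after lower-casing),
# so "AppIe" (capital I) and "Apple" compare equal. Constructed mapping, not exhaustive.
HOMOGLYPHS = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o", "5": "s", "$": "s"})

# Phrases taken from this scam's subject and body.
SUSPICIOUS_PHRASES = ["apple department", "apple id", "access account", "tax invoice"]

# Assumed list of URL-shortener hosts (not from the original post).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly", "is.gd"}

URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


def normalize(text: str) -> str:
    """Lower-case, then collapse look-alike characters; used on both message and phrases."""
    return text.lower().translate(HOMOGLYPHS)


def is_shortened(url: str) -> bool:
    """True when the URL's host is a known shortener (hides the real destination)."""
    m = URL_RE.match(url)
    if not m:
        return False
    host = m.group(1).lower()
    return host.removeprefix("www.") in SHORTENER_HOSTS


def scan_message(subject: str, body: str, urls: list[str]) -> dict:
    """Return the indicators found in one email plus a simple weighted score."""
    text = subject + "\n" + body
    plain, norm = text.lower(), normalize(text)
    phrases = [p for p in SUSPICIOUS_PHRASES if normalize(p) in norm]
    # Matched only after normalization: the sender swapped in look-alike characters.
    obfuscated = [p for p in phrases if p not in plain]
    shortened = [u for u in urls if is_shortened(u)]
    score = len(phrases) + 2 * len(obfuscated) + 2 * len(shortened)
    return {"phrases": phrases, "obfuscated": obfuscated, "shortened_urls": shortened, "score": score}


# Constructed sample modelled on the email quoted in the post (capital I in "AppIe").
SAMPLE_SUBJECT = "Tax Invoice"
SAMPLE_BODY = ("Order # xxxxxxxxx in Iphone 5S - Thanks For Purchase.\n"
               "If you have not recently purchased a product on a Iphone 5S with your AppIe ID "
               "and think of your access account,\nPlease read our link.\nAppIe department account")
SAMPLE_URLS = ["http://bit.ly/EXAMPLE", "https://www.apple.com/"]

if __name__ == "__main__":
    print(scan_message(SAMPLE_SUBJECT, SAMPLE_BODY, SAMPLE_URLS))
```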
To find out more about SpamStopsHere, check out our simple pricing and start a FREE 30-Day trial, visit our website, or contact us anytime via phone (800-458-3348 | 734-426-7500), chat or email. We're always here. 24/7/365.