Apple Store "Tax Invoice" Email Phishing Scam

We're blocking a dangerous Apple Store phishing email that has a fake PDF "Tax Invoice" attached with a clickable Order ID. Do NOT open the attachment, click the link or enter any information. The link in the PDF file goes to fraudulent Apple ID login and account verification pages designed to steal your identity by requesting sensitive information like your birthday, social security number and more.

With help from threat analyst Todd S.

How this Apple Store Phishing Scam Works

You get an email that looks like it's from Apple, with the subject "Tax Invoice" and a message that indicates you recently purchased a product or application with your Iphone. It tells you to read the attached PDF file and follow the link in it:

Payment Confirmed
AppleID Store
Order # xxxxxxxxx in Iphone 5S - Thanks For Purchase.

Date: xxxxxxxxxxxxxxxxxx
Transaction: xxxxxxxxx
Order number: #xxxxxxxxxxxxxxx

If you have not recently purchased a product or application on a Iphone 5S"With your AppIe ID and think of your access account,
Please read our link and follow to insure instuction your account.

AppIe department account

Fake PDF Tax Invoice

The attached PDF file is a realistic but fake invoice that lists a purchase with a clickable Order ID:

Apple Phishing Scam Fake Invoice PDF Attachment
Apple Phishing Scam Fake Invoice PDF Attachment

Fake Apple ID Login

The Order ID link is URL shortened so you don't notice it goes to some non-Apple webpage that tries to steal your Apple ID and password. Don't enter either.

Apple Phishing Scam Fake Login
Apple Phishing Scam Fake Login

The fake login takes you to a page telling you that your account is locked, with a link to unlock it. Obviously, don't click that, either.

Apple Phishing Scam Fake Account Locked Page
Apple Phishing Scam Fake Account Locked Page

Fake Account Verification

The Unlock Account link goes to an "Account Verification" page with a long form requesting sensitive information that could be used to steal your identity, including: first and last name, date of birth, telephone, social security number, address, credit card details, and security question/answer.

Apple Phishing Scam Fake Account Verification Form
Apple Phishing Scam Fake Account Verification Form

How to Spot this Apple Phishing Scam

Although this scam has some well-designed realistic-looking pages, there are some spammy indicators:

  • Grammar and spelling mistakes: These emails have several obvious mistakes.
  • Links that don’t go to Apple: The link in the PDF file uses a URL shortener. Be wary of those in an email or attachments. They can be used to hide that the actual destination is some weird address that is not the company's actual web site.
  • Does not use your name: However, the email does use a random name. That’s probably to avoid detection by filters that look for "Dear Customer" and similar short phrases common in spam.
  • Strange URLs: The forms are well-designed and the web page template they're on looks like the actual Apple website, but the URLs are clearly not Apple's. As we often suggest, if you want to check on the status of an account, type the URL you already know into the address bar of your browser. Never click the link in an email.
  • Intentional obfuscation: In the closing at the end of the email, the scammer spelled "Apple" with an uppercase "i" instead of a lowercase "L", probably to get around spam filters looking for short phrases like "Apple department".

How We Block this Phishing Scam

Depending on the specific email (there are some variations), we are blocking this phishing scam for our global customers with 2 to 3 filters based on phrases and the sender domain, and sometimes IP or URL.

About SpamStopsHere

To find out more about SpamStopsHere, check out our simple pricing and start a FREE 30-Day trial, visit our website, or contact us anytime via phone (800-458-3348 | 734-426-7500), chat or email.. We're always here. 24/7/365.