SCAM ALERT

iPhone users warned over FAKE Spotify iTunes email that lets hackers steal your account

A scarily realistic scam email is being aimed at iPhone users – we reveal the simple signs to look out for so you don't get hacked

IPHONE users are being warned over a new scam that tries to steal your Apple login details.

It works using a "phishing" email that claims to be from Apple and Spotify, but it's completely fake.

Here's what the dodgy scam email looks like – if you get this, don't click any links. Credit: Reddit

The iPhone scam was highlighted on Reddit by a user named /u/the101maham, who said: "I saw this email today, I thought the sender looked fishy, so I went in to see if I had bought a year of Spotify Premium.

"I was drinking last night so I had a slight panic and clicked the link.

"But when I saw the Apple page with a random address I immediately knew it was a scam."

The email suggested the user had bought a year of Spotify Premium for $150.99 (£115), and linked out to a page to "review your subscription".

The email links out to a convincing Apple ID login page – but don't enter your info, because it'll be sent straight to hackers. Credit: Reddit

This leads to a convincing mocked-up Apple landing page that asks for your log-in details, but it's completely phoney.

Tim Sadler, CEO at security firm Tessian, told The Sun: "This is an example of a classic phishing scam.

"Phishing emails, like spam, are bulk in nature, but are often farming for a user's credentials by mimicking the identity of a trusted website or service – in this case, Apple and Spotify.

"Like spam, phishing doesn't discriminate. Anyone, individual or business, can be targeted and easily duped."

The email is particularly threatening, suggesting that there'll be a huge renewal charge unless you log on and cancel the subscription.

It's designed to look like an official Apple iTunes purchase email, and even links out to Apple Support pages.

But there are some tell-tale signs that the email is fraudulent.

"With phishing scams like these, the first line of defence is careful observation," Steve Giguere, of security firm Synopsys, told The Sun.

"This particular message is almost an ideal lesson in the hallmarks of poorly (but not that poorly) crafted phishing emails.

"Spelling errors and/or poor grammar, mixed identifiers (is it Apple or Spotify?), and no HTTPS on the landing page are a few of the key giveaways."

 It's possible to set up two-factor authentication on your iOS devices, so even if hackers steal your password, they'd also need a special log-in code to actually hi-jack your account

How to avoid being phished – a security expert's advice

Here's what James Hadley, CEO at Immersive Labs, told The Sun...

As the days are getting shorter, a lot of people will slowly turn to the inevitable Christmas shopping list, so we should expect an increase in consumer phishing emails looking to exploit this seasonal shopping trend.

If you receive an email and you are unsure of its contents, follow these simple rules and you should be able to avoid this prime time for email scams without getting stung:

  • Are you expecting an email from the company?
  • Look at the sender address – is the email sent from that company's domain?
  • Is the email poorly written?
  • Does it use poor grammar or have an unusual sign-off?
  • Does the email ask for personal information which they wouldn't really need?
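
The giveaways named above (mixed Apple/Spotify identifiers, a sender address outside the company's domain, no HTTPS on the landing page) can also be checked automatically by a mail filter. The following is an added example, not part of the original article: the sample message, its placeholder `.example` domains and the brand-to-domain table are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: brands a filter watches for, and the domains each one really uses.
BRAND_DOMAINS = {"apple": ("apple.com",), "spotify": ("spotify.com",)}

# Constructed sample modelled on the article's description; domains are placeholders.
SAMPLE = """\
From: Apple Support <billing@itunes-receipts.example>
To: user@example.org
Subject: Your Spotify Premium subscription receipt

You purchased Spotify Premium (1 year) for $150.99 from the App Store.
To cancel, review your subscription: http://appleid-review.example/login
Apple Support: https://support.apple.com/
"""

def _belongs(host, domains):
    # True for the domain itself or any subdomain, never for look-alike suffixes.
    return any(host == d or host.endswith("." + d) for d in domains)

def phishing_signs(raw):
    """Return the giveaways found in a single-part plain-text message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg["From"] or "")
    sender_host = addr.rpartition("@")[2].lower()
    body = msg.get_payload()  # assumes a non-multipart text message
    text = f"{display} {msg['Subject']} {body}".lower()
    signs = []
    # Giveaway 1: more than one brand named ("is it Apple or Spotify?").
    brands = [b for b in BRAND_DOMAINS if b in text]
    if len(brands) > 1:
        signs.append("mixed identifiers: " + ", ".join(sorted(brands)))
    # Giveaway 2: display name claims a brand, address is not on its domain.
    for b in (b for b in BRAND_DOMAINS if b in display.lower()):
        if not _belongs(sender_host, BRAND_DOMAINS[b]):
            signs.append(f"sender domain {sender_host} is not {b}'s")
    # Giveaway 3: links without HTTPS, or pointing at no named brand's domain.
    for url in re.findall(r"https?://[^\s>\"']+", body):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https":
            signs.append(f"no HTTPS: {url}")
        if brands and not any(_belongs(host, BRAND_DOMAINS[b]) for b in brands):
            signs.append(f"link host {host} matches no named brand")
    return signs
```

The genuine Apple Support link in the sample raises no flag, which is why a scam email that links to real support pages still stands out on its other links.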

It's a very dangerous scam, because unwitting clickers could end up handing over their login information to hackers.

This could potentially give hackers complete access to your Apple accounts.

They'd be able to snoop on your personal information, and potentially even make fraudulent purchases.

They may also be able to gain access to your iCloud account, stealing personal photos or videos that you've stored in the cloud.

A Spotify spokesperson told The Sun: "The email does not come from Spotify and it's a form of scam/phishing attempt.

"We encourage all users who have seen or received notice of this particular email to refrain from clicking any links or sharing any personal or payment information.

"We are actively working to have all domains and websites connected to this email blocked and closed down."

They continued: "Affected users can reach out to our customer service using spoof@spotify.com or our Community, with any concerns regarding potential scam offers and/or phishing attempts."

One of the best ways to avoid being hacked – even if you've given away your password – is through two-factor authentication.

This is an extra layer of security that requires a unique code sent via text to log in.

So if hackers steal your password, they still wouldn't be able to nab your account.

Apple has a guide on how to set up two-factor authentication here.

We've asked Apple for comment and will update this story with any response.

Have you received any scam emails recently? If so, let us know in the comments!

