It’s not uncommon to get an email or a phone call from someone pretending to be someone else. I often get emails from someone saying they’re PayPal and there is a problem with my account. Of course, you never click on the links in the emails. You simply open up your PayPal account and come to the realization that it’s a scam. But there is a scam going around right now in the form of a fake confirmation for a Spotify subscription. This phishing attempt hopes to get you to give up your Apple ID, by telling you (falsely) that you’ve purchased a year of Spotify Premium. Of course, you haven’t. And as noted above, the scammers want you to click on those links so you will give up the information that they need to get into your account.
How it works is that the hackers send an email that is a fake confirmation of a year-long Spotify Premium subscription agreement. If you choose the option to “review your subscription”, then you’re going to get taken to a page that disguises itself as an Apple ID login page. Presumably, once you attempt to log in to that page, your Apple ID email and password are logged, which is a big fat win for the hackers. I mean, this is a basic phishing scam, but the hackers are getting more and more sneaky with how they are going after you.
Most of us know whether or not we purchased a year-long subscription to Spotify. But if you don’t, or you’re not very tech savvy, you could easily get caught up in this phishing attempt. The general public, however, might not notice the red flags once they see that their “credit card” has been “charged” $150.99, and they immediately try to cancel or reverse the charges through that “review your subscription” link.
Apple ID phishing scams are incredibly common, so much so that Apple has a support page dedicated to providing tips on how to avoid falling for these scams. These are the tips Apple outlines on watching for posing emails and texts:
- The sender’s email address or phone number doesn’t match the name of the company that it claims to be from.
- Your email address or phone number is different from the one that you gave that company.
- The message starts with a generic greeting, like “Dear customer.” Most legitimate companies will include your name in their messages to you.
- A link appears to be legitimate but takes you to a website whose URL doesn’t match the address of the company’s website.
- The message looks significantly different from other messages that you’ve received from the company.
- The message requests personal information, like a credit card number or account password.
- The message is unsolicited and contains an attachment.
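Several of these tips can be checked mechanically. The following is an added example, not code from Apple or from the original post: it tests a message for a mismatched sender domain, a generic greeting, off-brand link targets and attachments. The `BRAND_DOMAINS` map, the flag names and the sample message are all assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hand-maintained map of brand keyword -> domains it really uses.
BRAND_DOMAINS = {"apple": {"apple.com"}, "spotify": {"spotify.com"}}

def host_ok(host, allowed):
    # Exact or subdomain match only; a substring test would accept apple.com.example.test.
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in allowed)

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.append(dict(attrs).get("href") or "")

def red_flags(raw):
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    claimed = f"{name} {msg.get('Subject', '')}".lower()  # brands the message claims
    allowed = set().union(*(d for b, d in BRAND_DOMAINS.items() if b in claimed))
    flags, body = set(), ""
    for part in msg.walk():
        if part.get_filename():
            flags.add("attachment")
        elif part.get_content_maintype() == "text":
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    if allowed and not host_ok(addr.rpartition("@")[2], allowed):
        flags.add("sender-domain-mismatch")
    if re.search(r"\bdear\s+(customer|user|member)\b", body, re.I):
        flags.add("generic-greeting")
    links = LinkCollector()
    links.feed(body)
    if allowed and any(not host_ok(urlparse(h).hostname, allowed) for h in links.hrefs):
        flags.add("link-domain-mismatch")
    return sorted(flags)

# Constructed sample modelled on the email described above; not a real message.
SAMPLE = """\
From: "Apple Support" <billing@receipts.example.test>
Subject: Your Spotify Premium subscription confirmation

Dear customer, <a href="https://appleid.apple.com.example.test/login">review your subscription</a>
"""
```

Calling `red_flags(SAMPLE)` reports the generic greeting plus the sender and link mismatches; the link host is rejected even though it contains `apple.com`, because only the registered domain at the end of the hostname counts.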
A phishing scam can happen to the best of us. Just because you click on it doesn’t mean that you’re doomed; it just means that you’ve given away information that should have been kept private. With all emails, just make sure that you know who the sender is. If in doubt, delete the email, call the company and find out if something is going on with your account.