What would you do if you received a mistaken email saying you'd bought nearly a hundred dollars' worth of movies on iTunes? You'd probably dispute the charges — and that's exactly what the latest Apple phishing scam hopes you'll do.
The catch, and the giveaway, is that the link "to get full refund" goes to a bogus Apple site that asks for your credit-card information, government ID and even your mother's maiden name.
Important Security Tip: As Apple itself states on a page instructing customers on how to spot phishing emails (opens in new tab): "The iTunes Store will never ask you to provide personal information or sensitive account information (such as passwords or credit card numbers) via email."
This scam targets Canadian residents, but could easily be retooled for the U.S. market. It was uncovered by researchers at Sunnyvale, California-based security firm Fortinet, which detailed its findings on the company blog last week.
If you do see such a message, forward it to "firstname.lastname@example.org". If you fall for the scam, cancel your credit card and institute a credit freeze for the next few months.
Fortinet's posting included screenshots of a legitimate-looking phishing email, which included an Apple logo, one of Apple's preferred typefaces and a list of movie posters corresponding to those purportedly purchased by the recipient, including "Arrival," "The Accountant," "Jack Reacher: Never Go Back," "Allied" and "Deepwater Horizon." All those titles are indeed currently for rent or sale in iTunes.
The recipient is presented with a receipt for $95.95 in Canadian dollars, which comes to about $75 U.S. at current exchange rates.
At this point, anyone who had not indeed purchased these movies would be pretty outraged. Then there's this text at the bottom of the message: "If you haven't authorized this transaction, click the link below to get full refund. Go to the Help Centre at: http://idmsa.apple.com/IDMSWebAuth/refund/login.html?appIdKey".
Except the link doesn't go to an Apple page. (One thing about embedded links is that the stated link can be completely different from the actual link.) Instead, you'll find yourself on what only SEEMS to be an Apple Store page.
Your suspicions should be aroused at this point by what the fake Apple page asks from you. It not only demands your name and address, but your credit-card number with security code, mother's maiden name and your social insurance number (the Canadian equivalent of the U.S. Social Security number). Surprisingly, it doesn't ask for your Apple ID or Apple password, two things that are pretty valuable to online thieves.
Needless to say, if you do provide the requested information, you will be pretty well hosed. Not only can the baddies on the other end of this scam (Fortinet did not speculate on who they might be) be able to rack up charges on your credit card, but they might also be able to get new credit cards issued in your name or hijack your email account.
Remember, they already have your email address, and you've just given them your mother's maiden name, which might let them reset the password.