While this particular scam message had many giveaways showing it was not legitimate, the person fell for it anyway, and the consequences began within minutes.
The initial message from the scammers is shown here. While it contains several indications that it’s not actually from Apple — a non-Apple “From:” address, poorly written text, a link that doesn't go to apple.com — these can all be overlooked by someone who is tired, worried that their account is limited, or simply not paying close attention.
Many scam messages contain these flaws, but it is possible for a scam message to look entirely legitimate: It can have a legitimate Apple address in the From line (it's easy to fake this information), it can be well written, and the Click Here link can be made to look like it goes to a page at apple.com. So, how do you protect yourself?
One Weird Trick To Stay Safe
There is one simple step I recommend you always, always take when receiving an e-mail asking you to log in to an account (and it's not really weird; I just wrote that to get your attention). Instead of clicking a link in the e-mail to go to the log-in page, type the known, legitimate address of the page into your browser yourself.
In this case, if the person had gone to his Web browser and typed “appleid.apple.com,” he'd have known he was on a real Apple page. (All pages whose address, before the first slash, is “apple.com” itself or ends with “.apple.com” are real Apple pages.)
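As an added illustration (not part of the original post), the following Python script applies that same address rule mechanically: it pulls every link out of a constructed sample message whose From header and visible link text both say Apple, and accepts a link only when its host is apple.com itself or a subdomain of it. The sample message and the lookalike domain in it are constructed for this example.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

LEGIT_DOMAIN = "apple.com"

# Constructed sample: the From header is forged to look like Apple and the
# first link's visible text hides an href that merely starts with apple.com.
SAMPLE_MESSAGE = """\
From: Apple Support <no-reply@apple.com>
Subject: Your Apple ID has been limited
Content-Type: text/html

<p>Your account is limited. <a href="http://appleid.apple.com.verify-login.example/login">Click Here</a> to restore it.</p>
<p>Or visit <a href="https://appleid.apple.com/">appleid.apple.com</a>.</p>
"""

class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs from the anchors in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def is_legit_host(url, domain=LEGIT_DOMAIN):
    """True only if the host is the domain itself or a subdomain of it.
    A substring check would accept 'apple.com.verify-login.example' and a bare
    suffix check would accept 'notapple.com'; comparing on the label boundary
    (the dot) rejects both."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def audit_links(raw_message):
    """Return [(visible text, href, legit)] for every link in the message body."""
    msg = message_from_string(raw_message)
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    return [(text, href, is_legit_host(href)) for text, href in collector.links]
```

Run over the sample, the “Click Here” link is flagged as not Apple's while the second link passes; the forged From header is never consulted, because it proves nothing.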
What Happened To The Victim
The victim of this scam filled in a whole bunch of personal information on a page that claimed to need that data to verify his account. This included his Social Security Number, mother's maiden name, date of birth, and credit-card information, in addition to his Apple ID log-in and password.
Within minutes, the scammers changed his Apple ID password so he couldn't get in. Now they have his contact lists and possibly all data backed up from his iPhone and Mac. He will need to recover access to his account, possibly by phoning Apple and reporting the problem.
A victim of this scam will need to cancel the credit card, initiate a fraud alert with the credit bureaus, report the data theft at IdentityTheft.gov, and watch for the thieves using his information to cause harm. It is possible they will use his e-mail to send out spam, including the very spam that tricked him. They may also use the information they've gathered about him to rob his friends, for example by e-mailing them that he needs an immediate loan because he is abroad and has lost his passport; they can do this convincingly because they have a lot of information about him to make the request seem genuine.
So, once again, what’s the one thing you can do to always avoid falling for this kind of scam? That’s right: Instead of clicking a link in the e-mail to go to the log-in page, type the known, legitimate address of the page into your browser yourself.
- https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en (do this one first)
- Forward the e-mail as an attachment (instructions here) to: firstname.lastname@example.org
- Report the site by sending its Web address to: email@example.com