An Apple ID Phishing Scam

Suppose your Apple ID login led you to another screen that asked you to provide such information as your full name, your credit card number (including expiration date and verification code), date of birth, phone number, and your mother’s maiden name… would you provide that information?

I suppose whether you’d share this sort of information would depend upon how trusting you are of your Apple ID account. Some people would share, and others wouldn’t. If you’re among those who would provide such sensitive information, you’d be well on your way to big trouble.

Yet this is just the situation some folks found themselves facing when they were redirected to what appeared to be the Apple ID login page. It seems that hackers compromised a server within EA Games, which develops and distributes many popular games for iPhone and iPad. The phishing attempt directed users to a fake Apple ID page, which captured login and password information and then sent them to a second screen that asked for personal information, including credit card numbers and other identifying data. Once that information was captured, the user was directed once again to an Apple ID login screen – this time the real one.

Even savvy users have gotten snagged by this phishing attempt, because the fake Apple ID login screen is incredibly similar to the real thing. Yet in a side-by-side comparison of the real and the fake screens, you will find some telling discrepancies.

[Screenshot] REAL: Apple ID Sign In Page

[Screenshot] FAKE: Apple ID Sign In Page

Apple is very, very precise in the language it uses and the design of its screens, and the fake screen doesn’t take that into account. It asks users to “verify” their Apple ID (the real screen asks users to “manage” their Apple ID), and the text on the fake screen is center-justified and leaves the “ID” hanging on the second line. Apple nestles the word “Apple” in next to “ID” and left-justifies all of its text. Additionally, the Apple logo is missing from the lower left of the fake page, next to the words “My Apple ID.”

Still, without the advantage of a side-by-side comparison, many users could be fooled into thinking the fake screen is legitimate.

How do you avoid getting phished?

  1. Check the URL.
    Often the URL is a dead giveaway that what you’re seeing isn’t actually what you think it is.
  2. Go directly to the website.
    Typing the URL yourself will take you directly to the website. Relying on the URL that you’re directed to can lead you into unsavory territory.
  3. Be skeptical.
    If you have no reason to be receiving a message or alert from a website (no matter how reputable), let your spidey sense be your guide. Approach all redirects with caution.
  4. Don’t give out your personal information.
    This should go without saying, but lots of people – smart, savvy people – get fooled every day. Unless you’ve navigated to a site with the intent to purchase something, there should be no reason for you to hand over your sensitive personal data. Even ecommerce sites will be limited in the sort of information they seek to gather from you.
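To make step 1 concrete, here is an added Python example (not from the original post) showing which part of a URL actually decides where a login form is submitted: the hostname, not the word “apple” appearing somewhere else in the address. The sample URLs are constructed, the `.example` domains are placeholders, and the assumption that the genuine sign-in page lives under apple.com is this example’s, not the post’s.

```python
from urllib.parse import urlsplit

# Assumption for this example: a genuine Apple ID sign-in page is served
# from apple.com or one of its subdomains.
TRUSTED_SUFFIXES = ("apple.com",)


def host_is_trusted(hostname: str) -> bool:
    """True only if hostname is apple.com or a subdomain of it.
    'notapple.com' and 'apple.com.evil.example' are both rejected."""
    h = hostname.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in TRUSTED_SUFFIXES)


def check_login_url(url: str) -> dict:
    """Return the host the browser would really contact plus a verdict.
    Each reason describes one way a URL can look like Apple without being Apple."""
    parts = urlsplit(url)
    host = parts.hostname or ""  # drops userinfo ("...@") and any port
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")
    if "@" in parts.netloc:
        reasons.append("text before '@' is userinfo, not the site")
    if not host_is_trusted(host):
        reasons.append("host %r is not an apple.com domain" % host)
        if "apple" in (parts.path + parts.query).lower():
            reasons.append("'apple' appears only in the path/query")
    return {"host": host, "ok": not reasons, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample URLs: one genuine-looking host, three lookalikes.
    samples = [
        "https://appleid.apple.com/account/manage",
        "http://apple.com.verify-account.example/login",
        "https://appleid.apple.com@login.example/verify",
        "https://cdn.example/apple.com/appleid/verify.html",
    ]
    for url in samples:
        verdict = check_login_url(url)
        print("OK  " if verdict["ok"] else "WARN", verdict["host"], verdict["reasons"])
```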

The cybercriminals who run these phishing scams have gotten more sophisticated as time has gone by. Be wary of any site that asks you for personal information, and view everything with a critical eye. A measure of diligence online will mean you’ll be able to spot a scam before it snags you.