In fact, some of our staff members here at komando.com have received variations of these phishing messages. They’re so cleverly disguised, I suspect that plenty of people are unfortunately falling for them. As usual, these crafty crooks are sending out emails and creating websites that look like the real deal. Recognizing these fake messages can be difficult for the untrained eye, but we’re here to help. Read on and learn about the latest Apple ID phishing scam that’s making the rounds and how to spot it before it’s too late.

Apple app purchase phishing scam

Here’s how this elaborate scam works. The scammers are now sending out phishing emails that are disguised as Apple App Store payment confirmations for apps you did not purchase. The idea behind this scam is that you’ll be more inclined to take the bait if you see unauthorized charges on your account.

Within these emails are links that are supposed to take you directly to the Apple website to view your purchase invoice and dispute the charges. But note the tip-offs that this is not a legitimate email. The subject line says “Thankyou” and has two periods after “Apple”. An email from Apple would never be this sloppy. In a more elaborate version of the scam, an attached PDF file appears to be the receipt for a recent app purchase. Aside from the dollar amount of the transaction, conveniently embedded in the PDF file are links for reporting a problem about the purchase and for refunds. You probably know what comes next, right? All these links redirect to a fake Apple ID login page. Similar to other elaborate phishing scams, the malicious page looks exactly like the real Apple Account management page.

Fake Apple page

Here’s where the real trickery begins. If you attempt to log in with your Apple ID credentials, you’ll be directed to a page that says that your Apple ID has been “locked for security reasons.” Between the unauthorized app purchase and your locked account, you might think that your Apple account has indeed been hacked – exactly what these crooks are counting on.

This scam will clean you out

At this point, if you click the “Unlock Account” button, you will be taken to yet another fake verification page that asks for your personal information such as your full name, address, phone number, date of birth, and payment information. Worse yet, the scammers are going all the way by asking for your sensitive details like your Social Security number, driver’s license number and your passport number, enough to completely steal your identity. Now, here’s the clever part. Once your information is submitted, you will be redirected to an “Account Verification Complete” page stating that you will be automatically logged out of your Apple account for security purposes. Note: At this point, it’s game over. The scammers have everything they need from you. You will then land on the real Apple account management page, thinking that the account unlocking process is successful.

Fake phishing pages are spreading

Elaborate phishing scams that use fake login pages that look like the real deal are becoming more common. To the unsuspecting eye, these pages can easily pass as authentic, so I could see many people falling for these scams. This is why it’s important to carefully check the addresses or URLs of the websites you visit, especially login pages and payment portals. If you get an unusual email or notification that’s exceptionally alarming, don’t click on its links. It could be a phishing attack. If you want to verify whether there are indeed unauthorized charges on your account, it’s always better to type a website’s address directly into a browser than to click on a link. Before you ever click on a link, hover over it with your mouse to see where it is going to take you. If the destination isn’t what the link claims, do not click on it.
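The hover check described above can also be automated over an email's HTML. The following is an added example, not part of the original article: it flags links whose visible address differs from the real destination, or whose destination is outside an expected domain. The `EXPECTED_DOMAINS` list and the sample message are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Assumption: domains a genuine Apple link is expected to land on.
EXPECTED_DOMAINS = ("apple.com",)

# Constructed sample email body; example.net / example.org stand in for scam hosts.
SAMPLE = """
<a href="https://appleid.apple.com.example.net/invoice">https://appleid.apple.com/invoice</a>
<a href="http://billing.example.org/refund">Report a Problem</a>
<a href="https://support.apple.com/billing">Apple Support</a>
"""

class LinkCollector(HTMLParser):  # collects (visible text, href) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def is_expected(host):
    # Exact match or true subdomain, so 'apple.com.example.net' does not pass.
    return any(host == d or host.endswith("." + d) for d in EXPECTED_DOMAINS)

def suspicious_links(html):
    """Return (text, href, reason) for links that do not go where they claim."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        dest = (urlsplit(href).hostname or "").lower()
        shown = re.search(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", text, re.I)
        if shown and shown.group(1).lower() != dest:
            findings.append((text, href, "visible address differs from destination"))
        elif not is_expected(dest):
            findings.append((text, href, "destination is not an expected domain"))
    return findings

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE):
        print(finding)
```

The first sample link shows why the domain is compared from the right: the hostname begins with "appleid.apple.com" but actually belongs to example.net.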

More tips to protect yourself against phishing scams:

Use unique passwords – Many people use the same password for multiple websites. This is a terrible mistake. If your credentials are stolen on one site and you use the same username and/or password on others, it’s simple for the cybercriminal to get into each account.

Set up two-factor authentication – Two-factor authentication, also known as two-step verification, means that to log in to your account, you need two ways to prove you are who you say you are. It’s like the DMV or bank asking for two forms of ID.

Watch for typos – Phishing scams are infamous for having typos. If you receive an email or notification from a reputable company, it should not contain typos.

Check your online accounts – The site HaveIBeenPwned allows you to check if your email address has been compromised in a data breach.

Have strong security software – Having strong protection on your family’s gadgets is very important. The best defense against digital threats is strong security software.