Scammers tricking Apple into sending Phishing Email Scams
Scammers have worked out a way to trick tech giant Apple into sending recipients phishing scams, so let’s explain what’s happening in case one of these emails land in your inbox.
Firstly, the email itself, which is below.
It’s a pretty standard “you’ve been billed” phishing scam which claims your PayPal account has been billed a bunch of money and you should call a phone number provided if you have any questions. And if you call that phone number, a scammer is waiting at the other end of the line pretending to be PayPal customer service and will try and trick you into either handing over sensitive financial information or installing malware on your computer, both of which will likely lead to the scammer being able to rummage around your bank accounts.
It’s a phishing scam that’s been around a while. So, what makes the above example any different?
Well, because it’s been sent by Apple. Technically, at least.
One issue that phishing scammers have is that while it is relatively cheap to mass mail hundreds of thousands of email addresses the same generic phishing scam like the one above, they’re pretty easy for anti-spam filters to spot. This means that only a small percentage of them actually land in people’s inboxes. The rest of them get flagged and condemned to digital black holes for the rest of eternity.
However, if scammers could trick a reputable tech company into sending the emails, such as, let’s say, Apple, then that’s going to make the phishing emails much more difficult for anti-spam tools to detect.
Sponsored Content. Continued below…
But how would scammers do this?
Through the iCloud Calendar invite feature (as reported by BleepingComputer) that allows a person to send iCloud Calendar invites to email addresses of that person’s choosing. Anyone can create an iCloud account and send invites to join a Calendar event to anyone else. This means a scammer can create a dummy iCloud account, create a Calendar event, and invite any email address they choose. Such invites are sent from Apple servers, so the emails appear authentic to anti-spam tools.
The scammers create misleading event names (in the example above it’s “Purchase Invoice”) and can append text of their choosing in the event “Notes” section, which they use for the phishing text itself.
A novel way to help a scam land in your inbox, yet the advice to avoid these scams is the same as always. Don’t respond to emails that create a sense of urgency, use generic greetings, contain spelling mistakes and don’t include your email in the To: field. If you need to contact your bank or PayPal, NEVER use a phone number on an email you received. Go to their website or use paperwork at hand to get their contact details.
Continued below...
Thanks for reading, we hope this article helped, but before you leave us for greener pastures, please help us out.
We're hoping to be totally ad-free by 2025 - after all, no one likes online adverts, and all they do is get in the way and slow everything down. But of course we still have fees and costs to pay, so please, please consider becoming a Facebook supporter! It costs only 0.99p (~$1.30) a month (you can stop at any time) and ensures we can still keep posting Cybersecurity themed content to help keep our communities safe and scam-free. You can subscribe here
Remember, we're active on social media - so follow us on Facebook, Bluesky, Instagram and X