GlobalSign Blog

09 Nov 2018

Fake Spotify Emails are Targeting Apple ID Passwords

If your daily routine involves listening to your favorite Spotify playlist, you might want to hear this news first. As reported by a Reddit user, a new email phishing scam has surfaced that uses fake Spotify emails to steal Apple ID passwords. Pause your music for a while and learn more about this sketchy scheme.

The Game Plan: The One-Year Subscription

Like the classic email phishing scams, this one starts with an engaging premise. The hacker will send you an email that apparently came from Spotify, notifying you about your one-year subscription to the music streaming service. Since you (probably) don’t have any active subscriptions to Spotify, this email will definitely trigger you into lowering your guard. Lucky for you, the email contains a convenient link to “review your transaction.” The hacker hopes that you click this link because it will lead you to a compromised Apple ID login page, waiting for you to foolishly log in your credentials.

fake-spotify-e-mail

The Counter Measure: Look at Those URLs

Looking at the screenshots above, an agitated and distracted person will definitely fall victim to this email phishing scam. But if you step back and view the bigger picture, you’ll definitely see the signs of a deceptive email. For one, the fake Spotify email contains grammatical errors. “You are in charged for your subscription” is not a sentence a competent company writes. The most obvious giveaway will be determined by you—did you really subscribe to Spotify? If the answer is no, then bid this email “begone!”

If the answer is yes, then there’s a chance this email is legit, right? So before you open it, make sure the email is actually from Spotify. Legitimate emails use security indicators to authenticate themselves to their clients. Does the email have an email signature or a ribbon icon next to the sender’s name? This security icons indicate that the email really came from the sender and the contents were authenticated. Obviously, the fake Spotify email won’t have any of these indicators so for the second time, bid this email “begone!”

signed-email

But fine, let’s say you got too excited and clicked the link inside the phishing email. Once the webpage finished loading, check for the telling signs of a phishing website. Check the URL if it’s an existing domain or just a string of garbage text. Is the website flagged as “Not Secure?” Most browsers like Chrome and Mozilla will tell you otherwise. Does the webpage contain a Secure Trust Seal? If you check the screenshot above, the fake Spotify login page is obviously a fake. Don’t put your details in there, fam!

Secure Email Certificates allow companies to authenticate themselves to their clients. Wanna know how you can use this to your advantage? Check out GlobalSign’s Secure Email here. If you want to learn more about GlobalSign, visit our official website.

Share this Post

Connect with us

fb_icontw_iconin_icon