Users of Apple devices have been warned about a new fake invoice email scam that attempts to get them to provide attackers with their bank details.
Another Email Scam Targets Apple Device Users
Criminals are sending spam emails in the millions in the hope that they will be received by owners of Apple devices. The spam emails contain a bogus invoice which indicates the user’s iTunes account has been used to download a number of videos, games, singles, and albums.
The fake invoice includes Apple logos and details of the amounts charged for each purchase. The email is intended to scare iTunes account holders into thinking their account has been compromised and used to make fraudulent purchases.
At the bottom of the invoice is a link for users to click if they did not authorize the purchases. The email recipient is told that they have 14 days to query purchases and receive refunds. However, clicking the “manage my refunds” link will not take the user to the Apple App Store website, but to a spoof site where they are asked to enter their bank account information. The attackers claim that a refund will be given; however, divulging bank account details will enable the attackers to make fraudulent charges to the users’ accounts.
Both Apple and the FBI are investigating the latest fake invoice email scam. While Apple has not released a statement about this fake invoice email scam, after previous email spam campaigns Apple has told customers that they would not be asked to reveal sensitive information such as bank account details, passwords, and credit card numbers in emails.
When bank account information is required, such as to set up an iTunes account, the web address will be a subdomain of apple.com: store.apple.com for example. Apple advises customers never to reveal their sensitive information on any non-Apple website.
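The "subdomain of apple.com" rule can be checked mechanically by a mail filter or a reviewer. The following is an added example, not code from Apple or from this article; the function names and the sample message body are constructed for illustration, and it assumes the email is HTML.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "apple.com"  # the domain named in the article

def is_trusted_host(url, trusted=TRUSTED_DOMAIN):
    """True only for https URLs whose host is `trusted` or a subdomain of it."""
    try:
        parts = urlsplit(url.strip())
        # .hostname lowercases the host and excludes credentials and port
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return False
    if parts.scheme != "https" or not re.fullmatch(r"[a-z0-9.-]+", host):
        return False
    # Compare on a label boundary: "store-apple.com" and
    # "apple.com.refunds.example" contain the string but are other domains.
    return host == trusted or host.endswith("." + trusted)

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from the <a> tags of an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html_body):
    """Return the (href, text) pairs that do not point at the trusted domain."""
    collector = LinkCollector()
    collector.feed(html_body)
    return [(h, t) for h, t in collector.links if not is_trusted_host(h)]

# Constructed sample body for illustration, not taken from a real message.
SAMPLE = """
<a href="https://store.apple.com/account">View account</a>
<a href="http://apple.com.refunds.example/manage">manage my refunds</a>
<a href="https://store-apple.com/login">Sign in</a>
"""
```

Calling `suspicious_links(SAMPLE)` returns the two links whose hosts merely contain "apple.com"; the check is deliberately strict, so non-https and non-ASCII hosts are also reported.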
Fake Invoice Email Scam Targets Netflix Users
Criminals often spoof popular websites and attempt to phish for sensitive information such as credit card numbers and bank account details. Netflix is another popular target for scammers due to the number of subscribers to the service. A similar fake invoice email scam is also being used to fool Netflix account holders into disclosing their bank account information.
The spam emails contain an invoice for a subscription to Netflix claiming the user’s account will be charged to renew their subscription. The funds will be automatically taken from users’ accounts unless action is taken to change their auto-renew settings.
As with the Apple scam, a link is provided on the invoice which allows the email recipient to manage their subscription settings. The email appears to have been sent from Netflix, but clicking the link in the email will similarly take the user to a scam site. They are then taken through a series of steps to manage their subscription, which involves confirming their bank account details.
How to Avoid Becoming a Victim of Email Scams
These fake invoice email scams are designed to catch out the unwary and scare people into revealing sensitive information. However, by adopting some email security best practices it is easy to avoid scams such as these.
If you are sent an invoice in an email that claims to be from a web service, never click on the links in the email, no matter how realistic the email appears to be. Instead visit the official website and check account details or account charges directly on that website.
Cybercriminals often include links to spoofed websites in an attempt to obtain sensitive information, although the links can also direct the email recipient to a website hosting an exploit kit. Exploit kits probe for vulnerabilities in browsers and plugins that can be exploited to automatically download malware.
It is safest to assume that all attachments sent via email could be malicious. Never open an email attachment unless you are 100% sure that it is genuine. Cybercriminals use email attachments to transmit malware and ransomware. Opening an attachment can potentially result in a malware infection.
Small business owners should use software solutions to prevent the downloading of malware. While anti-virus and anti-malware software can prevent malware from being installed, cybercriminals are developing highly sophisticated malware which is not detected by anti-virus software. By installing a spam filtering solution such as SpamTitan, small businesses can prevent these malicious emails from being delivered to end users’ inboxes. This reduces reliance on employees’ ability to identify phishing and scam emails.