Apple billing e-mail scam making the rounds

A rather convincingly official-looking e-mail now in circulation attempts to steal personal information. Here are the telltale signs.

Topher Kessler MacFixIt Editor
Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.
Topher Kessler
3 min read

Last week we warned that people be aware of potential Christmas scams, especially those involving Apple's products as the company has become exceptionally popular in the past few years.

While the scam I mentioned in our previous warning was laughably fake, apparently a number of Apple customers have found a new e-mail scam circulating that gives the appearance of being quite genuine. The e-mail appears well-formatted with proper grammar, and is styled with shading and official-looking links, addresses, and copyright marks. The message also claims to come from an official looking e-mail address "appleid@id.apple.com."

Fake e-mail message
The fake Apple e-mail looks very official (click for larger view). Intego

Beyond the e-mail looking authentic, the links provided in it are for a fake server that also appears to be authentic. If you click the Apple Store link, the server you go to will ask you for an Apple ID and password, and then display a page that requests you update your personal information including your credit card.

According to Intego this scam is apparently quite widespread, and is intended to target people who have new Macs, iPhones, and other Apple products that might have been purchased this Christmas season.

The best way to avoid any scam like this is to absolutely never click a link in an e-mail message, even if you think the e-mail is legitimate. Instead, go to the company Web site directly and use the resources on its Web site to update your account or access the features requested in the email.

Beyond safe practices like this, you can also avoid scams by checking the address for the pages they link to. While in this case the e-mail message states that its link is for "http://store.apple.com," if you hover your mouse over the link you will see the true URL appear. You can also right-click the link and copy it to the clipboard, followed by going to the Finder and checking the Clipboard contents in the "Edit" menu to see the link.

If you have clicked the link, the very first thing you should do is check the address. All official Web sites for companies, and especially those that contain account information, will have a valid URL and will not use a server IP address. In this case, the address for the server contains an IP address (a series of 12 numbers grouped in threes and separated by periods), followed by a folder containing an Apple-titles HTML document.

For reference, here is a comparison of the login page provided by the scammers (top), followed by the real login page that you will find if you visit any Apple store online (bottom). Note the fake URL in the page, the title that is not the same as the Apple store, and also note the page is not verified. In this case it does not use the "https" protocol and does not have a signed certificate, whereas the real Apple page does (see the green text in the address bar for the valid Apple page):

Fake Apple Store login
The fake Apple login page has an invalid URL and is titles "The Apple Store." Screenshot by Topher Kessler
Valid Apple Store login
The real Apple store login looks like this. Screenshot by Topher Kessler

In addition to the login windows being different, the update forms are also different. In the scam, after you enter your login information (any random information will work), the page will present the following page. In a real Apple store, entering invalid login information will result in an error. Additionally, the official Apple account page (bottom), will have separate pages for entering account information and otherwise managing your account.

Fake apple update page
The fake account update page looks like this. Note the same false URL and the difference in page title (Apple's pages all have both the Apple store name and section of the Apple store). Screenshot by Topher Kessler
Apple update page
The real Apple account update page looks like this. Screenshot by Topher Kessler

Questions? Comments? Have a fix? Post them below or e-mail us!
Be sure to check us out on Twitter and the CNET Mac forums.