A phishing scam asking users to click refund links in a legitimate-looking email purporting to be from Apple is doing the rounds.
Apple customers are being targeted by a phishing iTunes invoice scam designed to trick them into clicking a link to claim a refund for a purchase they did not make.
An email purporting to be sent from Apple is currently in circulation, appearing to bill the recipient for £34.99. The invoice contains the line: ‘If you did not authorize this purchase, please: Click here for Refund’ [sic] in an effort to trick users into entering their Apple ID into a fake login page, according to internet security blog Malwarebytes.
After entering their Apple ID and password, victims are then prompted to enter credit or debit card information, including their card number, address and full name.
The scam emerges in the wake of the news that TalkTalk’s website was subjected to a “significant and sustained” DDoS attack which may have compromised millions of users’ personal information, including names, email addresses, financial information and telephone numbers.
The attack, which took place on Wednesday October 21, is the third time TalkTalk has been targeted this year alone. In August, its mobile sales site was targeted and personal data was breached, and in February, hackers were able to steal account numbers and names of TalkTalk customers.
The Metropolitan Police Cyber Crime unit said it was currently investigating the attack.
Earlier this week, it was reported that fraudsters were imitating Apple’s remote help site in an effort to gain access to victims’ computers.
Scammers typically try to trick users into landing on such falsified support sites by targeting them with false warnings and pop-ups claiming that something is wrong with their computer.
When legitimate sites ask for sensitive information such as financial or personal details, a padlock icon is displayed in front of the URL to indicate the presence of a Secure Sockets Layer (SSL) certificate.
Fraudulent sites impersonating Apple’s iTunes pages and banks including NatWest and Halifax have recently been wrongly issued with these authentication certificates, which can instil false confidence in users when they input their details.