"Your account has been locked" - 7 telltale signs of a phishing scam

According to study after study, phishing remains the most efficient attack vector for bad actors to steal your data. Even though attackers have plenty of options, they prefer phishing because it does one thing better than any other method: it tricks victims into partaking in their own attack.

Some of the most lucrative phishing emails pretend to come from 1 Infinite Loop, Cupertino, California. That”s right: Apple Inc. The operators behind these campaigns have honed their skills to create messages that are nearly indistinguishable from Apple”s – graphics and everything. Thus armed, they dupe thousands of unwary users into handing over their passwords and credit card data thinking they are communicating with the actual help desk at Apple. In fact, they are handing over their precious data to the attackers.

A new Apple-themed phishing email is making the rounds as of late. Since it”s such a classic scam model, we thought it would be a great idea to use it as the basis for our latest short guide to spotting phishing scams. So, without further ado, let”s dive in!

As the screenshot below shows, the message instills fear, saying your account has somehow been compromised, that Apple has locked it “for security reasons,” and that you now need to re-enter all your data to confirm you”re you and not the hacker.

The message is crafted well enough to trick the untrained eye, but a few telltale signs show we are being scammed here.

Clue #1: “user@icloud.com has been temporarily disabled”

Ask yourself this: “How is my account disabled if I”m getting this on my current iCloud email account, which I can still access with my current Apple ID and password just fine?”

Something”s not right here…

Clue #2: email sender

Scammers will usually try to mimic the email address of the company they are impersonating. In this case they used the iconic “i” moniker typically found in Apple nomenclature. This is meant to both add credibility and avoid anti-phishing mechanisms. Clicking on the address name also reveals the actual address the email comes from. The address “iforgotmanageservicedtls11@personalverfctioninfos.com” hardly sounds like the real Apple in Cupertino.

For any other service or company the attackers might impersonate, check previous legitimate emails and see what the real address looks like.

Clue #3: “Your Apple ID has been locked for security reason”

Typical scareware subject line. Phishing scams try to frighten you by saying something has gone wrong and you need to take IMMEDIATE action. It”s a classic clue that you are dealing with a swindle. And shouldn”t “reason” be in plural here? Poor English is always a sign you should be wary [wink].

Clue #4: “go HERE” doesn”t actually take you to Apple”s website

Hover your mouse cursor over any hyperlink and you will see the actual URL without having to click on it. In this example, iCloud Mail is open in Chrome, which reveals the URL in the bottom left-hand corner of the browser”s window.(Microsoft Outlook reveals the URL in a square bubble, right above the mouse cursor.)

The first thing to notice here is that the URL has been shortened. No legitimate company, particularly Apple, will ever do that. But, say you don”t notice this and proceed to click on the link. Typically, you”ll be taken to a page designed to look like it”s on Apple”s website. Chances are the page will host a form asking you to enter your personal data, and sometimes even financial data. Don”t do it! Apple will never ask you to do any of this, even if your account does get hacked.

Clue #5: “Your Account will permanently disabled if you do not verify your account under 24 hours.”

Another dose of scareware, just in case the first attempts misfired. No company will EVER permanently disable your account simply on the basis that it got hacked. Quite the contrary. They will try to fix it and get you back on track.

We”re also missing a verb here. Nice try guys!

Clue #6: email signature

Big companies like Apple, Facebook and Google typically sign emails using nothing more than the company name. Some might contain terms like “Support” or “Team,” etc. This varies by company. But… “Apple Information?” That doesn”t sound like much of a department name, does it? In fact, it almost sounds like the scammers were running out of ideas.

When in doubt, look for the last legitimate email from your vendor and compare the signatures. If they don”t match, you know what”s going on [wink].

Clue #7: no URL where there should be one

Fake hyperlinks that in fact go nowhere also indicate that something is off. A “Privacy Policy” is meant to be accessible for the customer to review the rights and obligations of all parties involved. Here, we”re looking at an incomplete replica of Apple”s template.

This was a classic example of how phishing scammers operate. These campaigns are a dime a dozen, and almost each one brings something new to the table.

As a rule, never hand over your personal data, password, or credit card information to an email sender before you thoroughly verify they are who they claim to be. Few, if any companies solicit such information from customers via email.

(At press time, the phishing campaign had already been reported to the hosting company and the scam is now essentially defunct).

That”s not to say you should consider every warning message a scam. Just be sure to investigate thoroughly before you take any action that you might regret later.

As far as Apple users are concerned, if you receive what you believe to be a phishing email purporting to be from Cupertino, Apple recommends forwarding the message with complete header information to reportphishing@apple.com so that the company can investigate the matter.

For business-oriented readers, we have this editorial geared towards corporate environments: The Underrated Importance of Training Your Staff to Spot Devious Phishing Attacks.

Stay safe!