Monday, May 18, 2026
Phishing

Legitimate Apple Emails Are Being Abused In Callback Phishing

by Justin Erickson

Scammers are abusing Apple account change notifications to deliver phishing content inside legitimate emails sent from Apple’s own infrastructure. In the example reviewed by BleepingComputer, the message arrived from appleid@id.apple.com, passed standard email authentication checks, and included a fake warning about an $899 iPhone purchase via PayPal with a phone number to call for “cancellation.”

How do attackers do this? They “…create an Apple ID and insert the phishing message into the account’s personal information fields, splitting the text across the first and last name fields.”

This tactic is called callback phishing. Instead of directing victims to a malicious website, the email fakes urgency and directs the victims to call a scam number. Once on the phone, attackers may claim the account was compromised and try to collect information or convince the victim to install remote-access software.

Here are 3 ways to respond to this type of phishing:

  1. Be skeptical of urgent purchase warnings, especially if they reference payments you did not make and ask you to call their “support” number
  2. Don’t call phone number(s) listed in unexpected account-alert emails
  3. Check your Apple account status through Apple’s official website
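
For mail filtering, the case above means a passing authentication result cannot clear a message on its own. The following triage sketch is an added example, not code from the article or from Apple; the sample message, regex patterns and verdict names are constructed assumptions.

```python
import re
from email import message_from_string, policy

# Constructed sample (not a real message): an authenticated notification whose
# greeting carries attacker-supplied name-field text, as in the case above.
SAMPLE = """\
From: Apple <appleid@id.apple.com>
To: user@example.com
Subject: Your account information has been updated
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain; charset=utf-8

Dear Your iPhone purchase of $899 via PayPal is confirmed. To cancel call +1 (555) 010-0199,

The following changes were made to your account.
"""

# Assumed heuristics; tune them against your own mail flow.
PATTERNS = {
    "phone_number": re.compile(r"(?:\+?\d{1,2}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}"),
    "amount": re.compile(r"[$€£]\s?\d[\d,]*(?:\.\d{2})?"),
    "call_verb": re.compile(r"\b(call|dial|phone)\b", re.I),
    "purchase_lure": re.compile(r"\b(purchase|order|payment|cancel\w*|refund|paypal)\b", re.I),
}

def auth_passed(msg):
    """True when an Authentication-Results header reports dmarc=pass.
    Trust only the header stamped by your own mail gateway."""
    results = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    return re.search(r"\bdmarc=pass\b", results, re.I) is not None

def callback_indicators(msg):
    """Return the names of the callback-lure signals found in the text body."""
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    return [name for name, rx in PATTERNS.items() if rx.search(body)]

def triage(raw):
    """Score content independently of sender authentication."""
    msg = message_from_string(raw, policy=policy.default)
    hits = set(callback_indicators(msg))
    lure = {"phone_number", "call_verb"} <= hits and hits & {"amount", "purchase_lure"}
    if lure:
        # Authenticated mail with a lure is the abuse pattern described above.
        return "callback_lure_in_authenticated_mail" if auth_passed(msg) else "callback_lure"
    return "no_callback_lure"

if __name__ == "__main__":
    print(triage(SAMPLE))
```
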