A clever phishing email is making its way around the Web, attempting to trick people into handing over their Apple user name and password to view a purported update to their iTunes account.
With the subject "Account Info Change," the email appears to come from Apple, but the address is "do_not_reply@itunes.com via smtp.com," meaning it came from a third-party email service, the security firm Trend Micro reported. (Legitimate emails from Apple show an "id.apple.com" address.)
The discrepancy is so small, however, that Trend Micro said the phony emails share an "uncanny and almost identical resemblance" to real Apple emails, which makes this particular phishing campaign that much more dangerous.
The email informs recipients that their Apple ID was "updated" and includes a link users can click on "to review and update their security settings." The link, written as appleid.apple.com, redirects people to another Web page that looks strikingly similar to Apple's website, except that the phony Apple page includes advertisements at the bottom.
The phishing page asks for users' Apple IDs and passwords, which, of course, are then sent to the crooks behind the scam who can use the stolen IDs to access credit card information, home addresses and phone numbers.
Trend Micro warns users to "always be wary of the littlest detail in your email that may strike you as suspicious. Check and double-check embedded URLs, delete spammed messages, and never underestimate the endless possibilities of cybercrime."
It's also important to remember that Apple laptops, iPhones and iPads, which are long thought to be safer and more secure than PCs, are still not immune from online threats and cyberattacks. A host of new malware has recently emerged targeting Macs, and rather than banking on the supposed immunity of your Apple product, it's best to install anti-virus software that can detect and prevent cybercrime threats so you don't have to. Of course, there is no substitute for common sense, and no anti-virus software can protect you against social engineering scams like this one. If you receive an unsolicited email like this, contact the company directly rather than clicking on a suspicious link.