I had one a about a month ago now that I was actually impressed with how they did it.
I have a Apple account just for the kids Apple devices (required for school). Received an email from Apple support about fraudulent activity and that they’d call at sometimes. I thought that was weird and checked out the email and everything was legit.
Call came in a little early then in the email. They knew all the right details including the case number, sent a verification code to my mobile from a short code SMS “iCloud” and at that point they had me. But only until they asked me to go to a site apple.somebullshit.com. Well apple isn’t going to use a domain that’s not *.apple.com. went there anyway to check and the SSL cert was from Let’s encrypt, apple ain’t using let’s encrypt.
20 years in IT, that’s the closest I’ve been in. Very long time to falling for something.
They got you because you’re not familiar with the Apple ecosystem nor their support system. That’s all sus as hell.
You also failed at basic opsec because you allowed them to control the flow of communication.
Was there actual suspicious activity? Did an actual Apple representative ever contact you because it sounds like the whole thing was a phish but you make it sound like they just got the case number and timing when the more likely scenario is that the email was also them.
I know someone who got had by a spearfishing call. They knew all the details about his phone contract, sounded 100% legit. The scammer got thousands of dollars in prepaid SIM cards from his account.
After the police investigation, turned out that the scammer was actually a former employee of the phone company who downloaded a copy of the customer list when he got fired.
This is why even if I think something is 100% legit, if a place calls me asking for anything I tell them I have to check on it and call back. Then I’ll call their known public number and go through that way. I’ve avoided a couple scam situations like this
This is literally the correct way to proceed in any inbound communication. Doesn’t matter who it is, the more authority they claim the faster to hang up.
They will try and trigger your lizard brain and make you feel like you must act now.
Honestly this is so simple and effective at stopping these sort of scams dead in their tracks. When you call in to help desk and say “I was just on the phone with your agents about a payment problem” and they don’t see any record, it’ll set off all sorts of alarm bells. Especially if it’s the bank.
So are you saying the original email genuinely was from Apple? If so do you have any idea how the scammers got all that info? And did you ever receive the legitimate call back from Apple?
I’m just speculating but maybe they (scammers) filled out a fraudulent activity form on the Apple site on behalf of the victim and then called before an Apple rep did.
I had one a about a month ago now that I was actually impressed with how they did it.
I have a Apple account just for the kids Apple devices (required for school). Received an email from Apple support about fraudulent activity and that they’d call at sometimes. I thought that was weird and checked out the email and everything was legit.
Call came in a little early then in the email. They knew all the right details including the case number, sent a verification code to my mobile from a short code SMS “iCloud” and at that point they had me. But only until they asked me to go to a site apple.somebullshit.com. Well apple isn’t going to use a domain that’s not *.apple.com. went there anyway to check and the SSL cert was from Let’s encrypt, apple ain’t using let’s encrypt.
20 years in IT, that’s the closest I’ve been in. Very long time to falling for something.
They got you because you’re not familiar with the Apple ecosystem nor their support system. That’s all sus as hell.
You also failed at basic opsec because you allowed them to control the flow of communication.
Was there actual suspicious activity? Did an actual Apple representative ever contact you because it sounds like the whole thing was a phish but you make it sound like they just got the case number and timing when the more likely scenario is that the email was also them.
Imagine when AI is automating the whole process. Including the phone call.
I know someone who got had by a spearfishing call. They knew all the details about his phone contract, sounded 100% legit. The scammer got thousands of dollars in prepaid SIM cards from his account.
After the police investigation, turned out that the scammer was actually a former employee of the phone company who downloaded a copy of the customer list when he got fired.
This is why even if I think something is 100% legit, if a place calls me asking for anything I tell them I have to check on it and call back. Then I’ll call their known public number and go through that way. I’ve avoided a couple scam situations like this
This is literally the correct way to proceed in any inbound communication. Doesn’t matter who it is, the more authority they claim the faster to hang up.
They will try and trigger your lizard brain and make you feel like you must act now.
Honestly this is so simple and effective at stopping these sort of scams dead in their tracks. When you call in to help desk and say “I was just on the phone with your agents about a payment problem” and they don’t see any record, it’ll set off all sorts of alarm bells. Especially if it’s the bank.
So are you saying the original email genuinely was from Apple? If so do you have any idea how the scammers got all that info? And did you ever receive the legitimate call back from Apple?
I’m just speculating but maybe they (scammers) filled out a fraudulent activity form on the Apple site on behalf of the victim and then called before an Apple rep did.
That’s frightening