Author - Blaine Transue
Posted - 03/03/2021 02:50pm
Apple Subscription Renewal and Account Change Email Scam
Well, here we go again, another round of fake Apple emails hitting our servers today. This one appears to be fairly legit, although if you are familiar with Apple's style, you'll notice that it's not up to par. There are a couple of emails in this group, both of which at first glance appear to be from Apple, but look deeper before you click those links.
First clue: do a quick right-click on the "From" address and check the sender's email address. The first one appears to be coming from no_reply@email.apple.com. OK, so I guess that's possible, but if you've received any other correspondence from Apple in the past, a quick check will reveal that it usually comes from noreply@apple.com or noreply@email.apple.com. Granted, that's a subtle difference that most people wouldn't catch, but it's enough to make me suspicious.
Check the From email address (this example is from the fake email).
[Screenshot: the From address in the fake email]

Search your Inbox for any other legit email from Apple and compare, and you'll see that they usually come from noreply@apple.com (or noreply@email.apple.com).
[Screenshot: the From address in a legit Apple email]

The next clue for me was that the subject is "Your Apple Subscription Renewal". Well, in my case, I know I don't have an "Apple Subscription" of any kind, and the subject itself is unclear: subscription to what? Maybe they were just in a rush, right? Let's dig a little deeper anyway.
Look at the body of the email. In other correspondence I have received from Apple, they refer to me by name, but in this case, they used the first part of my email address instead. I've been a customer since 1985. Did they suddenly forget my name, change their policy, or is it that whoever sent this doesn't have any idea of what my name is?

[Screenshot from the fake email]

[Screenshot from a legit Apple email]
Another small clue: in the fake email the username is bold and lowercase; in the actual email it's not bold and is all uppercase.
Ok, these are all pretty subtle differences and maybe still not enough to convince you it's wrong, so let's move on and look at the body of the email.
Note the following:
  • Addressed to a partial username and not the actual name of the recipient
  • No specifics given about what "changes" were made
  • Non-standard double spaced characters
  • Unidentified embedded hyperlink (Apple always displays the actual full URL and it's never an embedded hyperlink)
  • The word "unauthorised" is misspelled (that should be a BIG clue)
  • The body copy is not formatted to fit the screen
  • The copyright symbol in the footer is broken
  • The address is incorrect
In general, this is just "sloppy" and if you know Apple, you know they are anything but sloppy, in fact, their hallmark is perfection, so I already know this email could not possibly have come from Apple, but just in case someone in Cupertino was having a really bad day, we'll look deeper still.
The embedded link is suspicious in itself as it says "Unblock Account Now". If my account was blocked, wouldn't they have mentioned that as well?
And by the way, Apple NEVER embeds links to manage your account.

Be careful not to click the link, as that's just what they want you to do. Instead, right-click on the link and copy it.

Copy the link to your clipboard and paste it into a text editor.
In this case, the link goes to what appears to be an Amazon AWS subdomain. Ask yourself, why would Apple redirect me to Amazon to do anything when they have a mountain of their own servers?
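The same check can be done without touching the link by reading the message's HTML source. The Python sketch below is an added example, not part of the original post: it lists each link's visible text next to the host it really points to and flags anything outside apple.com. The sample HTML and the `.example` hosts are constructed stand-ins, since the post does not give the actual URL.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body; hosts under .example are placeholders.
SAMPLE_HTML = """
<p>Dear jdoe,</p>
<p><a href="https://signin.cloud-host.example/verify"><b>Unblock Account Now</b></a></p>
<p><a href="https://support.apple.com/">Apple Support</a></p>
<p><a href="https://apple.com.account-check.example/">appleid.apple.com</a></p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None          # [href, text] of the anchor being read

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            href, text = self._open
            self.links.append((href, " ".join(text.split())))
            self._open = None

def host_allowed(host, allowed):
    # Match the domain itself or a true subdomain; "apple.com.evil.example"
    # must not pass just because it starts with "apple.com".
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)

def suspicious_links(html, allowed=("apple.com",)):
    """Return (visible text, real host) for links outside the allowed domains."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return [(text, urlsplit(href).hostname)
            for href, text in parser.links
            if not host_allowed(urlsplit(href).hostname, allowed)]

if __name__ == "__main__":
    for text, host in suspicious_links(SAMPLE_HTML):
        print(f"{text!r} -> {host}")
```
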

This should all be enough to convince you that something isn't right, but just in case it doesn't, go a step further and look at the message headers. Most email clients allow you to look at the headers, essentially the path the email has taken to get to you. In MacMail, for example, while viewing the message, click the "View" menu and scroll down to Message > All Headers.

This will show you the details of the message path. You don't need to know what all of it means, and honestly, most of it will look like Greek to anyone, but pay special attention to things that just don't look right. Remember, this is supposed to be from Apple, a well-oiled machine and a company that prides itself on not making mistakes, so ANY mistakes or errors should be a clue that something isn't right.
  • The test of something called the SPF record failed
  • The SPF sender does not match the SPF record
  • The HTML Font is invalid
  • The IP address of the sender is unknown
  • The authenticated sender is something called abbey105
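For readers who would rather not eyeball raw headers, the following Python sketch (an added example, not part of the original post) pulls out the SPF, DKIM and DMARC verdicts recorded by the receiving server and compares the envelope sender's domain with the From domain. Both sample messages are constructed, with reserved example hosts and IPs; they are not the headers from the screenshot.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples: a spoofed message and a clean one.
SAMPLE_FAKE = """\
Return-Path: <sender@mailer.example.net>
Received-SPF: fail (mx.example.org: 203.0.113.45 is not permitted) client-ip=203.0.113.45;
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=sender@mailer.example.net; dkim=none; dmarc=fail header.from=email.apple.com
From: Apple <no_reply@email.apple.com>
Subject: Your Apple Subscription Renewal

body
"""
SAMPLE_LEGIT = """\
Return-Path: <bounces@email.apple.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bounces@email.apple.com; dkim=pass header.d=email.apple.com; dmarc=pass header.from=email.apple.com
From: Apple <noreply@email.apple.com>
Subject: Your receipt

body
"""

def domain_of(header_value):
    """Domain part of the address in a From/Return-Path header ('' if none)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def auth_results(msg):
    """Map spf/dkim/dmarc to the first verdict in Authentication-Results."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value):
            verdicts.setdefault(method, verdict.lower())
    return verdicts

def related(a, b):
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def triage(raw_message):
    """Return a list of findings; an empty list means nothing stood out."""
    msg = message_from_string(raw_message)
    verdicts = auth_results(msg)
    findings = [f"{m}={verdicts.get(m, 'missing')}"
                for m in ("spf", "dkim", "dmarc")
                if verdicts.get(m) != "pass"]
    from_dom = domain_of(msg.get("From", ""))
    env_dom = domain_of(msg.get("Return-Path", ""))
    # A mismatch is a hint, not proof: bulk senders often use their own
    # bounce domain, which is why the auth verdicts are checked first.
    if env_dom and not related(from_dom, env_dom):
        findings.append(f"envelope sender {env_dom} does not match From {from_dom}")
    return findings
```

Only trust an Authentication-Results header added by your own mail provider; anything earlier in the chain can be forged by the sender.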

The bottom line is, these emails appear legitimate, but look before you leap, as they say. A little attention to what you're looking at now will save you a lot of aggravation later.