Scam of the Week – iPhone Users Targeted with Spotify Phishing Scam

iPhone users have been targeted with a sophisticated phishing scam designed to steal their Apple ID credentials.

Users have reported receiving emails that claim to come from Apple and the music streaming service Spotify, confirming a year’s subscription to Spotify Premium.

The phishing email is designed to catch the user off guard and alert them to a fraudulent charge being made on their account.

To review the subscription charge, users are directed to click on a link which takes them straight through to an official-looking Apple ID login page with all the branded logos.

The site is in fact a phishing website set up to steal Apple login and password details. The hackers can then use this information to gain unrestricted access to Apple Pay, videos, pictures and personal account information.

It’s believed the scam is taking advantage of the recent changes made to Spotify subscription payments. Spotify users previously had the option to pay for their Spotify Premium account via their Apple ID, but as of August, Spotify now requires its premium subscribers to switch to Spotify’s own payment system.

A spokesperson from Spotify commented on the scam: “The email does not come from Spotify and is a scam/phishing attempt. We encourage all users who have seen or received notice of this particular email to refrain from clicking any links or sharing any personal or payment information.

“We are actively working to have all domains and websites connected to this email blocked and closed down. Affected users can reach out to our customer service using or our Community, with any concerns regarding potential scam offers and/or phishing attempts.”

Despite the convincing nature of the phishing email, there are a number of red flags that point to a well-crafted fake. They include:

  • A grammatical error in the main body of the email – ‘you are in charged for your subscription’. Any official correspondence from Spotify would be proofed for any spelling or grammatical errors.
  • The subscription email claims to be from Spotify, but the payment system being referenced is Apple ID. If any changes or charges were made using an Apple ID, then all account correspondence would come directly from Apple.
  • The URL does not match any of the official Apple web addresses. Despite the address starting with ‘myappleid’, the text is followed by a long line of random words and letters, including ‘aijcbtgroup’.
  • Legitimate sites will always be secured using an ‘HTTPS’ certificate. If a web address starts with ‘HTTP’ rather than ‘HTTPS’, it means the site is not secure and you should leave immediately.
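The last two red flags can be checked automatically, for example in a mail filter or a reporting tool. The sketch below is an added example, not part of the original article or of any MetaCompliance product: the allow-list of Apple domains, the function name `check_link` and the sample links are assumptions constructed for illustration. It compares the end of the host name against the trusted domains, so a link that merely starts with ‘myappleid’ fails, and so does a lookalike that is served over HTTPS.

```python
from urllib.parse import urlsplit

# Assumption: illustrative allow-list of domains that host Apple account pages.
TRUSTED_DOMAINS = ("apple.com", "icloud.com")


def check_link(url):
    """Return the red flags found in a link that claims to open an Apple ID page."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return ["unparseable"]
    host = (parts.hostname or "").rstrip(".")
    flags = []
    # Red flag from the list above: the page is not served over HTTPS.
    if parts.scheme != "https":
        flags.append("not-https")
    # Text before '@' is login data, not the site; it can hide the real host.
    if parts.username is not None:
        flags.append("userinfo-in-url")
    # Compare the end of the host name, never the start: 'myappleid...' at the
    # front says nothing about who owns the domain.
    trusted = any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)
    if not trusted:
        flags.append("untrusted-domain")
        if "apple" in host:
            flags.append("brand-in-untrusted-host")
    return flags


# Constructed sample links (not taken from the real campaign).
SAMPLES = [
    "https://appleid.apple.com/sign-in",
    "http://myappleid-verify.aijcbtgroup.example/login",
    "https://appleid.apple.com.account-review.example/",
    "https://appleid.apple.com@login.example/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", check_link(link) or "no red flags")
```
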

MetaPhish has been designed to provide the first line of defence against phishing and ransomware attacks. Contact us for further information on how we can help protect your business from this growing threat.
