Spotify users are being warned about a convincing new phishing scam designed to steal their account credentials.
Security researchers at AppRiver uncovered the scam, which uses a common tactic: threatening to suspend a service to pressure the victim into divulging personal information.
The phishing email tells users that they must confirm their account in order to remove restrictions that have supposedly been placed on it. Clicking the link takes the user straight to a cloned website that mimics the legitimate Spotify login page.
Victims are then prompted to enter their username and password, and as soon as they do, the scam is complete. The account can be hijacked and, more often than not, the attackers will also try the same username and password against other services, a technique known as credential stuffing.
An estimated 60% of people reuse the same username and password across all their accounts, so if attackers gain access to just one account, they can attempt to break into them all.
Image: Spotify phishing email (Source: AppRiver)
With such a huge global customer base, the crooks know that there will always be a proportion of people that fall for their carefully crafted phishing emails.
To the untrained eye, the email may appear entirely legitimate but upon closer inspection there are a number of tell-tale signs that point to a phishing scam.
The first warning sign is the sender address and the URL. Neither is a legitimate domain used by Spotify, so the user should immediately be on high alert and avoid clicking any links in the email. Bear in mind that the sender's display name and the visible text of a link can both be chosen freely by the attacker; the address in angle brackets and the actual link target (revealed by hovering over the link) are what need to be checked.
Image: Sender address used in phishing email
The use of urgent language to rush the user into confirming their account is another tactic frequently used in phishing emails. Other signs to look out for include spelling mistakes, poor grammar, claims of prizes, and requests for personal information.
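As an added illustration of the sender-address, link and urgency checks described above (example code written for this page, not AppRiver's or Spotify's), the script below parses a constructed sample message, compares the sender domain and every link target against an allowlist, flags link text that displays one domain while pointing at another, and looks for the urgent wording the article mentions. Both sample emails, the `spotify-account-billing.example` sender and the allowlist containing only `spotify.com` are assumptions made for the example; a real deployment would use the Public Suffix List for domain extraction and a fuller keyword list.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Assumption for this example: spotify.com is the only registrable domain
# Spotify mail and links are allowed to use.
LEGITIMATE_DOMAINS = {"spotify.com"}

# Phrases typical of the "act now or lose access" pressure the article describes.
URGENCY_TERMS = (
    "suspend", "restricted", "within 24 hours", "immediately",
    "confirm your account", "verify your account",
)

# Constructed sample resembling the scam: not the real AppRiver capture.
# The sender and link domains are invented placeholders.
SAMPLE_EMAIL = """\
From: "Spotify" <no-reply@spotify-account-billing.example>
To: user@example.com
Subject: Action required: confirm your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account has been restricted. Please confirm your account
immediately to remove the restriction.</p>
<p><a href="http://spotify-account-billing.example/login">https://www.spotify.com/account</a></p>
</body></html>
"""

# Constructed benign counterpart used to show the checks do not fire on it.
LEGIT_EMAIL = """\
From: Spotify <no-reply@spotify.com>
To: user@example.com
Subject: Your monthly receipt
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Thanks for being a Premium member. View your receipt in your account.</p>
<p><a href="https://www.spotify.com/account">Go to your account</a></p>
</body></html>
"""

HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for .com-style names; use the
    Public Suffix List for anything like .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def sender_domain(msg) -> str:
    """Domain of the real address in angle brackets, not the display name."""
    addr = email.utils.parseaddr(str(msg["From"]))[1]
    return registrable_domain(addr.rsplit("@", 1)[-1])


def extract_links(html: str):
    """Return (href, visible text) pairs for every anchor in the HTML body."""
    return [(h, re.sub(r"<[^>]+>", "", t).strip()) for h, t in HREF_RE.findall(html)]


def analyse(raw: str) -> dict:
    """Run the article's tell-tale-sign checks over one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    findings = []

    sdom = sender_domain(msg)
    if sdom not in LEGITIMATE_DOMAINS:
        findings.append(f"sender domain {sdom!r} is not a legitimate Spotify domain")

    for href, text in extract_links(body):
        target = registrable_domain(urlparse(href).hostname or "")
        if target not in LEGITIMATE_DOMAINS:
            findings.append(f"link target {target!r} is not a legitimate Spotify domain")
        # Visible text that looks like a URL but points somewhere else.
        if "://" in text or text.startswith("www."):
            shown_url = text if "://" in text else "http://" + text
            shown = registrable_domain(urlparse(shown_url).hostname or "")
            if shown != target:
                findings.append(f"link text shows {shown!r} but points to {target!r}")

    lowered = body.lower()
    urgent = [t for t in URGENCY_TERMS if t in lowered]
    if urgent:
        findings.append("urgent language: " + ", ".join(urgent))

    return {"sender_domain": sdom, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_EMAIL), ("legit", LEGIT_EMAIL)):
        result = analyse(raw)
        print(f"{name}: suspicious={result['suspicious']}")
        for f in result["findings"]:
            print("  -", f)
```

Run stand-alone it reports four findings for the constructed phish (bad sender domain, bad link target, link text that shows spotify.com but points elsewhere, and urgent wording) and none for the benign message. The link-text check is the one users most often miss: the blue text can read `https://www.spotify.com/...` while the `href` underneath goes to the attacker's clone.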
Spotify issued advice to its customers on what to do if they think they’ve received a phishing email: “Spammers and phishers can’t get any information from you unless you give it to them. You should never respond to the suspicious email, and don’t click any links or download any attachments in the email.
“You should forward the entire email to firstname.lastname@example.org and then delete the suspicious email from your inbox. Our team will investigate and let you know if the email is legitimate. Your security is always our top priority so please always send us something you’re unsure of.”
Despite the increasing sophistication of phishing attacks, there are a number of ways you can protect yourself online. MetaPhish has been designed to protect businesses from phishing and ransomware attacks and provides the first line of defence in combating cyber-crime. Get in touch for further information on how we can help your business.