Scam of the Week: Spotify Phishing Scam Tricks Users into Revealing Credit Card Details

December 13, 2019 9:59 am Geraldine Strawbridge

Spotify users are being warned to avoid a new phishing scam designed to steal their credit card details.

The scam was uncovered by security researchers at MailGuard, who noted the phishing emails bear a striking similarity to legitimate correspondence sent out by the music streaming service. To gain the user’s trust, the email uses the display name ‘Spotify’, alongside the company’s logo, branding and other images found on official Spotify pages.

The malicious emails are titled ‘Your payment didn’t go through’ and inform the recipient that as their payment couldn’t be processed, their subscription has been paused. Consequently, the user will lose all the benefits of their premium subscription, including the ability to listen to their favourite songs offline, and without the interruption of ads.

Spotify Phishing Scam (Source: MailGuard)

Promoting a sense of urgency is a common psychological tactic used in phishing attacks. Criminals want the user to feel that they are missing out and need to take immediate action to reinstate their full account services.

To get their account back up and running, the user is encouraged to click the green button with the words, ‘Get Premium’.

If the user clicks on the link, they are taken to a fake Spotify-branded phishing website that asks for their login details. Once they log in, they are directed to another similar-looking site that asks them to update their payment information, including their credit card number and CVV security code.

Spotify Phishing website (Source: MailGuard)

In the final stage of the attack, the user is asked to update their billing details. This provides the fraudsters with yet another layer of personal details that can be used in further scams. Once the user clicks ‘Finish’, they are redirected to a Spotify page containing a ‘404 error’ message.

The attack demonstrates the attention to detail the crooks will use to scam their victims. With 248 million active users, Spotify is the world’s largest music streaming site and hackers have been quick to capitalise on the site’s popularity by launching a range of different phishing scams aimed at defrauding users.

Spotify has advised members that they will never ask for personal information over email. This includes:

  • Payment information (credit card number, debit card number, etc.)
  • Account password
  • Social Security number or tax identification number

How to Protect Yourself from Phishing Scams

To protect yourself from falling victim to a phishing scam, you should follow the below guidelines:

  • Never click on links or download attachments from unknown sources.
  • Always verify the security of a website.
  • Hover your mouse over the links contained in emails to check if they are legitimate; don’t click unless you are sure they are safe.
  • Pay close attention to the spelling of an email or web address; if there are any inconsistencies, delete the email immediately.
  • Ignore and delete emails with poor grammar and formatting.
  • Install the latest anti-virus software solutions on all your devices.
  • Use strong passwords to reduce the chance of your accounts and devices being hacked, and use a different password for each account.
  • Question the validity of any email that asks you to submit personal or financial information.
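As an added defender-side illustration of the two link checks above (seeing where a link really points before clicking, and scrutinising the address for lookalike spellings), the following Python script performs the same checks mechanically over an email's HTML. It is not from the original article or from MailGuard; the sample email body is constructed, spotify.com is assumed to be the only legitimate domain for this brand, and the two-label "registrable domain" logic is a deliberate simplification (a real mail gateway would use a public-suffix list and a fuller allow-list).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: the brand the email claims to come from
# legitimately uses only this domain (subdomains such as support.spotify.com are fine).
TRUSTED_DOMAINS = {"spotify.com"}

# Constructed sample mimicking the "Your payment didn't go through" lure described above.
# Hosts use the reserved .example TLD; nothing here is a real phishing domain.
SAMPLE_EMAIL = """
<html><body>
<p>Your payment didn't go through, so your Premium subscription has been paused.</p>
<a href="https://spotify-premium-billing.example/renew">Get Premium</a>
<a href="http://www.spotify.com.account-update.example/login">www.spotify.com/account</a>
<a href="https://support.spotify.com/">Help</a>
</body></html>
"""


class _AnchorCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> tag in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    parser = _AnchorCollector()
    parser.feed(html)
    return parser.links


def registrable_domain(host):
    # Naive: keep the last two labels. Correct for spotify.com, wrong for co.uk-style
    # suffixes; production code should consult the public-suffix list instead.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_link(text, href, trusted=TRUSTED_DOMAINS):
    """Return a list of finding tags for one link; an empty list means nothing suspicious."""
    findings = []
    parsed = urlparse(href)
    if parsed.scheme not in ("http", "https"):
        return ["non-web-scheme"]
    if parsed.scheme != "https":
        findings.append("not-https")
    host = parsed.hostname or ""
    dom = registrable_domain(host)
    if dom not in trusted:
        findings.append(f"untrusted-domain:{dom}")
        # Lookalike: the brand name appears somewhere in the host, but the part that
        # actually decides who owns the site (the registrable domain) is not the brand's.
        for t in trusted:
            brand = t.split(".")[0]
            if brand in host.replace("-", "").replace("_", ""):
                findings.append(f"brand-lookalike:{host}")
                break
    # The "hover" check: visible text that looks like a URL must agree with the real target.
    text_host = None
    if "." in text and " " not in text:
        text_host = urlparse(text if "://" in text else "https://" + text).hostname
    if text_host and registrable_domain(text_host) != dom:
        findings.append(f"text-href-mismatch:{text_host}->{host}")
    return findings


def triage_email(html, trusted=TRUSTED_DOMAINS):
    """Return [(text, href, findings)] for every link in the message."""
    return [(text, href, check_link(text, href, trusted)) for text, href in extract_links(html)]


def is_suspicious(html, trusted=TRUSTED_DOMAINS):
    return any(findings for _, _, findings in triage_email(html, trusted))


if __name__ == "__main__":
    for text, href, findings in triage_email(SAMPLE_EMAIL):
        print(f"{text!r:32} -> {href}\n    {findings or 'ok'}")
```

Run as a script it prints one line per link: the "Get Premium" button is flagged as a brand lookalike on an untrusted domain, the second link is flagged three times (plain http, lookalike host, and visible text that disagrees with the real target), and the genuine support.spotify.com link comes back clean. The same `triage_email` function can be dropped into a mail-filtering pipeline or a user-reported-phish workflow.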

Identifying a phishing email has become a lot harder than it used to be as criminals have become more advanced and deceptive in their attack methods. MetaPhish provides a powerful defence against phishing and ransomware attacks by training employees how to identify and respond appropriately to these threats. Contact us for further information on how we can help protect your business.