As a general rule, clicking on any email asking you to verify a login or a password reset is a terrible idea. It’s easy to build a website that looks authentic and then steals your login info, and it’s hard for even trained IT professionals to tell the difference.
According to one user on Reddit, this particularly nasty Apple ID scam is doing the rounds, targeted specifically at iPhone users. It uses the same standard formula, but viewed on an iPhone, it could be devastating if you don’t know what to look out for.
The subject line, “Reminder: We have update on our Policy Updates Page,” is combined with a fake case reference number to get around the spam filters. The email then uses a tried-and-tested message to try to get you to log in and “verify” your account info:
Recently a request has submitted to reset your password for our client area from unknown device.
Date: 25 October 2017
Country: United States
For security measures, your account has locked until we hear from you. If you have not signed in to iCloud recently and someone may have accessed your account, go to Apple ID and verify your account.
At that point, there’s a big link to “verify my account,” which presumably goes to a fake login page that retains your username and password.
It’s a clever scam, since the recommendation to “go to Apple ID” is exactly what Apple tells you to do, but there are a few tell-tale signs that give it away. Firstly, the English in the copy is inconsistent, and there are grammar errors (although none of the typos that normally litter this kind of thing). The email address is also long and obviously not from Apple.