• e_chao@lemmy.world
    18 days ago

    Inspired by this post, I just created a phishing test for my staff with a malicious URL in a “report this as spam” link, complete with a required training for those who click the link.

  • Brickhead92@lemmy.world
    29 days ago

    I had one about a month ago now that I was actually impressed with how they did it.

    I have an Apple account just for the kids' Apple devices (required for school). Received an email from Apple support about fraudulent activity and that they’d call at some time. I thought that was weird and checked out the email and everything was legit.

    Call came in a little earlier than in the email. They knew all the right details including the case number, sent a verification code to my mobile from a short code SMS “iCloud” and at that point they had me. But only until they asked me to go to a site apple.somebullshit.com. Well, Apple isn’t going to use a domain that’s not *.apple.com. Went there anyway to check and the SSL cert was from Let’s Encrypt; Apple ain’t using Let’s Encrypt.

    20 years in IT, that’s the closest I’ve been in a very long time to falling for something.

    • Infernal_pizza@lemm.ee
      29 days ago

      So are you saying the original email genuinely was from Apple? If so, do you have any idea how the scammers got all that info? And did you ever receive the legitimate call back from Apple?