CBS Sacramento

Why Did Apple Want My Social Security Number For My Netflix Subscription?

January 3, 2017

SACRAMENTO (CBS13) — It started out with a fake iTunes receipt.

From there, it turned into a ridiculous circle designed to steal my identity. Here’s a look at what to watch out for when something seems too ridiculous to believe.

Somewhere buried in my inbox was something that claimed to be an iTunes receipt for an order. Since my wife and I recently started the new season of “Sherlock,” it wasn’t a surprise to see a receipt waiting in my email.

But what was inside was a brilliant piece of social engineering designed to get me to hand over my Apple ID and other relevant and much more sensitive information.

If you don’t know what you’re looking for in a receipt, this all looks like it could be legitimate, except for one glaring thing—Netflix doesn’t cost $36 a month. It’s just the kind of thing that would drive someone to cancel a subscription or get a refund. It’s sure good to see there’s a convenient link waiting to be clicked on.

Hovering over that link showed it was actually pointing to a site that had no connection with Apple. Since the site is designed to scam people, I will not include the name of it in this post.

Following that link in a quarantined browser took me to a page that looks entirely legitimate. In fact, it’s a cloned version of the actual Apple ID sign-in page, right down to the background image.

It’s designed for one purpose: Getting a user to enter their Apple ID and password so the scammer can take it over. So I did what seems perfectly sensible—I entered a phony set of credentials. Since it’s not a legitimate site, it couldn’t actually log me in, so I was curious what the next step would be.

It throws out another fun wrench—my Apple ID has been locked! Oh no, not my fake email address and password! I guess I’d better try to unlock it. This is the part where the scam goes beyond getting an Apple ID.

Rather than a simple challenge question, the site presents users with a slew of questions designed to steal someone’s identity—Name, date of birth, Social Security number and mother’s maiden name. If you followed everything that was requested, they would have your Apple ID as well as enough information to open new accounts under your name.

So what should you do if something like this happens?

  • Check to see if it’s legitimate: Make sure the email is coming from a legitimate address, and hover over links before clicking on them. In fact, if you have any qualms, don’t click anything.
  • Contact the company: If you want to make sure it’s legitimate, reach out to the company directly. Go to their site and find their support or contact us section on your own without clicking anything in the email.
  • Report the email: Search for “(insert company name) fraud email” and you’ll likely find an email address where you can send the fake email. Companies don’t like people pretending to be them, so they’re ready to find these fraudsters.

This story originally appeared on CBS Sacramento on Jan. 3, 2017.