Yikes! I got an email claiming to be from Apple Billing, and when I tapped on the sender, I got a notice that it was a Digitally Certified email from the domain “email.apple.com.” What tipped me that something was weird was that it was addressed, “Dear firstname.”
But it indicated that I had a 14" MBP, which I do, with AppleCare+ renewal coming up soon, which I do. It said there was a problem with the payment method to renew the AppleCare. There was a “button” to tap that had "Fix Visa … then 4 digits that did not match my card.
I tried to do the “tap and hold” to see a link preview, which showed an iTunes Store (?) link. Unfortunately, I accidentally released it in a way that triggered the link, and as I went to immediately “swipe up” to close the app, it triggered FaceID, which registered as approved after I “force quit” the app.
No purchases or subscriptions were made in the App Store or on my ApplePay card. But holy cow, how strange and weird.
Any suggestions about anything I should be worried about?
How the heck could a fake Apple email get marked, in Apple Mail, as “digitally certified” (BIMI standard)? And how can a link to something in the App Store automatically request a FaceID authentication? Ugh, I have the creeps now.
Just sharing as a warning, wondering if anyone has seen anything like this, and also wondering if I should worry about any implications…
As a precaution, I updated my iCloud password and forced all devices / browsers to sign out, and just getting 2 Macs, an iPhone and an iPad all updated was a pain that involved multiple failed verifications, freezes, and one device restart. Come on, Apple!
It’s great that you’re so cautious about potential phishing emails. You can never be too careful.
It does sound like this may just have been a genuine email though, and something had gone wrong with the merge field for your name (and your credit card has been replaced since you first paid for AppleCare, or you paid with ApplePay which would show a different card number).
If it linked you through to the App Store, there’s no fraud that could happen at that point.
Have you tried going to mysupport.apple.com to see what’s actually going on with your AppleCare?
Also one tip: when you hold down on a link in iOS/iPadOS to get a preview, it’s still loading the link. So don’t do that if you think it might be a phishing email. Best bet is to hover over the link on a Mac so you can see the URL without actually generating a preview.
I’ve been caught out by this before on a dodgy email! It’s common advice to check the URL of a link before clicking on it if you’re unsure, but there’s no easy way to do that on iOS without opening the link!
EDIT: the iOS17 beta seems to have added a safeguard:
Having had a few close calls myself, I’ve changed my default behavior. I don’t preview links at all. If I receive an email that may have anything to do with my accounts, email, services, payments, etc., I close it and go directly to the official site and check to make sure everything is as it should be. I don’t preview, click or otherwise mess with the email for fear of accidentally triggering something bad. I also never call phone numbers in an email. If not already in my contacts, I find the number on the official site.
It is a shame we have come to such a low state of mistrust.
Yes and Amen. My problem was that I didn’t pay for the machine & AppleCare with ApplePay (I know I had a good reason at the time), and that rendered a lot of the AppleCare payment status opaque to me. (I could see it was active and would renew, but had no way to see or change the payment method.) Fortunately, I was able to link it to my AppleID, which now ties it into all my other Apple subscriptions.
This is precisely what I do. I call it my, “Oh yeah? We’ll see about that!” move. If there is anything to see, I will certainly be able to view it on the creditor/manufacturer/provider’s site.
Had to update my wife’s phone and MBA with the new password (Apple Music, for which we share the same library), and again, the process was so sloppy. I put the new password in, it says something like “unable to verify,” while another window pops up asking for the 6 digit code, which we pull off my phone. Enter the code, that window goes away, leaving the “unable to verify” message still on screen. Dismiss that, and an alert pops up saying verification is needed, go to Settings / Preferences/ whatever we call it, where we go to find that everything is working.
Nah… It’s not societal mistrust to want to be sure that the person standing outside the window looking in is known to us. That’s all that being cautious about email, or websites, or text messages is about.
It comes with all of the risks of loading a webpage that’s been created by a malicious actor: For most of us, nearly all of the time, the risk is limited to information disclosure (valid email address verification or anything else that can be gleaned by running javascript in a browser). In exceptionally rare cases, it can deliver an exploit for a browser vulnerability, but that’s not something most people should worry about.
I really dislike the preview function and would much prefer it to just show the URL for the link instead.
