
Warning: your Apple ID is NOT due to expire

Have you had a text, apparently from ‘Apple’, telling you your Apple ID is about to expire? Don’t be fooled – it’s a scam. So what’s being done about it?

I happily admit that I’ve completely bought into the Apple brand. Some people consider them to be a bit expensive, but I love my Apple products. They’re easy to use and the technology’s great. But just like everyone else it would seem that they’re not immune to scams.

Apple ID expiration scam

Apple iPhone users have recently been targeted with a scam text.

This says that your Apple ID is due to expire and advises you to confirm your details via a link which directs you to a very convincing-looking ‘Apple branded’ website.

The site asks for your personal details including date of birth, telephone number, address and payment details – supposedly to unlock your account.

Some security experts have suggested that clicking on the link forwards the message to your contacts. So the scam seems to be spreading like wildfire.

Advice from Apple

As a result of our new scams campaign, I’ve become increasingly concerned about the security of my personal details. So, as an Apple user, I went in search of its advice on this latest scam. What I really wanted to know is what the company is doing about it.

So we asked Apple what it’s advising customers to do. Apple has warned users to be cautious, advising that most account-related activities will take place in iTunes or on an Apple.com website such as the online Apple Store. It has provided guidance on how to spot a genuine Apple email, as well as advice on identifying a phishing email.

Apple also told us that the iTunes Store will never ask you to provide your:

  • Social Security Number/National Insurance Number
  • Mother’s maiden name
  • Full credit card number
  • Credit card CCV code

Apple also advises that you should never send credit card information, account passwords, or extensive personal information to someone, unless you’ve fully verified that the senders are who they say they are.

But is this enough?

Of course, it must be tough to keep on top of all scams – it’s estimated that one is attempted every six seconds in the UK. But the Apple ID expiration scam is one of the most common types – a phishing message.

Our campaign is calling on companies to do more to safeguard us from scams. It’s important to take adequate steps to protect yourself from falling victim to a scam like this, but we want companies like Apple to look at what more they could do to protect people from falling victim to scams.


So have you received one of these texts? What did you do about it? Do you think Apple is doing enough to advise its customers?


If I owned Apple or any major company with their amount of clout for that matter, I’d simply write to domain registers saying don’t allow any URLs to be registered with my copyrighted company name in it, without checking with our fraud department first. Similarly I’d do almost the same thing with social media sites. Is it really that difficult for these overpaid CEOs to not show some degree of intelligence?

And do we know if the names/addresses used in these scam sites (FYI, sites are registered to UK individuals) are being contacted? I suspect the scammers are fraudulently using some poor soul’s details. Long gone are the days when scammers would use their own details in places far flung.

I have been warned many times my Apple account would be closed down unless I logged in and updated my details (using the link in their email of course).

I have never had an Apple account!!!

Lauren, this is simply a continuation of another topic on phishing. I’m not at all sure why you want to know ‘what the company is doing about it’. There are millions of these scams, all very similar, all asking you to follow dubious links and give away all your secrets. It’s not Apple doing it; it’s thieves, rogues, vagabonds, miscreants, ne’er-do-wells, looters, pillagers. It’s also somewhat misleading that the topic header starts by aiming at Apple, even hinting at potential insecurity in Apple itself (they have a reputation for being pretty secure – but are they really?) but ends by calling on ‘all companies’ to take action.

As an analogy someone knocks at your door and claims to be from the Council. They come in and ask you for all your papers, money and valuables. They don’t show you any ID, don’t wear any uniform but they try to ‘sound like’ Council workers.

Two questions: do you hand over all your worldly goods, chattels and loaves and, secondly, do we decide to have a petition demanding that councils do something to stop this?

Apple’s as secure as it gets. Try losing your Apple ID and forgetting your password and the answers to the secret questions you’ve set up and see how easy it is to get them reinstated. People need to educate themselves and learn about the risks. They’ve probably cottoned on to not patting a bull or sticking their hands in a wasps’ nest but being on the internet is as much about security and care as any other activity. People need to become more savvy.

“Apple’s as secure as it gets.” Really? Ask Jennifer Lawrence and dozens of other celebrities just how Mickey Mouse the iCloud password system was back in 2014. Best I can describe that was amateur hour by a greedy corporation.

You need to research your facts. All that was down to a phishing attack. The Apple ID system itself was not the issue.

“According to NBC News, it’s 36-year-old Ryan Collins the person responsible for phishing login credentials from many celebrities. With usernames and passwords in hand, he was able to log into Gmail accounts and even download iCloud backups from where he extracted nude photos.

What Collins did to gain access to at least 50 iCloud accounts and 72 Gmail accounts between November 2012 and September 2014 was rather simple. He sent his victims emails that looked like they originated from Apple or Google, fooling them into handing their credentials over.”

If people respond by following links and then input their details without extensively checking they deserve what they get.

Well done Ian. It’s refreshing to see a balanced, well thought out response to some of the mis-informed hysteria we see all too often.


Again I say: some people will always fall for the simplest scam. They can be warned and told about it, but some will fall for it.

Duncan brings up an interesting point. BT does have a server-side option blocking capability for individual senders, but spammers change the ‘from’ fields as often as their socks (or more, probably). The only email address from which I’ve never, ever had spam is my Apple iCloud address.


Never owned any Apple product in my life, find them overpriced with plenty of lower priced alternatives. Yet I have friends and work colleagues who drool over anything Apple, just cannot see it myself!

Or, put another way, making money out of Apple fans is Apple’s job! They should want to do their best to stop others from milking their cash cows, especially when, as here, fraud may also be involved.

The most frequent phishing message I receive from the Apple impersonators tells me that I am running out of storage space on my iCloud account. I always post the offending message on to Apple’s security department, though whether they do anything with it is anyone’s guess.

Keith says:
20 May 2016

Stop being so damn ridiculous. Why target Apple specifically… this sort of scam is happening daily and I see all sorts aimed at my bank, LinkedIn, Facebook, etc. Are you going to campaign to get them to address their scam issues? How about directing your energy to getting the scammers and spammers shut down, that would be a greater good.

Hello Keith, sorry for the delay in responding. Our scam experts have been in Cardiff continuing our Scams Roadshow to raise awareness of scams and give free advice to those concerned about them.

This post doesn’t target Apple – Apple customers are being targeted by this scam. We are raising awareness of this scam to Apple customers so that they aren’t caught out and have asked Apple for their advice for their customers and put it here too. We’ve also asked the question of what more companies could be doing.

You can see all of the scams we’ve raised awareness of here: https://conversation.which.co.uk/tag/scams/ We also invited Commander Chris Greany of the Met Police to share his advice and help on cybercrime, which you can read through here: https://conversation.which.co.uk/money/banking-scams-action-fraud-itv-tonight/

Our scams campaign is also working on the issue of scams as a whole, looking for a concerted and joint effort from the government and businesses to sort them out. You can read more about it here and join 70,000 others in supporting it: https://campaigns.which.co.uk/scams-fraud-safeguard/

This is not just a text-based scam; this hits any Apple-based email system such as @icloud.com, @me.com, etc. The emails pose as official Apple emails, but here’s how to check their validity.

WARNING!!! DO NOT CLICK ANY LINK on the emails. Fake Apple ID emails contain links to 2 or 3 part hack structures which hit your email services; they can also obtain credit card information and location to commit advanced acts of fraud.

Here’s how to tell a fake Apple ID email.

1: Look at the email address received from. Some email systems will hide the complete email host but you can click on the email address name and it discloses the full details.
2: Examine the format of the subject header including its wording. Poor English is a huge clue here in their emails; lack of correct grammar and punctuation are also good indications.
3: Examine the format of the email body. Do not double click the email to read it, just preview it. You will notice a number of issues including: poor English language usage, poor grammar and punctuation.
4: Examine any attached files that are visible such as logo files, etc. These have been cloned and altered.
5: Sometimes the email will not be a pure HTML-based email; it will be an image-embedded email with HTML links. With this there can be potential embed instructions.
6: You will also spot certain words like “blocked”, “Permanently” and also be aware that some comments can be of a forced instruction nature, basically threatening the use of your Apple ID.

How these scams work:

These scam emails fall under the following action methods…

1: A cloned version of Apple ID login script service.
2: A cloned version of Apple’s website.
3: A direct connection instruction (rare) but this has surfaced.


You will know if you accidentally engage with one of these emails how to be 100% sure of its flaws by looking at the web address bar. THIS IS A HUGE CLUE! The domain Apple uses officially is a secure APPLE ID framework with a secure ID key. These pages do not have this and are front ends to extremely dodgy websites. Some of these websites can contain virus code and yes, Macs CAN be potentially harmed but the likelihood is rare. There are Mac-based viruses but the likelihood of such occurring is rather rare. There is the potential for a background embedded key logger script in the website constructed (cloned from Apple’s secure service) to clone your details, etc. then attempt lookups.

Here is what to do if you receive any of these emails.

1: Right click on the email and “Forward As Attachment”.
2: In the email address field, please use the two following addresses: Abuse@icloud.com and reportphishing@apple.com
3: If you receive more than one of these (I have done so and as a developer, my data is secure) please contact Apple and inform them of a potential security threat and that your iCloud account may have been compromised. They will advise you to change your iCloud password and I advise you to do the same. They will also advise you to do steps 1 and 2 of the above.

We as consumers have the legal right under data protection for our email addresses to be protected. Apple has the legal right to secure their systems completely by performing a rewrite of their web systems and blocking copy options etc. or screen grabs to edit site forms etc. This is achievable but it’s a question of whether Apple will listen. I have channeled my time into this but there’s only so much time I have or patience. As a customer and service provider for Apple for 20 years plus, this is where a lot of headaches are now surfacing for customers.

Good luck.
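
An added example, not part of the comment above and not Apple's own tooling: a Python sketch that applies check 1 (sender address), check 6 (pressure wording) and the address-bar clue to a constructed message, and also reads the receiving server's DMARC verdict. The domain allow-list (built from domains named on this page), the sample email and the function names are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: allow-list built only from the Apple domains named on this page.
APPLE_DOMAINS = ("apple.com", "icloud.com", "me.com")
# Pressure words quoted in step 6 of the checklist.
PRESSURE_WORDS = ("blocked", "permanently")

# Constructed sample message (not a real phishing email).
SAMPLE = """\
From: "Apple Support" <noreply@appleid-verify.example>
To: undisclosed-recipients:;
Subject: Your Apple ID has been blocked
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=appleid-verify.example; dmarc=none header.from=appleid-verify.example
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account will be Permanently disabled.</p>
<a href="http://appleid.apple.com.login.example/verify">Verify now</a>
</body></html>
"""

def in_apple_domain(host):
    """True only if host is an allow-listed domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in APPLE_DOMAINS)

def triage(raw):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []

    # Step 1: compare the friendly name with the real sending domain.
    display, addr = parseaddr(msg.get("From", ""))
    if "apple" in display.lower() and not in_apple_domain(addr.rpartition("@")[2]):
        findings.append("display-name-mismatch")

    # DMARC verdict recorded by the receiving server. Only trust this header
    # when it was added by your own mail provider.
    verdict = re.search(r"\bdmarc=(\w+)", msg.get("Authentication-Results", ""))
    if not verdict or verdict.group(1).lower() != "pass":
        findings.append("dmarc-not-pass")

    # Step 6: threatening wording in the subject or body.
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(word in text for word in PRESSURE_WORDS):
        findings.append("pressure-wording")

    # Address-bar clue: where do the links really go? Compare the end of the
    # host name, so "apple.com" appearing as a leading label does not count.
    for url in re.findall(r'href="([^"]+)"', body):
        host = urlparse(url).hostname
        if not in_apple_domain(host):
            findings.append(f"off-domain-link:{host}")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The checks read the message text only; nothing is fetched or opened, which matches the advice to preview rather than click.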

Ed, I totally agree! I’m not a developer, just a bog-standard user but there has been so much publicity and warnings about online scams that, dare I say it, it’s almost the user’s own fault if they do not take note of what they are reading.

Yesterday, Apple downloaded the new Sierra OS to my iMac. It may have been pure coincidence but within an hour, I had an email, purportedly from Apple, telling me that my Apple account had been accessed by an iPhone 5s from somebody called ‘Emma’. “If this was me, ignore it or if not… blah, blah….click on this link”. Like a muppet, I clicked the link, and found a page asking for account details. The penny started to drop and I went back to the email – body font looked right but it wasn’t addressed to me and the “From” entry was somewhat strange and nothing in the recipient line. D’uh! In a case like that, my immediate reaction is to forward it to “Action Fraud” and let them deal with it.

The obvious thought is, “If in doubt, chuck it out!”

Back again, this time to alert folks to a very new piece of Malware. My wife received it yesterday, and it was sent from [removed]@ which. net…

I’ll resist asking Lauren if she intends to run a topic asking what Which? are doing to stop this (!) and restrict myself to describing the scam.

“This fake document scan has a malicious attachment. It appears to come from within the victim’s own domain, but this is a malicious forgery.

From: admin [[removed]@(various inc. Which.net)]
Date: 24 March 2016 at 15:25
Subject: Scanned image

Image data in PDF format has been attached to this email.

I have only seen a single sample with an attachment containing a malicious script [pastebin] which in this case downloads a binary from:

[Links removed by mods.]

My sources say that other versions download from:

[Links removed by mods.]

As this Hybrid Analysis shows, the payload is the Locky ransomware. The dropped binary has a detection rate of just 3/55. Those reports show the malware phoning home to:

The important point here is that the Which? Mail servers allowed this through without question. No system is perfect and it behoves every email user to educate themselves as to the dangers of opening unsolicited attachments. But please stop trying to pin the blame on companies such as Apple. They at least have DMARC, or Domain-based Message Authentication, Reporting, and Conformance records. Which?, it would seem, does not…

[Hi Ian, we’ve just had to edit your comment to remove the malicious links. We’ll be in touch with you about this, so thank you very much for raising it. Thanks, mods.]



Did this really reach you via the Which? Mail Servers – or was it just yet another case of “joe jobbing”?

Yes – it really was allowed through the Which.net servers, because I went onto the server itself to check. I also queried it with the W? tech support who confirmed two things: no one in Which? itself owns the address and it ought not have got through.

In short, Which.net has not yet deployed DMARC (en.wikipedia.org/wiki/DMARC) which is a far more sophisticated system for preventing malicious communications than the currently-used SPF records. This is why I feel the tone of the header in this topic is so misplaced.


Topleveldeals . co. uk are among the worst offenders for spam. This company, registered in Panama (!), spoofs its email ‘from’ address routinely, making them appear to be from companies you use and trust, including M & S, and their techniques are deplorable. On a recent email, purporting to offer you £500 from M & S but in fact attempting to sign you up to a draw costing £4.29 per week, there were the usual number of links, including one to ‘unsubscribe’. In the interests of research I followed that link. That link, and every other link on the email, led to the same page: one emblazoned with the M & S sparks card and offering entry to the draw. No unsubscribe, no account – nothing.

Again, the Which.net servers allowed that email through. So I have some questions: why doesn’t Which.net use Domain-based Message Authentication, Reporting and Conformance records? They’re not alone, of course: surprisingly few sites do at the moment, but with spam as bad as it is surely every system possible should be deployed to aid subscribers.

Mark says:
21 May 2016

It is simple. Never, ever, ever follow a link in an unsolicited text or email. Add a few more evers if the message is asking you to confirm personal details. Go to the site’s website by hand typing its homepage address into the address bar (NOT copying and pasting!) and log in there. If you can’t do that, forward the message to the ‘contact us’ address and ask them if it’s genuine.

Peter Lee says:
21 May 2016

I have never received any texts but during the end of 2015 I received several emails purporting to be from Apple that aroused my suspicions. I reported this to Apple and I have yet to receive any acknowledgement or reassurances that this scam attempt was and is being taken seriously. Apple need to have more respect for the concerns of their customers.

They may have great products, but, in my experience, Apple’s after-sales service is appalling. For a considerable time, now, I’ve been trying to make an appointment online to visit a “Genius Bar”. All I ever get is a message advising me that there are no appointments available. So the fault on my MacBook Pro remains unrepaired and I have no way, that I can find, to have it repaired.

In my experience Apple’s after sales service is outstanding. I have had a friend’s four-year old iMac repaired free of charge by Apple and when my wife’s 3 year old MacBook Pro’s drive failed (Apple doesn’t make the drives) Apple sent a courier around the next day with a box ready for the laptop and delivered back to her 48 hours later fully functioning. If you’re having an issue finding an Apple repairer then I would suggest you visit the Apple UK main site, where under ‘support’ you can locate the nearest recognised dealer. Alternatively, describe the fault on Google and the Apple support forums will flock to your aid.

I, too, have received this text message. I simply deleted it, as it was so very obvious that it was a scam. It’s difficult to understand how people can be fooled by these things. A few weeks ago, I received an email that informed me that there was something wrong with my Apple account, and that I should update my details. In that case, there was something about the email that made me think it was genuine, but I’d never click on a link in an email that I was not expecting, even if it has come from a company or individual I would usually trust, so I rang Apple to check. It was indeed the real thing – I’d forgotten to update when my credit card went out of date – and I resolved the matter by then going directly to the website.

This is quite easy to defend against! Turn on second factor authentication so any changes made to your account require a code sent to a second device like your phone. The scammers won’t have your phone so any changes will be rejected and you will get an alarm message from Apple. As others have said, look at the long headers in the email – it may look as if it comes from Apple but of course it doesn’t.

Well, the ‘weekly scoop’ has just gone out with this as the main leader item:

Is your Apple account secure from this Apple ID scam? Read more about the threat

which itself raises more questions. Why is Apple being targeted by Which? in this way? Why not Microsoft, or Google, or your bank, your post office account, your Sky subscription – in short anyone for whom you need both a username and password? Yes – these scams are flying around the internet at an astonishing rate for just about every company you can name and some you can’t, but I’m not at all clear why the topic only mentions Apple.

And why does Which? not maintain an up to date list of known scams for all companies? It could be grouped under subheadings such as Banks, Building Societies and so on and would, I believe, be far more effective than YASS – yet another scare story.

Hello Ian, firstly I’m sorry that we’re only responding to you now. Our scams experts have been in Cardiff continuing our Scams Roadshow where they’ve been raising awareness of scams, helping people with advice on how to spot them and being a safe place for vulnerable people to get help. They’ve been joined by members of the police and MPs, who have come out in support.

Secondly, I’m sorry that it wasn’t clear what this post is about. I feel it was written in a very balanced way. It is raising awareness of a scam that has recently become very prominent – the Apple ID scam. Not only have we explained how to spot the scam so that people can keep on their guard, we’ve asked Apple themselves what advice they have for their customers and listed it here too. This all acts as a warning to people and how they can avoid it. We’ve also asked the question – could businesses be doing more to raise awareness of these scams?

Where many companies haven’t, we have pro-actively gone out to our members and supporters to let them know about this scam and others so that they can avoid them. One of these ways is in the ‘Weekly scoop’ email to Which? members. We are doing our best to raise awareness of this scam and so many others, including the Microsoft phone scam, the BT phone scam, the TalkTalk phone scam, and how we worked with Google to crack down on scam copycat websites. Indeed, you can see a list of all the scams we’ve raised awareness of here: https://conversation.which.co.uk/tag/scams/

It’s also worth mentioning that we have a monthly column in Which? magazine called Scam Watch where we help a member with a scam and advise our readers on how to avoid it. This then links to Which? Conversation with a historical list of all those scams to help people and for them to tell us about new scams: https://conversation.which.co.uk/tag/scam-watch/ We also have extensive advice on scams here: http://www.which.co.uk/consumer-rights/scams

Of course, we want to hear what more we could be doing as well. But I want to make clear that no company is safe from scams and we will continue to work hard to raise awareness, but also to call for more action to tackle them. And with your support and the support of thousands of others on our scams campaign, we will get somewhere. Thank you.

And thank you, Patrick, for a fulsome response. Whilst I do appreciate Which? doing what it can to help I just think in this case the header was…slanted and gave the impression that somehow Apple were at fault. Given that slant it’s hardly surprising that some of the posts complained about Apple cost, equipment and after sales – none of which has to do with the scam.

In effect the Apple ID scam (as I’m sure you’re aware) is no different from any of the other thousands of scam emails that attempt to trick people into giving out sensitive information. D’you not think Which?’s energies should be focussed more on general scam education rather than mounting what appears at the least to be a single scam topic on a fairly narrow user base? Which? is ideally placed to raise awareness of scams, their techniques and their flaws and when those same techniques can be applied to various financial targets it seems unwise or even somewhat profligate to focus only on one type. Just my thoughts, anyway.


Andy Turner says:
21 May 2016

I recently had an email from Apple Store advising that a new purchase had been made for a TomTom update and, if I had not made the purchase, to click on the link to let them cancel the order. When I clicked on the link I was directed to a page requesting my payment details to receive a full refund. I realised that this was a scam, closed the link and deleted the email. Others might not come to the same conclusion, so please share this with everyone.