For every attempt by the Good Guys to thwart phishing or security breaches, the Bad Guys will do their best to trick unsuspecting users—and even those who think they know better—into giving up their credentials.
For instance, Apple has recently implemented a two-factor login option that links login attempts to specific hardware registered by users. If you login via one of your registered devices, things run as before. But login attempts from unregistered devices trigger a text message containing a security code that lets you login once from a different device.
If you don't fully understand how all this works, then the following phishing email that arrived this morning might fool you into thinking someone has used your Apple ID to download a $30 Miley Cyrus album (yikes!) from iTunes:
Subject: About your last Transaction
Your Apple Email ID, was just used to purchase "´´Bangers´´ Album by Miley Cyrus ($ 29,99 ) from the iTunes Store on a computer or Apple Iphone that had not previously been associated with that Apple ID.
If you made this purchase, you can disregard this email. It was only sent to alert you in case you did not make the purchase yourself.
If you did not make this purchase, we recommend that you go to http://apple.com/support/cancel_pending_transaction to cancel the transaction, Confirm that you're the owner of the account and then follow the instructions.
Despite a couple misspellings, the crooks did try to mimic an Apple look via stylesheets: a grey box background for the message body.
Trouble is, the operational link behind the visible one—viewable by rolling the mouse pointer atop the link or, for iOS mail, pressing and holding the link—is to a site that has nothing to do with Apple. Rather, the site is in Indonesia, and has been hijacked by crooks from someplace else. If you were to follow the real link, your browser would be redirected to a URL whose start might fool users into thinking it's Apple, but is, in fact a Brazilian site:
This just goes to show you that even if you do the right thing, such as sign up for two-factor logins, you must still be hypervigilant against the mind games that crooks use to trick you out of your login credentials. Any time an email arrives from anywhere that talks about logging in or passwords, alarm bells should go off in your head. The only thing you should click for that email is the Delete button. Use your bookmark to access the subject site to see if your account needs attention.