This morning I received an e-mail claiming to be from Apple. The e-mail said that my Apple ID has been suspended. This is obviously a scam, but I wanted to check it more thoroughly.

Screenshot of the e-mail below:


First I wanted to see if my Apple ID had really been suspended. I started the iTunes app and logged into my account successfully. This kind of simple test can save you from a lot of trouble.

This e-mail has three alarming signs:

  • Sender: Apple doesn’t use e-mail addresses. Note that many e-mail clients do not show the sender’s e-mail address by default
  • Spelling: the word “therefor” is valid, but not commonly used. Therefore, I consider it a spelling mistake
  • It was sent to an e-mail address that is not linked to my Apple ID

The source code of the e-mail reveals the sender’s IP address and related domain name It also reveals where the “check here to validate your account information” link points to: Virustotal detection ratio for this URL is 7/65. The link leads to a phishing site:

You should carefully check the address bar, because it might reveal the true nature of the website:

  • No secure connection (https) is used. Most phishing sites do not support secure connections
  • The long domain name:
    It is very common to add the name of the target site ( and some technical jargon like “auth.cgi-key” to the URL. The attacker’s domain is The rest is put there just to fool users

Virustotal detection ratio for the phishing URL is 4/65.
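The manual checks above (sender address versus display name, missing https, and the target's name stuffed in front of the real domain) can be automated. The sketch below is an added example, not code from the original post. The message is constructed, the hosts are placeholders, and the "last two labels" domain rule is a simplifying assumption:

```python
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

BRAND, BRAND_DOMAIN = "apple", "apple.com"

# Constructed sample (not the e-mail from the post); hosts are placeholders.
RAW = """\
From: "Apple" <support@mailer.example.net>
Subject: Your Apple ID has been suspended
Content-Type: text/html; charset="utf-8"

<p>Suspended. <a href="http://apple.com.auth.cgi-key.example.net/login">check here</a></p>
"""

class Links(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def base_domain(host):
    # Assumption: naive "last two labels"; use the Public Suffix List in real code.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_url(url):
    parts, findings = urlsplit(url), []
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        findings.append("no-https")
    # Brand name appears in the hostname, but the domain the owner controls differs.
    if BRAND in host and base_domain(host) != BRAND_DOMAIN:
        findings.append("brand-in-host-but-domain-is-" + base_domain(host))
    return findings

def check_message(raw):
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg["From"])
    findings = []
    # Display name claims the brand, but the address is on another domain.
    if BRAND in name.lower() and base_domain(addr.rpartition("@")[2]) != BRAND_DOMAIN:
        findings.append("display-name-vs-sender-domain:" + addr)
    parser = Links()
    parser.feed(msg.get_payload(decode=True).decode("utf-8", "replace"))
    for href in parser.hrefs:
        findings += [f"{f} ({href})" for f in check_url(href)]
    return findings
```

Calling `check_message(RAW)` returns one finding for the sender and two for the link, while a URL such as `https://appleid.apple.com/` passes `check_url` with no findings.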

Further reading: Identifying fraudulent “phishing” email by Apple