Think naming the wrong movie as Best Picture at the Oscars is embarrassing? What about giving away your personally identifiable information (PII) in order to get a refund on movies you never actually paid for?
The Fortinet report cites a user who was sent a phishing email containing a fake receipt claiming the recipient spent nearly US$100 on five movies. The spam email offered a link that users could click to request a full refund if the transaction was not authorised – implying possible fraudulent activity on the target's iTunes account. The link led to a phishing page asking for such PII as the user's name, address, birth date, phone number, payment card information, social insurance number, and mother's maiden name.
Clicking the cancel transaction button transmits the data to the scammers in plain text, at which point the user is redirected to the legitimate Apple website. According to Fortinet, the scam is reminiscent of 2015 iTunes phishing emails that targeted UK and Australian users with fake receipts for books and songs – except this iteration is even more convincing due to the scam's use of recent movie titles and its lack of overt mistakes.