Skip to content

Unpacking Phishing Scams: Spotify Phishing Scam

Whilst carrying out one of my routine Microsoft 365 Defender Quarantine checks this morning I came across a lovely example of one of the better phishing examples I’ve seen in quite some time.

The email of course was tagged as High Confidence Phishing by Microsoft which means the system is doing its job but for those who may not be so lucky to have the benefit of such technologies (the team here at Deployus are always happy to discuss any concerns around Cyber Security matters) it could be something that someone could easily fall for.

So, what was found? A quite legitimate looking email advising that your Spotify account and a renewal issue. Of course, looking at the links, these were not directed to Spotify at all and should be the first sign of a phishing attempt besides the sender address being spotify@mail.com. Otherwise quite a good looking and legitimate looking email.


Clicking on those links take you to a very legitimate log-in page, which does not even require any valid credentials of course. Once this page is passed you’ll get the below, a Verify Your Payment Details page, all looking very Spotify and legitimate.

From there once details are entered it’ll head to a fake verification code, which of course won’t work and by then the scammers are off spending your hard earned money.

At the end of the day the scammers are trying harder, continue to target high volume use services and you’re not just always being phished for your user credentials; credit cards and even any form of ID is a valuable and saleable commodity in the current digital landscape.

 

Have Any Questions? 

To learn more about scams and cyber attacks, check out our blog post on the Current Online Scams in Australia and how you can protect yourself. 

If you have any further questions regarding phishing attacks or other cybersecurity concerns, require cyber security training for your organisation or wish to carry out phishing simulations on your workforce, please don’t hesitate to contact us today or head to our website to learn more about our services. 

FAQs

While bank accounts hold the most money, services like Spotify or Netflix are “low-hanging fruit.” People are less likely to be on high alert when receiving an email about a music subscription than they are about a bank transfer. 

  • Volume: Almost everyone has a streaming subscription, so hackers can send millions of emails and hit thousands of real users. 
  • Credential Stuffing: Hackers know people reuse passwords. If they steal your Spotify login, they will immediately try that same email and password on your Amazon, PayPal, or work email accounts. 

Not necessarily. Just clicking a link can sometimes cause problems even if you don’t type in your credit card number. 

  • Tracking: When you click, the hacker now knows your email address is “active” and that you are willing to click links. This will make you a target for more dangerous scams in the future. 
  • Malware: Some “malicious” websites are designed to download a small piece of virus software to your device now the page loads, which can track your typing or steal your photos. 

Pharming is a more advanced version of a scam. In a regular phishing scam, you are sent to a fake website with a weird URL (like spotify-updates.net). In a pharming attack, hackers “poison” your internet settings so that even when you type “www.spotify.com” into your browser, you are secretly sent to a fake version of the site without knowing it. This is why it is important to keep your computer’s security software and router settings up to date. 

Yes, this is called “Smishing” (SMS Phishing). You might get a text saying your subscription has expired, or a “payment has failed,” followed by a short link. 

  • Urgency: These texts often sound very scary or urgent to make you act without thinking. 
  • Hidden Links: Because phone screens are small, it is harder to see the full website address, making it easier for scammers to hide fake URLs. 
  • Rule of Thumb: Never click a link in a text message. If you are worried about an account, open your browser and go to the official website yourself. 

If you have 2FA turned on, a hacker cannot get into your account with just your password. 

  • The Second Key: They would also need the secret code that is sent to your phone or generated by an app. 
  • Real-time Alert: If you suddenly get a 2FA code on your phone when you aren’t trying to log in, it’s a “red flag” that someone has your password and is trying to break in. You should change your password immediately.Â