Here's the scam email:
The reason this one got me is because it's a receipt for purchases. In the past year I got a similar email from Amazon where someone had gotten into my account and bought about $100 of digital games before I managed to call Amazon and straighten everything out.
The first thing I did with this scam was click on the button circled in red above because it said "you will be billed each month unless you cancel now". This took me to the following screen which looked very similar to Apple's website:
I was asked to put in my user name and password. My password didn't work because it's not an Apple website so I was then given the following screen. It was way past my bedtime and I was tired so I should not have been doing this without a clear head.
I don't log into my Apple page very often so I thought this was a reset password page. I was confused as to why they needed all this information and even though it felt wrong I still put in my full name, address, birthday, Visa info and social security number. No where did it even ask for a password so I really don't know what I was thinking in filling this out and as soon as I hit send I panicked.
Then I did damage control.
Here are some things you can do if you've given away your personal information, or had it stolen through a credit breach (which seems to be all to frequent these days):
1. I called my Visa card to cancel the card and said my information had been stolen.
2. I changed my Apple email and password just in case they were able to grab that information when I initially tried to log in on the first page.
3. Set up Fraud Protection on my credit reports. Fraud alert messages notify potential credit grantors to verify your identification before extending credit in your name in case someone is using your information without your consent. I set up an account with ProtectMyID.com which is a part of Experian and signed up for their service to get my credit report and set up fraud protection. I could not find a way to set up fraud protection without signing up for their service. Once you have an account it still takes some effort to get to the correct page. They have a section called ID Theft Protection that has 6 steps that the website will help you with but when you want an immediate resolution at 10pm at night it's best to find the page where you can sign up for Fraud protection. There is no search function in this website so I went back to Google and looked up "Experian Fraud Protection" and eventually got to this page. At this point you might even think you are signing up for Experian but I was taken to ProtectMyID.com which isn't exactly a bad thing since I was able to achieve my two goals of getting fraud protection set up and seeing my credit report.
If step 3 sounds crazy then I have to agree, it seems like alot of hoops to jump through just to get fraud protection and I guess it's because they are trying really hard to get you to sign up for a monthly plan. I've not figured out how to sign up for Fraud protection without signing up for service.
I read in this Consumer Reports that ID protection companies are NOT very helpful in protecting your ID and this page gives some great tips on do-it-yourself safeguards.
Fraud protection will last for 90 days and the credit website you report to first, will report to the other two credit report websites. The Consumer Reports page I referred to above, recommends staggering requests for credit reports to every 4 months, that way you can cycle through the 3 companies 3 times per year.
I do realize that there is a website where you can get Free Credit Reports but you have to mail a request form with ID and wait for them to mail your reports so I'll do this in the next 3-4 months as Consumer Reports has recommended.
Finally, step 4 is to eliminate the email used in the scam. It's over 10 years old and gets a ton of scam emails. I think it's time to wind this email account down and use new ones that are not as infected with junk mail.