A Spotify Email #Scam Is Making The Rounds

Having just returned from vacation, I see that a number of scams have entered my inbox. The one that I will speak about today is a Spotify scam that claims that they can’t bill you for using Spotify:

As usual, the quality of the English in this email is suspect, which should be the first hint that this is a scam. The second sign that this is a scam is this:

This wasn’t sent from Spotify, as the sender’s email domain is “app.mail.com” rather than Spotify.com.

But if you take those two things out of the mix, the look of the email mostly fits the style that Spotify uses in their communications. Thus I can see how someone might fall for it.

Now, if you don’t have a Spotify account and you get this email, the correct response is to delete it and move on with your day. And even if you do use Spotify, the two things that I pointed out should make you delete this email anyway. But what do the threat actors want? I’m betting that this is a phishing email designed to steal your personal information or financial details. So let’s follow the link and find out if that’s true (which, by the way, you should never, ever do yourself).

This is a pretty good copy of the Spotify page. There are some errors but I can see if someone isn’t looking closely enough that they could fall for this. And by closely enough, I mean this:

This should be Spotify.com, but it isn’t, which means that this is a phishing page.
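The two tells called out so far (a sender domain that isn’t the brand’s, and links that lead somewhere other than the brand’s site) can be checked mechanically before anyone clicks. The script below is an added example, not tooling from this post: it parses a constructed lookalike message, pulls the sender’s domain out of the From: header, pulls the hostname out of every link in the body, and flags anything that isn’t spotify.com or a subdomain of it. The sample message, the expected domain and the `.test` hostnames are all assumptions made for the example.

```python
"""Automated version of the two checks in the post: does the sender's domain
match the brand, and do the links in the body point at the brand's domain?
Added example, not the post's own code. The message below is constructed and
EXPECTED_DOMAIN is an assumption; real mail would come from a mailbox."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

EXPECTED_DOMAIN = "spotify.com"  # assumed legitimate brand domain

# Constructed sample in the style the post describes (not a real message).
SAMPLE_EMAIL = """\
From: Spotify <billing@app.mail.com>
To: victim@example.net
Subject: We couldn't bill you for Spotify
Content-Type: text/html

<html><body>
<p>We was unable to process your payment. Please update your details:</p>
<a href="https://spotify-billing.example-phish.test/update">Update payment</a>
<p>Questions? Visit <a href="https://support.spotify.com/">support</a>.</p>
</body></html>
"""


def sender_domain(raw: str) -> str:
    """Domain part of the From: address, lower-cased ("" if absent)."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def link_hosts(raw: str) -> list:
    """Hostname of every href in the (single-part HTML) body."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    return [(urlparse(h).hostname or "").lower()
            for h in re.findall(r'href="([^"]+)"', body)]


def same_org(host: str, domain: str) -> bool:
    """True only for the domain itself or a real subdomain of it.
    'spotify.com.evil.test' does NOT end with '.spotify.com', so it fails."""
    return host == domain or host.endswith("." + domain)


def suspicious(raw: str, expected: str = EXPECTED_DOMAIN) -> dict:
    """Summarise the two tells: sender mismatch and off-site links."""
    sender = sender_domain(raw)
    off_site = [h for h in link_hosts(raw) if not same_org(h, expected)]
    return {
        "sender_domain": sender,
        "sender_mismatch": not same_org(sender, expected),
        "offsite_links": off_site,
    }


if __name__ == "__main__":
    print(suspicious(SAMPLE_EMAIL))
```

Two caveats a practitioner would add: a From: header can be forged, so a matching sender domain proves nothing on its own (that is what SPF/DKIM/DMARC alignment is for), whereas a mismatch like the one here is a reliable red flag; and the link hostname is where the click starts, not necessarily where it ends, since a redirect can still land on a different phishing host.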

And, as I expected, here’s where the threat actors try to steal your credit card details. I typed in a bogus credit card number and it let me through to this page:

This makes you think that it’s doing something, but it’s not. If you typed in your actual credit card details, you’ve been pwned. I believe that this and the next page are just for show, to keep you on the hook:

You’re supposed to get a text message via Visa’s “Verified by Visa” service. And this is where things get interesting. The bogus credit card number that I entered earlier was identified by the website as a Visa card, which is correct, as the number that I entered was in the Visa format. But I found it interesting that they didn’t validate up front that the credit card number itself was valid. I am guessing that they do the validation on the back end of this scam by using the “Verified by Visa” step. I assume that they have similar checks for MasterCard, Discover, and AMEX.
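The behaviour described above, a bogus number being labelled “Visa” without being rejected, is exactly what you get if a form looks only at the card’s leading digits (the issuer identifier) and never runs the Luhn checksum that any real payment form applies before submission. The code below is an added example, not anything recovered from the phishing page: it shows the cheap prefix-only brand lookup beside a Luhn check, using constructed test numbers (not real cards). The specific number the author typed is not given in the post, so `BOGUS_VISA` is an assumption: a Visa-format number that fails Luhn.

```python
"""Brand detection by issuer prefix versus Luhn validity.
Added example, not code from the post or the phishing page. All numbers
below are constructed or standard test values, not real cards."""

# Assumed stand-in for the author's bogus entry: Visa prefix, bad checksum.
BOGUS_VISA = "4111 1111 1111 1112"


def card_brand(number: str) -> str:
    """Classify by leading digits only, the kind of check that would label a
    bogus number 'Visa' without knowing whether it is valid."""
    n = number.replace(" ", "")
    if not n.isdigit() or len(n) < 4:
        return "Unknown"
    if n[0] == "4":
        return "Visa"
    if n[:2] in {"51", "52", "53", "54", "55"} or 2221 <= int(n[:4]) <= 2720:
        return "MasterCard"
    if n[:2] in {"34", "37"}:
        return "AMEX"
    if n.startswith("6011") or n.startswith("65") or n[:3] in {
            "644", "645", "646", "647", "648", "649"}:
        return "Discover"
    return "Unknown"


def luhn_ok(number: str) -> bool:
    """Luhn checksum: from the right, double every second digit (subtracting 9
    when the result exceeds 9); the sum of all digits must be divisible by 10."""
    n = number.replace(" ", "")
    if not n.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(n)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(number: str) -> tuple:
    """(brand, passes_luhn): a legitimate form rejects the number when the
    second value is False; a prefix-only page happily accepts it."""
    return card_brand(number), luhn_ok(number)


if __name__ == "__main__":
    for n in (BOGUS_VISA, "4111 1111 1111 1111", "5555 5555 5555 4444",
              "3782 822463 10005", "6011 1111 1111 1117"):
        print(n, classify(n))
```

Luhn only catches typos and made-up numbers; it says nothing about whether a card exists or has funds, which is why a scam site that skips even this step has to rely on whatever its back end does with the stolen data afterwards.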


So now that we know what the threat actors in this scam are up to, my usual advice applies. If you see this email or one like it, look for the things that I pointed out earlier in this article to confirm that it’s a scam, and then delete the email and move on with your day.

UPDATE: The same threat actor has put out a new version of this email. It looks like this:

They also made one other change to the email: the address that it was sent from:

Clearly they made that adjustment to make the scam more convincing. The rest of the scam remains the same.
