Is Apple really encouraging me to click a link that could go anywhere?

Earlier today I was installing an app on my iPad and the iTunes store wanted some “additional security details”.  I set up some questions and answers, feeling reasonably confident that, as I was using the App Store app, the details were actually being taken by Apple.  In addition it requested an optional email address for account recovery but it wouldn’t let me use my normal email address because that’s also used for my Apple ID (so why does that make it invalid for account recovery?)

I supplied a different email address and the App Store accepted the “additional security details” and let me complete my purchase…

Then, I got this email:

From: Apple [appleid@id.apple.com]
Sent: 27 April 2012 14:08
To: Mark Wilson
Subject: Please verify that we have the right address for you

Thank you.

You’ve taken the added security step and provided a rescue email address. Now all you need to do is verify that it belongs to you.

The rescue email address that you gave us is [email address removed] . Just click the link below to verify, sign in using your Apple ID and password, then follow the prompts.

Verify Now >

The rescue email address is dedicated to your security and allows Apple to get in touch if any account questions come up, such as the need to reset your password or change your security questions. As promised, Apple will never send any announcements or marketing messages to this address.

When using Apple products and services, you’ll still sign in with your primary email address as your Apple ID.

It’s about protecting your identity. 
Just so you know, Apple sends out an email whenever someone adds or changes a rescue email address associated with an existing Apple ID. If you received this email in error, don’t worry. It’s likely someone just mistyped their own email address when creating a new Apple ID.

If you have questions or need help, visit the Apple ID Support site.

Thanks again,

Apple Support

(The actual email was prettier than this, for example it contained graphics with Apple logos, and an Apple footer, but the words are reproduced here almost verbatim – in addition to removing my email address, I’ve also edited the verification link to make it invalid, but otherwise that’s the way it was presented).

This email annoys me for two reasons.

  1. I hate security theatre. Real security should involve something I have and something I know. All of Apple’s questions are just about something I know. In effect, it’s just multiple passwords…
  2. Apple have sent me an email asking me to confirm an email address but with no personally identifying information (no “Dear Mark”; no “Dear Mr Wilson”, nothing that confirms my relationship with them), asking me to click a link that could go anywhere. If this were from PayPal we’d be saying “noooo – don’t do it, it’s a phishing attack!”.

I was very careful about checking out the link in the email and it does appear to have been genuine, but Apple has an enormous market of largely unsuspecting and trusting consumers, not all of whom could be described as “IT literate”. By not encouraging any from of “safe computing” Apple is setting a very bad example – and is re-enforcing practices that consumers should be avoiding.  Microsoft has some good advice on their site for symptoms of phishing and several of the symptoms are present in the email I received from Apple.

Earlier today I dismissed an article that quoted Eugene Kaspersky as saying Apple was 10 years behind Microsoft in terms of security [awareness] – too many vested interests at play, I thought. On the other hand, if this afternoon’s email really does represent Apple’s corporate culture towards security, they do have some serious catching up to do…

7 thoughts on “Is Apple really encouraging me to click a link that could go anywhere?


  1. You supplied them a new email address and they sent an email to it to verify it. Seems like a reasonable thing to have done. What should they have done?

    I guess the “click the link … [then] sign in” seems a bit OTT, as they can just embed a unique GUID in the link to authenticate it – or was it that bit what was getting you all het up? :-)


  2. Hi Duncan, I have no problem with validating the email address, but show me something that proves it’s from Apple – how about my last 5 iTunes purchases (for example), use my name (not just “thank you”), and make it very clear that this is a genuine email.

    And anyway, there’s no reason why I should have to use a new email address… just because my Apple ID uses my real email address; it’s not at Apple (i.e. not @me.com or similar), so it shouldn’t matter for recovery purposes…


  3. I couldn’t agree more with your post. I tried signing into my Apple account and looking for a place to verify this information without clicking the link. No such luck. I am more than happy to verify my email address, but not clicking any links in email when I cannot verify the source.


  4. I had the same experience. I did start to verify the “rescue” email address but stopped as I too was suspect. Then today I received exact same email generated letter to my normal Apple email sign in identification asking me to verify that address was the “rescue” address. Interestingly enough filling out the Form the first time would not allow me to use my original email sign-in as a rescue email address. I smell a scam.
    This all happened when I too Installed a purchased app on my iPad.
    I asked my teenage son if he had heard of this. He had and verified the info. He received this info after purchasing an app as well.

    I am a little concerned because my credit card info is on apple account.


  5. I agree Mark, I just sent Apple feedback along the same lines. It’s irresponsible of them to encourage people to blindly follow a link to “validate” critical information. It undermines the efforts of banks and others to educate people about the number one rule of online security – be sure of who you are dealing with!

    Thanks for posting, glad it’s not only me who has a problem with this!


  6. I too received one of these messages and was ultra suspicious especially since I have not given them new email address recently and to make matters worse the address they sent me was just a valid (under gmail rules) variant of my usual i.e. main Apple account ID. When I tried to verify as directed in the email it rejected my password and clicking on any other link produced a broken URL message. So, bottom line, I still don’t know if I have been phished or not!
    I have tried changing my Apple password through my iphone but now it wants me to enter the security code for my card – I’m really not sure what to do.

Leave a Reply