Matt Mullenweg, of WordPress fame (and infamy), was almost phished in a sophisticated scheme that used Apple’s own support structure to enable the diabolical attack:
What made the attack impressive was the next move: The scammers actually contacted Apple Support themselves, pretending to be me, and opened a real case claiming I’d lost my phone and needed to update my number. That generated a real case ID, and triggered real Apple emails to my inbox, properly signed, from Apple’s actual servers. These were legitimate; no filter on earth could have caught them.
Then “Alexander from Apple Support” called. He was calm, knowledgeable, and careful. His first moves were solid security advice: check your account, verify nothing’s changed, consider updating your password. He was so good that I actually thanked him for being excellent at his job.
That, of course, was when he moved into the next phase of the attack.
It’s a harrowing tale that was thwarted primarily because Mullenweg remembered the first rule of Apple support:
Apple will never call you first.
Apple is more likely to unceremoniously shut down your account if it suspects fraud or any other shenanigans, forcing you to call them. If you get a call or text from anyone claiming to be from Apple, assume it’s a scam and call Apple support directly. The number is at the bottom of apple.com: 1-800-MY-APPLE (1-800-692-7753).
John Gruber, when linking to this at Daring Fireball, wrote:
One of the tells that alerted Mullenweg that this was a scam was that he knew he hadn’t initiated any of it, so his guard was up from the start. Another is that the scammer texted him a link pointing to the domain “audit-apple.com” (which domain is now defunct). That domain name looks obviously fake to me. But to most people? Most people have no idea that whatever-apple.com is totally different than whatever.apple.com.
Gruber is right about the (important but rarely understood) distinction between the two domain names, but it’s worth noting that Apple does use several domains in the form of whatever-apple.com. For example:
appleid.cdn-apple.com
icons.axm-usercontent-apple.com

There are a total of eleven “something-apple.com” domains (most of them *.cdn-apple.com), plus a couple of oddities, like apple-mapkit.com and token.safebrowsing.apple, so while “audit-apple.com” does indeed seem suspicious, it’s not entirely implausible that it could have been real.
(Apple maintains a list of its legitimate domains for network administrators. From what I can tell, Apple never uses hyphenated domains for customer-facing links.)
The truth is, you shouldn’t rely on visually inspecting domain names to determine their authenticity, as they’re easily spoofed. If you get an email from Apple and you’re at all suspicious, type apple.com into your browser and navigate to the relevant section from there.
A final suggestion: Use a password manager. If you inadvertently click a link that asks for your login credentials, and your password manager doesn’t fill them in, proceed with caution: it’s quite likely a phishing attempt. While not foolproof, a password manager is a good backstop against fraudulent domains. Get one. (Naturally I prefer the built-in Apple Passwords app, but I (still) have hundreds of accounts in 1Password, and others have recommended Bitwarden, LastPass, and more.)