Spotify Phishing Scams Are on the Rise: Here’s How You Spot One

With hundreds of millions of users worldwide, it’s no surprise that scammers use Spotify’s name and reputation to trick people.

Phishing scams involving Spotify have risen considerably, but there are a few ways you can avoid them.

What Is a Spotify Phishing Scam?

Spotify phishing scams arrive in your inbox disguised as a regular message from Spotify. They typically claim something has happened to your account, your account password, or your account payment method and that immediate action is needed.

The two most common email subjects I’ve received are “Important ! We noticed unusual activity in your Spotify account” and “Your Premium payment failed,” both designed to trick you into clicking the link in the email. I’ve included images of these Spotify phishing emails below so you can check out what they look like.

However, the email is fake, and the link takes you to a fake payment portal designed to steal your banking information. Note that when I scroll over the supposed link to reset my account or verify my details, the URL is a long, random alphanumeric string. It almost looks legit—but has nothing to do with Spotify at all.

Now, I don’t advise you to do this, but when I clicked through this link, my browser warned me that I was about to open a phishing link and that I should stop immediately.

How to Spot a Spotify Phishing Scam

While Spotify phishing emails are on the rise, they don’t bring anything new to the phishing email format. That is to say, while they can look convincing at a glance, they’re easy to spot when you give them a little scrutiny, and it’s all about those little details.

1. Sender Address: Official Spotify emails come from an account marked “[email protected]”. For example, if you receive a Spotify password reset, that’s the account the reset link will be sent from (see the above image). Email addresses can be spoofed, but any email provider worth it’s salt will block the usage of registed domains like Spotify’s using common email security protocols.
2. Fake Links: As mentioned above, if you hover your mouse over any link in the Spotify phishing email, it’ll show the URL. Spotify’s password reset emails originate from “accounts.spotify” and anything else is fake. In conjunction with the sender address, this should make filtering out phishing emails an easier process.
3. Spelling and Grammar: Poor spelling and grammar were once simple methods to spot any phishing email. The rise of AI tools has made it much easier for scammers to accurately create properly formatted phishing emails, so don’t rely on this.
4. Do You Have an Account?: I have a Spotify account, so receiving emails about the platform isn’t out of the question. However, if you don’t have a Spotify account and you still receive an email, you can disregard it.
5. Immediate Action: All phishing emails attempt to create panic and worry, suggesting something needs actioning immediately. It doesn’t; take a moment to check the other factors, and you’ll save yourself a bunch of time, effort, and potentially money.

Phishing emails are an annoying fact of life. There are a few ways you can avoid phishing emails, but if your email has ever been leaked as part of a data breach (or sold on by a website or service), they’ll appear in your inbox whether you like it or not.

Just remember the golden rule: if you don’t know where the email came from, don’t click the links.