Apple Gives Tips on Avoiding Phishing Scams Amid Warnings of New SMS Threat

[MacRumors]

Apple this month refreshed the security support document that provides iPhone, iPad, and Mac users with tips on how to recognize and avoid social engineering schemes like phishing messages and fake support calls.

The updated information follows recent reports of "smishing" attacks targeting Apple IDs. Malicious actors have been sending out SMS text messages that attempt to get users to provide their Apple ID usernames and passwords on a fake iCloud website.

Apple's guidelines provide key information that all users should be aware of to protect themselves, such as a recommendation to ignore messages with suspicious links. Apple says that it will not ask for Apple ID passwords or verification codes, and users should contact Apple directly rather than answering a suspicious phone call or message claiming to be from Apple.

Further, Apple will not ask users to log into any website, to tap Accept in the two-factor authentication dialog, or to enter a two-factor code into a website. Apple will also not request that users disable features like two-factor authentication, Find My, or Stolen Device Protection. Apple's security tips:

• Never share personal data or security information like passwords or security codes, and never agree to enter them into a webpage that someone directs you to.
• Protect your Apple ID. Use two-factor authentication, always keep your contact information secure and up to date, and never share your Apple ID password or verification codes with anyone. Apple never asks for this information to provide support.
• Never use Apple Gift Cards to make payments to other people.
• Learn how to identify legitimate Apple emails about your App Store or iTunes Store purchases.
• Learn how to keep your Apple devices and data secure.
• Download software only from sources you can trust.
• Don't follow links or open or save attachments in suspicious or unsolicited messages.
• Don't answer suspicious phone calls or messages claiming to be from Apple. Instead, contact Apple directly through official support channels.

Scammers will go to great lengths to get personal information, so Apple recommends watching out for tricks like creating a sense of urgency through scare tactics like stolen personal information or unauthorized charges. Scammers are after login information and security codes, so that information should not be entered on a website accessed through a link in a text or an email.

Apple also warns against downloading unrecognized, unsafe software and configuration profiles and following instructions on pop-ups. Users who receive a pop-up should ignore the message and close the entire window or tab.

Apple has further instructions on how to spot social engineering schemes, the forms those schemes can take, and how to report suspicious emails, messages, and phone calls. There is a separate support document on what to expect from Apple Support and the kinds of information Apple will not request.

Article Link: Apple Gives Tips on Avoiding Phishing Scams Amid Warnings of New SMS Threat

 

[JapanApple]

“Download software only from sources you can trust”
these are words to live by

 

[Fuzzball84]

Fishing scams have proliferated but I still don’t see many people down at the pier or by the lake these days.so I have no idea how so many people are getting scammed when participation is down 🤔

In all seriousness… only visits sites you trust, download from sites you trust and never take a risk if something doesn’t feel right.

 

[Unity451]

"Smishing" is about the most un-menacing word I can think of. Beware of the Smishers! (by Dr. Seuss)

 

[Realityck]

Took a week for this news to show up on most press/news services

original source July 2nd. (link was in the OP)

Apple IDs Targeted in US Smishing Campaign

Phishing actors continue to target Apple IDs due to their widespread use, which offers access to a vast pool of potential victims. These credentials are highly valued, providing control over devices, access to personal and financial information, and potential revenue through unauthorized...

www.broadcom.com

Copy Link
Phishing actors continue to target Apple IDs due to their widespread use, which offers access to a vast pool of potential victims. These credentials are highly valued, providing control over devices, access to personal and financial information, and potential revenue through unauthorized purchases. Additionally, Apple's strong brand reputation makes users more susceptible to trusting deceptive communications that appear to be from Apple, further enhancing the attractiveness of these targets to cybercriminals.
These campaigns are mostly conducted via email although increasingly also through malicious SMS. A very recent case saw a threat actor distributing malicious SMS messages in the United States.
Observed malicious SMS:

• Apple important request iCloud: Visit signin[.]authen-connexion[.]info/icloud to continue using your services.

Typically, smishing actors restrict access to their malicious websites to users on mobile browsers and specific regions to evade detection by monitoring systems. However, in this instance, the malicious website is accessible from both desktop and mobile browsers. To add a layer of perceived legitimacy, they have implemented a CAPTCHA that users must complete. After this, users are directed to a webpage that mimics an outdated iCloud login template.

 

[now i see it]

The scams always follow the same game plan. They’re easy to spot.

Always starts out with some sort of threat to create fear and anxiety.
In the past there were some that claimed you had come into tins of money.
Then -always- there’s a link that they provide to “fix” the problem or just a phone number.

Is it a Scam?
Threat or ridiculous + link = yes.
Easy.

 

[JosephAW]

Turn off link preview. That way you can hover on a link to see what it is.

 

[macfacts]

I thought messages go through apple servers, can't apple see one number is "robo calling" people and just block those messages.

 

[ifxf]

Another reason not to put all your eggs in 1 basket. Only use Apple for devices and software. Use other companies for email, banking, cloud, streaming, music, etc.

 

[The_Gream]

Good thing I am good and paranoid (not sure if it is from all the humans I have been around in life or EVE Online), but I avoid pretty much every weird text or email.

Though I do try to have fun with those crazy “Oh I am so sorry. my secretary must have typed the number in wrong.” All the text come across as if written by a non native English person. I now tell them I am a luft balloon pilot for a company that transports hogs. Flying Pigs or Hog High.

 

[anthony131]

Why don’t they send these sorts of announcements out via email? This is the first I’ve heard of such events. Would love my colleagues and family to be made aware of this.

 

[kerr]

Would be good if Apple could do their part.

iCloud, Apple TV+, software/rental purchases: email from no_reply@email.apple.com with Apple logo and blue verified checkmark. Great!

Hardware purchase: dodgy looking email from au_cons_do_not_reply@asia.apple.com, no evidence to suggest it's legitimate even though it is. Gmail understandably sends such emails to spam folder.

 

[coolfactor]

More proof that everything in the Universe exists in balance. For every good person, there appears to be an evil one. 🤪

 

[coolfactor]

Would be good if Apple could do their part.

iCloud, Apple TV+, software/rental purchases: email from no_reply@email.apple.com with Apple logo and blue verified checkmark. Great!

Hardware purchase: dodgy looking email from au_cons_do_not_reply@asia.apple.com, no evidence to suggest it's legitimate even though it is. Gmail understandably sends such emails to spam folder.

The "apple.com" root domain is pretty good evidence that it's legit, although there are sneaky ways around that, too.

 

[johannnn]

Download software only from sources you can trust.

And this is why I, as a European, will never install Epic Store or Alt Store or Optional Store och Shift Store or whatever all thousand different stores will be called.

Great supporting document btw. I should give it to my less tech savvy family and grand parents.

 

[iPhoneFan5349]

I thought messages go through apple servers, can't apple see one number is "robo calling" people and just block those messages.

I can’t even block the number because it has no actual number

 

[madmin]

Smish smash I was taking a bath
On about a Saturday night
Rub dub just relaxing in the tub
Thinking everything was alright
Well I stepped out of the tub
Put my feet on the floor
Wrapped my Vision Pro around me
and it opened the door, and then a
Smish smash I jumped back in the bath
Well how was I to know a third party app store was allowed
There was a smishing and a smashing, reeling with the feeling
Moving and grooving, wheeling and a stealing, yeah

 

[Jonnod III]

I have an email address only used for my Apple ID. So all the phishings sent to my main email address are obviuos.

 

[jasonsmith_88]

Apple will do anything except add sms/call filtering.

 

[svish]

Good set of tips. Always good to be careful.

 

[Strebor]

It's time Apple mail and iMessage start to investigate URLs in mails. If www.ups.com is visible, but the link goes to some a different domain, like to.com/234567890 then it's obvious there is something phishy going on and the mail is a phishing mail. Apple Mail and iMessage should put a warning beside the URL. Also allow me to configure what to do with such mails (send to spam, or just put a warning sign beside URLs).

This also goes for mail services like Google Workspace, Gmail. Microsoft 365, Outlook, Yahoo and others.

 

[Strebor]

More proof that everything in the Universe exists in balance. For every good person, there appears to be an evil one. 🤪

I think there are a lot more good ones than evil ones.
It's just that some of the evil ones manage to get more power than is good all.

 

[polyphenol]

Just this morning, I had a phone call from a withheld number. I get very few calls so thought it possibly genuine but entirely prepared to terminate.

It was a genuine call from my water company.

Why do companies still withhold numbers? Just a generic presentation number would be so much more sensible.

(When I used to get lots more calls, I'd not even answer such calls.)

 

[softeky]

Apple will also not request that users disable features like two-factor authentication, Find My, or Stolen Device Protection.

Thanks for the article. Apple does, however, request that Find My is disabled when an Apple Watch is unpaired and moved to a different account. Not a completely surprising request for this particular task though. This step is probably not automated to better thwart device theft as this step also requires the provision of an ID account password.

 

[Apple_Robert]

It's time Apple mail and iMessage start to investigate URLs in mails. If www.ups.com is visible, but the link goes to some a different domain, like to.com/234567890 then it's obvious there is something phishy going on and the mail is a phishing mail. Apple Mail and iMessage should put a warning beside the URL. Also allow me to configure what to do with such mails (send to spam, or just put a warning sign beside URLs).

This also goes for mail services like Google Workspace, Gmail. Microsoft 365, Outlook, Yahoo and others.

I don’t want Apple reading my email regardless of the cause.