A new cyberattack is targeting iPhone users, with criminals attempting to obtain individuals’ Apple IDs in a “phishing” campaign, security software company Symantec said in a warning on Monday.
Cybercriminals are sending text messages to iPhone users in the US that appear to be from Apple but are actually an attempt to steal victims’ personal data.
“Phishing actors continue to target Apple IDs due to their widespread use, which offers access to a vast array of potential victims,” Symantec said. “These credentials are highly valued, providing control over devices, access to personal and financial information, and potential revenue through unauthorized purchases.”
Consumers are also more likely to trust communications that appear to come from a trusted brand such as Apple, warned Symantec, which is owned by Broadcom, a maker of semiconductors and infrastructure software.
The malicious SMS messages appear to come from Apple and encourage recipients to click on a link and sign in to their iCloud accounts. For example, a phishing text might read: “Important Apple iCloud request: Visit login[.]authentic connection[.]info/icloud to continue using your services.” Recipients are also asked to complete a CAPTCHA challenge to appear legitimate before being directed to a fake iCloud login page.
Such cyberattacks are commonly referred to as “smishing” schemes, where criminals use fake text messages from supposedly reputable organizations instead of email to trick people into sharing personal information, such as account passwords and credit card details.
How to protect yourself
Be careful when opening any text messages that appear to be sent by Apple. Always check the source of the message — if it’s from a random phone number, the iPhone manufacturer is almost certainly not the sender. iPhone users should also avoid clicking on links that invite people to access their iCloud account; go directly to the login pages instead.
“If you’re suspicious of an unexpected message, call or request for personal information such as an email address, phone number, password, security code or money, it’s safer to assume it’s a scam – contact this company directly if should,” Apple said in a fraud prevention post.
Apple urges users to always enable multi-factor authentication for their Apple ID for added security and to make it more difficult to access your account from another device. It’s “designed to ensure that you’re the only person who has access to your account,” Apple said.
Apple adds that its own support representatives will never send its users a link to a website and ask them to sign in or provide their password, device password, or two-factor authentication code.
“If someone claiming to be from Apple asks you for any of the above, they are a scammer engaging in a social engineering attack. Hang up or otherwise stop contacting them,” the company said.
Other tips for avoiding scams, according to government watchdogs:
- Set your computer and mobile phone to automatically update your security software
- Never click on links, reply to text messages, or call unknown phone numbers
- Never reply to unrecognized text messages, even if you are asked to “send SMS STOP” to end the messages
- Delete suspicious texts
- If you receive a text message purporting to be from a company or government agency, check your account or go online to verify contact information
The key to safety: “Stop before you engage and avoid the urge to answer,” according to the Federal Communications Commission.
