If you’re an iPhone user, you might believe you’re completely safe from scams, but the reality is different. Hackers and scammers have been targeting iPhone users for years, mainly because there are so many of us.
Recent reports suggest there are about 1.3 billion active iPhone users worldwide. And when you consider the wealth of personal information on our devices, it’s easy to see why hackers and scammers are so attracted to our phones.
Scams are constantly changing and evolving.
In this guide, I’ll talk about some of the more recent and most common scams targeting iPhone owners and explain how they work so you can avoid them. Plus, at the end, I’m going to share some general tips to help keep you, your phone, and your data as safe as possible.
Contents
- The Smishing Threat
- The MFA Bombing Threat
- The Passcode Threat
- 10 General Tips to stay safe
- 1. Enable Automatic Updates
- 2. Be mindful of personal information
- 3. Silence unknown callers
- 4. Be cautious with links
- 5. Verify everything
- 6. Beware of Social Engineering
- 7. Don’t store sensitive information in Notes/Photos
- 8. Block spam email senders
- 9. Don’t send money to strangers
- 10. Enable Two-Factor Authentication
- Some final thoughts
The Smishing Threat
Recently, researchers at Symantec warned iPhone owners about a new phishing threat and provided steps to stay safe. This threat, known as "smishing," involves phishing via SMS rather than email, hence the name.
Here’s how it works:
You receive an SMS on your iPhone that appears to be from Apple, urging you to address something important related to your iCloud.
Trusting Apple, you click the link, which takes you to a fake iCloud website that looks legitimate, complete with a captcha code. The site asks for your Apple ID information, which you enter as you normally would if you were logging into iCloud on the web.
The problem is that none of it is real. The text isn’t from Apple, the link leads to a fake site, and the information you provide is captured by hackers. Given the personal data stored in iCloud, including login details and banking app passwords, hackers can easily exploit this information.
So why is Symantec talking about this now, when phishing is nothing new? The key issue is the delivery method. While email phishing is well-known and email clients have strong spam filters in place, SMS messages don’t have the same level of protection. Since companies increasingly use SMS for legitimate communications, people are more likely to fall for this scam.
So, how can you avoid falling victim? Be cautious of any messages claiming to be from Apple. Companies using SMS for mass messaging must now verify themselves.
For example, I got an SMS from Apple the other day, in relation to a purchase that I’d made. An SMS from Apple about a recent purchase should show "Apple Notifications" with a verification tick. Always verify the sender and the context of the message. If you receive an unexpected message, don’t follow the link. I was expecting a text from Apple because I knew I’d just bought something, but had I not, this would have made me suspicious. If this happens to you, log into your Apple Store account directly to check for any information.
Remember, Apple will never ask for your personal information, like your Apple account password, or one-time codes, via phone or SMS. If Apple needs you to do something with your account, they will direct you to log in on their official website. Always access your account through official channels.
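To make the two checks above concrete (does the link really go to Apple, and does the text ask for something Apple never asks for by SMS), here is a small triage script. It is an added example, not part of the original article or anything Apple ships; the allowlist of Apple domains and the sample texts are my own constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist for this example: domains a genuine Apple or iCloud text could link to.
APPLE_DOMAINS = ("apple.com", "icloud.com")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
CLAIMS_APPLE_RE = re.compile(r"\b(apple|icloud)\b", re.I)
# Things the article says Apple never asks for by SMS: account passwords and one-time codes.
CREDENTIAL_RE = re.compile(
    r"\b(password|passcode|one[- ]time (?:code|passcode)|verification code|security code)\b", re.I)


def link_is_apple(url: str) -> bool:
    """True only when the host is apple.com, icloud.com or a genuine subdomain of them.
    A look-alike such as apple.com.example.net fails: urlparse() yields the host the
    browser would really contact, and that host does not end in '.apple.com'."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in APPLE_DOMAINS)


def triage_sms(body: str) -> dict:
    """Flag a text that presents itself as Apple but links elsewhere or asks for credentials."""
    links = URL_RE.findall(body)
    claims_apple = bool(CLAIMS_APPLE_RE.search(body))
    off_brand = [urlparse(u).hostname or u for u in links if not link_is_apple(u)]
    reasons = []
    if claims_apple and off_brand:
        reasons.append("mentions Apple/iCloud but links to " + ", ".join(off_brand))
    if CREDENTIAL_RE.search(body):
        reasons.append("asks for a password or one-time code, which Apple never does by SMS")
    return {"suspicious": bool(reasons), "reasons": reasons, "links": links}


# Constructed sample texts (not real messages); the first mimics the fake-iCloud lure.
SAMPLES = {
    "lure": ("Apple: your iCloud account has been locked. Confirm your Apple ID password "
             "at https://icloud-verify-login.com/restore"),
    "receipt": ("Apple Notifications: thanks for your purchase. View your receipt at "
                "https://support.apple.com/billing"),
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        verdict = triage_sms(text)
        print(name, "->", "SUSPICIOUS" if verdict["suspicious"] else "looks ok", verdict["reasons"])
```

The script cannot see the carrier’s verified-sender tick, so it complements the advice above rather than replacing it.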
The MFA Bombing Threat
Earlier this year, a threat targeting iPhone owners made the news. It has since died down, partly because Apple has taken steps to limit the problem. This threat is known as MFA bombing. Here’s what happens:
Instead of receiving SMS messages or emails, you get bombarded with system-level messages, specifically MFA (multi-factor authentication) messages. An MFA message is a pop-up asking if you want to proceed with changing the password associated with your Apple ID. You can either allow it or deny access. While the message is on your screen, you can’t use your phone, and because of the way iCloud works, the notification would appear on all of your connected devices too. The scam works by bombarding you with these messages, sometimes sending hundreds in a short time. This is also called MFA fatigue because the constant need to press deny can make you susceptible to a follow-up attack.
When this was reported in March, Twitter user Parth Patel shared his experience of being targeted by a hacking group.
The hackers bombarded Parth’s Apple account with around a hundred password reset requests, each prompting him to either allow or deny the reset. These were Apple system-level alerts. Although Parth suspected something unusual, he wasn’t too concerned initially. He thought it might be a mistake or someone trying to access his account, but thanks to the two-factor authentication, they couldn’t get in.
The system-level prompts stopped, but about 15 minutes later, he received a call from a number matching Apple’s customer support number. The caller claimed to be from Apple, wanting to help secure his account.
Parth was suspicious and asked for validation. The caller provided a lot of correct information, including his email, phone number, address, and date of birth. However, the caller then used a name that wasn’t actually his, but was instead a name that had been incorrectly associated with him on some online databases. He recognised this, and realised it was a scam.
He ended the call and reported the incident. Importantly, he didn’t give out any information, so he didn’t fall victim.
So, how does this scam work? First, it’s not a random attack. Scammers do some preparation, unlike SMS or email phishing, which is all about volume. Parth is a company founder with a lot of information online.
Scammers target individuals by gathering as much information as possible to answer potential verification questions. They look for details like date of birth, email address, phone number, current and previous addresses, and workplaces. This information is often publicly available through LinkedIn, people directories, or social media.
Once they have enough information, they exploit a weakness in Apple’s system that allows multiple password reset requests in a short period. If you request a password reset, an MFA request is sent to all Apple devices linked to your iCloud account. You would press allow and follow the steps to change your password. Captcha codes are supposed to prevent bots from sending multiple requests, but scammers can bypass them and send hundreds of requests quickly.
The goal is not to make you press allow, but rather to exhaust you with constantly pressing deny. After this, they call you, from a spoofed number, pretending to be from Apple, and offer help, which you are of course now grateful for. During the call, they use gathered information to convince you they’re genuine. They might ask you to approve the next prompt, triggering a one-time password (OTP) sent to your device. The scammers then use this OTP to reset your Apple account.
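The weakness described above is a missing limit on how many reset prompts reach a user. As an added example (my own design, not Apple’s actual fix), here is a server-side guard that caps prompts per account in a sliding window and stops prompting once the user has denied a couple in a row, with a simulation of the hundred-request flood; the account name and timing parameters are constructed.

```python
from collections import defaultdict, deque


class ResetPromptGuard:
    """Server-side throttle for 'allow this password reset?' device prompts (assumed
    design). Caps prompts per account in a sliding window and mutes further prompts
    once the user has denied a few in a row, so a flood cannot wear the user down."""

    def __init__(self, max_prompts=3, window_s=600, deny_limit=2, cooldown_s=3600):
        self.max_prompts, self.window_s = max_prompts, window_s
        self.deny_limit, self.cooldown_s = deny_limit, cooldown_s
        self.sent = defaultdict(deque)         # account -> timestamps of prompts delivered
        self.denies = defaultdict(int)         # account -> consecutive denials
        self.muted_until = defaultdict(float)  # account -> time until which no prompt is sent

    def request_reset(self, account: str, now: float) -> str:
        """Return 'prompt' if a device prompt should be sent, else why it was held back."""
        if now < self.muted_until[account]:
            return "suppressed"   # user already refused repeatedly; the request dies quietly
        window = self.sent[account]
        while window and now - window[0] >= self.window_s:
            window.popleft()      # drop prompts older than the window
        if len(window) >= self.max_prompts:
            return "throttled"    # too many prompts recently, even without a denial
        window.append(now)
        return "prompt"

    def record_answer(self, account: str, approved: bool, now: float) -> None:
        """Feed the user's allow/deny back; repeated denials mute further prompts."""
        if approved:
            self.denies[account] = 0
            return
        self.denies[account] += 1
        if self.denies[account] >= self.deny_limit:
            self.muted_until[account] = now + self.cooldown_s
            self.denies[account] = 0


def simulate_flood(n_requests=100, interval_s=1.0, user_approves=False):
    """Replay a burst of reset requests against one account and count prompts shown.
    Returns (prompts_shown, outcome_counts)."""
    guard, account = ResetPromptGuard(), "victim@example.com"   # constructed account
    shown, outcomes = 0, defaultdict(int)
    for i in range(n_requests):
        now = i * interval_s
        decision = guard.request_reset(account, now)
        outcomes[decision] += 1
        if decision == "prompt":
            shown += 1
            guard.record_answer(account, user_approves, now)
    return shown, dict(outcomes)
```

With the defaults, a user who keeps pressing deny sees two prompts out of a hundred requests instead of a hundred, and the remaining requests never reach their devices.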
To avoid this scam, remember it’s targeted and not random. Your phone number is often the main connector. Some people change their number temporarily to avoid being targeted, though this is pretty inconvenient. Also, be aware of how much information about you is publicly available. Google your name in quotes, with terms like phone number, home address, or email address to see what matches, and then contact sites showing your details and ask them to remove it.
Also, maintain a healthy dose of skepticism when receiving calls, texts, or emails from any company. Apple doesn’t make outbound calls unless you’ve contacted them first, asking them to do so. If you doubt a call, tell the caller you’ll hang up and call Apple support yourself. A real support worker will be fine with this, while a scammer will need to keep you on the line.
And most importantly, NEVER share your OTP, your one-time passcode, with anyone. Apple states this in their messages. It is yours alone, and being asked to share it is a clear sign of a scam.
The Passcode Threat
This threat was first reported last year. The good news is that Apple have taken steps to rectify this issue, but with a major caveat. That’s why we’re discussing it in this article. This threat is known as the passcode threat, where thieves aim to get your phone and the four- or six-digit passcode you use to access it to change your Apple ID. They do this for two main reasons. First, it gives them access to your phone, making it easier to wipe the device and resell it. But there’s a more ominous reason for wanting your passcode.
Obtaining your passcode allows them to remove any biometrics like Face ID or Touch ID and replace them with their own. This gives them pretty much unlimited access to many apps on your device, including banking apps, allowing them to transfer money from your accounts or go on a spending spree using Apple Pay and your cards.
They can also use the passcode to change the password and email associated with your Apple ID. This would have disastrous consequences, essentially locking you out of your phone and all your connected devices like your MacBook, iPad, Apple Watch, and Apple TV.
The best case is regaining access later with minimal damage, but the worst case is hackers could delete or hold your content for ransom. If you’re like me and have thousands of photos, all of your videos and memories in here, you know how valuable those are.
This is a multi-stage attack involving multiple people, though you’ll likely only notice one. Scammers target crowded areas like bars, especially on busy nights. They’ll engage you in conversation and try to see you enter your passcode. They might do this subtly or directly, as shown in a Wall Street Journal video where a former scammer, now in prison, explained his tactics.
He targeted drunk people, offering them drugs and then using the opportunity to enter his phone number into their phone, to set him up as their dealer. Once handed the phone, he would lock it "accidentally" and ask for the passcode to get back in. The user would usually trust him enough to give it. The goal is to quickly get the six-digit passcode and the phone, often by pickpocketing or robbing them later. The group targets inebriated people because they are less likely to call the police immediately, giving scammers time to change the passcode, email, password, Face ID, and Touch ID, making the phone essentially theirs. They then look for banking apps to transfer money or spend using Apple Pay. Once they’ve exhausted all options, they erase and sell the phone.
And look, I know what you’re thinking: you don’t take drugs, so you would never fall victim to this because you would never speak to somebody like this at a bar. But keep in mind that’s just one of the methods they use. They could also approach groups of friends and offer to take a photo of them with one of the phones, then use the exact same tactic we just talked about. So don’t get complacent here.
Apple has taken steps to combat this, but there’s a major caveat. This issue made headlines last year, prompting Apple to respond. Scammers exploited a vulnerability where they could change too much user information with just the passcode. Apple created a setting called Stolen Device Protection. When enabled, additional security requirements are needed when your iPhone is away from familiar locations, like your home or at work for example. The idea is that by doing this, they’re more likely to target phone thieves, rather than people innocently making changes at home. The feature requires Face or Touch ID for major account changes, eliminating the passcode fallback. It also adds a security delay, requiring an hour wait and a second biometric authentication to change your Apple ID password.
So, good news, right? Well, not quite. Stolen Device Protection isn’t enabled by default. You have to go and set it up. Check your iPhone by going to Settings, then Face ID and Passcode or Touch ID and Passcode to see if it’s on. If not, enable it for extra security. Also, I think this is set up on a per-phone basis. So I had this enabled on my phone, but recently replaced my iPhone, and noticed that when I checked, it wasn’t switched on for this new phone.
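To show why the setting matters, here is a small model of the rules described above (away from a familiar location: biometrics only, no passcode fallback, plus a one-hour delay and a second biometric for an Apple ID password change). It is an added illustration of my own, not Apple’s code; the action names, locations and the thief scenario are constructed assumptions.

```python
SECURITY_DELAY_S = 3600   # the one-hour wait the article describes for Apple ID password changes

# Changes the article says a thief makes once they hold the phone and passcode (assumed names).
SENSITIVE_ACTIONS = {"change_face_id", "view_saved_passwords", "change_apple_id_password"}


class StolenDeviceGuard:
    """Simplified model (assumed, not Apple's implementation) of Stolen Device Protection:
    away from a familiar location, sensitive changes need biometrics with no passcode
    fallback, and changing the Apple ID password also needs a one-hour delay followed
    by a second biometric check."""

    def __init__(self, enabled: bool, familiar_locations):
        self.enabled = enabled
        self.familiar = set(familiar_locations)
        self.delay_started_at = None   # when the first biometric for a password change passed

    def attempt(self, action: str, location: str, biometric_ok: bool,
                passcode_ok: bool, now: float) -> str:
        # Protection off, a non-sensitive action, or at home/work: passcode fallback applies.
        if not self.enabled or action not in SENSITIVE_ACTIONS or location in self.familiar:
            return "allowed" if (biometric_ok or passcode_ok) else "denied"
        if not biometric_ok:
            return "denied"            # a stolen passcode alone gets nowhere here
        if action != "change_apple_id_password":
            return "allowed"
        if self.delay_started_at is None:
            self.delay_started_at = now
            return "delay_started"     # come back in an hour with Face/Touch ID again
        if now - self.delay_started_at < SECURITY_DELAY_S:
            return "waiting"
        self.delay_started_at = None
        return "allowed"


def thief_scenario(protection_enabled: bool) -> list:
    """Thief in a bar holding the phone and passcode but no biometrics, trying the
    article's sequence of changes. Returns the outcome of each step (constructed)."""
    g = StolenDeviceGuard(protection_enabled, {"home", "work"})
    steps = ["change_face_id", "view_saved_passwords", "change_apple_id_password"]
    return [g.attempt(a, "bar", biometric_ok=False, passcode_ok=True, now=0.0) for a in steps]


def owner_password_change(times=(0.0, 1800.0, 3600.0)) -> list:
    """Owner with Face ID changing their Apple ID password away from home: the first
    attempt starts the delay, the second is too early, the third succeeds."""
    g = StolenDeviceGuard(True, {"home", "work"})
    return [g.attempt("change_apple_id_password", "cafe", True, True, t) for t in times]
```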
Other lessons we can learn from this scam include using a more complex passcode than the typical four or six-digit numeric code. Avoid obvious codes like all zeros or 123456, because these are the first ones that a scammer will try. A longer passcode with letters and numbers is harder to remember, and harder for scammers to obtain. Also, never tell someone your passcode, especially a stranger. Your passcode ensures only you can access your device. You wouldn’t give a stranger the key to your house, don’t give them the key to your phone.
In terms of phone theft, maintain caution when using your phone in public. We spend as much on our phones as we do on laptops these days, but we treat them with much less care. Don’t leave your phone unattended or use it in ways that make it easy to steal.
Lastly, don’t store your sensitive information in the Notes app or the Photos app. Use the passwords section of the Settings app in iOS 17 or the dedicated password app in iOS 18. This app is locked to biometrics, providing more protection than the Notes app, which is essentially plain text anyone with your phone can access.
10 General Tips to stay safe
1. Enable Automatic Updates
Always allow automatic updates on your iPhone. Go to Settings > General > Software Update, and make sure automatic updates are enabled. If you don’t want the full iOS to update automatically, at least allow security responses and system files to update. Apple often releases security patches quickly to fix flaws, so it’s crucial to install these updates to stay safe.
2. Be mindful of personal information
Be aware of what personal information you’re sharing online and what’s already available. Google your name in quotes followed by terms like phone number, email address, or home address to see what information is out there. If you can find it, others can too. Take steps to remove this information if possible and be cautious about what you share on social media, especially if your accounts are public.
3. Silence unknown callers
Don’t answer calls from numbers you don’t recognize. Use the "Silence Unknown Callers" setting: go to Settings > Phone > Silence Unknown Callers and toggle it on.
This sends unknown numbers straight to voicemail. Be aware that you might miss important calls from unknown numbers, so you may need to manage this setting carefully.
Alternatively, you can screen calls by letting them ring out and then googling the number to see if it’s a scam; this is a method that I use all the time.
4. Be cautious with links
Exercise extreme caution when asked to follow a link in a text message or email. Even if the source seems legitimate, like an email from your energy provider, it’s safer to go directly to the website and log in from there instead of following the link.
5. Verify everything
If you receive a call from someone claiming to be from a company, and you don’t expect the call, let them know that you’re going to hang up and call their official customer hotline. Legitimate representatives won’t mind, but scammers will want to keep you on the line.
6. Beware of Social Engineering
Be aware of scammers manipulating you to give up personal information. For example, scammers might send texts pretending to be your children in trouble; this is a big one going around on WhatsApp at the moment. Verify the situation by calling the number that your children usually contact you from. Again, verify, verify, verify.
7. Don’t store sensitive information in Notes/Photos
Never store sensitive information, like credit card numbers or PINs, passports or social security numbers in your Photos or Notes apps. Use secured locations like the passwords section of the Settings app or a dedicated passwords app with biometric locking.
8. Block spam email senders
Block senders of spam emails as they come through to your inbox. Tap on the sender at the top of the screen and choose to block the contact.
It might sound pointless, but this can reduce the amount of spam you receive, as spammers often use the same email addresses multiple times, and they’ll often stop targeting you when they see that you never open an email.
9. Don’t send money to strangers
Never send money to someone you don’t know, and if you’re paying for a service or a product, only pay invoices. Scammers often ask for money via methods that are hard to recover, like PayPal friends and family or Western Union.
10. Enable Two-Factor Authentication
Ensure two-factor authentication is enabled on your iCloud account. Go to Settings, tap your name, choose "Sign in and Security," and enable two-factor authentication. This adds an extra layer of security for any significant changes to your Apple ID.
Some final thoughts
The last point I want to make is that you shouldn’t be afraid to use your iPhone. Comments on articles like this often say things like, "This is why I only use my iPhone as a phone," or, "This is why I never submit personal information online." That’s not the point I’m trying to make.
What I’m saying is you need to exercise caution when using your device.
The number one piece of advice I can give you is to verify everything.
Don’t assume everyone asking for information online is trustworthy. If you’re unsure about something, stop, take a beat, and verify the information yourself before taking any action. A legitimate person won’t mind you taking the time to verify, but a scammer will try to prey on your trust and push you to act quickly.