
Apple ID alert: This scam is stealing accounts right now using real Apple support tickets


A new phishing scam is using real Apple Support tickets to try to trick iPhone and Mac users into handing over their personal accounts. According to a story detailed in a post on Medium, Broadcom's Eric Moret came very close to losing his entire Apple account to some very sophisticated scammers who were able to use the iPhone maker's own support system to convince him to willingly hand over authentication codes.

Moret details the steps the scammers took to convince him, from start to (almost) finish. It started with multiple alerts, including two-factor authentication prompts, that indicated someone was attempting to break into his iCloud account. This was followed by multiple phone calls from calm, professional-sounding Apple "agents" who appeared helpful in their attempts to assist him with the issue.

When the process to reset his iCloud password had been completed, Moret was told he’d get a link to “close the case.” That link was the part of this new scam that took him to a fake website with the address appeal-apple[.]com. The website informed Moret that his account was currently being secured and that, in order to close the case, all he needed to do was enter a six-digit verification code that would be sent to him via text. When he received it, he entered the code into the fake website, which is what ultimately gave the scammers behind this campaign access to his account.

Moret then received an email telling him that his account was being used to sign in to a Mac mini, even though he did not own one – indicating that someone had, in fact, gained access to his account after all. Though the scam caller assured him this was expected, Moret reset his iCloud password a second time, which bounced the scammers out of his account. He very narrowly avoided a full takeover of his account because he listened to and trusted his instinct at the last moment.

How to stay safe from this phishing scam


The best way to protect yourself from this scam and others like it is to simply avoid responding to unexpected calls or texts – even if the person on the other end is claiming to be from IT or customer support. Instead, hang up or don't reply, and contact the company directly through an independent channel to confirm if your account is really at risk.

Additionally, be wary of anyone who asks you to give out two-factor authentication codes – no one should ever ask you to share these codes. Always double-check that a website is genuine and not one that merely uses the company name alongside other words (like the appeal-apple[.]com example above).
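The domain check described above can be automated, for example in a mail filter or a link-checking script. The following is an added example, not code from the article or from Apple; the allow-list of trusted domains and the sample inputs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed allow-list for this example; extend it with the domains you rely on.
TRUSTED_DOMAINS = ("apple.com", "icloud.com")
BRAND = "apple"


def hostname_of(value: str) -> str:
    """Return the lowercase hostname of a URL or bare host (defanged input accepted)."""
    value = value.strip().replace("[.]", ".")
    if "://" not in value:
        value = "//" + value  # lets urlsplit treat a bare host as the network location
    host = urlsplit(value).hostname or ""
    return host.rstrip(".")


def classify(value: str) -> str:
    """Classify a link as 'trusted', 'lookalike', 'unrelated' or 'invalid'."""
    host = hostname_of(value)
    if not host:
        return "invalid"
    for domain in TRUSTED_DOMAINS:
        # Exact match or a true subdomain. The leading dot matters:
        # "fakeapple.com" ends with "apple.com" but is a different domain.
        if host == domain or host.endswith("." + domain):
            return "trusted"
    # Brand name present, but the site is not under a trusted domain.
    # This errs toward flagging: an unrelated name containing the string is flagged too.
    if BRAND in host:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample inputs, except the first, which is the address from the article.
    samples = [
        "appeal-apple[.]com",
        "https://support.apple.com/en-us",
        "fakeapple.com",
        "apple.com.case-review.example",
        "example.org",
    ]
    for sample in samples:
        print(f"{sample:40} {classify(sample)}")
```
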

The best antivirus software and the best Mac antivirus software often include anti-phishing features that alert you to potential scams and flag suspicious texts. It's worth looking into these features and enabling them, as well as protecting your accounts with multiple layers of security, such as two-factor authentication, and using one of the best password managers to securely store all of your most important logins and account details. The best protection, though, is to stay informed about the latest scams and to slow down and listen to your instincts when you think there's even a chance you may be dealing with one.


Amber Bouman
Senior Editor Security

Amber Bouman is the senior security editor at Tom's Guide where she writes about antivirus software, home security, identity theft and more. She has long had an interest in personal security, both online and off, and also has an appreciation for martial arts and edged weapons. With over two decades of experience working in tech journalism, Amber has written for a number of publications including PC World, Maximum PC, Tech Hive, and Engadget covering everything from smartphones to smart breast pumps. 
