No, a free iPhone 12 is not waiting for you — avoid this scam

iPhone 12
(Image credit: EverythingApplePro)

NOTE: We've been hearing rumors that these "package is waiting for you" text messages are somehow connected to human trafficking. They are not. They're just a regular old phishing scam.

In the most recent chapter in the annals of SMS phishing scams, aka "smishing," we have the saga of the fake Apple iPhone 12 giveaway.

Sophos' Paul Ducklin, an information-security luminary in his own right, wrote about this smishing attempt recently on his employer's Naked Security blog. It seems someone on the Sophos team got a text message stating that a package for them — actually, someone with a different name — was waiting for them to pick it up.

Step 1 of an SMS-text-driven phishing scam.

(Image credit: Future)

Ducklin walks the reader through the scam, from the first click on the link in the SMS message, to a website where a phony chatbot says that you have been selected to get a free Apple iPhone 12, to the survey you have to take, and finally to the point where you can "claim" the iPhone reward.

But of course, you'll have to provide an email address, password and credit-card number first. And, of course, the iPhone 12 doesn't yet officially exist. It likely won't be announced by Apple until mid-October.

Step 2 of an SMS-based phishing scam.

(Image credit: Future)

Sound familiar? We've been getting these texts too, along with a whole lot of others touting fake Viagra and CBD oil. In fact, the screenshots on this page are not from Sophos, but from your correspondent's own phone. (Our particular scammer couldn't seem to decide whether we were supposed to get an iPhone 11, 11 Pro or Xs.)

The lure of a new iPhone isn't that alluring to me, as I'm an Android fan, but going through the steps of this scam is a fun little exercise. Ultimately, this is just a phishing scam that wants to harvest your username, password and credit-card information. 

Step 6 of an SMS-based phishing scam.

(Image credit: Future)

You may wonder which online service the username and password are supposed to be for. The answer is that it doesn't really matter.

So many people (yes, we've all done it) reuse passwords for so many different websites that almost any username-password combination is bound to be useful to crooks. To avoid becoming the latest victim, be sure to use one of the best password managers.

Step 8 of an SMS-text-driven phishing scam.

(Image credit: Future)

These miscreants feed the phished credentials into automated "credential stuffing" algorithms that hammer websites like Facebook, Google or PayPal with thousands of credentials an hour. They're bound to get in more than a few times.

So how do you protect yourself from such (frankly obvious) scams? First, remember that if it sounds too good to be true, then by dadgum, it is.

Step 9 of an SMS-text-driven phishing scam.

(Image credit: Future)

Second, never give away any passwords or credit card numbers to any website that you are brought to by a text message or instant message. Would you give the same information to a random stranger who stopped you in the street?

You can't really stop these scam texts, unfortunately. The numbers they're texted from aren't real, and blocking the numbers will do no good. All you can do is not respond to them and hope the scammers move on to greener pastures.

Step 10 of an SMS-text-driven phishing scam.

(Image credit: Future)

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.