Watch out, iPhone fans – a new SMS attack could steal your Apple ID. Here’s how to stay safe

The best iPhones are hugely popular devices, and that makes Apple fans key targets for scammers and fraudsters. Fall victim and you could end up losing your Apple ID (now called an Apple Account), your money and more.

That’s been perfectly illustrated by a new attack that uses SMS messages to steal your Apple ID – and all the data it contains. First noted by Broadcom, the attack involves “a threat actor distributing malicious SMS messages in the United States.” This attack – known as “smishing” – tells recipients that they need to sign in to iCloud to “continue using your services.” It then directs you to a spoof website that imitates the real iCloud site. If users log in, their usernames and passwords are stolen.

Apple is keenly aware of threats to its customers, and the company has just released a slate of tips and advice on how to avoid falling victim to malicious tricksters. In a new post on the company’s support website, Apple explains what social engineering scams are, including phishing SMS messages of the type identified by Broadcom, as well as fraudulent calls masquerading as coming from support staff. The article also contains a wide range of tips and advice on how to avoid falling for scammers’ tricks and losing vital information that could be exploited by bad actors.

If you’re worried about the incident spotted by Broadcom, Apple has a key piece of advice: “If you’re suspicious about an unexpected message, call, or request for personal information, such as your email address, phone number, password, security code, or money, it’s safer to presume that it’s a scam – contact that company directly if you need to.” Erring on the side of caution could be the difference between safety and scam.

How to stay safe

Apple's Craig Federighi discussing security at the Worldwide Developers Conference (WWDC) 2022.

(Image credit: Apple)

Phishing is a very common tactic that usually involves tricking you into believing that a scammer is a genuine company representative, with the goal of inducing you to hand over important private info. The fraudster could send you an email stating that you need to claim a (fake) prize or might call you pretending to be from Apple support and asking you to hand over your account password, for example.

Usually, social engineering scams are all about two things: trust and urgency. The scammer wants you to believe that they are trustworthy so that you’ll feel comfortable giving them money or vital login details. As well as that, they want you to feel rushed so that you don’t have time to consider if you are being taken advantage of.

With that in mind, Apple’s article contains information on what you can do to protect yourself and how you can report a scam attempt, whether or not it was successful. For instance, Apple says that if a scammer’s email is not sent from the web address of the company it claims to be from, it is probably fraudulent. You can mark suspicious messages and calendar invitations as junk, report scam calls to the FTC, and block unwanted callers from your phone. Apple’s guide also provides a list of official Apple email addresses you can contact to report scams of various types.

Importantly, if you believe your Apple ID (or any other account) has been compromised, you should change your password as soon as possible to lock the fraudsters out. Secondly, the Have I Been Pwned website lets you enter your email address to check if it’s been compromised, and it can be used hand-in-hand with Apple’s advice. Follow those tips and you’ll stand a greater chance of staying safe and beating the scammers.