Apple iPhone and iPad users have been warned not to fall for fake emails and texts that aim to trick them into handing over their iCloud login so scammers can access all their personal information stored in the cloud. The messages claim to be from Apple and typically warn the user that their account has been "restricted in order to safeguard your information" and urge the recipient to "verify and update your account" using the link provided. It is similar to the thousands of "your PayPal account has been suspended" emails, but what appears to have caught out many this time is the fact that the texts look as though they have come from Apple – and have arrived on phones that have never received other scam texts before. Tony Neate, who runs the government-supported Get Safe Online website, says: "This is particularly manipulative as it threatens to deactivate your cloud drive account – a place where many of us store our most cherished and important documents, things that we just cannot risk losing. "Like other phishing scams this case is complex and targeted, and by pretending to be from a legitimate organisation, fraudsters can manipulate your emotions to make you act in a way you might not have done in another situation.
Apple customers are being targeted in a series of new scams involving invoices containing fake iTunes, App Store or Netflix purchases. The bogus emails – likely to have been sent to thousands of people – are aimed at stealing your bank details by making you think someone has gone shopping using your Apple account. The invoices seen by MailOnline, all headed with the Apple logo and using its distinctive font, say the user has bought music on iTunes or purchased a new annual Netflix subscription. Victims scared they have been defrauded have clicked on a 'refund' link where they fill in their card details, which are sent to cyber criminals. Apple today warned people to ignore the emails and said it would never ask for bank details or the three-digit security code on the back of your card by email.
Anyone searching for a primer on how to spot clever phishing links need look no further than those targeting customers of Apple, whose brand by many measures remains among the most-targeted. Past stories here have examined how scammers working with organized gangs try to phish iCloud credentials from Apple customers who have a mobile device that is lost or stolen. Today's piece looks at the well-crafted links used in some of these lures. KrebsOnSecurity heard from a reader in South Africa who recently received a text message stating his lost iPhone X had been found. The message addressed him by name and said he could view the location of his wayward device by visiting the link https://maps-icloud[.]com -- which is most definitely not a legitimate Apple or iCloud link and is one of countless spoofing Apple's "Find My" service for locating lost Apple devices.
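The host check that separates maps-icloud[.]com from a real iCloud address, as an added Python example (not code from the quoted article or from Apple). The trusted list of apple.com and icloud.com, the function names and every sample URL other than the one quoted above are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: parent domains treated as Apple-owned for this check.
TRUSTED_DOMAINS = ("apple.com", "icloud.com")
# Brand strings whose presence outside a trusted domain suggests spoofing.
BRAND_WORDS = ("apple", "icloud")


def refang(url: str) -> str:
    """Undo common defanging ([.] and hxxp) so the URL can be parsed."""
    return url.replace("[.]", ".").replace("hxxp", "http", 1)


def split_host(url: str):
    """Return (hostname, netloc) for the server a client would contact."""
    url = refang(url.strip())
    if "://" not in url:
        url = "https://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")  # drop a trailing root dot
    return host, parts.netloc.lower()


def classify(url: str) -> str:
    """Classify a link as 'trusted', 'lookalike' or 'unrelated'."""
    host, netloc = split_host(url)
    # Match on label boundaries: the host must equal a trusted domain or
    # end with "." + domain. A plain substring or suffix test would accept
    # "maps-icloud.com" because it ends in "icloud.com".
    if any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
        return "trusted"
    # The brand appearing in the host or in the userinfo before "@"
    # is the lure, not proof of ownership.
    if any(word in netloc for word in BRAND_WORDS):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    samples = [  # all constructed except the first, which is from the text
        "https://maps-icloud[.]com",
        "https://www.icloud.com/find",
        "https://icloud.com.example.net/find",
        "https://icloud.com@example.net/",
        "https://example.org/news",
    ]
    for s in samples:
        print(f"{classify(s):10} {s}")
```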
Malicious iOS apps can easily create fake login pop-ups that look exactly like the ones used by Apple, an expert cautioned. The login boxes usually appear when you try to install or update an app, and ask you to enter your Apple ID password before you can continue. If you input your password into one of the fake boxes, the attacker could steal it and use it to access your credit card information. You can protect yourself from the fake pop-up scam by never inputting passwords into an Apple pop-up. Instead, you should go into your iPhone's settings menu and enter it there to confirm it's a real request from Apple.
Customer support scams have been rampant over the past years and are wildly successful when done right. The security blog KrebsOnSecurity recently reported the advent of a new phone-based voice phishing scam with a focus on Apple users. In August of 2018, we saw an iOS phishing scam targeting iPhone users, so this is obviously not the first Apple support scam reported. Jody Westby, the CEO of Global Cyber Risk LLC, attested to receiving automated calls on her iPhone. Despite being spoofed, the call shows the Apple logo, physical and web address and the legitimate phone number.