Apple won't call to ask you to tell them a code you get on your iPhone
A tech YouTube personality was recently the target of an attempted phishing attack, recounting on Twitter how a phone caller impersonated Apple to try and gain access to his iCloud account.

Like many other big companies, Apple's services have become a target for con artists and scammers, who try numerous ways to gain control of user accounts. In one retelling of an attack that took place on Saturday evening, a YouTube personality recounts how a scam phone call unfolded.
Called at 7:13pm on Saturday, Jon Rettinger of The Apple Circle received multiple alerts on his phone about two-factor authentication, according to a video posted to Twitter. Rettinger didn't make the request, as it was someone else trying to get into his iCloud account, so he declined the code request prompts and changed his password via his iPhone.
Rettinger then received a phone call, spoofed to make it look like it was coming from Apple itself. The caller, claiming to represent Apple, mentioned they noticed fraud on the account, two attempted password resets, followed by a password reset, and that they were calling to make sure he "was okay."
After stating the attempts stemmed from Vancouver, Canada, when Rettinger was in California, the caller then said they wanted to enroll him into "advanced protection," described as a "freeze" on resets on the account "to make sure that you're safe."
The caller then said they would need Rettinger to read out a one-time code to them, a request that was a major red flag for the tech personality. "Never read a code to anybody over the phone," warns Rettinger.
While not mentioned, the "one-time code" was probably the two-factor authentication code prompt that kept appearing on the iPhone.
After telling the caller he didn't feel comfortable reading a one-time code over to a supposed Apple employee and asking if there was another way to do it, the caller then hung up.
Rettinger concludes the video by describing the scam attempt as "pretty advanced," warning his followers to be on the lookout for it. He ends the video with a request asking "Apple, if you're watching, fix this?"
Apple offers guidance on many different scams and phishing attempts on its website, including phone calls. It warns that caller ID usually shows a spoofed phone number for Apple, and that the scams tend to claim there's suspicious activity on an account or device and could use flattery, incentives, and threats to secure account credentials.
Apple tells users who receive an unsolicited or suspicious phone call from someone claiming to be Apple or Apple Support to "just hang up." Users in the United States are also advised to report the scam calls to the FTC, or to their local law enforcement agency.
Owners of iPhones may also want to investigate the various ways spam calls and texts can be minimized or blocked automatically, as a way to cut the chances of being caught up in the fraudulent calls.
Read on AppleInsider

This just happened. Attempted iCloud hack. Be vigilante. @Apple pic.twitter.com/qtXABIL9vq
-- Jon Rettinger (@Jon4Lakers)

Comments
It’s getting harder every day trying to deal with this stuff. Relaying stories related to any new attack strategies that are in the wild here on AppleInsider is very useful for your readers. It won’t end anytime soon, but thanks anyway.
I seriously doubt Apple was watching. And what exactly can Apple do? Isn't the spoofing done via the carrier network?
An elderly couple that I assist constantly get alerts from "Amazon." The simplest solution is hanging up and calling Amazon (or whomever the scammer is claiming to be calling from) to verify any "suspicious activity under your account." And just use common sense.
I've gotten texts from CitiBank about suspicious activity with my account. Which is hilarious as I closed my CitiBank accounts nearly 30 years ago and haven't looked back. Again, use common sense folks. Abort & Report.
We have public service announcements to stop people from lighting fires outdoors. Maybe we need public service announcements telling people not to respond to calls, texts or emails. Any benefactor out there want to help? I hear Bill Gates likes to provide support for public education.
I don't think it's a matter of laziness at all. I think it is a matter of profit, in the cost of man-hours needed to fix the problem, and that affects profit. I don't know that it's just a matter of whipping up a few lines of code and Bob's your uncle.
If that were the case, imspampossible calls would be a huge marketing bullet for a telco. Sign up with us and never get a spoofed call again. A secondary effect might even spur the less savvy to learn a bit about spam calls. Or not.
But if the Government doesn't require it, it won't happen. And they won't require it. That's sheer laziness, and/or a powerful TelCo lobby. Look at the "teeth" in the Do Not Call register and how effective that's been. The department from which I retired still gets spam from their networked copier.
I still get a lot of Robo and human spam calls on my landline and they've been steadily increasing on my cellphone as well. Business must be good.
That's not even a stop gap. With the ability to spoof numbers, any list would be out of date in a matter of minutes. Out of all my cellphone spam calls, maybe 1 in 12 is flagged as Spam Risk. Maybe fewer than that.
Eliminating spoofing and telcos dumping spoofed calls before we ever see them is about the only significant step that will stem the flow. Even then vigorous law enforcement, when that's even possible, will still be needed.
The issue with spoofing is intrinsic in the insecure SS7 signalling protocol — developed when there were just a few trusted global telcos; these days it's a free-for-all.