Tom’s Guide
Technology
Amber Bouman

Apple ID alert: This scam is stealing accounts right now using real Apple support tickets

A new phishing scam is using real Apple Support tickets to try and trick iPhone and Mac users into handing over their personal accounts. According to a story detailed in a post on Medium, Broadcom's Eric Moret came very close to losing his entire Apple account to some very sophisticated scammers who were able to use the iPhone maker's own support system to convince him to willingly hand over authentication codes.

Moret details the steps the scammers took to convince him, from start to (almost) finish. It started with multiple alerts, including two-factor authentication ones, that indicated someone was attempting to break into his iCloud account. This was followed by multiple phone calls from calm, professional-sounding Apple "agents" who were helpful in their attempts to assist him with the issue.

The sneaky part is that the scammers were able to exploit a flaw in Apple's Support system and create genuine support tickets from a real Apple email address, which reassured Moret that he was actually dealing with legitimate agents who wanted to help him. Unfortunately, this flaw allows anyone to create an Apple Support ticket for the company's customers without verification, by using an employee email address from which these fake support emails are then sent out to potential victims.

That gave the scammers the ability to create an air of authority and authenticity when communicating with Moret during a 25-minute phone call in which they guided him through the process of resetting his iCloud password to "protect" him from the attack they had in fact created.

When the process to reset his iCloud password had been completed, Moret was told he’d get a link to “close the case.” That link was the part of this new scam that took him to a fake website with the address appeal-apple[.]com. This website informed Moret that his account was currently being secured and that, in order to close the case, all he needed to do was enter a six-digit verification code that would be sent to him via text. When he received it, he entered the code into this fake website, which is what ultimately gave the scammers behind this campaign access to his account.

Moret then received an email that told him that his account was being used to sign in to a Mac mini, even though he did not own one – indicating that someone had, in fact, gained access to his account after all. Though the scam caller assured him this was expected, Moret reset his iCloud password a second time, which bounced the scammers out of his account. He very, very narrowly escaped the attempt to take over his account because he listened to and trusted his instinct at the last moment.

How to stay safe from this phishing scam

The best way to protect yourself from this scam and others like it is to simply avoid responding to unexpected calls or texts – even if the person on the other end is claiming to be from IT or customer support. Instead, hang up or don't reply, and contact the company directly through an independent channel to confirm if your account is really at risk.

Additionally, be wary of anyone who asks you to give out two-factor authentication codes – no one should ever ask you to share these codes. Always double-check that a website is genuine and not one that uses the company name alongside other words (like the appeal-apple[.]com example above).
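
The "company name alongside other words" check can be automated for links arriving in mail or chat. The Python below is an added example, not from the article or from Apple; the allowlist, the brand words and the short suffix list are assumptions, and a production filter would use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumption: registrable domains the brand really uses (extend as needed).
OFFICIAL = {"apple.com", "icloud.com"}
# Assumption: words that should only appear on the domains above.
BRAND_TOKENS = {"apple", "icloud"}
# Assumption: tiny stand-in for the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

def hostname(url):
    """Extract the lower-case host, undoing defanging such as [.] and hxxp."""
    url = url.strip().replace("[.]", ".").replace("hxxp", "http")
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").rstrip(".")

def registrable_domain(host):
    """Return the part of the host that someone had to register."""
    labels = host.split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def classify(url):
    """Return 'official', 'lookalike' or 'unrelated' for a link."""
    host = hostname(url)
    if registrable_domain(host) in OFFICIAL:
        return "official"
    # Split on dots and hyphens so "apple" matches as a whole word only;
    # "pineapple" does not count as the brand.
    words = set(host.replace("-", ".").split("."))
    return "lookalike" if words & BRAND_TOKENS else "unrelated"

# Constructed sample links; only appeal-apple[.]com comes from the article.
SAMPLES = [
    "https://appeal-apple[.]com/case",
    "https://support.apple.com/",
    "https://www.icloud.com/",
    "https://pineapple-farm.example/",
    "https://news.example/apple-review",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify(link):10} {link}")
```

Only the host is examined, so a brand name in the path of an unrelated site is not flagged.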

The best antivirus software and the best Mac antivirus software in this case often include anti-phishing features that alert you to potential scams and flag texts that are suspicious. It's worth looking into these features and enabling them, as well as protecting your accounts with multiple layers of security such as two-factor authentication and using one of the best password managers to securely store all of your most important logins and account details. The best protection, though, is to stay informed about the latest scams and to slow down and listen to your instincts when you think there's even a chance you may be dealing with one.
