Warning: New Apple ID Phishing Attack is Hijacking Accounts – Here’s How to Stay Safe with your iPhone
If you own an Apple device, this is a critical warning. A new phishing attack is spreading rapidly, hijacking Apple accounts through a flaw in Apple’s security system. Cybercriminals are using a technique known as multi-factor authentication (MFA) bombing to overwhelm users with Apple ID authentication requests, leading them to make mistakes that result in account takeovers.
In this article, we’ll break down how this attack works, real-life cases of victims, and—most importantly—how you can protect yourself from falling victim.
How the Apple ID Phishing Attack Works
Unlike traditional phishing scams that rely on fake emails or deceptive links, this new attack leverages Apple’s legitimate authentication system against users. Here’s how it unfolds:
- Mass Notification Flooding: The attacker triggers multiple “Forgot Apple ID Password” requests, bombarding the target’s Apple devices with authentication pop-ups.
- Spoofed Apple Support Call: The victim then receives a call from a number that appears to be Apple Support. This is a spoofed call using Apple’s real customer service number.
- Social Engineering Tactics: The scammer claims to be from Apple and informs the victim that their account is under attack. To “secure” their account, the victim is asked to confirm the one-time authentication code they just received.
- Account Takeover: If the victim shares the code, the attacker uses it to reset the Apple ID password, locking the real owner out and potentially wiping all connected devices.
This method is particularly dangerous because the prompts are system-level notifications that must be dismissed one at a time before the device can be used, so the victim cannot simply ignore them, making the attack even more intrusive and convincing.
Real Cases of Victims
Security researchers and victims have reported multiple instances of this attack:
- A user on X (formerly Twitter) reported that the authentication pop-ups completely froze his iPhone, Mac, and Apple Watch, making it nearly impossible to use his devices.
- Another victim continued receiving password reset requests even after changing their email, getting a new iPhone, and creating a fresh iCloud account.
- Chris, a cryptocurrency hedge fund owner, experienced an attack where he ignored the first alert but then received over 30 more in rapid succession. He also got a fake Apple Support call, but fortunately, he hung up and contacted Apple directly, preventing the scam from succeeding.
These incidents show that the phishing attack is highly persistent, invasive, and effective, even against tech-savvy users.
How Are Attackers Exploiting Apple’s Security?
According to the security blog Krebs on Security, attackers appear to be abusing Apple’s Forgot Password page. Here’s how:
- The Forgot Apple ID Password page allows an attacker to enter an Apple ID email or phone number.
- Apple then displays the last two digits of the registered phone number, which attackers can easily guess.
- A CAPTCHA is meant to stop automated abuse, but attackers seem to have found a way around the rate limit it is supposed to enforce, allowing mass requests to flood a target’s devices.
- Once the victim is overwhelmed by notifications, the fake Apple Support call convinces them to give away the reset code.
This bypasses traditional MFA security, making it one of the most effective Apple phishing attacks seen in recent years.
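As an added illustration (not part of the original article, and not Apple’s code), this is how a service on the receiving end of such requests could detect and damp the flood: count reset prompts per target account in a sliding window, stop delivering prompts past a small threshold, and raise an alert. The event format, account names and IP addresses are constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of server-side "Forgot Apple ID Password" request events
# as (ISO timestamp, target account, requester IP). Hypothetical format.
SAMPLE_EVENTS = [
    ("2024-03-26T09:58:00", "alice@example.com", "198.51.100.7"),  # one normal reset
    ("2024-03-26T10:00:00", "chris@example.com", "203.0.113.10"),
    ("2024-03-26T10:00:04", "chris@example.com", "203.0.113.10"),
    ("2024-03-26T10:00:09", "chris@example.com", "203.0.113.11"),
    ("2024-03-26T10:00:15", "chris@example.com", "203.0.113.12"),
    ("2024-03-26T10:00:20", "chris@example.com", "203.0.113.10"),
    ("2024-03-26T10:00:26", "chris@example.com", "203.0.113.13"),
    ("2024-03-26T10:00:33", "chris@example.com", "203.0.113.10"),
]

WINDOW = timedelta(minutes=10)
THRESHOLD = 3  # more than this many prompts per account per window is suspicious


def evaluate_reset_requests(events, window=WINDOW, threshold=THRESHOLD):
    """Replay reset requests per target account through a sliding window.

    Returns (decisions, alerts):
      decisions - list of (timestamp, account, action); action is "deliver"
                  (send the prompt) or "suppress" (the user was already
                  prompted `threshold` times inside the window)
      alerts    - {account: requests in window when it was first flagged}
    Keying on the target account rather than the requester IP matters: the
    sample flood comes from several addresses, so per-IP limits alone miss it.
    """
    recent = defaultdict(deque)
    decisions, alerts = [], {}
    for ts, account, _ip in sorted(events):
        now = datetime.fromisoformat(ts)
        window_hits = recent[account]
        while window_hits and now - window_hits[0] > window:
            window_hits.popleft()  # drop requests that aged out of the window
        window_hits.append(now)
        if len(window_hits) <= threshold:
            decisions.append((ts, account, "deliver"))
        else:
            decisions.append((ts, account, "suppress"))
            alerts.setdefault(account, len(window_hits))
    return decisions, alerts


def flooded_accounts(events, **kw):
    """Accounts whose reset prompts exceeded the threshold (for a SIEM alert)."""
    return sorted(evaluate_reset_requests(events, **kw)[1])
```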
How to Protect Yourself from This Attack
1. Remove Personal Information from Public Search Sites
Attackers scrape data from people search websites to find your phone number and email. To protect yourself:
- Opt out of data broker websites (you can find guides online for manual removal).
- Use services like PrivacyDuck or DeleteMe to automate the process.
2. Use a Unique Email for Your Apple ID
Avoid using your primary email address for Apple ID. Instead:
- Create a new, exclusive email address for Apple.
- Use email aliases (e.g., yourname+apple@yourdomain.com) to make phishing attempts harder.
3. Change Your Apple ID Phone Number to a VoIP Number
Krebs suggests using a VoIP number (like Google Voice) instead of your real phone number. However, this will disable iMessage and FaceTime, so only use this method if you’re at high risk.
4. Ignore Unsolicited Calls from “Apple Support”
- Apple will never call you unless you specifically request support.
- If you receive an unexpected call, hang up and call Apple Support directly at their official number.
5. Enable Advanced Security Features
Apple recommends enabling a Recovery Key, but as seen in some cases, this alone is not enough. Instead, you should:
- Use a strong, unique password for your Apple ID.
- Turn on two-factor authentication (2FA) and never share your verification codes.
- Keep your Apple devices updated with the latest security patches.
Final Thoughts
This new Apple ID phishing attack is one of the most sophisticated and persistent attacks we’ve seen, leveraging Apple’s own authentication system against users. While public figures and crypto investors are at higher risk, any Apple user could be a target.
By following the security steps outlined above, you can significantly reduce your risk of falling victim. Always remember: Apple will never call you first—if in doubt, contact Apple Support yourself.
Stay safe, stay informed, and share this article with friends and family to help them protect their Apple accounts!