Apple has urged iPhone users to beware of a devastating scam that allows attackers to steal their digital life.
The company has updated a support document amid the ongoing use of so-called “smishing” attacks that try to steal people’s information.
The messages look like legitimate texts from Apple. They usually suggest that the recipient needs to log in urgently to solve some sort of problem.
But the login page they direct users to is actually a fake iCloud website, which then steals those details. Once that happens, the attackers may be able to get full access to everything stored within the account.
Apple notes that those attacks can use “sophisticated tactics” that will help persuade people that they need to hand over personal information “such as sign-in credentials, security codes, and financial information”.
Those tactics might include emails that look like they have come from a company, such as Apple, or they might come in the form of phone calls that claim to be from Apple support. They might also come in the form of pop-ups that suggest a device has a security problem that needs to be fixed.
In those emails and calls, attackers might look like they are calling from a legitimate phone number using a tactic called spoofing. They might also share personal information that makes them seem legitimate.
Apple advises that anyone who receives a message they are suspicious about should contact the company it claims to come from. It is “safer to presume that it’s a scam”, the company warns.
Users should also never share personal data or security information, or enter them into a webpage that someone directs them to, it warns. It is also safest to use two-factor authentication – and keep it secure – which will help keep attackers out of an account even if they do get the password.
It also advises users never to use Apple gift cards to make payments, to check that any emails are legitimate, to download software only from trusted sources, and not to follow links, or open or save attachments, in any messages that are suspicious.
Apple asks that suspicious emails, messages and calls be reported to the company. In the same support document, it lists a host of email addresses to which they can be forwarded.