How To Protect Yourself From The Latest 'Reset Password' iPhone Scam
There are a few things the iPhone can do that Android can't, and while features tied into Apple's ecosystem like SharePlay and AirDrop are extremely useful, the biggest advantage of owning an iPhone has arguably always been security. Apple is generally praised for its stance on privacy and protection, but the iPhone's large user base still makes it a lucrative target for hackers and scammers.
A password-related scam targeting iPhone users has been on the rise, one aimed in particular at high-profile individuals such as CEOs and startup founders. A post shared by Parth on X (formerly Twitter) claims that he, alongside other founders, has been targeted by a sophisticated phishing attack designed to compromise his Apple ID, which could in turn have had disastrous consequences for any linked businesses and other personal accounts.
Last night, I was targeted for a sophisticated phishing attack on my Apple ID.
This was a high effort concentrated attempt at me.
Other founders are being targeted by the same group/attack, so I’m sharing what happened for visibility.
🧵 Here’s how it went down:
— Parth (@parth220_) March 23, 2024
Losing control of your Apple ID doesn't just lock you out of the account; it hands that access to whoever took it over. Your Apple ID is linked to countless services, including iMessage, iCloud, and a slew of third-party apps, so staying safe from such attacks is imperative, and the first step is understanding how the phishing attack actually works.
How does the iPhone password reset scam work?
Multi-factor authentication is considered strong because it requires the user to present at least two forms of verification before they can perform specified actions. Usually, this involves approving a prompt sent to your phone or confirming a one-time password delivered to your phone number. Resetting your Apple ID password follows a similar flow: you head to Apple's iForgot portal, enter the email address or phone number on the account, solve the captcha, and then approve the request that is pushed to your linked Apple devices.
This means anyone who merely knows the email address or phone number on your account (not your password, and not access to your mailbox) can initiate a password reset and have a prompt pushed to your devices. The prompt on your iPhone has options to "Allow" or "Deny", and choosing the latter dismisses that one request. The phishing attack involves bombarding the user's Apple devices with dozens or even hundreds of such prompts, and the way Apple handles account-level prompts means you can't use the device until you've manually denied every single one. The attacker is betting that somewhere in that stream you will tap "Allow" by mistake, or simply to make it stop.
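Seen from the service's side, the bombing stage described above is a missing rate limit: every reset request fires a prompt, with no cap per account. The Python below is an added illustration, not code from Apple or from the article. It replays a few constructed log lines through two pieces a defender would want: a detector that flags an account receiving a burst of reset prompts, and a per-account rate limiter that stops pushing prompts after a small number within a window. The log format, account names, source addresses, thresholds and timestamps are all assumptions made for the example.

```python
"""Simulation of password-reset 'prompt bombing' and two server-side
countermeasures. Added example; nothing here is Apple's code or the article's.
The log format, account names, thresholds and timestamps are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed reset-request log: "<timestamp> reset_request account=<id> src=<ip>".
# 'parth' receives 8 prompts in 76 seconds, then one isolated request later;
# 'alice' receives a single request. IPs are documentation-range addresses.
SAMPLE_LOG = """\
2024-03-23T01:12:04Z reset_request account=parth src=203.0.113.7
2024-03-23T01:12:09Z reset_request account=parth src=203.0.113.7
2024-03-23T01:12:15Z reset_request account=parth src=198.51.100.21
2024-03-23T01:12:22Z reset_request account=parth src=203.0.113.7
2024-03-23T01:12:30Z reset_request account=parth src=198.51.100.21
2024-03-23T01:12:41Z reset_request account=parth src=203.0.113.7
2024-03-23T01:13:02Z reset_request account=parth src=198.51.100.21
2024-03-23T01:13:20Z reset_request account=parth src=203.0.113.7
2024-03-23T01:40:00Z reset_request account=alice src=192.0.2.44
2024-03-23T02:30:00Z reset_request account=parth src=203.0.113.7
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, account, src) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_s, action, *fields = line.split()
        if action != "reset_request":
            continue
        kv = dict(f.split("=", 1) for f in fields)
        ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, kv["account"], kv.get("src", "")))
    return events


def detect_prompt_bombing(events, threshold=5, window=timedelta(minutes=5)):
    """Detection side: sliding window per account. Returns {account: peak
    number of reset prompts seen inside any `window`} for accounts whose
    peak reaches `threshold`. A legitimate user resets once, not eight times."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for ts, account, _src in sorted(events):
        q = recent[account]
        q.append(ts)
        while q and ts - q[0] > window:      # drop prompts older than the window
            q.popleft()
        peak[account] = max(peak[account], len(q))
    return {a: n for a, n in peak.items() if n >= threshold}


class ResetRateLimiter:
    """Prevention side: allow at most `limit` reset prompts per account per
    `window`; further requests are refused and no prompt is pushed. This caps
    how many dialogs an attacker can force onto the victim's devices."""

    def __init__(self, limit=3, window=timedelta(minutes=15)):
        self.limit, self.window = limit, window
        self.sent = defaultdict(deque)

    def allow(self, account, now):
        q = self.sent[account]
        while q and now - q[0] >= self.window:   # expire old prompts
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def simulate(events, limiter=None):
    """Replay events through the limiter; returns {account: (sent, suppressed)}."""
    limiter = limiter or ResetRateLimiter()
    stats = defaultdict(lambda: [0, 0])
    for ts, account, _src in sorted(events):
        stats[account][0 if limiter.allow(account, ts) else 1] += 1
    return {a: tuple(v) for a, v in stats.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("bombing detected:", detect_prompt_bombing(evs))
    print("prompts sent/suppressed:", simulate(evs))
```

Note what the limiter does and doesn't fix: it turns the Deny-everything marathon into a handful of prompts, so the attacker loses the fatigue lever, but it does nothing against the follow-up phone call. That stage is defeated only by the user refusing to read a code back to anyone who calls.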
Parth denied every prompt, but the scammer then called him from what appeared to be Apple Support's official phone number (caller ID is trivial to spoof). The "representative" on the other end pressed him to read back a one-time code sent to his phone; had he done so, the caller could have completed the reset they themselves had initiated. Using information pulled from People Data Labs, the scammer was able to recite the victim's personal details, down to home address and date of birth, to make the call seem legitimate.
Here's how to stay safe
Fortunately, the attacker didn't get the better of Parth, but it's evident how big a security flaw this is. One accidental tap of the screen could cost you your Apple ID and everything linked to it. While this scam seems to target specific individuals using publicly available data, a few practices will help safeguard you from such attacks.
Let's start with the obvious one: never approve a password reset prompt on your iPhone, iPad, Apple Watch, or Mac that you didn't initiate yourself. Furthermore, if you receive a seemingly legitimate call from someone claiming to work for Apple, hang up; if you think it might be genuine, call Apple back yourself using the number published on Apple's own website rather than trusting the number shown on your screen. Apple Support doesn't call you unless you've opened a case and scheduled a callback first, and no legitimate representative will ever ask you to read out a verification code.
An investigation by KrebsOnSecurity into the same MFA-bombing scam reveals other individuals who have been targeted. One victim created a new Apple ID (something you may need to do yourself one day) and even switched to a new iPhone, yet was spammed with the same password reset requests again. That leaves the phone number associated with your account as the weak point, and it's one that can also turn up in leaked or public databases online. Associating a lesser-known phone number with your Apple account, or using Hide My Email so that your real address doesn't end up in third-party sign-up databases, could shield you from such scams.