This Surprisingly Convincing Phishing Scam Imitates Apple Support

You may have a keen eye for spotting scams, but fraudsters are finding new ways to weaponize trust systems to avoid detection. For example, bad actors generate real Apple support tickets to phish for two-factor authentication (2FA) codes and gain access to iCloud accounts.

The scheme, detailed on Medium by security researcher and software product manager Eric Moret, shows how social engineering tactics can sow just enough fear and confusion to fool even those who know the red flags. (The money transfer scam that bilked a financial advice columnist out of $50,000 is another example.)

How scammers exploit Apple’s support system

The Apple support scam began with a text message from Apple containing a 2FA code, followed by verification notifications on all devices, indicating that someone was trying to log into Moret’s account. He then received a robocall from Apple with another 2FA code. The text was sent from a five-digit short code and the call from a toll-free number, both used by legitimate companies and not necessarily red flags of a scam.

The next call, however, came from a 404 phone number based in Atlanta. The caller claimed to be from Apple Support, said Moret’s account was under attack, and assured him they were opening a support ticket. During a 25-minute follow-up call, Moret received an actual Apple Support case confirmation via email (it turns out anyone can create an Apple Support ticket on someone else’s behalf) and was asked to reset his iCloud password.

He then received a link via SMS, from the 404 number this time, to close the ticket. After clicking, Moret was taken to a phishing website that spoofed a real Apple page (the URL was call-pomme[dot]com), where he was asked to enter a 6-digit 2FA code that he had just received by SMS. An email in his inbox then alerted him that an unknown Mac mini had been used to log into his iCloud account, which the representative on the phone told him was “expected as part of the security process” and “standard procedure.”

Moret then immediately reset his iCloud password to deactivate the unauthorized device.

Looking back, it can be easy to see the signs: the unsolicited call about an urgent security issue, the 404 number, the phishing link that isn’t a real Apple subdomain, the request for an authentication code. But the Apple Support ticket, with an actual case number and official emails from apple.com domains, provided just enough credibility, and the multiple 2FA notifications just enough urgency, for the scam to work.

This is the problem with social engineering. It manipulates emotions and instincts stronger than logic and reason, leading to actions that are not in our best interest.

How to stay safe

As always, you should be wary of anyone who calls, texts, or emails you about a security or account issue, even if you have received genuine security alerts or they have a legitimate case number. Do not click on links, enter your credentials, or provide codes when asked by these unsolicited callers. Do not accept reassurance from anyone on the phone, no matter how calm and confident they may be.

If you are concerned, you should contact the company directly using reliable contact information or open support tickets yourself. Always check URLs and subdomains carefully, as hackers can play tricks to make them look legitimate.
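The URL check described above can be expressed in code. This added example (not from the article or from Moret's write-up) tests whether a link's host really sits under a trusted domain; the allow-list, the function names and every sample link other than call-pomme[dot]com are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: domains the reader treats as genuinely Apple-operated.
TRUSTED_DOMAINS = {"apple.com", "icloud.com"}


def refang(url: str) -> str:
    """Undo common defanging ('[dot]', '[.]', 'hxxp') so the URL parses."""
    return (url.replace("[dot]", ".").replace("[.]", ".")
               .replace("hxxp", "http", 1))


def check_link(url: str) -> tuple[bool, str]:
    """Return (trusted, reason) for a link received by SMS or e-mail."""
    url = refang(url.strip())
    if "://" not in url:
        url = "https://" + url      # bare host as pasted from a message
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "not https"
    if parts.username is not None:
        # 'https://apple.com@other.example/' really goes to other.example
        return False, "userinfo before the host"
    if not host:
        return False, "no host"
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return False, "internationalized (possible look-alike) host"
    for domain in TRUSTED_DOMAINS:
        # Exact match or a true subdomain: compare on a label boundary,
        # so 'fakeapple.com' and 'apple.com.other.example' both fail.
        if host == domain or host.endswith("." + domain):
            return True, f"host is under {domain}"
    return False, f"{host} is not under a trusted domain"


if __name__ == "__main__":
    samples = [                      # constructed, except the article's URL
        "https://support.apple.com/billing",
        "call-pomme[dot]com",
        "https://apple.com.account-check.example/close",
        "https://apple.com@account-check.example/",
    ]
    for link in samples:
        print(link, "->", check_link(link))
```

A passing check only shows where the link leads; as the article notes, the genuine apple.com case emails were themselves part of the scam.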

Also be aware that simply enabling 2FA is not enough to keep your accounts secure. Some forms of 2FA are (obviously) easily phished, so if possible you should use a multi-factor authentication method like a hardware key or WebAuthn credentials (biometrics and passkeys) rather than codes.
