This Surprisingly Convincing Phishing Scam Impersonates Apple’s Support Team.

You may have a keen eye for scams, but scammers are finding new ways to exploit trusted systems to evade detection. For example, attackers are creating legitimate Apple support tickets to steal two-factor authentication (2FA) codes and gain access to iCloud accounts.

A scheme detailed on Medium by security researcher and software product manager Eric Moret demonstrates how social engineering tactics can sow enough fear and confusion to fool even those aware of the warning signs. (Another example is a money transfer scam that cost a financial reporter $50,000.)

How scammers exploit Apple’s support system

The Apple support scam began with an SMS from Apple containing a two-factor authentication (2FA) code, followed by verification notifications on all devices indicating someone was attempting to log into Moret’s account. He then received an automated call from Apple with another two-factor authentication code. The SMS was sent from a five-digit short code, and the call was from a toll-free number. Both of these numbers are used by legitimate companies and are not necessarily indicative of a scam.


However, the next call came from a 404 number in Atlanta. The caller claimed to be from Apple support, stated that Moret’s account had been compromised, and assured him they were already creating a support ticket. During the subsequent 25-minute conversation, Moret received an email confirming the Apple support request (it turns out anyone can create an Apple support ticket impersonating someone else) and was instructed to reset his iCloud password.

He then received an SMS with a link, this time from a 404 number, to close the ticket. Clicking the link took Moret to a phishing site spoofing a legitimate Apple page (the link was appal-apple[dot]com), where he was prompted to enter a six-digit two-factor authentication (2FA) code he had just received via SMS. He then received an email notifying him that an unknown Mac mini had been used to log into his iCloud account. A representative on the phone explained that this was “expected as part of security measures” and “standard procedure.”

Moret then immediately reset the iCloud password to disable the unauthorized device.

Looking back, it’s easy to spot the signs: an unsolicited call about an urgent security issue, a call from a 404 area code rather than from Apple, a phishing link that wasn’t a genuine Apple subdomain, and a request for an authentication code. But the involvement of Apple support (a real ticket number and official emails from apple.com domains) gave the scam enough credibility, and the flood of two-factor authentication notifications gave it enough urgency, that the request for the code seemed reasonable.


This is the problem with social engineering. It manipulates emotions and instincts, which are stronger than logic and reason, leading to actions that are not in our best interests.

How to stay safe

As always, be wary of anyone calling, texting, or emailing you about security or account issues, even if you’ve received legitimate security alerts or they have a case number. Do not click links, enter login information, or provide any codes when asked to do so by these unsolicited callers. Do not accept assurances from anyone over the phone, no matter how calm and confident they may seem.

If you have any concerns, contact the company directly using trusted contact information or open a support ticket yourself. Always carefully check URLs and subdomains, as attackers use tricks to make them appear legitimate.
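The URL check above is the one step a reader can actually automate. The following is an added example, not code from the article or from Apple: it parses a link and accepts it only when the hostname is apple.com or icloud.com itself or a genuine subdomain of one (the trusted list is an assumption for this example), so lookalikes such as the article’s appal-apple[dot]com, a host like apple.com.example, or a link that hides the real host behind a `user@` prefix are all flagged.

```python
from urllib.parse import urlsplit

# Assumption for this example: only these apex domains (and their real
# subdomains) count as Apple's own for account and support links.
TRUSTED_APEX_DOMAINS = ("apple.com", "icloud.com")


def link_host(url: str) -> str:
    """Return the lowercase hostname of a link, adding a scheme if it has none.

    urlsplit().hostname drops any 'user@' prefix and port, so a link such as
    'https://apple.com@appal-apple.com/' resolves to 'appal-apple.com'.
    """
    if "://" not in url:
        url = "https://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def is_trusted_apple_link(url: str) -> bool:
    """True only if the host IS a trusted apex or ends with '.<apex>'.

    Anchoring on the right-hand end of the hostname is what defeats
    'apple.com.example', 'apple.com-verify.net' and 'appal-apple.com'.
    """
    host = link_host(url)
    return any(host == apex or host.endswith("." + apex)
               for apex in TRUSTED_APEX_DOMAINS)


def triage_links(urls):
    """Label each link for a quick SMS/email triage list."""
    return {u: ("trusted" if is_trusted_apple_link(u) else "SUSPICIOUS")
            for u in urls}


# Constructed sample links: the article's phishing domain plus common tricks.
SAMPLE_LINKS = [
    "https://appleid.apple.com/",                      # genuine subdomain
    "https://support.apple.com/en-us",                 # genuine subdomain
    "https://appal-apple.com/ticket/close",            # lookalike from the article
    "https://apple.com.security-check.example/login",  # apple.com as a subdomain
    "https://apple.com@appal-apple.com/",              # real host hidden after '@'
]

if __name__ == "__main__":
    for url, verdict in triage_links(SAMPLE_LINKS).items():
        print(f"{verdict:10} {url}")
```

The check only tells you whether the host belongs to the domain you expect; it says nothing about whether the page content is safe, so it belongs alongside, not instead of, the advice to open support tickets yourself.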

Also, keep in mind that simply enabling two-factor authentication isn’t enough to secure your accounts. Some forms are (obviously) easily phished, so if possible use multi-factor authentication such as a hardware security key or WebAuthn credentials (passkeys, unlocked with biometrics) rather than codes.
