
The latest iMessage phishing scam is easy to fall for. Here’s how to avoid it

A phishing text in the iMessage.
Reddit / Digital Trends

It’s a new year, but bad actors are still at it with an old trick repackaged for iPhone users. Bleeping Computer reports a rise in phishing attacks targeting iPhone users that involves tricking them into disabling built-in protections and clicking on malicious links.

In an increasing number of cases, the text messages come from fake delivery agents and pose as service messages from the U.S. Postal Service (USPS). Two Digital Trends contributors have received such sham messages recently in North America.

Sample of iMessage phishing text, second batch.
Reddit / Digital Trends

We have also come across reports of a similar tactic being deployed in other regions, including India, where online fraudsters are posing as DHL or FedEx employees.


Anyone fancy finding out who ‘kathlyn afaf’ could be?

They are trying to Royal Mail scam people but gone via iMessage so their email address has popped up… pic.twitter.com/jr5yPGaA3O

— Sanny Rudravajhala (@Sanny_Rudra) January 11, 2024


From the user posts that we have seen on social forums so far, the tactic has been in use for at least the past couple of years. If you look closely at the samples attached below, you will notice a pattern in the scammy text messages:

“Please reply Y, then exit the SMS and open it again to activate the link, or copy the link to your Safari browser and open it.”

Sample of iMessage phishing text, third batch.
Reddit / Digital Trends

This is a recurring theme, with slight modifications in the language. Replying with a Y looks harmless on the surface, but it’s a clever way of disabling the built-in phishing protection protocol on iPhones.

Apple has created a system for iMessage that automatically blocks links in messages from unknown senders. You can only open those links if you add the sender to your contact list (identifying them as a known contact) or reply to it.

Sample of iMessage phishing text, fourth batch.
Reddit / Digital Trends

When you reply to a message, as the fraudulent message asks, iMessage switches the bad actor to a “known” status. Now, the link is active. Once you tap on it, the URL opens in a browser of your choice.

In some cases, the spammy message asks users to copy-paste the URL into the Safari browser. Now, where the link leads remains uncertain. As per a few reports, users are led to a page where they are required to enter their credit card information.

How to avoid the scam

Sample of iMessage phishing text, first batch.
Reddit / Digital Trends

If you receive a text from a supposed mail service, do not reply or click on the link in the message. Start with the sender’s name or number. If there’s a spelling error, or if it’s a personal number (or iCloud address), it’s certainly a sham.

Also, pay attention to the country code. If it’s coming from another country, avoid interacting with it at all costs. If you have any active mail assignments, always check the progress or reach out to customer care via the details mentioned on the company’s official website.
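The checks described above can be applied to reported messages in bulk. The following triage script is an added example, not part of the original article: the indicator names, the sample messages and the `+1` home country code are assumptions made for illustration, and the patterns cover only the lure wording quoted in this article.

```python
import re

# Wording quoted in the article: reply Y, reopen the thread, or paste the link into Safari.
REPLY_LURE = re.compile(r"\breply\s+(?:with\s+)?\W?(?:y|yes)\b", re.I)
ACTIVATE_LURE = re.compile(
    r"activate\s+the\s+link|(?:copy|paste)\s+(?:the\s+)?link\s+(?:in)?to\s+"
    r"(?:your\s+)?(?:safari|browser)", re.I)
URL = re.compile(r"https?://\S+", re.I)
EMAIL_SENDER = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)

def triage(sender, body, home_country_code="+1"):
    """Return the indicators from the article's advice that a message trips."""
    hits = []
    sender = sender.strip()
    if EMAIL_SENDER.match(sender):
        hits.append("sender-is-email-address")   # iMessage sent from an iCloud/e-mail ID
    elif sender.startswith("+") and not sender.startswith(home_country_code):
        hits.append("foreign-country-code")
    if REPLY_LURE.search(body):
        hits.append("asks-for-reply")            # a reply would make the link tappable
    if ACTIVATE_LURE.search(body):
        hits.append("asks-to-activate-or-copy-link")
    if URL.search(body):
        hits.append("contains-link")
    return hits

def verdict(sender, body, home_country_code="+1"):
    """Classify a message; a link plus an unblocking instruction is the scam pattern."""
    hits = triage(sender, body, home_country_code)
    lure = {"asks-for-reply", "asks-to-activate-or-copy-link"} & set(hits)
    if "contains-link" in hits and lure:
        return "likely-phish", hits
    return ("suspicious" if hits else "no-indicators"), hits

# Constructed sample messages (not real senders or URLs).
SAMPLES = [
    ("kx.parcel7@icloud.example",
     "USPS: your package is on hold. https://usps-redelivery.example/track "
     "(Please reply Y, then exit the SMS and open it again to activate the link, "
     "or copy the link to your Safari browser and open it.)"),
    ("+630000000000", "Your parcel is waiting. Visit https://post-fee.example/pay"),
    ("+12025550100", "Your appointment is tomorrow at 3 PM."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, *verdict(sender, body))
```

A message that trips no indicator is not thereby legitimate; the script only encodes the warning signs listed in this article.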

Every time you receive a message from an unknown sender, the iMessage app shows a Report Junk option at the bottom, followed by the delete prompt in the next step. Do keep in mind that you can’t report a message after replying to it.

@IndiaPostOffice I received this today, I know it's some kind of scam as it is asking for 25 rs directly and it's sent using iMessage using this mail id but still I want to confirm this with officials. @Cyberdost pic.twitter.com/4FXX7UZMjT

— Vikash Gathala (@vikashgathala) May 30, 2024

If you haven’t opened the message yet, simply swipe left on it, select the Bin-shaped red delete icon, and then select Delete and Report Junk. As an added layer of assurance, you can also go ahead and block the sender.

A few weeks ago, the government’s Cybersecurity and Infrastructure Security Agency (CISA) released a detailed advisory on keeping your phone safe from all kinds of cyberattacks. We compiled the core findings for an average smartphone user, and you should check that out to cultivate safe digital habits this year.

Nadeem Sarwar