"Ever miss a call from Apple?"

My wife texted me this question, along with a screenshot showing she had missed a call from Apple. It looked legit, even showing that it came from the official Apple support number, 1(800) MYAPPLE.


It definitely wasn't.

Fortunately, my wife didn't answer or call back. Actually, if she had called back she would have gotten a totally legitimate Apple sales or support person, which makes the whole thing that much more impressive. Everything about this call seems real. 

Before we go any further, here's the bottom line: if you get a call that says it's from Apple Inc., unless you've asked Apple for a support callback, it's a scam. They definitely aren't calling to alert you to any "suspicious activity."

This one's been around.

This isn't a particularly new scam, but it appears to be increasing in frequency, enough that Apple has warned iPhone users not to answer Apple support calls unless they specifically requested one from the company's support page.

If you do answer, the person on the other end will let you know that they are from Apple and are calling to let you know your account has been compromised. They'll then let you know they want to help you secure your account by verifying your information.

The whole thing is a phishing scam meant to obtain your Apple ID and password, which could then conceivably be used to access other services like your iCloud, email, and even your billing information.

Apple Pay is encrypted on the individual device, so a hacker would have to actually have possession of a device previously set up for Apple Pay before they could access that. But stored payment information on the Apple Store, App Store, or the iTunes Store would be vulnerable.

Most of the time these types of phishing attacks aren't particularly sophisticated. They prey on people's trust in a company like Apple, as well as the fear of having their information compromised. The irony is that it's that same fear that leads people to put their information at risk.

How to protect yourself.

This is a good reminder that most reputable companies won't simply call or email you and ask you to provide information. If you wouldn't click on a link in an email asking you to verify your information (and you definitely shouldn't), then don't do it over the phone, even if it looks like the caller is someone you might otherwise trust.

It's also a good reminder that you should absolutely set up two-factor authentication (TFA) on your Apple ID, which will notify and prompt you to approve any attempt to use your Apple ID on a new device. Even if you're not using Apple products, TFA is available on all Google products as well as many third-party options.