Have you received a weird spam call or voicemail claiming to be from Apple support, notifying you of suspicious activity with your Apple iCloud ID? The computer-generated recording may even sound creepy to some victims, and its goal is to snare you into giving up your iCloud ID and password as part of a new phishing campaign.
Phishing scams targeting Apple IDs and passwords are not new, ranging from text message scams to clever phishing websites, but what appears to be making headway is a new method of calling your iPhone in attempt to trick you into giving up your secret information. What's happening is you'll receive a call from a random or unknown number, such as 646-434-5603 or 844-282-0419, and if you don't pick up the scammer or hacking group will even leave a voicemail phishing for your iCloud ID and password.
While it appears the phishing campaign has flown somewhat under the radar for the past month, with just a few reports made to Check Who Called, they also just picked the wrong target—calling me—and I'm all too eager to blow the lid off the scammer's spam call operation. (If you received a similar call and found this page before calling back, good on you! Saving you from the headache of this scam is a win in my book.)
While I don't expect this story to stop scammers from continuing to spam call people, Apple users need to be aware of this ongoing phishing campaign.
Here's the spambot voicemail they left on my phone:
Transcript of the voicemail:
Hi, I am Jennifer, and I am calling you from online support Apple. This is to inform you that we have noticed some suspicious activity with your iCloud ID. We have been getting the notification on our main server from past few days. We seriously recommend you to call the 844-282-0419. I repeat, 844-282-0419. We request you not to use your computer or other Mac devices before speaking to our certified technicians. For help and support please call us.
The first thing I noticed about this voicemail was that it was more creepy than professional, and obviously not from Apple. There's just no way Apple support would ever contact a customer using a disturbing computer-generated voice, asking you not to tell anyone they called, and to only call them back for help and support. Not surprisingly, just as is the case with most spam emails and phishing websites, the voicemail itself was riddled with grammatical errors and poorly spoken English.
This is a clear attempt to terrify you into calling the number back and giving up your Apple iCloud credentials.
Unfortunately, this spammer or phishing group is likely contacting hundreds of thousands or possibly millions of people in hopes of snagging just a few iCloud IDs and passwords; and worse, this method does work and some people have and will likely become victims.
How scammers use social engineering to trick you
Phishing scammers commonly use social engineering, also known as social hacking exploits, to trick you into providing them with your personal information. Sometimes they begin the con by asserting authority, as is the case with these spam calls: By claiming to be from Apple support, their hope is that this gives you the illusion that they have authority to receive further information from you, which they will no doubt pressure you into giving up if you were to call the number back.
As a hook, the attacker is also reaching out to you under a pretext, claiming to be receiving notifications of suspicious activity with your iCloud ID. If you have an iCloud account, the scammer hopes that by being vague about what they're talking about, you'll fill in the gaps and jump to your own conclusions about what scary things might be happening to your iCloud account—when, in fact, nothing scary is happening unless you call them back and give up your information.
While these kinds of social engineering scams can be frightening, knowing how to identify such fraud is the first step to protecting yourself. (RELATED: Social Engineering: Beware of 'Tech Support' Scams.)
How to protect yourself from phishing spam calls
Spam calls like this are a good reminder that computer security is not just about protecting your machine from malware. There is a lot of data on your machine, and specifically in your iCloud account, that is valuable to hackers, and attackers don't necessarily have to go to the trouble of creating malware to get it from you.
But there is good news: It can be fairly easy to protect yourself by making a few simple improvements.
The best defense against phishing attacks is to remain vigilant and be aware that scammers will use any methods available to try and con you into giving up personal information. If you get a spam call like the one mentioned above and they leave a voice message, do not under any circumstances call it back—just delete it. Know that Apple will never, ever call you about alleged suspicious iCloud activity.
Apple also mentions on its website, as a general rule, "Never send credit card information, account passwords, or extensive personal information in an email unless you verify that the recipient is who they claim to be." The same can be said, of course, for Apple users contacted over the phone. If you reached this story only after giving up your iCloud ID and password, or otherwise believe that your Apple account has been compromised, visit this website to change your password immediately:
If for a number of reasons you're concerned about malware on your iPhone, Intego VirusBarrier for Mac allows you to scan files and attachments on iOS devices, and finds and eradicates malware found in document directories on iPhones and iPads.
Lastly, if you haven't already done so, a sound method of protection is to activate Apple's two-factor authentication for your iCloud account. This will provide you with an additional layer of security and make your Apple ID more difficult to hack.
Have you been notified by phone of suspicious activity with your iCloud ID? Did you fall victim to this spam call? We want to hear you story! Drop us a comment below.