- Phone phishing scams are becoming more advanced.
- The newest technique involves attackers pretending to call from Apple's help line.
- Because iPhones come with the number for Apple's help line preloaded in Contacts, Apple's logo and name pop up on the iPhone's caller ID when an attacker successfully fakes the call's origin.
- If you get a suspicious call, the best way to protect yourself is to hang up and call Apple (or your bank or carrier) directly.
The next time you receive a call from Apple, it might not be from someone actually working there. In fact, it's much more likely that it's coming from a scammer.
Some scammers have discovered a technique that takes advantage of how easy it is to make a call appear to come from any phone number the caller chooses, even Apple's main help line, security journalist Brian Krebs reported.
That means when a scam call spoofing Apple's number shows up on your phone, the lock screen will display Apple's name and logo.
It's pretty convincing. But that doesn't mean you should give the caller your password or other private information.
"Folks have a learned trust of caller ID that is unearned," Steven Andrés, who teaches cybersecurity at the Fowler College of Business and a graduate homeland security program at San Diego State University, told Business Insider. "Most consumers don't realize that when a modern phone system places a call, it also sends along the caller ID to be displayed. That means the caller is providing the number, not the phone company."
"If I instruct my phone system to call your iPhone, and I set the caller ID to be 1-800-MY-APPLE, this will match the preloaded contact card which shows the Apple corporate logo, adding incredible legitimacy and increasing the likelihood of the victim believing Apple is calling," he continued.
It's not Apple calling. It's just someone taking advantage of the way that the phone system works.
Apple's help line is a "1-800" number. Using widely available and easy-to-use software, a telemarketer or scammer can say its calls are coming from any number it chooses, a technique called caller ID spoofing. It's kind of like how you can write any return address you'd like on a letter.
What makes this scam so scary is that you probably have a contact for Apple in your address book, because the phone number comes preloaded on iPhones, and most people don't even know that that information is in their address book.
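To make the mechanism concrete, here is a small model (added here; not code from the article, from Apple, or from the people quoted) of how a handset turns the caller-supplied number into a lock-screen name, and why the hang-up-and-call-back advice works. The contact book, the sample bank entry and the attacker's real line are constructed values; the Apple card's digits are simply 1-800-MY-APPLE spelled out on a keypad.

```python
from dataclasses import dataclass
from typing import Optional

# Standard phone-keypad letters-to-digits mapping, used to match vanity
# numbers such as 1-800-MY-APPLE against a stored contact.
KEYPAD = {c: d for d, letters in {"2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
          "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ"}.items() for c in letters}

def normalize(number: str) -> str:
    """Reduce a dialable string to digits, e.g. '1-800-MY-APPLE' -> '18006927753'."""
    return "".join(KEYPAD.get(c, c) for c in number.upper() if c.isalnum())

@dataclass(frozen=True)
class IncomingCall:
    claimed_number: str  # caller ID chosen and sent by the originating phone system
    true_origin: str     # where the call really came from; the handset never sees this

# Constructed contact book: the Apple card stands in for the preloaded one the
# article describes, the bank entry is a made-up user-saved contact.
CONTACTS = {
    normalize("1-800-MY-APPLE"): {"name": "Apple", "logo": "apple.png"},
    normalize("1-800-555-0100"): {"name": "Example Bank", "logo": "bank.png"},
}

def caller_id_display(call: IncomingCall, contacts=CONTACTS) -> dict:
    """What the lock screen shows: a lookup keyed ONLY on the caller-supplied number."""
    card = contacts.get(normalize(call.claimed_number))
    if card is None:
        return {"name": call.claimed_number, "logo": None, "verified": False}
    return {**card, "verified": False}  # a contact match is not authentication

def callback_number(displayed_name: str, contacts=CONTACTS) -> Optional[str]:
    """Hang up and call back: dial the number from your own stored record for the
    organisation, never one taken from the incoming call. None means no trusted record."""
    for number, card in contacts.items():
        if card["name"] == displayed_name:
            return number
    return None

# Constructed calls: the second claims the same number but originates elsewhere.
genuine = IncomingCall(claimed_number="1-800-MY-APPLE", true_origin="1-800-MY-APPLE")
spoofed = IncomingCall(claimed_number="1-800-MY-APPLE", true_origin="+1-555-0199")
```

Both calls produce an identical "Apple" card on the screen, because nothing on the receiving side checks `true_origin`; the only safe action is the callback to the stored number.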
Brian Krebs (@briankrebs), January 3, 2019, on Twitter: "Phone phishing scams that spoof Apple are getting very good. No doubt other brands will be spoofed in a similar way, if they are not already. Please read: https://t.co/kWbisuLHMb"
"What's broken here is the cell phone system, and attackers preying on brand loyalty," Andrés said.
According to Apple, its support division never calls up customers unexpectedly, and it's been working with authorities to stamp out these kinds of scams. It also provides some information on its website about recognizing and avoiding emails and fake support calls, along with an email address that enables customers to report likely scams.
Hang up and call back
There is one way to protect yourself from calls like this: don't give out personal information to incoming callers.
Instead, you should hang up the phone and call Apple yourself. This is even more important if you get a spoofed call from your bank or wireless carrier.
"There's very little that everyday consumers can do on the receiving end of the phone call," Andrés explained. "My advice is to not trust that the caller ID is genuine. Say thanks for the information, then call up the number on the back of the credit card."
That's pretty similar to the advice that the FCC gives about spoofed phone calls.
- Never give out personal information such as account numbers, Social Security numbers, mother's maiden names, passwords or other identifying information in response to unexpected calls or if you are at all suspicious.
- If you get an inquiry from someone who says they represent a company or a government agency, hang up and call the phone number on your account statement, in the phone book, or on the company's or government agency's website to verify the authenticity of the request. You will usually get a written statement in the mail before you get a phone call from a legitimate source, particularly if the caller is asking for a payment.
- Use caution if you are being pressured for information immediately.
What makes this new Apple spoof so dangerous is that it takes advantage of the contact card likely already in your iPhone. Other scams spoof numbers from your area code, but what sets this particular scam apart is that you're more likely to trust the Apple call because it displays the phone number and brand logo.
The problem isn't a flaw with the iPhone; to properly fix the spoofing problem would require action from wireless carriers to create authoritative records for who is placing calls. But that would likely require a lot of work and additional systems, and it may be years before Congress or other government bodies require them to curtail this problem.
So, in the meantime, it's important to remain suspicious of incoming calls.
"I wouldn't consider preloading the Apple contact information a security bug," Andrés said. "It's convenient as you're very likely to need that number to call for help."