There’s a common misconception that Apple products come with more security than Android. Whatever side of the argument you’re on, don’t let that idea prevent you from keeping your guard up. There’s a new scam out there going after iPhone users, and if you’re unprepared, you might find yourself permanently locked out.
What is the “push bombing”/”MFA fatigue” scam?
If you suddenly see a “Reset Password” notification on your iPhone screen that only gives you the option to “Allow” or “Don’t Allow”, you may be a victim of this latest “push bombing” scam. Scammers have supposedly found a way to exploit this new bug in Apple (though, it’s not totally clear if the bug is the reason).
If you see this notification and you hit “Don’t Allow” (as you should), it only prompts more of these notifications to pop-up, like those annoying pop-up window attacks that we used to get back in the day. As you frantically click “Don’t Allow” over and over again, your finger could accidentally slip, clicking “Allow”. If you do click “Allow”, scammers will be given access to your iPhone account, and you can be permanently locked out of your phone.
Credit: Krebs On Security
MORE: HOW TO UPDATE YOUR PASSCODE ON YOUR IPHONE
Warnings if you’re in the Apple ecosystem
This scam isn’t just stopping at your iPhone. if you’re dedicated to the Apple ecosystem, then it’s important to note that users reported experiencing this scam on their other Apple devices; even their Apple Watch.
Not only this, but one user reported that after clicking “Don’t Allow” over and over again and the notifications eventually going away, the scammers actually called his iPhone as another attempt to catch him. Generally, Apple Support won’t call you out of nowhere.
Credit: Krebs On Security
MORE: HOW TO PROTECT YOUR IPHONE CALENDAR FROM DISTRACTING SPAM INVITATIONS
Apple’s response to the ‘reset password’ notification scam
We are aware of reports that a small number of iPhone users are receiving a high volume of alerts asking if they are attempting to reset their password and have taken steps to address the reported issue.
How to outsmart this scam and protect yourself
If you do happen to be targeted by this attack, it’s of the utmost importance that you don’t tap “Allow” on any of these password reset notifications. Dismissing them one after the next will take a while, but they will go away.
If you give up and click “Allow”, it will give the hackers behind this campaign complete control over your Apple account. So don’t click ‘Allow’ whatever you do. If you need help you can always reach out to Apple by logging on here.
MORE: 8 WAYS TO LOCK UP YOUR IPHONE’S PRIVATE STUFF
What to do if the prompts persist?
If the prompts persist, temporarily change your phone number associated with your Apple ID. Keep in mind that this may affect iMessage and FaceTime functionality.
Watch out for scammers posing as Apple support
If you manage to eliminate the notifications and then get a call from someone claiming to be from Apple Support, it’s likely the scammers. Just hang up. Whatever you do, don’t give any information to them. If you gave out any personal information like a social security number, follow the steps at IdentityTheft.gov. You’ll be able to make a report there and the website will help come up with a recovery plan for you and walk you through each step of gaining your identity back. You can also call Apple directly at 800.275.2273 (in the US) to verify any communication.
Reporting scam phone calls
You can report scam phone calls to the Federal Trade Commission at reportfraud.ftc.gov or to your local law enforcement agency.
Is turning on ‘Apple Recovery Key’ a solution?
According to Krebs on Security, real Apple Support suggests turning on Apple Recovery Key to avoid the notifications, but when one of the victims tried it, it did not stop them. But, stay tuned at Apple Support’s page for updates.
Safeguarding your Apple account
When setting up an Apple account, it’s common knowledge that a phone number is required. However, once the account is established, this phone number doesn’t necessarily have to be a mobile one. Apple accepts VOIP numbers (such as Google Voice) as valid alternatives. Therefore, one potential mitigation strategy is to change your account phone number to a lesser-known VOIP number.
Important Note: If you opt for a VOIP number, be aware that Apple’s iMessage and FaceTime applications will be disabled for that device unless you also include a real mobile number.
Additionally, Apple’s password reset system accommodates email aliases. By appending a “+” character after the username portion of your email address and adding a site-specific notation (e.g., cyberguy+example@use.startmail.com), you can create an unlimited number of unique email addresses associated with the same account. This technique allows for better organization and tracking of incoming emails.
Tip: When choosing an alias, consider using something less obvious than “+apple” to enhance security and privacy.
Kurt’s key takeaways
Security is a never-ending game of cat and mouse, and no device is ever truly invincible. Apple’s on the case, but until a fix is here, vigilance is key. If you are bombarded with “Reset Password” prompts, stay calm, resist clicking ‘Allow’ at all costs, and patiently dismiss each notification. Also, be sure to stay updated on Apple’s progress for a permanent solution. By following these steps, you can outsmart this scam and keep your Apple ecosystem safe.
Do you think companies like Apple should be held more accountable for security vulnerabilities? Why or why not? Let us know in the comments below.
FOR MORE OF MY SECURITY TIPS, SUBSCRIBE TO MY FREE CYBERGUY REPORT NEWSLETTER HERE.
RELATED: DON’T CLICK THAT LINK! HOW TO SPOT AND PREVENT PHISHING ATTACKS IN YOUR INBOX
Don’t click that link! How to spot and prevent phishing attacks in your inbox
🛍️ SHOPPING GUIDES:
KIDS | MEN | WOMEN | TEENS | PETS |
FOR THOSE WHO LOVE:
COOKING | COFFEE | TOOLS | TRAVEL | WINE |
DEVICES:
LAPTOPS | TABLETS | PRINTERS | DESKTOPS | MONITORS | EARBUDS | HEADPHONES | KINDLES | SOUNDBARS | KINDLES | DRONES |
ACCESSORIES:
CAR | KITCHEN | LAPTOP | KEYBOARDS | PHONE | TRAVEL | KEEP IT COZY |
PERSONAL GIFTS:
PHOTOBOOKS | DIGITAL PHOTO FRAMES |
SECURITY
ANTIVIRUS | VPN | SECURE EMAIL |
CAN'T GO WRONG WITH THESE:
3 comments
Tech companies should definitely be held accountable for keeping their devices safe. If a hacker-proof device cannot be made, tech companies need to rethink the whole system. Is there a way to deliver without using the WWW? Don’t ask for personal info that you cannot keep secure.
No matter how hard they try hackers love nothing better than a challenge. As long as they’re vigilant about security breaches I’m okay with their efforts.
Tech companies (particularly iPhone) should absolutely be responsible for the breaches. Part of that $1000+ that people for iPhones should be security. It is iPhone who promotes the security of their phones.