While most people are pretty savvy when it comes to avoiding scams, the usual advice (don’t click on strange links or provide information to a person or company you don’t know, etc.) sometimes doesn’t cut it.
Especially when the scam is incredibly sophisticated.
According to a recent Krebs on Security article, a new phone-based phishing scam that spoofs Apple Inc. is more convincing than the average scam.
How does it work?
According to the article, it starts with an automated call that appears to be from Apple. The call appears quite authentic and displays Apple’s logo, address and real phone number. The call warns the recipient about a supposed data breach.
“The scary part is that if the recipient is an iPhone user who then requests a call back from Apple’s legitimate customer support Web page, the fake call gets indexed in the iPhone’s ‘recent calls’ list as a previous call from the legitimate Apple Support line,” the article reads.
According to the article, Jody Westby, the CEO of the Washington, D.C.-based Global Cyber Risk LLC, said she received an automated call on her iPhone warning that multiple servers containing Apple user IDs had been compromised. According to Krebs on Security, the message said she needed to call a 1-866 number before doing anything else with her phone.
The scam is worrisome because the information appears to be legitimate, which leads many people to think the call is actually coming from Apple support.
Krebs said Westby contacted Apple and was informed that the call was almost certainly a scam, and that Apple would never contact a customer that way. Interestingly enough, Krebs says that when Westby looked at her iPhone’s recent calls list, she saw the legitimate call from Apple had been lumped together with the scam call that spoofed Apple.
“I told the Apple representative that they ought to be telling people about this, and he said that was a good point,” Westby told Krebs. “This was so convincing I’d think a lot of other people will be falling for it.”
KrebsOnSecurity says it called the number that the scam message asked Westby to contact (866-277-7794).
“An automated system answered and said I’d reached Apple Support, and that my expected wait time was about one minute and thirty seconds. About a minute later, a man with an Indian accent answered and inquired as to the reason for my call,” he says.
“Playing the part of someone who had received the scam call, I told him I’d been alerted about a breach at Apple and that I needed to call this number. After asking me to hold for a brief moment, our call was disconnected.”
Krebs says that while this is a scam intended to phish for personal information and part people from their money, it’s remarkable that Apple’s own devices can’t tell the difference between a call from Apple and someone trying to spoof Apple.
So, how do you avoid this scam?
If you have been contacted by Apple and believe the call is fraudulent, call Apple support for confirmation; do not call back the number that called you (this also applies to situations in which you receive a suspicious call from someone purporting to represent a bank or telecommunications company).
If you have received a strange call from Apple, report it to the company and the Canadian Anti-Fraud Centre.
If you believe you are a victim of a scam, you can also contact local police to report the matter.