How Does the Apple 'Reset Password' Scam Work?
In recent times, iPhone users have been facing scams targeting their devices' security. While Apple's ecosystem boasts unparalleled features and security measures, its popularity makes it an attractive target for hackers and scammers. Among the latest threats is a password-related scam, particularly targeting high-profile individuals like CEOs and startup founders.
Last night, I was targeted for a sophisticated phishing attack on my Apple ID.
— Parth (@parth220_) March 23, 2024
This was a high effort concentrated attempt at me.
Other founders are being targeted by the same group/attack, so I’m sharing what happened for visibility.
🧵 Here’s how it went down:
According to reports on social media platforms, including X (formerly Twitter), individuals have fallen victim to sophisticated phishing attacks aimed at compromising their Apple IDs. Such attacks pose severe risks, potentially granting unauthorized access to sensitive personal and business accounts linked to the Apple ID.
Understanding the scam
Multi-factor authentication adds an extra layer of security by requiring users to provide two forms of verification before accessing their accounts. Typically, this involves approving a prompt sent to their phone or confirming a one-time password delivered via SMS. Similarly, resetting an Apple ID password involves a similar process: users verify their identity through Apple's iForgot portal, which includes entering their email or phone number, completing a captcha, and approving the request on their linked Apple device.
However, this system can be exploited. If someone gains access to a user's email account, they can theoretically initiate the password reset process. The prompt on the user's iPhone offers options to "Allow" or "Deny" the request, but repeatedly denying prompts can render the device temporarily unusable. Despite taking the correct action, victims may still fall prey to scammers posing as Apple Support representatives. These scammers may use personal information obtained from sources like People Data Labs to manipulate victims into verifying one-time passwords, compromising their security further.
To protect yourself from the iPhone 'Reset Password' scam, it's essential to follow certain security practices. Firstly, never approve password reset prompts on your Apple devices unless you have initiated the process yourself. Additionally, exercise caution with unsolicited calls claiming to be from Apple Support, as legitimate interactions usually require prior complaints or appointments. Furthermore, consider implementing additional security measures such as associating a lesser-known phone number with your Apple account or utilizing features like Hide My Email to safeguard your identity and personal information.
The severity of the issue
While some individuals thwart these scams, others have faced persistent attempts to compromise their accounts. Despite efforts to create new Apple IDs or switch to new devices, victims have been inundated with repeated password reset requests, indicating a vulnerability in Apple's account security system. As reports of such scams continue to surface, it raises questions about the effectiveness of Apple's security measures and the vulnerability of users' personal information. Concerned users are calling for enhanced safeguards and proactive measures to mitigate the risks posed by these scams.
In a similar incident, another case has come to light involving a fraudulent iPhone repair scheme. Recently, a U.S. court handed down a significant sentence to two individuals found guilty of orchestrating a $3 million scam by sending counterfeit iPhones to Apple under the guise of repairs.
Haotian Sun and Pengfei Xue, both residents of Maryland, were convicted by a federal jury for their involvement in the elaborate scheme, as reported by the U.S. Attorney's Office for the District of Columbia. The scam, which began in 2017, saw Sun and Xue obtain counterfeit iPhones from Hong Kong and submit approximately 5,000 fake devices to Apple and authorized service providers over two years. To evade detection, they resorted to tactics such as spoofing serial numbers and using various aliases to conceal their identities. Assistant U.S. Attorney Kondi J. Kleinman and trial attorney Ryan Dickey led the prosecution of the case, according to official sources.
Court documents revealed that Zhimin Liao, an accomplice in the scheme, personally visited numerous Apple stores across the United States in an attempt to exchange hundreds of counterfeit iPhones and iPads. Similarly, Zhiting Liao, another associate, made similar attempts at over 200 Apple stores across multiple states and even Canada. Moreover, the involvement of the wives of the Liao brothers, who have pleaded guilty, adds another layer to the complex web of deceit. According to prosecutors, the defendants sought to exchange over 10,000 counterfeit products at various stores throughout the eight-year duration of the operation. The authentic iPhones obtained through the scam were subsequently exported to foreign countries, resulting in a substantial loss of approximately $3 million for Apple.