- Some iPhone owners have been hit with an elaborate new phishing scam, Krebs on Security reports.
- The scam involves repeated alerts telling users to reset their Apple password and a spoofed call.
- Apple suggests ignoring suspicious messages and calling the company directly if something seems suspicious.
There's a new phishing scheme targeting Apple owners, and it's pretty elaborate — and annoying.
Some iPhone owners have received unprompted and repeated notifications to allow a reset of their Apple ID password, a form of attack known as "MFA bombing," according to a report from cybersecurity research and news website Krebs on Security.
Because the notifications appear as system prompts on the device itself, users can't use their phone until they deny or accept the request to reset.
One user, Parth Patel, posted on X, formerly Twitter, that he received over 100 notifications asking him to reset his password. Patel told Business Insider that he's a cofounder of an AI startup still in stealth.
The scammer's attempts to gain access to his Apple account didn't end there.
Patel said after 15 minutes of alerts, he received a spoofed call from the Apple Support phone number, telling him again that he needed to reset his password.
"I was obviously still on guard, so I asked them to validate a ton of information about me, before answering any of their questions," Patel said. "They got a lot right, from DOB, to email, to phone number, to current address, historic addresses…."
Patel said in his social media post that the only detail they got wrong was his name — which confirmed for him that it was a scam.
Patel told BI that the goal of the scam was likely to get the user to reset their Apple ID password using a one-time code sent over text message. If the user used the one-time code, the attackers could reset the password on the account, lock the user out, and even wipe all their Apple devices.
Another iPhone owner quoted in Krebs on Security said he experienced a similar situation and ended up replacing his phone and making a new Apple account after the phishing attempt, but still received the password-reset requests — leading him to believe the scammer was relying on knowing his phone number to carry out the scheme.
Apple said it has taken steps to address the reported issue.
"We are aware of reports that a small number of iPhone users are receiving a high volume of alerts asking if they are attempting to reset their password," an Apple spokesperson told Business Insider.
Apple said scammers often used spoofed calls to claim suspicious activity on an account or device. They aim to get information, money, or even Apple gift cards.
A good rule of thumb is that if you didn't personally try to reset your Apple password, you shouldn't be receiving a request to allow your password to reset. Even if the notifications are annoying and frequent — which should be a red flag anyway — resist the urge to tap "accept" to be rid of them.
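That rule of thumb, and the burst pattern the report describes, can also be checked on the service side. The following is an added example, not code from the article, Apple, or Krebs on Security: it assumes a hypothetical audit log with `RESET_INITIATED` events (the account holder started a reset from a recognised session) and `RESET_PROMPT` events (an "allow reset?" push was delivered), and flags prompts no user-initiated request explains as well as many prompts landing in a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log sample (not from the article). RESET_INITIATED: the
# account holder started a password reset from a recognised session.
# RESET_PROMPT: an "allow reset?" push was delivered to the account's devices.
SAMPLE_LOG = [
    "2024-03-26T10:00:00Z RESET_INITIATED user=alice",
    "2024-03-26T10:00:03Z RESET_PROMPT user=alice",
] + [
    # bob never initiated anything, yet receives a prompt every 10 seconds
    f"2024-03-26T10:05:{i * 10:02d}Z RESET_PROMPT user=bob" for i in range(6)
]

def parse_event(line):
    ts, kind, user_field = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kind, user_field.split("=", 1)[1]

def assess_reset_prompts(lines, solicit_window=timedelta(minutes=2),
                         burst_threshold=5, burst_window=timedelta(minutes=15)):
    """Per user: count prompts with no preceding user-initiated reset, and
    report whether prompts arrive in a burst (the MFA-bombing pattern)."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e[0])
    last_initiated = {}
    prompts = defaultdict(list)
    unsolicited = defaultdict(int)
    for ts, kind, user in events:
        if kind == "RESET_INITIATED":
            last_initiated[user] = ts
        elif kind == "RESET_PROMPT":
            prompts[user].append(ts)
            init = last_initiated.get(user)
            # a prompt is unsolicited if the user did not start a reset recently
            if init is None or ts - init > solicit_window:
                unsolicited[user] += 1
    report = {}
    for user, times in prompts.items():
        # sliding window: peak number of prompts inside any burst_window span
        peak, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > burst_window:
                start += 1
            peak = max(peak, end - start + 1)
        report[user] = {"prompts": len(times), "unsolicited": unsolicited[user],
                        "burst": peak >= burst_threshold}
    return report

if __name__ == "__main__":
    for user, verdict in assess_reset_prompts(SAMPLE_LOG).items():
        print(user, verdict)
```

A service that sees a user with unsolicited prompts or a burst can throttle further pushes and alert the account holder through a separate channel instead of continuing to prompt.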
Customers should assume any suspicious message, call, or request for personal information is a scam and hang up, according to Apple. Apple also said that you should call the company directly if something seems suspicious.
US customers can report scam phone calls to the Federal Trade Commission at reportfraud.ftc.gov or to local law enforcement agencies.