Here's what to do to make sure you don't fall victim to this new scam
There's a common misconception that Apple products come with more security than Android.
Whatever side of the argument you're on, don't let that idea prevent you from keeping your guard up.
There's a new scam out there targeting iPhone users, and if you're unprepared, you might find yourself permanently locked out.
Scam article on iPhone (Kurt "CyberGuy" Knutsson)
What is the ‘push bombing/MFA fatigue’ scam?
If you suddenly see a "Reset Password" notification on your iPhone screen that only gives you the option to "Allow" or "Don't Allow," you may be a target of this latest "push bombing" scam. Scammers have reportedly found a way to exploit a bug in Apple's password reset flow, though it's not entirely clear that a bug is the cause.
If you see this notification, and you hit "Don't Allow" (as you should), it only prompts more of these notifications to pop up, like those annoying pop-up window attacks that we used to get back in the day. As you frantically click "Don't Allow" over and over again, your finger could accidentally slip, clicking "Allow."
If you do tap "Allow," scammers will be given access to your Apple account, and you can be permanently locked out of your phone.
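The defender-side counterpart to this pattern, added here as an illustration and not taken from the article or from Apple, is a sliding-window rate limit on reset prompts per account: once an account exceeds the limit, further prompts are suppressed and any "Allow" that arrives inside the burst is returned as suspect so it can be re-verified instead of honoured. The sample prompt log, the account names, and the limit of three prompts per five minutes are assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample prompt log for this example (not real Apple data):
# (ISO timestamp, account, user's response). "alice" is being push-bombed;
# "bob" triggers one legitimate reset.
SAMPLE_PROMPTS = [
    ("2024-03-26T09:00:00", "bob", "allow"),
    ("2024-03-26T09:01:00", "alice", "deny"),
    ("2024-03-26T09:01:10", "alice", "deny"),
    ("2024-03-26T09:01:25", "alice", "deny"),
    ("2024-03-26T09:01:40", "alice", "deny"),
    ("2024-03-26T09:02:05", "alice", "deny"),
    ("2024-03-26T09:02:30", "alice", "allow"),  # the accidental tap
]

WINDOW = timedelta(minutes=5)
MAX_PROMPTS = 3  # assumed policy: at most 3 prompts per account per window


class PromptGuard:
    """Sliding-window rate limiter for password-reset prompts: counts every
    prompt request per account, suppresses prompts beyond the limit, and marks
    an 'allow' received during a burst as suspect (to be re-verified)."""

    def __init__(self, window=WINDOW, max_prompts=MAX_PROMPTS):
        self.window = window
        self.max_prompts = max_prompts
        self.history = defaultdict(deque)  # account -> timestamps of recent prompts
        self.flagged = {}                  # account -> time the burst was first seen

    def handle(self, ts, account, response):
        """Classify one prompt event: 'deliver', 'suppress' or 'allow-suspect'."""
        q = self.history[account]
        q.append(ts)
        while ts - q[0] > self.window:  # drop prompts older than the window
            q.popleft()
        if len(q) <= self.max_prompts:
            return "deliver"
        self.flagged.setdefault(account, ts)
        return "allow-suspect" if response == "allow" else "suppress"


def replay(events, guard=None):
    """Run events (sorted by time) through a PromptGuard; return (outcomes, flagged)."""
    guard = guard or PromptGuard()
    outcomes = defaultdict(list)
    for ts_str, account, response in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        outcomes[account].append(guard.handle(ts, account, response))
    return dict(outcomes), guard.flagged
```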
"Reset Password" notification scam on iPhone (KrebsOnSecurity)
Warnings if you're in the Apple ecosystem
This scam isn't just stopping at your iPhone. If you're dedicated to the Apple ecosystem, then it's important to note that users reported experiencing this scam on their other Apple devices, including the Apple Watch.
Not only this, but one user reported that after tapping "Don't Allow" over and over again until the notifications eventually went away, the scammers actually called his iPhone in another attempt to catch him off guard. Generally, Apple Support won't call you out of nowhere.
"Reset Password" notification scam on Apple Watch (KrebsOnSecurity)
Apple's response to the 'reset password' notification scam
"We are aware of reports that a small number of iPhone users are receiving a high volume of alerts asking if they are attempting to reset their password and have taken steps to address the reported issue," a spokesperson for the company said.
How to outsmart this scam and protect yourself
If you do happen to be targeted by this attack, it’s of the utmost importance that you don’t tap "Allow" on any of these password reset notifications. Dismissing them one after the next will take a while, but they will go away.
If you give up and tap "Allow," it will give the hackers behind this campaign complete control over your Apple account. So don't tap "Allow," whatever you do. If you need help, you can always reach out to Apple Support.
What to do if the prompts persist?
If the prompts persist, temporarily change your phone number associated with your Apple ID. Keep in mind that this may affect iMessage and FaceTime functionality.
Watch out for scammers posing as Apple Support
If you manage to eliminate the notifications and then get a call from someone claiming to be from Apple Support, it's likely the scammers. Just hang up. Whatever you do, don't give any information to them. If you gave out any personal information like a Social Security number, follow the steps at IdentityTheft.gov. You'll be able to make a report there, and the website will help come up with a recovery plan for you and walk you through each step of gaining your identity back. You can also call Apple directly at 800-275-2273 (in the U.S.) to verify any communication.
Reporting scam phone calls
You can report scam phone calls to the Federal Trade Commission at reportfraud.ftc.gov or to your local law enforcement agency.
Is turning on ‘Apple Recovery Key’ a solution?
According to Krebs on Security, real Apple Support suggests turning on Apple Recovery Key to avoid the notifications, but when one of the victims tried it, it did not stop the notifications.
Stay tuned at Apple Support's page for updates.
Safeguarding your Apple account
When setting up an Apple account, it’s common knowledge that a phone number is required. However, once the account is established, this phone number doesn’t necessarily have to be a mobile one. Apple accepts VOIP numbers (such as Google Voice) as valid alternatives. Therefore, one potential mitigation strategy is to change your account phone number to a lesser-known VOIP number.
Important Note: If you opt for a VOIP number, be aware that Apple’s iMessage and FaceTime applications will be disabled for that device unless you also include a real mobile number.
Additionally, Apple’s password reset system accommodates email aliases. By appending a "+" character after the username portion of your email address and adding a site-specific notation (e.g.,
Tip: When choosing an alias, consider using something less obvious than "+apple" to enhance security and privacy.
Kurt's key takeaways
Security is a never-ending game of cat and mouse, and no device is ever truly invincible. Apple's on the case, but until a fix is here, vigilance is key. If you are bombarded with "Reset Password" prompts, stay calm, resist clicking 'Allow' at all costs and patiently dismiss each notification. Also, be sure to stay updated on Apple's progress for a permanent solution. By following these steps, you can outsmart this scam and keep your Apple ecosystem safe.
Do you think companies like Apple should be held more accountable for security vulnerabilities? Why or why not? Let us know by writing us at Cyberguy.com/Contact
Copyright 2024 CyberGuy.com. All rights reserved.
Kurt "CyberGuy" Knutsson is an award-winning tech journalist who has a deep love of technology, gear and gadgets that make life better with his contributions for Fox News & FOX Business beginning mornings on "FOX & Friends." Got a tech question? Get Kurt’s free CyberGuy Newsletter, share your voice, a story idea or comment at CyberGuy.com.