Scammers who prey on Apple iMessage users via phishing (or smishing) messages are doubling down on a novel tactic that tricks their victims into disabling built-in security. Spotted by BleepingComputer, a series of such phishing attacks have surged since last summer, especially over the past few months, putting unsuspecting users at greater risk of being scammed.
Here’s how the tactic works. By default, Apple’s built-in security disables any links in a text message from an unknown sender. That protection includes links to websites, email addresses, and phone numbers. But if the recipient replies to the message or adds the sender to their contact list, those links become valid and active. And that’s the aspect being exploited by scammers.
Also: The best VPN services (and how to choose the right one for you)
In two screenshots posted by BleepingComputer, one phishing message uses a fake USPS failed delivery notification that’s been popular among cyber crooks. The other claims the recipient is on the hook for unpaid highway tolls. In both cases, the interesting part is found in the instructions at the bottom: “Please reply Y, then exit the text message and open it again to activate the link, or copy the link to your Safari browser and open it.”
Typing Y or another character or word to respond to the message and then opening it again disables the phishing protection. So, even typing Stop, Cancel, or something similar to prevent future texts would bypass built-in security. Copying the link to Safari does the same thing. Once active, the link would then take the unlucky user to a malicious website or download malware, often to steal sensitive information.
Even if the recipient doesn’t fall for the scam, replying to a phishing message tells the scammer the phone number is valid, opening the door for more messages.
Also: Proton Pass review: A highly secure password manager with easy-to-overlook flaws
How do you deal with phishing texts? First, never respond directly to the sender. Second, delete and report the message as junk, which sends it to both Apple and your carrier. Finally, you can always call or email the alleged sender, whether USPS, FedEx, or someone else, to confirm whether the message is legit or fraudulent.