CIO

Ignore that call from “Apple” about an iCloud breach

Scammers leverage an alleged iCloud account leak that also is likely not real.

Earlier on Monday, my wife let me know that “Apple Support” had called about iCloud security. She was dubious, and rightly so. “Apple” then called five more times (and counting). Suffice it to say, it wasn’t Apple, but fraudsters trying to piggyback on reports that a major breach of iCloud credentials could render hundreds of millions of accounts vulnerable.

Apple says no such breach occurred, and security researchers, like Troy Hunt of HaveIBeenPwned.com, say the group trying to extort Apple likely has reused credentials from other sites’ password leaks. (We recommend turning on two-factor authentication at iCloud regardless.)

However, media reporting a potential iCloud security failure makes unsolicited calls claiming to be from Apple more credible. My wife wasn’t taken in, but also didn’t immediately dismiss the call. She hung up, and then told me about it. We have Apple devices and both use iCloud, and we have regular issues with iCloud not working precisely as we expect.

While Macworld readers may already know these sorts of calls are a scam, it’s vital to alert friends, family, and colleagues about such calls and help immunize them against falling for one. Many of these services sound and act professional, and have been victimizing Windows users for years.

Below are some of the “tells” for me that it was a fraud, and that you can teach others about:

Apple called unsolicited: I’ve never had Apple call me—a consumer—for any reason I can recollect unless I called them first, and it’s always a human being calling back. Apple notes this on its phishing tips page: “If you get an unsolicited call from someone claiming to be from Apple, hang up and contact us directly.” (Microsoft, Google, and others never place unsolicited calls, either.)

The call was automated: The call used a fairly cheap-sounding computer-synthesized voice. An Apple automated call would be much higher quality, and probably use a real person (or at worst, a Siri analog).

We never give this number out: This is a home line we use effectively as a backup and for outgoing calls only. I can check via the Apple ID site which phone numbers I have provided, too.

The message didn’t provide details: It offered an unfamiliar 855 toll-free number, and didn’t provide an apple.com address at which more details could be found or verified.

The message offered to put me through “to a support adviser right now”: This is not what Apple calls its staff, nor a likely thing for Apple to offer.

The Caller ID number didn’t say Apple on it: Caller ID can be faked (there’s no verification process), but the number displayed is from Milwaukie, Wisconsin. I also feel bad for the person whose number was impersonated. Via a reverse search, I found a real person’s name and address associated with the number.

The Caller ID number has a shady history: The 855 number provided, when I searched on it via Google, has been used for at least a week with “Apple Support” scams.

They called back multiple times: If I wasn’t sure at first, the five additional calls throughout the day made it clear it wasn’t Apple.

A common threat

These scams are abundant and take many forms, though they typically target Windows users, either through unsolicited calls or pop-up messages on sites of dubious quality, because of the sheer number of Windows users. The scammers try to get you to let them connect to your computer via a reverse screen share, using one of the many free sites that provide person-to-person screen sharing and control.

Then, they claim to have scanned your computer and found malware, and ask for payment so they can “fix” your computer. In the process, they install adware and sometimes malware, and charge your credit card a high fee, a recurring fee, or both.

Try to help those you know train themselves to be alert for scams, whether they come from an unsolicited call or via a pop-up, and to call or text you (or, at work, an IT support person) before they provide any personal information or credit-card details. These scams rely on fear and plausibility. By teaching people what to look for and, most importantly, to confirm details and wait before acting, you can help subvert them.