Beware of this New Phishing Scam Using ‘Legitimate’ Apple Emails

Scammers have increased their level of sophistication yet again. This summer, hackers were messaging users posing as Apple support, and then earlier this month, security watchdogs warned fraudsters were planning to exploit the scheduled test of the UK government’s emergency alert text notification system.
Now, hackers have found a new way to abuse Apple’s iCloud Calendar invite messages to dupe unsuspecting recipients. These messages come directly from Apple’s own servers, likely bypassing spam filters, making the fraudulent messages even more difficult to detect.
These phishing messages are included in the “Notes” section of an Apple calendar event. The hacker sends the invite to a Microsoft 365 email address they control, which is then forwarded to a larger list of potential victims. Microsoft uses a specific technology that allows these forwarded messages to pass checks used by email services that would otherwise either mark the message as “spam” or automatically redirect the email to the spam or junk folder. This means the victim is receiving a message from a legitimate Apple e-mail address.
Naturally, many of us are unlikely to suspect a message purportedly from Apple to be malicious. However, that’s the goal. In this case, the “Notes” section of the calendar message includes a message stating a charge has been made against the recipient’s PayPal account, along with a phone number to call to discuss the payment. During the phone call, the scammer will ask the victim to download and run software so they can initiate a refund.
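For mail administrators, the lure described above can be screened for in the invite itself. The following is an added example, not code from this article or from Apple: it assumes the event's "Notes" text is carried in the iCalendar DESCRIPTION property, and the sample invite, keyword list and function names are constructed for illustration.

```python
import re

# Constructed sample invite, not a real message; 555-01xx is a reserved fictional range.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\nSUMMARY:Purchase Invoice\r\n"
    "DESCRIPTION:Your PayPal account has been charged $599.00. If you did no\r\n"
    " t authorize this payment\\, call +1 (202) 555-0142 to request a refund.\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

# DESCRIPTION, optional ;PARAM=... (quoted values may contain ':'), then the text.
DESC = re.compile(r'(?i)DESCRIPTION(?:;(?:"[^"]*"|[^":;])*)*:(.*)')
PHONE = re.compile(r"(?<!\d)(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
LURE = re.compile(r"\b(charged?|payment|invoice|refund|transaction|paypal)\b", re.I)


def event_notes(ics):
    """Return the unescaped DESCRIPTION text of every event in an iCalendar body."""
    # RFC 5545 folding: a line break followed by space or tab continues the line.
    lines = re.sub(r"\r?\n[ \t]", "", ics).splitlines()
    notes = []
    for line in lines:
        m = DESC.match(line)
        if m:
            # Undo TEXT escaping: \\ \; \, and \n or \N (newline).
            notes.append(re.sub(r"\\([\\;,nN])",
                                lambda e: "\n" if e.group(1) in "nN" else e.group(1),
                                m.group(1)))
    return notes


def callback_phish_indicators(ics):
    """Flag notes that pair a payment lure with a phone number to call."""
    findings = []
    for note in event_notes(ics):
        phones = [p.group(0) for p in PHONE.finditer(note)]
        terms = sorted({t.lower() for t in LURE.findall(note)})
        if phones and terms:  # either signal alone is common in ordinary invites
            findings.append({"phones": phones, "terms": terms})
    return findings


if __name__ == "__main__":
    for hit in callback_phish_indicators(SAMPLE_ICS):
        print("suspicious invite notes:", hit)
```

Because the sending domain is legitimate here, a content check like this is a signal for review or quarantine rather than a verdict on its own.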
While this is a run-of-the-mill phishing attempt, the use of Apple’s internal system and domain makes the message appear more credible than other tactics. By now, many of us are immediately suspicious of unsolicited calls or texts from unrecognized numbers and emails from unknown senders. This time, the messages are more likely to reach the recipient’s inbox, increasing the likelihood someone will see and respond to them.
While iCloud Calendar Spam isn’t new, this technique is unique in that it’s tied into the invite e-mails that are automatically sent out by Apple’s servers. Previous calendar-related scams relied on push notifications sent directly in the iPhone Calendar app. Apple seems to have successfully blocked most of these, so it appears the scammers have moved on to a new tactic.
Beware of any calendar invites from unknown senders. No company will contact you regarding suspicious account activity via a calendar invite. As usual, never call any phone number included in a suspicious message, or click on any links in the message, email, or text. Keep your iOS up to date and consider taking the added precaution of signing up for a trusted antivirus program.