PSA: New Round of “iCloud Support” Scam Emails Are Making the Rounds | Here’s How to Protect Yourself

phishing email Credit: Rawpixel / Shutterstock

Phishing scams targeting Apple users appear to be on the rise again, with many folks receiving emails purporting to come from “iCloud Support” that are veiled attempts to trick users into giving up their passwords, credit card numbers, or other personal information. Subject lines of these spam emails can vary. “The importance of backing up your file to iCloud storage” is the latest one, specifically targeting Bellsouth and SBCglobal users within the AT&T umbrella.

It’s far from the first time we’ve seen scams like this, although they tend to ebb and flow in cycles. A common scam in early 2019 tried to frighten iCloud users into thinking that their account had been compromised or locked out, directing them to a fake password reset link.

Those taken in by these phishing emails often find themselves visiting a page that looks suspiciously like an official Apple website, where they’re taken through a seemingly ordinary password or account reset procedure. However, since the website isn’t owned by Apple, they’re providing their Apple ID password to whatever scammers are behind the site and potentially exposing their entire digital life.

The Power of an Apple ID

There’s more information stored behind an Apple ID than many folks realize — especially if you’re well-established in the Apple ecosystem. This includes your personal iCloud Photo Library, everything in your Notes app, email messages if you use iCloud Mail, and even files stored in iCloud Drive — which can include the entire Documents and Desktop folders synced from your Macs.

It’s not just about your personal info, either. Once they have access to your Apple ID and password, scammers can use Find My on the web to track the location of all of your devices — and possibly those belonging to all of your family members.

They can also remote wipe any of your devices, intercept your iMessages and SMS messages, and get at everything in your iCloud Backups, including call history, web browsing history, and more.

Even if you don’t use iCloud for email, having your Apple ID compromised can be worse than a hacker getting access to your email account — which isn’t a good thing either.

How to Protect Yourself

The first and most obvious way to avoid scams like these and to help your friends do so is to be extremely suspicious about any emails, text messages, or warnings you receive. In much the same way that your bank has been telling you for years that it will never ask you to divulge your PIN, Apple will never send you an email asking you to click a link to log into your Apple ID and “verify” your information.

Fortunately, many of these scam messages are easily detected as fakes. Even though they often feature official-looking Apple graphics and logos, things like typos, spelling errors, and openings such as “Dear customer” are dead giveaways.

However, some we’ve seen are so meticulously crafted that they could fool anybody who isn’t a computer security expert. There are still warning signs if you know what to look for, such as hidden “from” addresses, e-mail headers, and the website addresses behind the links, but many people don’t know how to check these things, and a skilled scammer can craft web links that look deceptively accurate at first glance.
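The three warning signs named above (the real “from” address, the other headers, and the address behind a link) can be checked mechanically. The sketch below is an added example, not part of the original article: the sample message is constructed, the `.example` domains are placeholders, and the list of trusted Apple domains is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: domains treated as genuine Apple senders and link targets.
TRUSTED = ("apple.com", "icloud.com")
BRAND = re.compile(r"apple|icloud", re.I)
LINK = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample message (not a captured phish); *.example are placeholders.
SAMPLE = """\
From: "iCloud Support" <notice@icloud-support.example>
Reply-To: helpdesk@mailbox.example
To: user@mail.example
Subject: The importance of backing up your file to iCloud storage
Content-Type: text/html; charset="utf-8"

<p>Dear customer,</p>
<p>Verify at <a href="https://appleid.apple.com.verify-login.example/reset">https://appleid.apple.com/reset</a></p>
"""

def is_trusted(host):
    """True only if host is a trusted domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def warning_signs(raw):
    """Return a list of human-readable findings for one raw message."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rpartition("@")[2]
    # Sign 1: display name claims the brand, actual sender domain does not.
    if BRAND.search(name) and not is_trusted(from_dom):
        findings.append(f"display name '{name}' but sender domain is {from_dom}")
    # Sign 2: replies are routed to a different domain than the sender's.
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2]
    if reply_dom and reply_dom.lower() != from_dom.lower():
        findings.append(f"Reply-To domain {reply_dom} differs from From domain")
    # Sign 3: visible link text names the brand, real target host does not.
    for href, text in LINK.findall(msg.get_payload()):
        host = urlsplit(href).hostname
        if BRAND.search(text) and not is_trusted(host):
            findings.append(f"link text shows '{text.strip()}' but goes to {host}")
    return findings

if __name__ == "__main__":
    for finding in warning_signs(SAMPLE):
        print("WARNING:", finding)
```

The link check compares the end of the hostname, so a host that merely begins with `appleid.apple.com.` is still flagged.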

The first line of defence against scam messages is to never click links in any emails or text messages that seem even the least bit suspicious.

Instead, if you’re concerned that there might actually be a problem, open a separate browser window — preferably a private browser window — and visit Apple’s website directly to log into your Apple ID. If there’s a problem with your account, Apple will bring that to your attention as soon as you log in.

We also strongly recommend that you enable two-factor authentication (2FA) on your Apple ID.

This feature requires you to enter an additional six-digit verification code each time you log in to iCloud or another Apple site using your Apple ID. This code is sent to your iPhone or iPad after you enter your password to sign in with your Apple ID.

With 2FA, if a hacker does get their hands on your Apple ID password, that six-digit code will appear on your iPhone, and you’ll immediately know that something is up. While some phishing attacks will try to trick you into giving up this code, it’s much more challenging for hackers as they can’t just record your password to try to use it later. Instead, they would need to create a fake “man-in-the-middle” website that immediately passes on your credentials to the real Apple sign-in page to get Apple to send you a valid two-factor code. Then, on top of that, they’d have about 30 seconds to use that intercepted code before it expired.

However, Apple has thought of this and added another protection against these types of attacks: the notification that supplies the six-digit code also shows you where the attempted sign-in is coming from. That’s going to be a huge red flag if you’re located somewhere in North America, yet the notification says that somebody is trying to log in to your Apple ID from Eastern Europe.

iOS 16.2 Adds Even More Protection

With the release of iOS 16.2 a few months ago, Apple tightened things up even further by adding optional end-to-end encryption and a setting to disable access to iCloud Data on the Web.

Known as Advanced Data Protection, this feature encrypts most of your iCloud data in such a way that even Apple can’t get access to it. This includes your iCloud Device backups, Messages, files in iCloud Drive, Notes, Photos, and much more. In fact, iCloud e-mail messages, calendar items, and contacts are the only categories that aren’t encrypted when this feature is enabled. That’s necessary as Apple uses open standard protocols to sync these items to your devices (IMAP, CalDAV, and CardDAV), and these protocols don’t support end-to-end encryption.

Once Advanced Data Protection is enabled, none of this data will be accessible from iCloud on the web without express authorization from your iPhone. Even trying to log in requires that you toggle on the Access iCloud Data on the Web setting on your iPhone or iPad.

You can also lock down web access to your iCloud without enabling Advanced Data Protection. Here’s how:

  1. Open the Settings app on your iPhone or iPad.
  2. Select your name at the top.
  3. Select iCloud.
  4. Scroll down to the bottom and toggle the switch beside Access iCloud Data on the Web to off.

If you are using Advanced Data Protection, you can leave this setting on to access your mail, contacts, and calendars via the web. However, since the rest of your data is encrypted, the iCloud web interface cannot access it without the private encryption key stored only on your iPhone (and other trusted personal Apple devices such as your iPad or Mac).

Apple has come up with a clever solution for allowing this, and it’s still quite secure against hackers. If you want to open something like Photos or Notes in iCloud on the web, your iPhone will need to temporarily provide the key to Apple so this information can be decrypted. When you click on one of these restricted categories, you’ll get a prompt on your iPhone asking if you want to allow access.

If you accept the prompt, that content category will be unlocked for the next hour or until you sign out (or you’re automatically signed out due to inactivity). However, each prompt only applies to a single category, so even if you allow access to your Photos, you’ll be prompted again if you switch to looking at your Notes.

Needless to say, if this prompt shows up when you’re not logged in, you’ll immediately know something is up — and you should visit Apple’s website from a trusted browser and reset your Apple ID password immediately.
