ras-slava - Fotolia
How does the iPhone phishing scam work?
An iPhone phishing scam leads users to believe malicious incoming calls are from Apple Support. How can enterprises protect their employee against this threat?
A new iPhone phishing scam starts with an automated call that displays an extremely convincing Apple logo. How does this scam work and how can users avoid it?
The telephone network in use today was designed long before traditional information security existed, and that gap is reflected throughout the system's current infrastructure. But even the more modern aspects of the existing telephone network face serious security challenges.
Unfortunately, many people continue to believe the phone network is secure and, consequently, they have no idea of the harmful and dangerous issues that can occur. Indeed, many old-school hackers started out by focusing on telephone-related vulnerabilities -- for example, phone phreaking -- as part of their computer networking education.
Fast-forward to today and people are being victimized by more sophisticated criminals who have learned to engineer phone-based attacks such as SIM swapping, eavesdropping, vishing, smishing and many others. Among these intrusions is a social engineering attack on iPhone users, an event security consultant Brian Krebs recently covered in a blog post.
The iPhone phishing attack is an extension of general tech support scams where a user receives a phone call warning him about some impending problem. In this case, the caller ID on the user's iPhone displays the call -- along with some other identifying details -- as originating from Apple Support, which makes the user believe the call is legitimate. In reality, the ID has been spoofed.
The scary part, according to Krebs, is that if the recipient is an iPhone user who then requests a call back from Apple's legitimate customer support webpage, the fake call gets indexed in the iPhone's recent calls list as a previous call from the legitimate Apple Support line.
Enterprises have many legitimate reasons to specify the caller ID source for a phone call, but as this iPhone phishing attack and many others have demonstrated, this functionality can be abused. People may want to be wary of information displayed on caller ID, as that functionality can be easily manipulated.
Enterprises that want to reduce the chance their customers will fall victim to these types of attacks can implement a tracking number or voice-authorization password. Calls from financial institutions are particularly troubling. A user who receives a call from his or her bank should verify the identity of the calling party before sharing any information.