Fake package notifications
More and more fake parcel notifications are in circulation. Cybercriminals have developed a new phishing strategy to specifically deceive iMessage users and circumvent security measures.
The scam has actually been known for a long time: a package notification arrives via SMS, claiming there is a problem with the delivery or that the supposed package is stuck in customs. To receive the package, you have to follow a link and provide personal information on a website. Of course, the package notification is not real. It is a so-called smishing attempt – phishing via SMS. The aim is to trick users into disclosing personal information, such as passwords or credit card details, on a phishing website.
As Mimikama has now reported, there is currently another wave of phishing messages with alleged package notifications. Cybercriminals have developed a new smishing method with which they specifically try to trap iMessage users via fake SMS messages. The approach is primarily aimed at circumventing iMessage’s security measures.
This is how the smishing method works in iMessage
Apple’s iMessage app, through which iPhone users usually receive text messages, offers protection against links from unknown sources by default. Links from unknown senders are deactivated in the app. However, this protection is removed when users reply to a message or add the sender to contacts.
The attackers try to provoke a reaction from the recipient in order to lure them to the phishing link despite the protective measures. For example, the message includes a request to send a “Y” for “Yes.” As soon as the recipient responds, the links in the message thread are activated. Alternatively, recipients are asked to copy the link and open it directly in Safari.
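The lure described above can be checked for mechanically. The following is an added example, not code from the article or from Apple: a heuristic that flags messages from senders outside the contact list that carry a link together with a request to reply or to copy the link into the browser. The phrase patterns, phone numbers and sample messages are constructed assumptions.

```python
import re

# Phrase patterns for the two lures the article describes (wording is assumed).
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)
REPLY_BAIT_RE = re.compile(
    r"\b(?:reply|respond|answer|text back)\b[^.!?]{0,40}?"
    r"[\"'“”‘’(]?\b(?:y|yes|1)\b", re.I)
COPY_LINK_RE = re.compile(
    r"\bcopy\b[^.!?]{0,40}\blink\b[^.!?]{0,60}\b(?:safari|browser)\b", re.I)


def assess_message(sender, body, contacts):
    """Return the reasons a message matches the reply-bait smishing pattern."""
    reasons = []
    if sender in contacts:
        return reasons  # link protection only applies to unknown senders
    if not URL_RE.search(body):
        return reasons  # without a link there is nothing for a reply to activate
    if REPLY_BAIT_RE.search(body):
        reasons.append("unknown sender asks for a reply, which would activate the link")
    if COPY_LINK_RE.search(body):
        reasons.append("unknown sender asks to copy the link into the browser")
    return reasons


def flag_messages(messages, contacts):
    """Map each flagged sender to the reasons its message was flagged."""
    flagged = {}
    for sender, body in messages:
        reasons = assess_message(sender, body, contacts)
        if reasons:
            flagged[sender] = reasons
    return flagged


# Constructed sample messages; numbers and domains are placeholders.
CONTACTS = {"+10000000004"}
SAMPLES = [
    ("+10000000001", 'Your parcel is held at customs. Reply "Y", then reopen '
                     "this message to open the link: https://parcel.example/r/1"),
    ("+10000000002", "Delivery failed. Copy the link and open it in Safari: "
                     "https://parcel.example/r/2"),
    ("+10000000003", "Your order has shipped. Track it at "
                     "https://shop.example/orders/123"),
    ("+10000000004", 'Running late, reply "Y" if dinner is still on '
                     "https://maps.example/place"),
]

if __name__ == "__main__":
    for sender, reasons in flag_messages(SAMPLES, CONTACTS).items():
        print(sender, "->", "; ".join(reasons))
```

A match is a reason to leave the message unanswered and check the delivery status on the carrier's own website, not proof of fraud on its own.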
Protection against SMS phishing
To avoid falling into the phishing trap, users should take a few precautions. iPhone users in particular should note that replying to a message disables iMessage’s protection and activates the links.
In general, you should not click on links in SMS messages. Important requests do not typically come via SMS, and companies will not ask you to provide personal information this way. Be particularly careful when a message demands a quick reaction and builds up time pressure.
When you receive a message, examine it critically: Are you actually expecting a notification? Who did the message come from? How does the company typically send such notifications? Is the content legitimate?
Before you provide passwords, credit card information, or anything similar, make sure you are on the correct website. Check the URL that appears in the browser’s address bar. Instead of clicking on a link in an SMS – or copying the link from the SMS – you should in any case type the company’s web address, as you know it, directly into the browser.
To further minimize the risk, it also makes sense to set up two-factor authentication for online accounts. This gives the accounts additional protection, even if cybercriminals have managed to steal your login credentials.
Source: www.connect.de