You may have a keen eye for spotting scams, but fraudsters are finding new ways to weaponize trusted systems to avoid detection. For example, threat actors are generating real Apple support tickets to phish two-factor authentication (2FA) codes and gain access to iCloud accounts.
The scheme, detailed on Medium by security researcher and software product manager Eric Moret, shows how social engineering tactics can sow just enough fear and confusion to trick even those who know the red flags. (The money transfer scam that conned a financial advice columnist out of $50,000 is another example.)
How scammers are exploiting Apple’s support system
The Apple support scam started with a text message from Apple containing a 2FA code, followed by verification notifications across devices, indicating that someone was trying to log into Moret’s account. He then received an automated call from Apple with another 2FA code. The text was delivered from a five-digit short code, and the call from a toll-free number, both of which are used by legitimate businesses and not necessarily red flags of a scam.
The next call, however, came from an Atlanta-based 404 phone number. The caller claimed to be from Apple Support, stated that Moret’s account was under attack, and assured him that they were opening up a support ticket. During a follow-up call lasting 25 minutes, Moret received a real Apple Support case confirmation via email (it turns out anyone can create an Apple support ticket in someone else’s name) and was directed to reset his iCloud password.
He was then sent a link via text—from the 404 number this time—to close the ticket. After clicking through, Moret was directed to a phishing website that spoofed a real Apple page (the URL was appeal-apple[dot]com), where he was prompted to enter a 6-digit 2FA code he’d just received via text. An email to his inbox then alerted him that an unknown Mac mini had been used to sign into his iCloud account, which the rep on the phone told him was “expected as part of the security process” and “standard procedure.”
Moret then immediately reset his iCloud password again to kick the unauthorized device off.
It may be easy in hindsight to see the signs: the unsolicited call about an urgent security issue, the 404 number, the phishing link that isn’t a real Apple subdomain, the request for an authentication code. But the Apple support ticket—with a real case number and official emails from apple.com domains—lent just enough credibility, and the multiple 2FA notifications just enough urgency, to work.
That’s the problem with social engineering. It manipulates emotions and instincts that are stronger than logic and reason, leading to actions that are not in our interest.
How to stay safe
As always, you should be wary of anyone who calls, texts, or emails you about a security or account issue, even if you have received real security alerts or they have a legitimate case number. Don’t click links, enter credentials, or provide codes when prompted by these unsolicited callers. Don’t accept reassurance from anyone on the phone, no matter how calm and confident they sound.
If you are concerned, you should reach out directly using trusted contact information or open support tickets yourself. Always check URLs and subdomains carefully, as hackers can play tricks to make them look legit.
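The URL check described above is easy to get wrong by eye, because a lookalike such as appeal-apple[dot]com contains the brand name and an official-looking path. The following Python snippet is an added example, not code from the article or from Apple: it parses the hostname out of a link and accepts it only if it is exactly one of a small constructed allowlist of domains or a true subdomain of one (matching on a label boundary), so brand-in-the-middle and brand-in-the-userinfo tricks are rejected. The allowlist and sample links are assumptions made up for the demonstration.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist for this example; a real deployment keeps its own.
TRUSTED_DOMAINS = {"apple.com", "icloud.com"}


def hostname_of(url: str) -> Optional[str]:
    """Return the lowercase hostname of a link, or None if none can be parsed.

    urlsplit() handles the 'https://apple.com@evil.example/' trick for us:
    everything before '@' is userinfo, and .hostname returns the real host.
    """
    if "://" not in url:
        url = "https://" + url  # treat a bare host like 'icloud.com' as https
    host = urlsplit(url).hostname
    return host.lower().rstrip(".") if host else None


def is_trusted_host(host: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only for an exact trusted domain or a real subdomain of one.

    Matching on the '.' boundary is what rejects 'appeal-apple.com' (no dot
    before 'apple.com') and 'apple.com.evil.example' (trusted name is not
    the suffix).
    """
    return any(host == d or host.endswith("." + d) for d in trusted)


def classify(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """Classify a link as 'trusted', 'lookalike', 'untrusted' or 'unparseable'."""
    host = hostname_of(url)
    if host is None:
        return "unparseable"
    if is_trusted_host(host, trusted):
        return "trusted"
    # A host that is not trusted but still carries a trusted brand label
    # (e.g. 'apple') is the classic phishing lookalike and deserves a louder flag.
    brand_labels = {d.split(".")[0] for d in trusted}
    if any(label in host for label in brand_labels):
        return "lookalike"
    return "untrusted"


if __name__ == "__main__":
    # Constructed sample links; only the first two should pass.
    samples = [
        "https://support.apple.com/case/12345",
        "icloud.com",
        "https://appeal-apple.com/verify",
        "https://apple.com.evil.example/login",
        "https://apple.com@evil.example/",
    ]
    for link in samples:
        print(f"{classify(link):12} {link}")
```

In practice the point of the check is the label-boundary rule in `is_trusted_host`: a host must end in `.apple.com`, not merely contain `apple`, before a code or password goes anywhere near it.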
Also, know that simply having 2FA enabled isn’t enough to keep your accounts secure. Some forms, like the texted codes in this case, are easily phished, so if possible you should use a phishing-resistant multi-factor authentication method like a hardware key or WebAuthn credentials (biometrics and passkeys) rather than codes.
