Don't Fall for This Sneaky Lost iPhone Scam

Phishing scams have a history of employing some impressive web design skills to trick people into giving up their Apple ID credentials. But a new attack, thoroughly detailed by Joonas Kiminki at Hackernoon, shows just how far these scams can go, and how convincing they can be.


After having his iPhone stolen from a rental car, Kiminki did the reasonable thing and notified Find My iPhone to receive alerts once the phone was back online. Almost two weeks later, he received a notification that his phone was found, and that he just needed to provide his Apple ID credentials in order to see the location. Except it wasn’t an Apple site, but instead a very convincing fake.

Kiminki was obviously thrilled that his phone had been found, and says he only paused because of the curious URL at the top of the page that prompted him for credentials. Once he dug into the source code, he found that his Apple details would’ve been sent to a sketch-as-hell email account tied to some random business in Nassau.


This kind of scam isn’t a completely new idea, but this may be the most convincing version. Take a look at this other ruse, posted on Reddit back in April, next to the one that tried to fool Kiminki:

Scam from April (left) compared to Kiminki’s scam

Both look like they come straight from Apple. Both are fake. The only real giveaway is the URL, which should be highlighted green and say “Apple Inc.” Since Kiminki is a web professional, he saw through the deception. I like to think I would too, but I’m honestly not so sure. It would likely depend on which stage of grief I’m in over my lost Apple device.

Seeing as these are two separate phishing scams in just the last few months, Apple and Google should probably warn users—like the millions and millions of people who are not web professionals—that iPhone-stealing asshats like this exist and to take caution whenever services like Find My iPhone are activated.


But at the very least, use a lockscreen. Do it. Do it now.

[Hackernoon h/t Jamie Condliffe]



I don’t know my iCloud password - I only know my Lastpass password. Lastpass won’t fill out my credentials unless it recognizes the URL. I’ve only seen the behavior on fake Paypal sites - it’s handy, and definitely something I push on less technical family members as a safety method for avoiding scams...