Phishing Scam Targets iMessage: How Hackers Steal Personal Data from Apple Users

January 13, 2025 | Cybersecurity
By Ashwani Mishra, Editor-Technology, 63SATS

iMessage, hailed as one of the most secure messaging services, protects over 8 billion iPhone users with built-in phishing safeguards. These protections automatically disable links from unknown senders, shielding users from malicious attacks. However, cybercriminals have found a way to bypass these safeguards, exploiting users’ trust with cleverly crafted phishing messages.

The New Phishing Tactic: Disabling iMessage Protection

According to a report from BleepingComputer, hackers are sending fake text messages to iMessage users, often posing as businesses or government entities. Messages might claim issues like “shipping delays” or “unpaid tolls” to create urgency. The goal? To trick users into replying to the message, which disables iMessage’s phishing protection.

Hackers embed a simple instruction in their messages: “Please reply Y, then exit the text message, reopen the activation link, or copy the link to Safari browser to open it.” This seemingly innocent step fools users into thinking they’re confirming a legitimate request. In reality, replying enables access to malicious links.

How the Scam Works

When a phishing message arrives, iMessage disables any embedded links, protecting users from potentially harmful websites. But the hackers’ twist is cunning: by responding with a “Y” or “N,” users unknowingly deactivate iMessage’s built-in protection. Once the safeguard is disabled, clicking on the link takes the user directly to a phishing site, exposing them to malware and data theft.

Why This Scam Is So Effective

The tactic mimics legitimate business communications, where users often reply “Yes” or “No” to continue a conversation or confirm an action. This familiarity makes users more likely to trust the message, even when it comes from an unknown sender.

Apple confirmed to BleepingComputer that replying to these messages disables iMessage’s phishing safeguards, allowing the malicious links to function. This clever exploitation of human behavior makes the scam particularly dangerous, especially for users who may not scrutinize the authenticity of each message.

A Surge in Attacks

While phishing scams are not new, BleepingComputer reports a significant rise in these attacks since the summer of 2024. The surge suggests that hackers are increasingly targeting Apple users, capitalizing on their trust in iMessage’s security.

How to Stay Safe from iMessage Phishing Scams

To protect yourself from falling victim to these phishing attacks, follow these key tips:

Do Not Respond to Unknown Messages: Avoid replying to messages from unknown senders, even if they seem urgent or legitimate.

Verify Links Independently: If you receive a link claiming to address a pressing issue, avoid clicking it directly. Instead, visit the official website or contact the organization through verified channels.

Enable Two-Factor Authentication (2FA): Strengthen your Apple account by enabling 2FA, which adds an extra layer of protection against unauthorized access.

Keep iOS Updated: Ensure your iPhone’s software is always up to date, as updates often include security patches to address vulnerabilities.

Be Skeptical of Urgent Requests: Hackers often use urgency to pressure users. Take a moment to evaluate the message before taking any action.