Anatomy of the scam
A common phishing target: Apple ID. The scammer sends a text or email claiming your account has been locked, your iCloud storage is full, or that your iPhone has been "marked as lost" by another device. The link leads to a fake Apple ID login page. You enter your password and the 2FA code that Apple sends to your real device. The attacker now controls your Apple ID.
The consequences are large. The attacker gains access to iCloud photos, contacts, Notes, password backups, Find My (which can be used to track or remotely wipe your devices), and any auto-paid Apple subscriptions. With control of the account, stolen iPhones become resellable.
Red flags
- Text or email claiming your Apple ID is locked, suspended, or "marked as lost."
- Urgency: "verify within 24 hours."
- Link goes to a non-apple.com domain (e.g., "appleid-secure.co").
- Sender domain isn't @apple.com or @icloud.com.
- The page asks for your password AND the 2FA code shown on another device.
- Caller claims to be Apple Support and asks for your Apple ID password.
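The link and sender red flags above come down to a domain comparison, which substring matching gets wrong (for example, "apple.com" appearing at the start of a longer hostname). The following is an added example, not part of the original page, that checks a message against four of the listed flags; the flag names, the urgency pattern and the sample message are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: the only trusted domains are the ones the
# red-flag list names (apple.com for links; apple.com and icloud.com for senders).
LINK_DOMAINS = ("apple.com",)
SENDER_DOMAINS = ("apple.com", "icloud.com")
LURES = ("locked", "suspended", "marked as lost")
URGENCY = re.compile(r"\bwithin \d+ (hours?|minutes?|days?)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def in_domains(host, domains):
    """True only if host equals one of `domains` or is a subdomain of it."""
    host = (host or "").rstrip(".").lower()
    try:
        host = host.encode("idna").decode("ascii")  # Unicode lookalikes become xn-- labels
    except UnicodeError:
        return False
    return any(host == d or host.endswith("." + d) for d in domains)

def link_host(url):
    """Host the browser would connect to; anything before '@' is ignored."""
    try:
        return urlsplit(url).hostname
    except ValueError:
        return None

def red_flags(sender, body):
    """Names of the red flags a message trips. An empty list is not proof of
    legitimacy: a From address can be forged."""
    flags = []
    sender_domain = sender.rsplit("@", 1)[-1].strip("> ")
    if not in_domains(sender_domain, SENDER_DOMAINS):
        flags.append("sender-domain")
    if any(not in_domains(link_host(u), LINK_DOMAINS) for u in URL_RE.findall(body)):
        flags.append("non-apple-link")
    if any(lure in body.lower() for lure in LURES):
        flags.append("lock-claim")
    if URGENCY.search(body):
        flags.append("urgency")
    return flags

# Constructed sample message (not a real capture).
SAMPLE = ("Apple Support <alert@appleid-secure.co>",
          "Your Apple ID has been locked. Verify within 24 hours: "
          "https://apple.com.appleid-secure.co/login")

if __name__ == "__main__":
    print(red_flags(*SAMPLE))
```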
How to verify safely
- Apple does not send Apple ID alerts via SMS with login links. It sends notifications directly in iOS.
- Open the Settings app and tap your name — real account alerts appear there.
- Never enter your Apple ID password on a page reached from a link. Type apple.com into the address bar yourself.
- Apple Support never asks for your password. That's their explicit policy.
- If you have an iPhone, real account alerts come as in-system notifications.
If you entered credentials
- Change your Apple ID password immediately from a different device.
- Sign out of all sessions in Settings → [your name] → Sign Out.
- Revoke trust for any devices you don't recognize.
- Check Find My for unknown devices.
- Check connected services (iCloud sharing, Subscriptions, Family Sharing).
- Enable hardware-key 2FA if available (iOS 16.3+).
- Watch for follow-up calls pretending to be Apple Support; they come from the same operators.
What not to do
- Do not click "verify your Apple ID" links in texts or emails.
- Do not read your 2FA code aloud to anyone.
- Do not disable Find My during a "support" call — that's the scammer prepping to flip a stolen phone.
- Do not assume the Apple logo in an email means it's from Apple.
Where to report
- FTC: reportfraud.ftc.gov — the broadest US fraud intake; reports flow to thousands of law-enforcement agencies.
- FBI IC3: ic3.gov — the right destination when the scam is internet-enabled (phishing, BEC, romance, crypto).
- CFPB: consumerfinance.gov/complaint — for complaints about banks, money transmitters, payment apps, credit cards, debt collection.
- IdentityTheft.gov — if any identity information (SSN, driver's license, account credentials) was shared.
- Your bank or payment platform. Call the number on the back of your card or use the app's in-product help. Time matters — wires can sometimes be recalled within hours; ACH and Zelle are harder but worth trying.