It feels like we are reaching peak iPhone 12, with Apple’s latest smartphone likely to launch in October. Perhaps unsurprisingly, as someone who is contemplating switching from Android to iOS, my interest has primarily focused on iPhone 12 security features. However, there’s one security aspect of the iPhone 12 media coverage that has gone mostly unreported, and that’s the risk of getting scammed as the release date draws ever closer.
Researchers at Sophos have uncovered one particular scam that could prove very tempting and very costly.
Would you accept a text message invite, meant for someone else, and apparently from an Apple Chatbot, if it offered the opportunity to trial an iPhone 12 for free?
Smishing attack uses reverse authentication psychology
Paul Ducklin, the principal research scientist at Sophos, has investigated a ‘smishing’ scam that uses just this approach to part victims from their credit card details. Smishing takes phishing out of the email realm and drops it right onto your phone via text message instead.
The unfortunate truth of the matter is that while awareness of email phishing has increased so that we are less likely to click a link or open an attachment, the same cannot be said of smishing. Perhaps it’s the condensed message format that provides an additional sense of urgency, combined with the feeling that a text message is somehow more personal, which makes smishing so dangerous.
Then there’s some creative ‘reverse authentication’ psychology at play within the mechanics of the messaging; more on that in a moment. Throw in the fact that URL shorteners are commonplace because of the maximum character limit, disguising the actual destination, and the scene is set for the iPhone 12 free trial scam.
Here’s how the iPhone 12 free trial scam works
Ducklin started investigating after Sophos picked up a text message that appeared to have been sent to the wrong number by mistake. “Dear Christopher,” it said, “we have your package in a queue,” and added a delivery address and a link to click. I’d like to think most people would run a mile if they saw that in their email inbox, but the scammers are working on the principle that enough recipients will let curiosity get the better of them when it’s a text message. Upon clicking the link, which was obfuscated by a URL shortener, Ducklin discovered the real psychological trickery began.
This is where that ‘reverse authentication’ psychology comes in, by presenting the user with what appears to be a series of messages from an Apple chatbot. The chatbot seems to be talking to ‘Christopher,’ and the conversation is about him being selected to take part in a free trial of the new iPhone 12. “Congratulations, you received an opportunity to be in the testing group for our newest iPhone 12 as part of the Apple 2020 testing program,” the messages reveal.
All ‘Christopher’ has to do is click another link for more information and to accept the invitation, the supposed chatbot says. That link is disguised as an Apple 2020 promotion address. The reverse authentication at play is that you have to prove your identity before going any further. To do that, you need to confirm your name and address, or rather the name and address of Christopher. Of course, the original parcel queue message contained all this detail, which is designed to get the better of somebody looking to take advantage of this case of mistaken identity and claim that free iPhone 12.
Once you’ve passed the authentication test and claimed the iPhone 12, it’s just a matter of confirming, or in this case changing, the delivery address and agreeing to a low-value courier delivery charge. This then takes you to a special offer website and a credit card payment form. You know what happens next: enter your card details and security number. Now the fraudsters have all they need to start profiting from your actions.
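To make the red flags in that chain concrete, here is an added example (not from Sophos or the article) that scores an inbound text message against the traits described above: a greeting addressed to someone else, a parcel or delivery lure carrying a link, a link hidden behind a URL shortener, and a landing page that is not genuinely on the brand’s domain. The shortener list and the sample messages are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed, illustrative list of public URL shorteners; extend for real use.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly", "rb.gy"}

# Constructed sample messages modelled on the lure described in the article.
SAMPLE_SMS = [
    "Dear Christopher, we have your package in a queue. 12 Example Road. https://bit.ly/xyz123",
    "Your appointment is tomorrow at 10:00. Reply C to confirm.",
]


def extract_urls(text):
    """Pull http(s) links out of a message, dropping trailing punctuation."""
    return [u.rstrip(".,)") for u in re.findall(r"https?://\S+", text)]


def is_brand_domain(url, brand_domain):
    """True only if the link's host is brand_domain or a subdomain of it.

    Rejects lookalikes such as 'apple-2020-promo.example' and
    'apple.com.evil.example', which a glance at the link would not catch.
    """
    host = (urlparse(url).hostname or "").lower()
    return host == brand_domain or host.endswith("." + brand_domain)


def smishing_indicators(text, my_name=None):
    """Return the list of red flags present in an inbound SMS."""
    flags = []
    urls = extract_urls(text)
    # A shortener hides the real destination, which the scam relies on.
    for u in urls:
        host = (urlparse(u).hostname or "").lower()
        if host in SHORTENERS:
            flags.append("shortened-url")
    # Parcel/delivery wording plus a link is the classic opener.
    if urls and re.search(r"\b(package|parcel|delivery)\b", text, re.I):
        flags.append("delivery-lure-with-link")
    # A greeting naming someone else is the 'wrong number' hook.
    m = re.match(r"\s*(?:Dear|Hi|Hello)\s+([A-Z][a-z]+)", text)
    if m and my_name and m.group(1).lower() != my_name.lower():
        flags.append("addressed-to-someone-else")
    return flags
```

A message that trips several of these flags is one to delete rather than open; a link that fails `is_brand_domain` against `apple.com` is not an Apple promotion, whatever the text claims.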
Spread the word to scupper the scam
We all like to think we wouldn’t get caught out like this, especially if we are tech-savvy or keep up to date with technology and cybersecurity news. However, as Ducklin pointed out, not everyone meets those criteria, and we probably all know someone who might just let curiosity and an otherwise unaffordable freebie trump common cyber sense.
“Friends don’t let friends get scammed,” Ducklin said, “that’s why we deconstructed this smishing scam in detail and made a video of the process. You can show it to the people who rely on you for advice about cybersecurity and let them see how it plays out – without having to click through yourself.”
Apple has a support page regarding phishing scams, including details of how to report any such messaging.