Roger Fingas
The latest scam targeting Apple device users is particularly insidious, appearing to come as a call from the company's real phone support number, according to a well-known security researcher.
Those affected are getting a message from a robodialer claiming their online ID has been compromised, Brian Krebs explained on Friday. Checking the iOS Phone app shows the caller as "Apple Inc." and the number as 1-800-MY-APPLE, just like AppleCare. In fact people who have recently been in contact with the authentic AppleCare will see scam calls listed under the same history.
One person targeted by the scam, Global Cyber Risk CEO Jody Westby, called the "1-866" number mentioned in the message, encountering first an automated system but then a real person, who ultimately placed Westby on hold before disconnecting.
Prior to that call Westby had got in touch with an AppleCare representative, who confirmed that the original call was a fake.
Krebs suggests that that as in most phishing incidents the scammers are likely baiting people into handing over personal details or to get direct payment for bogus services. While blocking the robodialer isn't an option for people who need to talk to Apple, the scam should nevertheless be easy to detect, since Apple doesn't cold-call its support clients and the reply number in the message isn't associated with the company.
AppleInsider Staff
Chip Loder
Christine McKee
Malcolm Owen
William Gallagher
Andrew Orr
19 Comments
Scammers have been using caller ID number manipulation for a long time. In past, I have received(fake) calls with ID/number displayed coming from IRS, Homeland security, Immigration, town police department and my own phone number displayed as me calling me.
My 92 year old dad was getting a ton of calls with "Apple, Inc" in caller ID the day after Christmas. He has no Apple devices whatsoever, so it was an obvious scam.
I happened to search spoofing just a little while ago and found this:
https://docs.fcc.gov/public/attachments/DOC-355848A1.pdf
Some action may be forthcoming, but the document above seems more about clarifying definitions, and asking for further comments.
Apparently, there are legitimate reasons to spoof Caller ID. For example, "domestic violence shelters sometimes alter caller ID information to ensure the safety of their residents." I think law enforcement may do this too. There are already rules that forbid fraudulent use, but they are ignored. Maybe finding some other way to legitimately protect callers without spoofing can be figured out, then the current spoofing technique can be disabled entirely.
Caller ID spoofing is getting to be a major problem - it's time they actually come up with a better system that prevents it.