Apple’s Messages app has a built-in safeguard to prevent links or phone numbers in unsolicited messages on iPhones from being clickable, and now scammers are trying to trick the unwary into enabling them.
By default, if you receive a text message on an iPhone or other Apple device from an unknown sender, any links therein are disabled. Once you reply to a message, however, the Messages app then allows clickable links, reports Bleeping Computer.
Scammers and other threat actors have developed a way around this restriction that savvy users will spot easily, but novice users might fall for. Often, this “smishing” attack comes in the form of a notice of an unpaid bill for a small amount, or a “failed delivery” notification.
The key to these new scam “warnings” is that they will often ask the recipient to reply immediately with “Y” or “N” or some variation. They will instruct the user to reply, then exit the chat and return to the message in order to click the now-enabled scam link.
Protecting yourself and others from text scams
If the user falls for this trick, a flood of other scam messages will quickly follow, now with clickable links and alarming messages that require the user to click those links. Sometimes, the sender will appear to be affiliated with Apple or other tech companies.
The first thing to do if one has fallen for this trick is to block and report the email address or phone number sending the scam messages. The second thing to do is keep a wary eye out for similar messages from other numbers or email addresses, and block and report them as soon as they are received.
The third thing to do is to think of any friends, colleagues, or family members who might also fall for this sort of smishing attack. Let them know what to do if they receive similar messages, and ask them to spread the word to people they think might fall for such a scam.
Such scams often use the scare tactic of a “missing” parcel or an unpaid bill to get users to click scam links. If the user falls for this, the resulting legitimate-looking scam site generally requires the user to enter credit card or bank account information to “pay” a modest fee.
But that’s not what happens. Within minutes or hours, the credit card will be maxed out, or the bank account emptied. In the US alone, some $9 billion was stolen from scam victims in 2022.
Warn those in your contacts that might be vulnerable to such a scam to be extremely cautious if they receive any unsolicited text from any person or entity where an included link has been disabled. Do not reply in any way to the message, just block and report it instead.
If you or someone you know has any doubts that perhaps the message was legitimate, encourage them to contact the sending entity directly by other means to verify that they sent such a text.
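For anyone screening reported messages, the reply-bait lure described above can be expressed as a simple heuristic: an unknown sender, a link, and a nudge to reply or to exit and reopen the chat. This is an added example, not code from the article or from Apple; the pattern lists, function names, and sample messages are constructed assumptions.

```python
import re

# Constructed heuristics for the "reply to enable the link" lure; the word
# lists are assumptions drawn from the article's examples, not Apple's logic.
PATTERNS = {
    "link": re.compile(r"https?://\S+|\bwww\.\S+", re.I),
    # Asks for a throwaway answer such as "Y" or "N".
    "reply_prompt": re.compile(
        r"\b(?:reply|respond|text back)\b[^.!?\n]{0,40}?\b(?:y|yes|n|no)\b", re.I),
    # Tells the reader to leave the chat and come back so the link activates.
    "reopen_instruction": re.compile(
        r"\b(?:exit|close|leave)\b.{0,60}?\b(?:re-?open|return|open\s+(?:it\s+)?again)\b",
        re.I | re.S),
    # Themes the article names: unpaid bill, failed delivery, missing parcel.
    "lure_theme": re.compile(
        r"\b(?:unpaid|overdue|bill|parcel|package|delivery|delivered)\b", re.I),
}

def signals(text):
    """Return the names of every pattern that fires, in PATTERNS order."""
    return [name for name, rx in PATTERNS.items() if rx.search(text)]

def is_reply_bait(text, sender_known):
    """Flag a text from an unknown sender that pairs a link with a nudge to reply."""
    if sender_known:
        return False  # the link-disabling safeguard only applies to unknown senders
    found = set(signals(text))
    return "link" in found and bool(found & {"reply_prompt", "reopen_instruction"})

# Constructed sample messages: (text, sender_known)
SAMPLES = [
    ("Your parcel could not be delivered. Update your address at "
     "https://example.invalid/track (Please reply Y, then exit the message "
     "and reopen it to activate the link.)", False),
    ("Your code is 482913. Do not share it.", False),
    ("Reply Y if you're in, details at https://example.invalid/party", True),
    ("Your order shipped: https://example.invalid/o/1 Reply STOP to opt out.", False),
]

if __name__ == "__main__":
    for text, known in SAMPLES:
        print(is_reply_bait(text, known), signals(text), text[:40])
```

The last sample shows why the reply pattern looks for a throwaway answer rather than any use of the word “reply”: an ordinary opt-out footer with a link is not flagged.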