Tom’s Guide
Anthony Spadafora

iMessage under attack from scammers sending phishing messages — don’t fall for it

When it comes to phishing, you’re probably thinking about scam emails in your inbox — but messages on your smartphone (and the links they contain) can be just as dangerous.

With iMessage on the best iPhones, Apple includes built-in phishing protection to keep you safe from scams and malware in messages sent from unknown senders that aren’t in your contacts. Rightfully so, as hackers and other cybercriminals love targeting our phones given that they now hold so much sensitive data.

According to a new report by BleepingComputer though, hackers have now come up with a clever new way to disable Apple’s phishing protection in iMessage. This means that when you tap on a malicious link in one of their messages, your iPhone will no longer prevent you from being taken to known phishing sites.

Here’s everything you need to know about this new phishing campaign and how you can avoid falling for it altogether.

Disabling protection with a reply

There has been a surge in SMS phishing (smishing) attacks over the past few months that try to trick users into replying to messages from unknown senders.

When you receive a phishing message on your iPhone, iMessage automatically disables any links contained within it. This is done to keep you safe, since many people might fall for the fake sense of urgency used in these messages.

Although the types of phishing messages observed by BleepingComputer aren’t using any new tactics, they now include a message at the end which reads:

“Please reply Y, then exit the text message, reopen the text message activation link, or copy the link to Safari browser to open it.”

If you’ve dealt with a legitimate business over text before, you’re probably familiar with texting “Yes” or “No” to continue the conversation. Here, the hackers behind this campaign are using the same method but with a twist.

By responding to one of these phishing messages (either with a “Y” or an “N”), you can unknowingly disable iMessage’s built-in phishing protection. BleepingComputer even confirmed this with Apple.

Once an iPhone user has responded, they will then be able to tap on the malicious link in the message and head right to a phishing site without their phone stopping them.
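
For anyone triaging reported texts, the lure described above has a recognizable shape: an unknown sender, a link, and an instruction to reply so the link can be opened. The following is an added example, not code from the article or from BleepingComputer; the phrase patterns, labels, phone numbers and sample messages are constructed assumptions.

```python
import re

# Link detector: explicit scheme, or a bare host such as "example.invalid/path".
URL_RE = re.compile(r"https?://\S+|\b(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

# Phrases modelled on the lure quoted in the article (patterns are assumptions).
REPLY_BAIT = [
    re.compile(r"\breply\s+(?:with\s+)?[\"'“]?(?:yes|y)\b", re.I),
    re.compile(r"\bcopy\s+(?:the\s+)?link\s+(?:in)?to\s+(?:the\s+)?safari\b", re.I),
    re.compile(r"\breopen\s+the\s+(?:text\s+)?message\b", re.I),
]

def classify(sender, body, contacts):
    """Return a triage label for one inbound text message."""
    if sender in contacts:
        return "known-sender"            # the article's lure comes from unknown senders
    has_link = bool(URL_RE.search(body))
    asks_reply = any(rx.search(body) for rx in REPLY_BAIT)
    if has_link and asks_reply:
        return "reply-to-unlock-lure"    # link plus a request to reply or copy it out
    if has_link:
        return "unknown-sender-link"     # still suspicious, but no reply solicitation
    return "unknown-sender"

# Constructed sample data (fictional numbers, reserved .invalid domain).
CONTACTS = {"+15550100"}
SAMPLES = [
    ("+15550123", "Your parcel is on hold: https://example.invalid/track "
                  "Please reply Y, then exit the text message, reopen the text "
                  "message activation link, or copy the link to Safari browser "
                  "to open it."),
    ("+15550100", "Reply Y to confirm your appointment tomorrow."),
    ("+15550145", "Your delivery window changed. See https://example.invalid/help"),
    ("+15550167", "Reply Y to stop these messages"),
]

def triage(samples=SAMPLES, contacts=CONTACTS):
    """Label every sample message in order."""
    return [classify(sender, body, contacts) for sender, body in samples]

if __name__ == "__main__":
    for (sender, _), label in zip(SAMPLES, triage()):
        print(sender, label)
```
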

How to stay safe from phishing

According to BleepingComputer’s research into the matter, this tactic has been used by hackers and scammers over the past year. However, there was a surge in messages like this that started this summer and hasn’t seemed to slow down since.

When it comes to phishing, whether it be in your messages or in your inbox, the first and most important thing to remember is to keep a level head. Don’t let that false sense of urgency make you do something rash. Instead, carefully read over the message, look for spelling and grammatical errors and then take a step back and ask yourself if this message really applies to you.

Did you order a package that might have been delayed? Do you even do business with the company in question? By answering questions like these, you can quickly de-escalate the situation.

From there, you absolutely want to avoid clicking on any links a phishing message may contain. Likewise, you don’t want to respond to this type of message because if you do, the hackers behind it might think you’re gullible and continue to string you along. For instance, they might ask you to provide more information like personal or financial details.

While your iPhone has built-in phishing protection, you may also want to consider signing up for the best antivirus software to help you stay safe from phishing. Even though there’s no such thing as an iPhone equivalent of the best Android antivirus apps due to Apple’s own restrictions around malware scanning, some security apps for iOS do have phishing protection. Alternatively, if you have an Apple computer as well, the best Mac antivirus software from Intego is able to scan your iPhone or iPad for viruses but only when it’s connected to your Mac via a USB cable.

For phishing messages from unknown senders, the best course of action is often just to delete the message and move on. By improving your own cyber hygiene and becoming more knowledgeable about phishing attempts, you’ll be able to spot a scam without having to interact with a dangerous message or email at all.
