India's Ministry of Home Affairs issued a warning regarding a phishing campaign targeting owners of lost or stolen iPhones [1, 2].
This alert highlights a weakness in user psychology: hackers exploit the desperation of individuals trying to recover missing hardware to gain unauthorized access to personal accounts [1, 2].
The campaign involves the distribution of fake Apple Support SMS messages [1, 2]. These messages are designed to appear as official communications from the tech company, which can deceive users into trusting the content [2]. According to the ministry, the messages contain malicious links that direct users to fraudulent websites [1, 2].
Once a user clicks these links, the websites prompt them to enter sensitive information. The primary targets of these phishing pages are Apple ID credentials and one-time passwords (OTPs) [1, 2]. By capturing these details, attackers can bypass security layers and seize control of the user's account [2].
Government officials said that the attackers specifically target people who have already reported a device as lost or stolen [1]. This precision allows the scammers to create a sense of urgency, a common tactic in social engineering, to trick users into providing their login details without verifying the sender [2].
Users are advised to avoid clicking on links in unsolicited text messages and to use only official Apple channels for device recovery [1, 2]. The ministry said that official support typically does not initiate contact via SMS to request account passwords or OTPs [2].
“Hackers exploit the urgency of users trying to locate or secure a missing iPhone”
This campaign demonstrates a shift toward highly targeted social engineering. By focusing on users in a state of distress—those who have lost a device—attackers increase the likelihood that a victim will bypass standard security instincts. This underscores the growing risk of 'smishing' (SMS phishing) as a primary vector for account takeover in India.
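A triage sketch for the pattern described above, added here as an example and not taken from the ministry's advisory or from Apple: it flags SMS text that pairs a lost-device lure or a credential/OTP request with a link whose real host is not an official Apple domain. The domain allowlist, keyword patterns, function names and sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: domains treated as official Apple channels in this sketch.
OFFICIAL_DOMAINS = ("apple.com", "icloud.com")
URL_RE = re.compile(r"https?://\S+|(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)
LURE_RE = re.compile(r"\b(lost|stolen|found|located)\b.*\biphone\b"
                     r"|\biphone\b.*\b(lost|stolen|found|located)\b", re.I | re.S)
ASK_RE = re.compile(r"\b(apple id|password|otp|one[- ]time|verification code)\b", re.I)

def link_host(token):
    """Host the link really points to; userinfo before '@' is ignored."""
    url = token if "://" in token else "http://" + token
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def is_official(host):
    """Exact or dot-boundary suffix match, so 'apple.com.x.example' fails."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def triage(sms):
    """Classify one SMS body as 'block', 'review' or 'allow'."""
    hosts = [link_host(t.rstrip(".,;:!?)")) for t in URL_RE.findall(sms)]
    unofficial = [h for h in hosts if h and not is_official(h)]
    lure, ask = bool(LURE_RE.search(sms)), bool(ASK_RE.search(sms))
    if unofficial and (lure or ask):
        verdict = "block"      # unofficial link plus lure or secret request
    elif unofficial or ask:
        verdict = "review"     # one signal only: hold for a human check
    else:
        verdict = "allow"
    return {"verdict": verdict, "unofficial_hosts": unofficial,
            "lure": lure, "asks_secret": ask}

# Constructed sample messages (not real campaign data; .example hosts are reserved).
SAMPLES = [
    "Apple Support: Your lost iPhone 14 has been located. Sign in with your "
    "Apple ID to view it: https://apple.com.device-locate.example/id",
    "Your stolen iPhone is online. Enter OTP at https://apple.com@find-device.example/login",
    "Reminder: mark your lost iPhone in Find My at icloud.com/find.",
    "Apple Support: reply with the OTP sent to your number to unlock your device.",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(triage(sms)["verdict"], "|", sms[:60])
```

The host check is the part that matters most: a substring test for "apple.com" would pass both of the first two samples, while the parsed-host suffix match rejects them.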





