If you're an Apple user and I spoof your phone number in a call to the legitimate Apple Customer Support line (800-275-2273), I can force Apple to send you a system level "Apple Account Confirmation" prompt to all of your signed-in devices.
This approach is commonly used by a prolific voice phishing group to convince targets they really are in a support call with an Apple representative.
Today's deep dive into this weird world was made possible in part by a series of live phishing videos, tutorials and other secrets shared by an insider that show in unprecedented detail how these voice phishing scams can be so convincing.
Please share this story widely, because I learned a ton reporting this and frankly the various methods used by these groups to dox and target people are really slick.
From the story: "Besieged by scammers seeking to phish user accounts over the telephone, Apple and Google frequently caution that they will never reach out unbidden to users this way. However, new details about the internal operations of a prolific voice phishing gang show the group routinely abuses legitimate services at Apple and Google to force a variety of outbound communications to their users, including emails, automated phone calls and system-level messages sent to all signed-in devices."
https://krebsonsecurity.com/2025/01/a-day-in-the-life-of-a-prolific-voice-phishing-crew/
Comments
Displaying 0 of 1 comments
BrianKrebs
In response to this postA lot people stop reading these stories when they realize that most of the targets are cryptocurrency holders. But the truth is these voice phishing techniques would be even more successful on lower-stakes, run-of-the-mill user accounts. It just so happens that phishing crypto users is way more lucrative.
@briankrebs I carry on reading because I get to see shitcoin holders be miserable *and* learn interesting broadly-applicable threat model stuff
by Graham Sutherland / Polynomial ;
Likes: 0
Replies: 1
Boosts: 1