How iPhone Thieves Exploit Find My iPhone to Steal Your Data

Losing your beloved iPhone can be a stressful and emotional experience, especially when it’s stolen. For many of us, the first instinct after losing our iPhone is to track it using tools like Apple’s Find My iPhone to find out where it is located. But what happens when thieves turn this very tool against you? This is exactly what happened to a friend of mine whose iPhone 13 Pro Max was stolen recently. 

After their iPhone was stolen, we tried calling their number to see if someone might answer and possibly return it (though we knew this was unlikely). The person who stole the phone eventually answered and demanded money to return it. However, what caught my attention was the link they sent, which appeared to lead to Apple’s Find My iPhone page.

The Fake “Apple Find My” Website 

Screenshot of the Fake Apple FindMy page

After receiving a link that led to a page resembling the “Apple Find My” website, I was curious and tapped it to see where it would take me. At first glance, this page looked legitimate—clean design, Apple’s logo, and everything. But something felt off. As someone with experience in cybersecurity, I quickly realized it was a clever trick designed by thieves to steal the passcode needed to unlock the stolen device.  

My friend, panicking and eager to recover their phone, almost fell for the scam. I’m certain they would have entered their passcode on the fake page if I hadn’t been there with them. This experience was a wake-up call about how easily cybercriminals exploit the panic and urgency that follow a theft. That’s why I’m sharing this story: I want to help anyone reading avoid falling victim to similar tricks.

How This Scam Works

This fake Apple Find My page prompts you to enter the passcode, regardless of which element you tap

In this scam, the thieves aim to trick the victim into providing the 6-digit PIN needed to unlock the stolen iPhone. If the Stolen Device Protection feature isn’t enabled on the stolen phone, they can potentially reset the Apple ID, giving them full control of the device. But how do they convince the victim to share their code?

Thieves create fake websites that closely resemble Apple’s Find My iPhone page. These websites are designed to look authentic, mimicking the designs, logos, and layouts typically found on an Apple-designed webpage. Once you try to contact them, they send you a link that prompts you to input your iPhone’s passcode. In the particular link sent to us, the page looked legitimate at first glance. 

However, the URL was the first clue that it was a scam—it had a .biz extension and other strange characters, making it clear that this wasn’t an Apple website. The page was also suspicious because it asked for the passcode regardless of which element was clicked, behavior that doesn’t match how Apple typically designs its services. As someone familiar with Apple products and services, I found this inconsistency made it clear that the page was fraudulent.

Why Such Scams Are Effective

  • Emotional Manipulation: The panic and hope that follow a phone theft make victims act quickly without thinking critically. Thieves rely on this emotional vulnerability to trick users into entering sensitive information like their device passcode. 
  • Exploiting Trust: Most people trust official-looking websites, especially when they mimic trusted brands like Apple. This trust often prevents victims from noticing subtle signs of phishing, such as typos in the URL and some of the minor design inconsistencies.

How to Protect Yourself from Similar Scams

  • Use Official Sites Only: When you lose your iPhone or any other device, it is crucial to take a deep breath and avoid acting out of panic. While recovering the iPhone or reporting it as stolen, use only the official Find My iPhone app or website to track your device.
  • Verify Before You Share Information: Check the URL for inconsistencies (e.g., spelling errors or extra characters). Be cautious of poorly written messages or websites with unusual formatting. 
  • Enable Stolen Device Protection Features: Apple introduced the “Stolen Device Protection” feature to the iPhone last year with iOS 17.3. With this feature enabled, you must authenticate with Face ID before resetting your Apple Account password or resetting the device. This means that even if thieves somehow guess your passcode, they will not be able to change your Apple Account password. 
  • Use 2FA: You should also make sure two-factor authentication (2FA) is set up for your Apple Account to add an extra layer of security.
  • Report Stolen Devices Immediately: Notify your carrier to block the device and prevent unauthorized use. Then, mark the device as stolen using the official “Find My” page. If the device contains a lot of sensitive information, it’s also a good idea to remotely reset it. 
  • Report Suspicious Links: Just as I have done, you should also report suspicious links or messages to Apple by emailing reportphishing@apple.com. This helps ensure such links are blocked on iPhones, protecting others who might otherwise fall victim.
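To make the “check the URL” advice concrete, here is an added example (my own illustration, not code from Apple or from the original article) that inspects a link before you tap it. The allowlist of Apple domains and the sample URLs are assumptions constructed for the demonstration; the lookalike checks mirror the clues described above (a non-Apple .biz domain carrying Apple’s brand name, odd characters in the hostname).

```python
from urllib.parse import urlparse

# Assumed allowlist of registered domains Apple uses for Find My and account
# pages (illustrative; confirm against Apple's own documentation).
APPLE_DOMAINS = {"apple.com", "icloud.com"}
BRAND_WORDS = ("apple", "icloud", "findmy")


def registered_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'www.icloud.com' -> 'icloud.com'.
    Sufficient for these domains; production code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_find_my_link(url: str) -> list[str]:
    """Return a list of warnings for a link claiming to be Apple's Find My page.
    An empty list means every check passed."""
    warnings = []
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        warnings.append("not HTTPS")
    if parsed.username or parsed.password:
        warnings.append("credentials embedded before '@' in the URL (userinfo trick)")
    if "xn--" in host:
        warnings.append("punycode hostname (possible lookalike characters)")
    if any(ord(c) > 127 for c in host):
        warnings.append("non-ASCII characters in hostname")
    domain = registered_domain(host)
    if domain not in APPLE_DOMAINS:
        warnings.append(f"registered domain '{domain}' is not an Apple domain")
        # Brand name in a subdomain or hyphenated name, but not the real domain:
        # the classic shape of the fake page described in this article.
        compact = host.replace("-", "")
        if any(word in compact for word in BRAND_WORDS):
            warnings.append("Apple brand name used in a lookalike hostname")
    return warnings


if __name__ == "__main__":
    # Constructed sample links, not real indicators from the incident.
    for link in ("https://www.icloud.com/find",
                 "https://apple-findmy.biz/?id=123",
                 "https://icloud.com.verify-device.biz/find"):
        print(link, "->", check_find_my_link(link) or ["looks like a genuine Apple domain"])
```

Only an empty result means the hostname is a genuine Apple domain; any warning is reason to close the page and use the official Find My app instead.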
