Experts Release Critical Alert for 1.8 Billion iPhone Users Regarding Bank Account Scam

A new scam targets iPhone users with emails that claim to be from Apple, and users are urged to treat these fraudulent messages with caution.

iPhone users worldwide are being warned to be wary of calendar invites that appear to come from Apple. These invites can carry scams designed to compromise bank accounts. With approximately 1.8 billion users, the threat could affect many people if it is not properly addressed.

The tactic of sending deceptive communications to steal login information and financial resources is not a novel approach. However, scammers are becoming increasingly sophisticated in evading spam filters.

The latest phishing effort involves using iCloud Calendar invites to deliver callback phishing emails disguised as purchase receipts. Alarmingly, these invites are sent using Apple’s email servers, making them harder to distinguish from legitimate communications.

This direct approach means these emails bypass typical spam filters, making it essential for users to be cautious before clicking any links.

Apple has alerted users following an incident where a suspicious email was shared with Bleeping Computer. The email falsely claimed a PayPal purchase had been made, urging the recipient to call a number to dispute the charge.

“Hello Customer, Your PayPal account has been billed $599.00. We’re confirming receipt of your recent payment,” the email read, according to Forbes.

This variant of the “callback phishing scam” leverages iCloud Calendar invites to trick users into calling back. On the call, attackers falsely claim the user’s account is compromised and prompt them to download malicious software, which is then used to steal data or funds.

Bleeping Computer noted, “The threat actor included the phishing text within the Notes field and then invited a Microsoft 365 email address that they controlled.”

Jamie Akhtar, CEO and co-founder of CyberSmart, explained that these invites appear legitimate because they are sent from Apple’s servers, pass authentication checks and are difficult for traditional filters to block.
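
Because these invites pass sender authentication, a filter has to inspect the invite content instead. The following added example (not from the article, Apple or Bleeping Computer) scans an invite's text fields for callback-lure signals. It assumes the calendar Notes field is carried in the iCalendar DESCRIPTION property; the sample invites, indicator patterns and threshold are constructed for illustration.

```python
import re

# Constructed sample invites, not real captures. The lure wording follows the
# email quoted in the article; the phone number is a fictitious 555 number.
SUSPICIOUS_ICS = (
    "BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\nSUMMARY:Purchase Invoice\r\n"
    "DESCRIPTION:Hello Customer\\, Your PayPal account has been billed $599.00.\r\n"
    "  We're confirming receipt of your recent payment.\\nTo dispute this charge\r\n"
    "  call +1 (555) 010-0142.\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n"
)
BENIGN_ICS = (
    "BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\nSUMMARY:Team sync\r\n"
    "DESCRIPTION:Agenda: roadmap review\\, Q3 planning.\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

# Content indicators of a callback lure (assumed heuristics; tune for your mail flow).
INDICATORS = [
    ("phone_number", re.compile(r"(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")),
    ("amount", re.compile(r"[$€£]\s?\d[\d,]*(?:\.\d{2})?")),
    ("billing_language", re.compile(r"\b(billed|payment|receipt|invoice|charged?|refund|purchase)\b", re.I)),
    ("callback_request", re.compile(r"\b(call|dial|phone)\b", re.I)),
]

def text_fields(ics):
    """Return the unescaped SUMMARY and DESCRIPTION values of an invite."""
    # RFC 5545 unfolding: a line break followed by one space or tab is a continuation.
    unfolded = re.sub(r"\r?\n[ \t]", "", ics)
    fields = {}
    for line in unfolded.splitlines():
        name, sep, value = line.partition(":")  # simplification: ignores quoted ':' in parameters
        prop = name.split(";")[0].upper()
        if sep and prop in ("SUMMARY", "DESCRIPTION"):
            # Undo TEXT escaping: \n or \N is a newline; \, \; and \\ are literals.
            fields[prop] = re.sub(
                r"\\(.)", lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)
    return fields

def callback_phish_indicators(ics):
    text = "\n".join(text_fields(ics).values())
    return [name for name, pattern in INDICATORS if pattern.search(text)]

def is_suspicious(ics):
    """Flag invites that pair a phone number with at least two other lure signals."""
    hits = callback_phish_indicators(ics)
    return "phone_number" in hits and len(hits) >= 3

if __name__ == "__main__":
    for label, ics in (("suspicious", SUSPICIOUS_ICS), ("benign", BENIGN_ICS)):
        print(label, callback_phish_indicators(ics), is_suspicious(ics))
```

A hit is a reason to hold the invite for review, not proof of fraud: legitimate invites can also contain a phone number and billing terms.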

Javvad Malik, lead CISO advisor at KnowBe4, shared advice on avoiding such scams, suggesting users question the legitimacy of unexpected communications. “Ask if this communication was expected, is it trying to spike emotion, and is there an artificial time limit pushing you to act now? If the answer is yes to any, stop and self‑verify via a known channel. And treat calendar invites with the same skepticism as email.”
