Watch out! There are Apple ID SMS phishers about!

“Your Apple ID is due to be expire today”… yeah, right.

Watch out! There are Apple ID SMS phishers about!

It’s not just your bank accounts that online criminals are keen to break into. They would quite like to hijack your Apple ID credentials too.

A number of people have reported receiving a text message from “AppleInc” over the weekend, claiming that their Apple IDs was about to expire – and urging them to click on a link if they wanted to keep it.

Of course, the scammers have chosen their words carefully – making the message appear urgent to encourage as many people as possible to click on the link without properly considering the potential pitfalls.

Sign up to our free newsletter.
Security news, advice, and tips.

The scam was probably even more convincing to the unwary as it used the real first name and last name of recipients.

Apple id sms phishing

[Name] Your Apple ID is due to be expire today. Prevent this by confirming your Apple ID at [URL] – Apple Inc.

Okay, so perhaps you as a regular reader of a security news site wouldn’t fall for such shenanigans – but are you certain that there isn’t someone amongst your family and friends who wouldn’t be susceptible to a moment of muddied thinking, and click on the link without proper caution?

If they did then they would be greeted with a convincing-looking replica of the real Apple ID login page.

Apple expired website

The phoney website pictured above is designed to grab your personal information and pass it straight on to online criminals. They could use those details to commit fraud, or sell your credentials on to other crooks on the computer underground.

That’s obviously even worse news if you have made the mistake of reusing your passwords across the net.

Regardless of what you enter on the username/password screen you will be told that your Apple ID has been “locked for security reasons”.

Locked

To unlock your Apple ID, the phishing site then asks you to enter further personal details including your date of birth, telephone number, address, and credit card details. They even have the gall to ask you to give them an answer to a pre-determined security question.

The security question options? “Mother’s maiden name”, “Driving license number” and “Passport number”.

One obvious question remains. Where did the attackers get the list of names and mobile phone numbers from to target their potential victims with the initial phishing SMS message?

Stay safe people, always be wary of the links that you click on – and, if you haven’t already done so, enable two-step verification on your Apple ID account.

Hat-tip: Thanks to reader Andy for forwarding this phishing attack to me.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.

34 comments on “Watch out! There are Apple ID SMS phishers about!”

  1. Bob

    Very, very realistic.

    I've spoken with a colleague (who deals with security incidents) and this rogue website should soon be blocked by the major browsers and anti-virus vendors.

    How long it takes for the domain itself to be removed is anybodies guess.

    1. Bob · in reply to Bob

      I am pleased to report that this page is now blocked in Google Chrome, Firefox and other browsers.

      1. Dean · in reply to Bob

        icloudsecuresupport.com is the site I was sent to, it's identical to the above site. The sms I received from 'imessage' had my full name but no number attached, it's all very convincing…so what gave it away as a scam, that's simple, friends and family having appalling apple customer services but most of all how poorly they are made…quite simply,I'll never ever own an apple product.

  2. ME

    it would be easier to shut down and block the website from domain server.

    1. Bob · in reply to ME

      The Hosting Provider (internet.bs) aren't registered themselves in the UK so it'll be almost impossible for the authorities to have it closed via that route so blocking "from domain server" isn't an option.

      The only other method is blocking via the UK registry (Nominet) but for that they need a court order which can be time consuming.

      It's quickest to get the major vendors to block the site because that provides the best consumer protection.

  3. Doel Jeeks

    If you run a WhoIs on the domain it gives a name and address based in Brighton. How likely is this to be accurate, generally speaking?

    1. Bob · in reply to Doel Jeeks

      It's false. Generally speaking Whois shouldn't be relied upon unless the domain is owned by a registered company.

  4. Martin

    I got a txt message from 07478969834 telling me I had missed a message from apple:
    "You have (1) missed message from Apple. CLICK HERE: …"

    take a look here:
    http://who-called.co.uk/Number/07478969834

  5. Amme

    Just got such a text at 11.45am UK time directing to icloudauth.co.uk. It had my real, full name so this data stolen from somewhere. However, I do not have an Apple Account. Had a look at the site and it's just like your screen shot above. Looked at the registrant on who.is and it is literally registered yesterday, a woman in Chiswick, London, no doubt her details have been stolen. Have reported site to Google phishing page. Site does not come up as dangerous on any of the standard virus checking sites. Cannot identify where the text was sent from.

    1. Bob · in reply to Amme

      Another scam website. It's now been blocked by the major browsers. I doubt the registrant at who.is even exists (i.e. it's unlikely "her details have been stolen") – it's more likely to be a totally fake name/address.

      The 'original' website, as reported in the article (appleexpired.co.uk), has now been taken down permanently.

      1. Amme · in reply to Bob

        she did exist as I found her listed as a company director at that address. It was a private house in Chiswick but the registrant had spelt it as Chisweck. Old listing so maybe she had moved on from there but definitely a real person and a former address at least.

        Glad the reporting process has worked and it got taken down quickly.

        1. Bob · in reply to Amme

          That's what I'm getting at – no details have been 'stolen'. The register at Companies House is accessible to the public.

          Whoever registered the website can enter whatever they like for their Whois record: it's notoriously unreliable. You can use a totally fake name and address as they're not properly checked. All that happens is that a marker is put against the name to say 'validated against third party source' or 'unable to validate'.

  6. BXA

    I received a new message from +44 42 5683 with the url icloudauth.co.uk (already checked the fake WHOIS like above). mine had my "<My Name> <Ex's Name> BF your iCloud ID expires today" which did actually piss me off me a bit because that information is really targeted, theres no information publicly available on the internet regarding my relationship or phone number so I wondered how that information had been obtained.

    I then realised though that its obvious someone has saved my name in their phonebook as that to remember who I was. So its either some rogue app uploading phone book contact info to a server, an exploited app's server or someone who's sync'ed their contacts to outlook and had their PC exploited.

    1. Bob · in reply to BXA

      It could be WhatsApp because they upload all your phonebook to their services. Now their new owners Facebook are in charge they are in the ideal position to make 'relationship connections'. I'm not suggesting Facebook sent you the SMS but I consider it more probable that either they or one of their users have been hacked.

  7. Jason

    How do the scammers know the users name?

  8. AMS

    Similar to BXA, I received an SMS that contained personal information about me. It said:
    <first name> <occupation> <location> your Apple/iCloud ID has been supsended. Please confirm your details at http://mobileicloud.uk to prevent this action. Apple Inc.
    The phone number it originates from does not display (it just says 'WARNING').
    The most bizarre thing is that both my first name and location were misspelled. I suspected that the information had been taken from someone else's phonebook, but why would that person misspell not only my name but my location?

  9. Steve

    Had the one in the article a few days ago.
    They seem to be trying again with the next message:
    "ALERT
    (Name) your Apple ID has been deactivated pending termination. Prevent this by confirming your details at http://icloudmobile.co.uk – iCloud"
    Didn't spell my last name right though :p

  10. Mike

    A friend who relies on me for tech guidance has had this too, last night. The domain was mobileicloud.co.uk which was only registered yesterday.

  11. Barney

    Just happened to me, the tel number this scam/fraud/crim, sent the SMS message from is + 44 25 378
    Just in case the Police are looking into this.

  12. carol

    Just had a text from that very same number +44 25 378 saying "We have deactivated your Apple ID. To prevent deletion confirm your details at http://icloudsecuresupport.com – iCloud Support." preceded by my full name although spelt wrong which is what made me realise it was a scam.

  13. Andy

    A builder friend received one of these yesterday – he was addressed 'Joe Builder' in the message, suggesting the names and numbers are actually harvested from previous victims, presumably taken from their compromised iCloud account, allowing the scam to self-propagate. Clever stuff.

    I'd be interested to know if any non-Apple users have received this? If not, there must be some detection method used to identify the target as an Apple user (this was sent as an SMS not an iMessage so that wasn't it).

    1. Amme · in reply to Andy

      I'm not an Apple user so presuming my name was harvested from someone else's phone contacts.

      1. Andy · in reply to Amme

        Thanks for confirming – in which case it looks like this is indiscriminately 'sent to all' listed in the iCloud sync'd contacts, on the basis it will inevitably hit some Apple users.

  14. George

    Got the same with a new domain appleukwarning.co.uk and this time the sender just says "Apple.com"

    Very real looking especially since it had my first name, it was only the dodgy domain that tipped me off it was a scam.

    I'm guessing they are harvesting details from past victims as offers have suggested. It could also be rogue apps that upload your address book. Happens all the time sadly.

  15. gadget37

    I received this today pointing me at appleukwarning.co.uk – another icloud clone site.

  16. Razor

    Just got a text message today to tell me my paypal was locked i didnt even bother to open it as i dont have paypal haha

  17. Elliot

    There's a new one doing the rounds just got a text saying:

    Your apple account had been suspended. Please verify your information ; http://appleid-uk.com

    Website is obviously a phishing site.

  18. Joshua Jones

    Got a fresh one of these today, also by SMS:

    "Your iAppleID has been suspended because we are unable to verify your information. To unlock it validate your account here: http://bit.do/corNk"

  19. Caroline Gilbert

    Hi I keep receiving text messages from Apple with an Apple I D number is this genuinel who can I call to find out

  20. Santos

    Today 08/11/16
    Phone message, number 425683?
    apple.id.ukicloud.online
    Apple ID has been "locked for security reasons!

  21. Joann

    I just received similar text from AppCare – telling me my Apple ID is due to expire – final notice. I was suspicious and didn't log in, then checked it online and a number of warnings about scam texts

  22. Madison

    Do I have to worry if I opened the link (which I did) or just if I entered my information (which I didn't)?

    1. Graham CluleyGraham Cluley · in reply to Madison

      All of the attacks I have heard about related to phishing information from victims, rather than attempting to infect their devices. So if you didn't enter any information you should be fine. :)

  23. Angie

    how do we stop the texts for your apple ID has been suspended with the link which I havent clicked into and do not have an Apple phone or anything Apple

    I have received 10 texts this morning I delete them and they keep coming AGH!!!

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.