Scam Of The Week: Your Stolen iPhone Has Been Found



iPhone Found ScamBetween 3 and 4 million smartphones are stolen every year. It's your modern-day purse snatching. Many people put their entire private and work lives on these devices that can cost up to 500 bucks. Losing a device or getting it stolen can feel like a disaster, way beyond just the monetary loss.

Cyber thieves count on this panic and abuse their victims twice in this sophisticated iPhone scam. They count on you wanting to prevent a negative consequence and use social engineering to get you. Here is how this Scam Of The Week goes down:

  1. Your iPhone get stolen
  2. You go online and turn on the Find My iPhone Activation Lock
  3. Shortly afterward you get a message that the phone is found but you need to go to this website and verify your Apple ID. You quickly do this.
  4. Gotcha! It is a spoofed Apple iCloud site and when you enter your credentials, these go straight to the scammers who now own your account and unlock the phone.
  5. You've been social engineered and the thieves will sell the phone.  Nothing to do but go to Apple, change your password and set up 2-factor verification for your account but the phone (or iPad) is gone forever.

How can the bad guys do this? Simple -- send an iMessage to the email address that it said it had been locked by, as the default iOS settings mean you can send & receive iMessages to email addresses with an Apple ID. 

The problem is the end-user being in a panic and not noticing the spoofed "From" address. I suggest you send your BYOD employees a message like this one. Feel free to copy/paste/edit:

"If you lose your smartphone, or if it gets stolen, make sure you follow the procedures you were given by the organization. Report the loss or theft immediately to the correct person. If you get a message from an address you do not recognize claiming "Your phone is found", do not click on anything and do not call any number that the message may give you. Specifically, do not log into any site this message tells you to go to and leave your username and password, because that is likely a spoofed site and they are trying to steal your credentials.

Remember, the bad guys try to trick you when you are worried and manipulate you into doing things against your own interest. Online crooks have no shame in abusing their victims twice to get what they want. Think Before You Click!


Stepping employees that have BYOD devices through effective security awareness training is a must these days. Find out how affordable this is for your organization and be pleasantly surprised.

Get A Quote Now

Hat Tip to MalwareBytes




Subscribe to Our Blog


Comprehensive Anti-Phishing Guide




Get the latest about social engineering

Subscribe to CyberheistNews