About Apple threat notifications and protecting against mercenary spyware

Apple threat notifications are designed to inform and assist users who may have been individually targeted by mercenary spyware attacks.

Apple threat notifications are designed to inform and assist users who may have been individually targeted by mercenary spyware attacks, likely because of who they are or what they do. Such attacks are vastly more complex than regular cybercriminal activity and consumer malware, as mercenary spyware attackers apply exceptional resources to target a very small number of specific individuals and their devices. Mercenary spyware attacks cost millions of dollars and often have a short shelf life, making them much harder to detect and prevent. The vast majority of users will never be targeted by such attacks.

According to public reporting and research by civil society organizations, technology firms, and journalists, individually targeted attacks of such exceptional cost and complexity have historically been associated with state actors, including private companies developing mercenary spyware on their behalf, such as Pegasus from the NSO Group. Though deployed against a very small number of individuals — often journalists, activists, politicians, and diplomats — mercenary spyware attacks are ongoing and global. Since 2021, we have sent Apple threat notifications multiple times a year as we have detected these attacks, and to date we have notified users in over 150 countries in total. The extreme cost, sophistication, and worldwide nature of mercenary spyware attacks makes them some of the most advanced digital threats in existence today. As a result, Apple does not attribute the attacks or resulting threat notifications to any specific attackers or geographical regions.

If Apple detects activity consistent with a mercenary spyware attack, we notify the targeted users in two ways:

• A Threat Notification is displayed at the top of the page after the user signs into appleid.apple.com.

• Apple sends an email and iMessage notification to the email addresses and phone numbers associated with the user’s Apple ID.

These notifications provide additional steps that notified users can take to help protect their devices, including enabling Lockdown Mode.

Mercenary spyware attacks are exceptionally well funded, and they evolve over time. Apple relies solely on internal threat-intelligence information and investigations to detect such attacks. Although our investigations can never achieve absolute certainty, Apple threat notifications are high-confidence alerts that a user has been individually targeted by a mercenary spyware attack, and should be taken very seriously. We are unable to provide information about what causes us to issue threat notifications, as that may help mercenary spyware attackers adapt their behavior to evade detection in the future.

Apple threat notifications will never ask you to click any links, open files, install apps or profiles, or provide your Apple ID password or verification code by email or on the phone. To verify that an Apple threat notification is genuine, sign in to appleid.apple.com. If Apple sent you a threat notification, it will be clearly visible at the top of the page after you sign in.

If you have received an Apple threat notification

We strongly suggest you enlist expert help, such as the rapid-response emergency security assistance provided by the Digital Security Helpline at the nonprofit Access Now. Apple threat notification recipients can contact the Digital Security Helpline 24 hours a day, seven days a week through their website. Outside organizations do not have any information about what caused Apple to send a threat notification, but they can assist targeted users with tailored security advice.

Guidance for all users

All users should continue to protect themselves from general cybercriminals and consumer malware by following best practices for security:

• Update devices to the latest software, as that includes the latest security fixes

• Protect devices with a passcode

• Use two-factor authentication and a strong password for Apple ID

• Install apps from the App Store

• Use strong and unique passwords online

• Don’t click on links or attachments from unknown senders

If you have not received an Apple threat notification but have good reason to believe you may be individually targeted by mercenary spyware attacks, you can enable Lockdown Mode on your Apple devices for additional protection. If you require emergency cybersecurity assistance for other reasons, the Consumer Reports Security Planner website offers a list of emergency resources that may be able to assist you.