Recognise and avoid social engineering schemes, including phishing messages, phoney support calls and other scams
Use these tips to avoid scams and find out what to do if you receive suspicious emails, phone calls or other messages.
Social engineering is a type of targeted attack that relies on impersonation, deception and manipulation to gain access to your personal data. In this attack, scammers will pretend to be representatives of a trusted company or entity over the phone or through other communication methods. They will often use sophisticated tactics to persuade you to hand over personal details, such as sign-in credentials, security codes and financial information.
Phishing is one common tactic of social engineering that refers to fraudulent attempts to get personal information from you, usually by email. But scammers use any means they can to trick you into sharing information or giving them money, including:
Fraudulent emails and other messages that look like they're from legitimate companies, including Apple.
Misleading pop-ups and ads that say your device has a security problem.
Scam phone calls or voicemails that impersonate Apple Support, Apple partners and other well-known or trusted entities or individuals.
Fake promotions that offer free products and prizes.
Unwanted Calendar invitations and subscriptions.
If you’re suspicious about an unexpected message, call or request for personal information, such as your email address, phone number, password, security code or money, it’s safer to presume that it’s a scam – contact that company directly if you need to.
If you’re concerned about a security issue with your Apple device or account, these resources provide more information that can help.
If you believe that your Apple Account has been compromised, or if you may have entered your password or other personal information on a scam website, change your Apple Account password immediately and ensure that two-factor authentication has been enabled.
How to protect your Apple account and devices
Here are some things you can do to avoid scams that target your Apple account and devices.
Never share personal data or security information, such as passwords or security codes, and never agree to enter them into a web page that someone directs you to.
Protect your Apple Account. Use two-factor authentication, always keep your contact information secure and up to date, and never share your Apple Account password or verification codes with anyone. Apple never asks for this information to provide support.
Never use Apple Gift Cards to make payments to other people.
Find out how to identify legitimate Apple emails about your App Store or iTunes Store purchases. If you send or receive money with Apple Cash (US only), treat it like any other private transaction.
Find out how to keep your Apple devices and data secure.
Only download software from sources you can trust.
Don't follow links or open or save attachments in suspicious or unsolicited messages.
Don’t answer suspicious phone calls or messages claiming to be from Apple. Instead, contact Apple directly through our official support channels.
How to report suspicious emails, messages and calls
If you receive a suspicious email that looks like it's supposed to be from Apple, please forward it to reportphishing@apple.com (see note 1).
If you receive a suspicious FaceTime call (for example, from what looks like a bank or financial institution), email a screenshot of the call information to reportfacetimefraud@apple.com. To find the call information, open FaceTime and tap the More Info button next to the suspicious call.
If you receive a suspicious link to a FaceTime call in Messages or Mail, email a screenshot of the link to reportfacetimefraud@apple.com. The screenshot should include the phone number or email address that sent the link.
To report a suspicious SMS text message that looks like it’s supposed to be from Apple, take a screenshot of the message and email the screenshot to reportphishing@apple.com.
To report spam that you receive in your iCloud.com, me.com or mac.com Inbox, mark the spam emails as Junk or move them to your iCloud Junk folder. When you mark an email as junk, you’re helping to improve iCloud Mail filtering and reduce future spam.
To report harassment, impersonation or other types of abuse you receive in your iCloud.com, me.com or mac.com Inbox, send them to abuse@icloud.com.
To report spam or other suspicious messages that you receive through Messages, tap Report Junk under the message. You can also block unwanted messages and calls.
Report scam phone calls to the Federal Trade Commission (US only) at reportfraud.ftc.gov or to your local law enforcement agency.
Find out how to identify social engineering attacks, recognise phishing messages, handle fraudulent phone calls and avoid other online scams.
Social engineering attackers use impersonation and manipulation to first gain your confidence and trust. Then they trick you into handing over sensitive data or providing them with access to your account information. They use a variety of tactics to impersonate a trusted company, entity or someone you know.
Watch for these signs to help identify if you’re being targeted as part of a social engineering attack:
A scammer may call you from what appears to be a legitimate phone number for Apple or another trusted company. This is called “spoofing”. If the call seems suspicious, consider hanging up and dialling the vetted number for the company yourself.
Scammers often mention personal information about you in an attempt to build trust and seem legitimate. They may refer to information that you consider private, such as your home address, place of employment or even your National Insurance number.
They will often convey a desire to help you resolve an immediate problem. For example, they may claim that someone has broken into your iPhone or iCloud account, or made unauthorised charges using Apple Pay. The scammer will claim they want to help you stop the attacker or reverse the charges.
The scammer will usually create a strong sense of urgency to avoid giving you time to think and to dissuade you from contacting Apple yourself, directly. For example, the scammer may say that you’re free to call Apple back, but the fraudulent activities will continue and you will be liable. This is false and designed to prevent you from hanging up.
Eventually scammers will request your account information or security codes. Typically, they will send you to a fake website that looks like a real Apple sign-in page and insist that you verify your identity. Apple will never ask you to log in to any website, or to tap Accept in the two-factor authentication dialogue, or to provide your password, device passcode or two-factor authentication code, or to enter it into any website.
Sometimes, scammers will ask you to disable security features, such as two-factor authentication or Stolen Device Protection. They will claim that this is necessary to help stop an attack or to allow you to regain control of your account. However, they are trying to trick you into lowering your security so they can carry out their own attack. Apple will never ask you to disable any security feature on your device or on your account.
How to identify fraudulent emails and messages
Scammers try to copy email and text messages from legitimate companies to trick you into giving them your personal information and passwords. These signs can help you identify phishing emails:
The sender’s email address or phone number doesn’t match the name of the company it claims to be from.
The email address or phone number they used to contact you is different from the one you gave that company.
A link in a message looks right, but the URL doesn't match the company's website (see note 2).
The message looks significantly different from other messages you’ve received from the company.
The message requests personal information, such as a credit card number or account password.
The message is unsolicited and contains an attachment.
If you get a suspicious phone call or voicemail
Scammers use fake Caller ID info to spoof phone numbers of companies such as Apple and often claim that there's suspicious activity on your account or device to get your attention. Or they may use flattery or threats to pressure you into giving them information, money and even Apple gift cards.
If you get an unsolicited or suspicious phone call from someone claiming to be from Apple or Apple Support, just hang up.
You can report scam phone calls to the Federal Trade Commission (US only) at reportfraud.ftc.gov or to your local law enforcement agency.
If you see suspicious Calendar events
If you get an unwanted or suspicious calendar invitation in Mail or Calendar, you can report it as Junk in iCloud. If you have unintentionally subscribed to a spam Calendar, you can delete it.
If your web browser displays annoying pop-ups
While browsing the web, if you see a pop-up or alert that offers you a free prize or warns you about security problems or viruses on your device, don't believe it. These types of pop-ups are usually fraudulent advertisements, designed to trick you into downloading damaging software or giving the scammer personal information or money.
Don't call the number or follow the links to claim the prize or fix the problem. Ignore the message and simply navigate away from the page or close the entire window or tab.
If you're prompted to download software
Use extreme caution if you download content from the internet. Some downloads found on the internet may not contain the software they claim to, or may contain software that you didn't expect or want. This includes apps that ask to install configuration profiles that can then control your device. If installed, unknown or unwanted software may become intrusive and annoying and could even damage your Mac and steal your data.
To avoid unwanted, fake or malicious software, install software from the App Store or get it directly from the developer's website. Find out how to safely open software on your Mac or remove unwanted configuration profiles from your iPhone or iPad.
1. To report an SMS text message, take a screenshot of the message and send it via email. If you forward a message from Mail on your Mac, include the header information by selecting the message and choosing Forward As Attachment from the Message menu.
2. To confirm the destination of a link on your Mac, hover your pointer over the link to see the URL. If you can't see the URL in the status bar in Safari, choose View > Show Status Bar. On your iOS device, you can touch and hold the link.