How a flaw in iPhone’s security could leave you locked out

Here's what to do to make sure you don't fall victim to this new scam


There's a common misconception that Apple products come with more security than Android. 

Whatever side of the argument you're on, don't let that idea prevent you from keeping your guard up. 

There's a new scam out there targeting iPhone users, and if you're unprepared, you might find yourself permanently locked out.


[Image: scam article on iPhone (Kurt "CyberGuy" Knutsson)]

What is the ‘push bombing/MFA fatigue’ scam?

If you suddenly see a "Reset Password" notification on your iPhone screen that only gives you the option to "Allow" or "Don't Allow," you may be a target of this latest "push bombing" scam. Scammers have reportedly found a way to exploit a bug in Apple's password-reset process, though it is not entirely clear that the bug is the cause.

If you see this notification, and you hit "Don't Allow" (as you should), it only prompts more of these notifications to pop up, like those annoying pop-up window attacks that we used to get back in the day. As you frantically click "Don't Allow" over and over again, your finger could accidentally slip, clicking "Allow."

If you do click "Allow," scammers will be given access to your Apple account, and you can be permanently locked out of your phone.
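The failure mode the scam relies on is that every reset request turns into a prompt on the victim's screen, so a flood of requests becomes a flood of prompts. The following added example (not Apple's code; all class, function and parameter names are assumptions for illustration) simulates that unthrottled behaviour beside a throttled gate that caps prompts per account per window and stops prompting after the user has explicitly answered "Don't Allow" a few times, then runs a constructed flood of 30 reset requests through both:

```python
"""Simulated server-side gate for "Reset Password" push prompts.

Constructed example: an unthrottled gate (the behaviour push bombing abuses)
beside a throttled one that caps prompts per account and honours explicit
denials.  Names and parameters here are assumptions for illustration, not
Apple's implementation.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class ResetPromptRequest:
    account: str   # the account a caller asks to reset
    ts: float      # request time, seconds since epoch (constructed)


class UnthrottledGate:
    """Pushes a prompt for every request: the flood reaches the device unchanged."""

    def should_push(self, req: ResetPromptRequest) -> bool:
        return True

    def record_denial(self, req: ResetPromptRequest) -> None:
        pass


class ThrottledGate:
    """Caps prompts per account per window and backs off after repeated denials."""

    def __init__(self, max_per_window: int = 3, window_s: float = 3600.0,
                 max_denials: int = 2, denial_cooldown_s: float = 86400.0):
        self.max_per_window = max_per_window
        self.window_s = window_s
        self.max_denials = max_denials
        self.denial_cooldown_s = denial_cooldown_s
        self._pushed = defaultdict(deque)   # account -> timestamps of prompts sent
        self._denied = defaultdict(deque)   # account -> timestamps of "Don't Allow"

    @staticmethod
    def _expire(q: deque, now: float, horizon: float) -> None:
        # Drop entries older than the horizon so limits are per sliding window.
        while q and now - q[0] > horizon:
            q.popleft()

    def should_push(self, req: ResetPromptRequest) -> bool:
        pushed = self._pushed[req.account]
        denied = self._denied[req.account]
        self._expire(pushed, req.ts, self.window_s)
        self._expire(denied, req.ts, self.denial_cooldown_s)
        # After repeated "Don't Allow" answers, stop prompting for the cool-down period.
        if len(denied) >= self.max_denials:
            return False
        # Per-account rate limit, regardless of how many callers ask.
        if len(pushed) >= self.max_per_window:
            return False
        pushed.append(req.ts)
        return True

    def record_denial(self, req: ResetPromptRequest) -> None:
        self._denied[req.account].append(req.ts)


def simulate(gate, requests, user_denies: bool) -> int:
    """Run a request stream through a gate; return how many prompts reached the device."""
    shown = 0
    for req in requests:
        if gate.should_push(req):
            shown += 1
            if user_denies:
                gate.record_denial(req)
    return shown


# Constructed flood: 30 reset requests for one account, one every 20 seconds.
FLOOD = [ResetPromptRequest("victim@example.com", 1_700_000_000 + 20 * i) for i in range(30)]

if __name__ == "__main__":
    print("unthrottled:", simulate(UnthrottledGate(), FLOOD, user_denies=True))
    print("throttled, user ignores:", simulate(ThrottledGate(), FLOOD, user_denies=False))
    print("throttled, user denies:", simulate(ThrottledGate(), FLOOD, user_denies=True))
```

With the unthrottled gate all 30 prompts reach the device; the throttled gate shows three if the user ignores them and only two once the user has tapped "Don't Allow" twice, and a request arriving after the window has expired is allowed again, so a legitimate reset later in the day still works.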

[Image: "Reset Password" notification scam on iPhone (KrebsOnSecurity)]


Warnings if you're in the Apple ecosystem

This scam isn't just stopping at your iPhone. If you're dedicated to the Apple ecosystem, then it's important to note that users reported experiencing this scam on their other Apple devices, including the Apple Watch.

Not only this, but one user reported that after clicking "Don't Allow" over and over again and the notifications eventually going away, the scammers actually called his iPhone in another attempt to catch him. Generally, Apple Support won't call you out of nowhere.

[Image: "Reset Password" notification scam on Apple Watch (KrebsOnSecurity)]


Apple's response to the 'reset password' notification scam

"We are aware of reports that a small number of iPhone users are receiving a high volume of alerts asking if they are attempting to reset their password and have taken steps to address the reported issue," a spokesperson for the company said.

How to outsmart this scam and protect yourself

If you do happen to be targeted by this attack, it’s of the utmost importance that you don’t tap "Allow" on any of these password reset notifications. Dismissing them one after the next will take a while, but they will go away.

If you give up and click "Allow," it will give the hackers behind this campaign complete control over your Apple account. So don't click "Allow" whatever you do. If you need help, you can always reach out to Apple Support directly.

[Image: a Mac and iPhone on a table]


What to do if the prompts persist

If the prompts persist, temporarily change your phone number associated with your Apple ID. Keep in mind that this may affect iMessage and FaceTime functionality.

Watch out for scammers posing as Apple Support

If you manage to eliminate the notifications and then get a call from someone claiming to be from Apple Support, it's likely the scammers. Just hang up, and whatever you do, don't give them any information. If you already gave out personal information such as a Social Security number, follow the steps at IdentityTheft.gov: you can file a report there, and the site will build a recovery plan and walk you through each step of reclaiming your identity. You can also call Apple directly at 800-275-2273 (in the U.S.) to verify any communication.


Reporting scam phone calls 

You can report scam phone calls to the Federal Trade Commission at reportfraud.ftc.gov or to your local law enforcement agency.

Is turning on ‘Apple Recovery Key’ a solution?

According to Krebs on Security, Apple Support has suggested turning on Apple Recovery Key to stop the notifications, but when one of the victims tried it, the prompts did not stop.

Stay tuned at Apple Support's page for updates.

Safeguarding your Apple account 

When setting up an Apple account, it's common knowledge that a phone number is required. However, once the account is established, this phone number doesn't necessarily have to be a mobile one. Apple accepts VoIP numbers (such as Google Voice) as valid alternatives. Therefore, one potential mitigation is to change your account phone number to a lesser-known VoIP number.

Important note: If you opt for a VoIP number, be aware that Apple's iMessage and FaceTime will be disabled for that device unless you also include a real mobile number.

Additionally, Apple's password reset system accepts email aliases. By appending a "+" character after the username portion of your email address and adding a site-specific tag (e.g., "+apple"), you can create an unlimited number of unique email addresses that all deliver to the same mailbox. This technique also makes it easier to organize incoming email and to tell which service an address was given to.

Tip: When choosing an alias, consider using something less obvious than "+apple" to enhance security and privacy.
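As an added example (not Apple's code or the author's; the function names, the tag registry and the sample addresses are assumptions for illustration), the following Python shows the alias technique from the two paragraphs above in working form: it builds a plus-addressed alias with a random tag instead of a guessable "+apple", parses an inbound recipient address back into the canonical mailbox and its tag, and uses a registry of tags to tell which service an alias was handed to, which is how the "tracking" benefit works in practice. One caveat the page does not mention: plus-addressing only works when your mail provider delivers tagged addresses to the base mailbox, so check that a tagged address actually reaches you before using it as an account contact.

```python
"""Per-site aliases for an account contact address via plus-addressing.

Constructed example, not Apple's code: make a hard-to-guess alias, parse an
inbound recipient back to (canonical address, tag), and attribute the alias
to the service it was registered with.  Names and the registry are assumptions.
"""
import secrets
from email.utils import parseaddr


def split_address(address: str):
    """Return (local_part, domain) for a bare address or one with a display name."""
    _, addr = parseaddr(address)
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    return local, domain.lower()


def make_alias(address: str, tag: str) -> str:
    """user@example.com + tag -> user+tag@example.com (plus-addressing)."""
    if not tag or "+" in tag or "@" in tag:
        raise ValueError("tag must be non-empty and contain no '+' or '@'")
    local, domain = split_address(address)
    base = local.split("+", 1)[0]   # don't stack tags if the input already carries one
    return f"{base}+{tag}@{domain}"


def random_tag(nbytes: int = 4) -> str:
    """A random hex tag (e.g. 8 characters) instead of a guessable one like 'apple'."""
    return secrets.token_hex(nbytes)


def parse_alias(address: str):
    """Inverse of make_alias: returns (canonical_address, tag_or_None)."""
    local, domain = split_address(address)
    base, sep, tag = local.partition("+")
    return f"{base}@{domain}", (tag if sep and tag else None)


def attribute_inbound(to_header: str, registry: dict) -> str:
    """Map the recipient alias of an inbound message to the service it was given to."""
    _, tag = parse_alias(to_header)
    if tag is None:
        return "canonical address (no alias)"
    return registry.get(tag, f"unknown alias '{tag}' (not in registry)")


# Constructed registry: tag -> where that alias was registered.
REGISTRY = {"x7q2k9ab": "Apple ID", "m3n8z1pq": "online shop"}

if __name__ == "__main__":
    alias = make_alias("jane.doe@example.com", "x7q2k9ab")
    print(alias)
    print(parse_alias("Jane <jane.doe+x7q2k9ab@example.com>"))
    print(attribute_inbound("jane.doe+x7q2k9ab@example.com", REGISTRY))
    print(attribute_inbound("jane.doe+apple@example.com", REGISTRY))
    print("fresh tag:", random_tag())
```

Mail that arrives at an alias not in the registry is the interesting case: it tells you that someone is trying a guessed tag, which is exactly why the tip above recommends something less obvious than "+apple".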

Kurt's key takeaways

Security is a never-ending game of cat and mouse, and no device is ever truly invincible. Apple's on the case, but until a fix is here, vigilance is key. If you are bombarded with "Reset Password" prompts, stay calm, resist clicking 'Allow' at all costs and patiently dismiss each notification. Also, be sure to stay updated on Apple's progress for a permanent solution. By following these steps, you can outsmart this scam and keep your Apple ecosystem safe.

Do you think companies like Apple should be held more accountable for security vulnerabilities? Why or why not? Let us know by writing us at Cyberguy.com/Contact


Copyright 2024 CyberGuy.com.  All rights reserved.

Kurt "CyberGuy" Knutsson is an award-winning tech journalist who has a deep love of technology, gear and gadgets that make life better with his contributions for Fox News & FOX Business beginning mornings on "FOX & Friends." Got a tech question? Get Kurt’s free CyberGuy Newsletter, share your voice, a story idea or comment at CyberGuy.com.

Authored by Kurt Knutsson, Cyberguy Report via FoxNews March 30th 2024