iMessage under attack from scammers sending phishing messages — don’t fall for it

When it comes to phishing, you’re probably thinking about scam emails in your inbox — but messages on your smartphone (and the links they contain) can be just as dangerous.

With iMessage on the best iPhones, Apple includes built-in phishing protection to keep you safe from scams and malware in messages sent from unknown senders that aren’t in your contacts. Rightfully so, as hackers and other cybercriminals love targeting our phones given that they now hold so much sensitive data.

According to a new report by BleepingComputer though, hackers have now come up with a clever new way to disable Apple’s phishing protection in iMessage. This means that when you tap on a malicious link in one of their messages, your iPhone will no longer prevent you from being taken to known phishing sites.

Here’s everything you need to know about this new phishing campaign and how you can avoid falling for it altogether.

Disabling protection with a reply

There has been a surge in SMS phishing (smishing) attacks over the past few months that try to trick users into replying to messages from unknown senders.

When you receive a phishing message from an unknown sender on your iPhone, iMessage automatically disables any links contained within it. This is done to keep you safe, since many people might fall for the fake sense of urgency used in these messages.

Although the types of phishing messages observed by BleepingComputer aren’t using any new tactics, they now include a line at the end that reads:

“Please reply Y, then exit the text message, reopen the text message activation link, or copy the link to Safari browser to open it.”

If you’ve dealt with a legitimate business over text before, you’re probably familiar with texting “Yes” or “No” to continue the conversation. Here, the hackers behind this campaign are using the same method but with a twist.

By responding to one of these phishing messages (either with a “Y” or an “N”), you can unknowingly disable iMessage’s built-in phishing protection. BleepingComputer even confirmed this with Apple.

Once an iPhone user has responded, they will then be able to tap on the malicious link in the message and head right to a phishing site without their phone stopping them.
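For anyone triaging reported texts, the pattern described above can be expressed as a small heuristic. This is an added example, not code from Tom's Guide, BleepingComputer or Apple; the regexes, the `triage` function and the sample messages are constructed assumptions, and `link_tappable` is a simplified model of the behaviour the article describes.

```python
import re
from dataclasses import dataclass, field

# Patterns are illustrative assumptions built from the lure wording quoted above.
URL_RE = re.compile(r"https?://\S+|\bwww\.\S+", re.I)
REPLY_RE = re.compile(r"\b(?:reply|respond)\s+(?:with\s+)?\W?(?:y|yes|n|no)\b", re.I)
REOPEN_RE = re.compile(
    r"\breopen\b.{0,40}\blink\b|\bcopy\b.{0,40}\blink\b.{0,40}\b(?:safari|browser)\b",
    re.I | re.S,
)

@dataclass
class Verdict:
    label: str            # "ok", "review" or "lure"
    link_tappable: bool   # simplified model of the behaviour the article describes
    signals: list = field(default_factory=list)

def triage(body: str, sender_in_contacts: bool, user_replied: bool = False) -> Verdict:
    signals = []
    if URL_RE.search(body):
        signals.append("link")
    if REPLY_RE.search(body):
        signals.append("reply-prompt")
    if REOPEN_RE.search(body):
        signals.append("reopen-or-copy-prompt")
    # Per the article: links from unknown senders stay disabled until the user replies.
    tappable = "link" in signals and (sender_in_contacts or user_replied)
    if sender_in_contacts or "link" not in signals:
        label = "ok"
    elif len(signals) > 1:
        label = "lure"      # unknown sender + link + instructions to unlock it
    else:
        label = "review"    # unknown sender + link, no unlock instructions
    return Verdict(label, tappable, signals)

# Constructed sample messages (example.invalid is a reserved, non-resolving name).
LURE = ("Your parcel is on hold. Confirm your address: https://example.invalid/t "
        "(Please reply Y, then exit the text message, reopen the text message "
        "activation link, or copy the link to Safari browser to open it)")
CONFIRM = "Reply Y to confirm your appointment on Tuesday at 3pm."
PLAIN_LINK = "Your code is ready: https://example.invalid/code"

if __name__ == "__main__":
    for name, body in [("LURE", LURE), ("CONFIRM", CONFIRM), ("PLAIN_LINK", PLAIN_LINK)]:
        print(name, triage(body, sender_in_contacts=False))
    print("LURE after reply", triage(LURE, sender_in_contacts=False, user_replied=True))
```

A reply prompt on its own is normal for appointment or delivery confirmations; what marks the lure is the prompt arriving together with a link from a sender who is not in your contacts.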

How to stay safe from phishing

According to BleepingComputer’s research into the matter, this tactic has been used by hackers and scammers over the past year. However, there was a surge in messages like this that started this summer and hasn’t seemed to slow down since.

When it comes to phishing, whether it be in your messages or in your inbox, the first and most important thing to remember is to keep a level head. Don’t let that false sense of urgency make you do something rash. Instead, carefully read over the message, look for spelling and grammatical errors and then take a step back and ask yourself if this message really applies to you.

Did you order a package that might have been delayed? Do you even do business with the company in question? By answering questions like these, you can quickly de-escalate the situation.

From there, you absolutely want to avoid clicking on any links a phishing message may contain. Likewise, you don’t want to respond to this type of message because if you do, the hackers behind it might think you’re gullible and continue to string you along. For instance, they might ask you to provide more information like personal or financial details.

While your iPhone has built-in phishing protection, you may also want to consider signing up for the best antivirus software to help you stay safe from phishing. Even though there’s no such thing as an iPhone equivalent of the best Android antivirus apps due to Apple’s own restrictions around malware scanning, some security apps for iOS do have phishing protection. Alternatively, if you have an Apple computer as well, the best Mac antivirus software from Intego is able to scan your iPhone or iPad for viruses but only when it’s connected to your Mac via a USB cable.

For phishing messages from unknown senders, the best course of action is often just to delete the message and move on. By improving your own cyber hygiene and becoming more knowledgeable about phishing attempts, you’ll be able to spot a scam without having to interact with a dangerous message or email at all.

Anthony Spadafora
Managing Editor Security and Home Office

Anthony Spadafora is the managing editor for security and home office furniture at Tom’s Guide where he covers everything from data breaches to password managers and the best way to cover your whole home or business with Wi-Fi. He also reviews standing desks, office chairs and other home office accessories with a penchant for building desk setups. Before joining the team, Anthony wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home. 