Gone phishing: be wary of this password-stealing scam

Are you keeping your password safe?

There’s a new scam in town, in which apps launch a fake system pop-up to ask a user for their Apple ID password. To the untrained eye, it’s indistinguishable from the genuine pop-ups iOS occasionally surfaces to confirm your identity. This is known as a “phishing” attack, in which users are tricked into revealing personal information.

One example of a faked sign-in request

This scam was pointed out by developer Felix Krause, in a blog post describing just how easy it is for any registered developer to create this kind of scam and add it to their apps. His intent is for Apple to see the problem and change how system pop-ups work, but in the meantime, it’s worth being vigilant.

For comparison, this is a genuine sign-in request – pretty identical, huh?

Krause also suggests a way to tell if these kinds of messages are genuine. Whenever you see a pop-up password request, hit the Home button to quit the current app and return to the Home screen. If the pop-up disappears along with the app, it may be a phishing attack. If the pop-up remains even on the Home screen, you know it’s a genuine request from Apple for your password. When in doubt, you can always head to the Settings app and log into your Apple ID there instead – that’s always the safest option.

This particular scam can only be launched by an app that you’ve chosen to download, so the risk is fairly low. As ever, Apple does its best to crack down on malicious apps, but it’s always worth being aware of these things so you don’t get caught out.

If you missed them the first time around, it’s worth skimming through our previous reports from earlier this year for more advice on staying safe from these kinds of attacks.

How to avoid the latest iMessage scam

The App Store scam making $80k/month

iOS safety: 10 ways to secure your digital life