Lost iPhone Provides ID Thieves Great Opportunity to Go Phishing

There is an account of someone online who was relieved of his iPhone while vacationing in Italy. It was stolen out of the rental car when he was away for a couple of hours. While these things happen all the time, what happened to him later is quite interesting. His story provides a couple of lessons. The first one is a good reminder. Don’t leave your smartphone unattended in your car. That just invites theft; even if you live in a small town in the middle of the U.S. where you know most of the people in town.

Once this person discovered his phone was missing, he went into Find My iPhone and entered his phone number and a note to call him in case it was found. Essentially what ended up on the lock screen was “This iPhone has been lost. Please call me” with a phone number and button to press to call. After that, he simply went on with his vacation confident that his data was secure and that no one could activate the phone.

Eleven days later, he received a text and email that his phone had been found. What was in the email was a very professionally done message with a link that he was to click in order to see the last location of his iPhone. Sounds great, until he clicked the button. He started to enter his Apple ID credentials and before he got too far, he had second thoughts. That was because he suddenly realized it was a phishing scam.

He noticed the address at the top of the screen and it didn’t look like Apple would use it. It was “show-iphone-location.com.” It also had no indicator that the site was using a secure certificate, as the Apple site would. He also looked up the owner of the site and it was registered to someone in the Bahamas. There were other warning signs as well, but you get the picture.

If you use the “Find My iPhone” feature on your device, use caution about what you put into the text box should you need to use that app. Never enter your email address, because that allows someone to potentially phish for sensitive details. In addition, be a bit on edge about any telephone calls you may receive from Apple claiming someone found your iPhone. It is highly unlikely that Apple would call you. They might send email to the address you have on file in your account and they might even text you, but it’s doubtful they’d place a phone call. That said, should you receive one tell the caller thank you and hang up. Contact Apple separately using a number on their official support site. Never give anyone who calls you unexpectedly or unsolicited, sensitive information or login credentials.

In this story, the victim assumed that the thieves got his name from the “Medical ID” information stored on his phone, before he had a chance to lock the device. There is a place where you can put in certain information such as your name, blood type, allergies, and emergency contact information that is available even when the iPhone is locked. If the thieves indeed used that, they could have found his name there and searched online. Since his name is very unique, they could have figured out his email address using online searches and social engineering.

However, if the phone has been locked in the Find My iPhone app, it only shows on the lock screen what is written in the boxes when you filled it in iCloud. So if you don’t add your name, email address, social media handles, or any other identifying information, thieves won’t know how to find you in other ways.

Also, when filling in the medical ID section, consider putting in limited information. Since it could very well save your life, some information such as allergies to medications might be very useful. However, using your first name and the first names of your emergency contacts might be preferred over including last names too.

If you are one of those people who don’t lock their phone, it is highly recommended that you do. Had this one not been, whoever took it could have run off with a wealth of information. After all, think about all the details we keep in them these days: Our name, contact numbers, email addresses, banking and financial apps, access to home security systems, health data, social media apps with automatic login selected, etc. Which brings us back to the first tip and just don’t leave valuables in your vehicles.

© Copyright 2017 Stickley on Security