Sunday, 13 July 2025

Beware of MFA bombing: A new phishing scam targeting Apple users

"MFA Bombing" phishing attack targeting Apple users and how to protect yourself from being locked out of your account.

In a concerning trend, numerous Apple enthusiasts have become the unsuspecting victims of a phishing scheme known as “MFA Bombing.” This cunning attack exploits a loophole in Apple’s password reset system, preying on the shared human traits of impatience and oversight.

How does the scam unfold?

Imagine your day is interrupted by a barrage of “Reset Password” notifications on your iPhone, urging you to “Use this iPhone to reset your Apple ID password.” For those caught in the crosshairs of this scam, such alerts have become a frustrating reality. Parth Patel recounted his ordeal on X, detailing how he was bombarded with up to 100 of these notifications.

The attackers’ strategy hinges on weariness and error. They bombard you with notifications in the hope that, in a moment of frustration or distraction, you’ll mistakenly press “Allow” instead of “Don’t Allow.” Falling into this trap grants the scammer the power to reset your Apple ID password, effectively locking you out of your account and devices.

Should this initial ploy fail, the scammer might escalate their tactics by impersonating Apple Support in a phone call. The aim is to coax you into revealing a one-time password, which they can use to gain control over your Apple ID.

The email addresses and phone numbers linked to your Apple ID are all the scammers need to launch this attack. These details are used on Apple’s page for a forgotten Apple ID password, triggering the relentless notifications. The exact method by which these attackers manage to spam users with multiple alerts remains unclear, though it is suspected that a glitch in the system is being exploited.
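Seen from the side of a service that sends such approval prompts, the pattern described above (a flood of reset prompts, then a single "Allow") stands out in prompt logs. The sketch below is an added example, not code from Apple or from this article; the event format, account names, window and threshold are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed look-back window
THRESHOLD = 5                   # assumed number of unapproved prompts that counts as a flood

def sample_events():
    """Constructed log: (timestamp, account, response to the reset prompt)."""
    t0 = datetime(2025, 1, 1, 9, 0, 0)
    events = []
    # alice: 12 prompts dismissed in two minutes, then one tired "allow"
    events += [(t0 + timedelta(seconds=10 * i), "alice", "deny") for i in range(12)]
    events.append((t0 + timedelta(seconds=125), "alice", "allow"))
    # bob: a single reset he started himself
    events.append((t0 + timedelta(seconds=60), "bob", "allow"))
    # carol: flooded, but never approves
    events += [(t0 + timedelta(seconds=5 * i), "carol", "deny") for i in range(8)]
    return sorted(events)

def detect(events, window=WINDOW, threshold=THRESHOLD):
    """Return (account, rule, prompt_count) alerts for time-ordered events."""
    pending = defaultdict(deque)   # account -> timestamps of recent unapproved prompts
    alerts = []
    for ts, account, response in events:
        q = pending[account]
        while q and ts - q[0] > window:   # drop prompts older than the window
            q.popleft()
        if response == "allow":
            # An approval right after a burst is the dangerous case:
            # a service could hold the reset for extra verification here.
            if len(q) >= threshold:
                alerts.append((account, "approved_after_flood", len(q)))
            q.clear()
        else:
            q.append(ts)
            if len(q) == threshold:       # alert once when the burst crosses the threshold
                alerts.append((account, "prompt_flood", len(q)))
    return alerts

if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

The `prompt_flood` rule is also a natural point to rate-limit further prompts for that account, which removes the attacker's ability to wear the user down.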

Steps to take if you’re targeted

There is no definitive solution to this problem currently. If you receive persistent notifications, remain calm and methodically tap “Don’t Allow” on each one.

Moreover, should you receive an unsolicited call claiming to be from Apple Support, remember that Apple does not make outbound calls unless requested by the customer. Notably, Apple would never ask for your one-time password reset codes over the phone.

This ordeal underscores the importance of vigilance in the digital age. By staying informed and cautious, you can protect yourself from falling victim to such schemes.
