The Apple Support Password Reset Scam

You’ve gotten a message that your device has been signed into. Or maybe just a text or phone call from Apple giving you a verification code. Then Apple calls you, letting you know your account is under attack, and someone will be in touch with you shortly.

They call back and let you know they’re aware of the attack and will help you. In fact, you should get a case number from Apple. They might even have you reset your password to add more credibility.

Once everything’s done,the rep send a text with a link to a website. You’ll be asked to give the case number and then as a final step the website will ask you for the two-factor code you’ve been sent. You fill it in.

Next thing you know, you have been locked out of your account, and the scammers now have control of it.

How did this happen? Well, that final site where you gave them your 2FA (and they have you use the site instead of asking for it to seem less suspicious) was them asking Apple for a password reset. You giving them that 2FA allowed them to go through the password reset process and take control of your account.

How to protect yourself
First of all, and the most important thing: if you get a message on your iDevice that your account has been signed into and you did not sign in (and neither did anybody in your family), change your password Don’t wait! This means that someone has your correct password (due to password reuse or similar)!

Now for the rest of it:

Like many entities, Apple does not call you about your account being under attack. Apple is a huge company and there are millions of accounts and devices. They don’t have time to call users about possible password breaches in real time.
Just because you get a case number doesn’t mean that the person on the other end of the line is real, just that there was an email from Apple with a case number. The scammer knows the case number because they opened the case.
Just because the site looks like Apple’s doesn’t mean that it is Apple’s. For example, while Apple has multiple domains that are (something)-apple[.]com doesn’t mean that a random site with that name is legit. Check the domain against a list of known Apple domains.
Apple does not have you “close out” a case by having you enter the case number and then “confirm” by entering a 2FA code. No business would have the user confirm they are who they say they are like that.
If you are unsure, look up Apple’s contact info, making sure you pick it up from the actual apple.com domain, and call them.