As email fraud filters become more sophisticated, cybercriminals are turning to Apple’s iCloud to bypass safeguards and deliver phishing messages.
According to BleepingComputer, bad actors are sending fraudulent calendar invites that claim a victim’s PayPal account has been billed for hundreds of dollars and instruct them to review a purchase receipt.
The objective is to pressure the target into calling a fake customer service number to dispute the charge. Once on the phone, bad actors attempt to convince the victim to download software that grants criminals access to personal and financial data, while also creating a gateway to install malware.
Phishing Through Trusted Channels
This type of callback phishing scam is not new, and email filters are increasingly designed to weed out such messages. What makes the iCloud-based attacks particularly threatening is that they are sent from Apple’s legitimate website, giving them a much higher chance of reaching their intended audience.
In the example uncovered by BleepingComputer, the iCloud calendar invite was sent from a Microsoft 365 account controlled by the bad actors. Since the email originiated from an Apple account and was then forwarded by a Microsoft account, it didn’t trigger any red flags. Similarly, these attacks have a greater chance of fooling their targets since they appear to come from legitimate sources.
Suspecting All Communications
Impersonating brands like Microsoft, Apple, Amazon, and PayPal has been a common practice for bad actors. While these attacks were originally easier to spot due to typos or grammatical irregularities, phishing attacks have become increasingly hard to discern.
They are also often coupled with social engineering tactics, where an individual is pressed with urgent language that demands immediate action. The combination of realistic messages and strongarm tactics is too often effective—especially against older consumers.
In addition to fabricated messages, there is a growing trend where cybercriminals exploit loopholes in organizations’ platforms for financial gain. For example, bad actors have sent phishing requests to users on PayPal’s legitimate platform, which appear disturbingly convincing.
As phishing messages become more sophisticated, users must suspect all unsolicited communications, especially those that request immediate action.
