Indian man lost Apple iPhone due to phishing attack despite having Find My iPhone enabled

We’ve all heard stories about how Apple’s Find My helped people find lost or stolen devices. In many cases, when even the police looked helpless, Apple’s Find My service helped consumers. But today we are faced with a bizarre and frightening incident in the heart of India’s capital, Delhi. An iPhone user named Vedant had his iPhone stolen while he was riding his bike to calibrate the GPS on his smartwatch via the iPhone. The incident took place around 7:50 pm on the Vikaspuri outer ring road, opposite the Confectionery Palace. Within 20 minutes of the incident he tried to use Find My iPhone from a Mac, only to find that his phone was turned off and no location data was being transmitted.

He followed the standard procedure required by law. He reported the incident to the Delhi Police within an hour and contacted the telecom operator to block the existing SIM card. In the meantime, he also switched to a spare iPhone and turned on “Lost Mode” for his stolen iPhone. He turned on Lost Mode so that if anyone connected the iPhone to any Wi-Fi network, he would get a notification, and no one could use the iPhone or reset it.

He lost his iPhone on Saturday night, and on Monday at 4:50 pm he received a text message saying “Your lost iPhone 12 Blue has been found and temporarily turned on.” The text also included a link that he had to follow to find the location of his lost iPhone. He followed the link and saw a location near Safdarjung displayed, and then he was asked to sign in to iCloud. When he signed in, the same location was shown, and a moment later he received an email stating that his iCloud account was being accessed from an unrecognized Windows PC. Although he immediately changed his Apple ID password and removed the unknown device, his stolen iPhone had already been removed from his account and Find My had been disabled as well.

So what went wrong? Vedant fell victim to a phishing scam, and this is the exact roadmap the scammers used. On Saturday night, his iPhone 12 was snatched. Because the attackers had the phone in their hands before the SIM card could be blocked, they took out the SIM card and used it in another phone to call someone and so learn the victim’s phone number. Once they had the victim’s phone number, they simply waited patiently for the victim to get a new SIM card with the same phone number. They did not use the stolen iPhone at all.

Two days later, when the scammers were sure that the victim would have had his number reissued on a new SIM card, they sent the victim a phishing link where he himself provided his Apple ID and password. Once the scammers had his Apple ID and password, they logged into his account from a Windows PC and removed his lost iPhone 12 from the account so that Lost Mode could no longer work and they could do whatever they wanted with the stolen iPhone. Here is the complete thread in which he recounted the entire incident.

https://twitter.com/vedantkhanduja/status/1458130983056666629

MySmartPrice reached out to Vedant to hear the whole story and understand the facts with greater clarity. We asked him whether he had told Apple about the incident, to which he replied that he called Apple Care and explained everything, and the call lasted about an hour. We also asked him if the webpage where he provided his Apple ID and password looked genuine, and he replied, “Yes, it looked super authentic with a user interface that matched the original Apple user interface. Even while signing into iCloud, everything looked very authentic. The only catch with the link was that it didn’t end in .com because there was a hyphen after .com.”

Thus, it is quite clear that he was the victim of a carefully coordinated phishing scam in which the scammers used the stolen SIM card to learn the victim’s phone number and then sent him a phishing link. The scammers also seem to be using a fairly reputable SMS gateway, as the text Vedant received came from the same service address from which he receives OTPs for Microsoft Outlook. Notably, Vedant works as a social media specialist for a well-known agency in Delhi.
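The one tell Vedant mentions, a link that carried a hyphen after “.com” instead of ending there, can be checked mechanically by comparing the link’s real host with the genuine domains. The following is an added example, not part of the original article or Vedant’s thread; the trusted-domain list and the `.example` sample links are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: the domains treated as genuine Apple sign-in hosts.
TRUSTED = ("apple.com", "icloud.com")
# Brand words derived from the list above: {"apple", "icloud"}.
BRANDS = {d.split(".")[0] for d in TRUSTED}


def classify(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for a link's host."""
    # Links in SMS often omit the scheme; add one so the host parses.
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return "unrelated"
    # Genuine only if the host IS a trusted domain or a subdomain of it.
    # The leading dot matters: "notapple.com" must not match "apple.com".
    if any(host == d or host.endswith("." + d) for d in TRUSTED):
        return "trusted"
    # Otherwise look for the brand used as bait anywhere in the authority
    # part: a label such as "icloud.com-findmy" (hyphen after .com) or a
    # fake user name placed before "@".
    tokens = set(re.split(r"[.\-@:]", parts.netloc.lower()))
    if tokens & BRANDS:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links; none is taken from the incident.
    samples = [
        "https://www.icloud.com/find",
        "https://icloud.com-findmy.example/locate?id=1",
        "https://icloud.com@login.example/",
        "appleid.apple.com/sign-in",
        "https://pineapple.example/",
    ]
    for link in samples:
        print(f"{classify(link):10} {link}")
```

The check reads the host from the right-hand end, which is where ownership of a domain is decided; anything to the left of the registered name, including a convincing “icloud.com-”, is chosen freely by whoever owns that name.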

Note: The Twitter thread mentioned in this article may contain links that we strongly advise you to avoid. Readers should not follow links they don’t recognize. This is the first defense against phishing. While the phishing link now appears to redirect to iCloud, you never know when something will go wrong.
