Phishing scams have a history of employing some impressive web design skills to trick people into giving up their Apple ID credentials. But a new attack, thoroughly detailed by Joonas Kiminki at Hackernoon, shows just how far it can go, and how convincing these scams can be. After having his iPhone stolen from a rental car, Kiminki did the reasonable thing and notified Find My iPhone to receive alerts once the phone was back online. Almost two weeks later, he received a notification that his phone was found, and that he just needed to provide his Apple ID credentials in order to see the location. Except it wasn't an Apple site, but instead a very convincing fake.
Kiminki was obviously thrilled that his phone had been found, and says he only paused because of the curious URL at the top of the page that prompted him for credentials. Once he dug into the source code, he found that his Apple details would have been sent to a sketch-as-hell email account tied to some random business in Nassau.
This kind of scam isn't completely new idea, but maybe the most convincing. Take a look at this other ruse, posted on Reddit back in April, next to the one that tried to fool Kiminki:
Scam from April (left) compared to Kiminki's scam
Both look like they come straight from Apple. Both are fake. The only real giveaway is the URL, which should be highlighted green and say "Apple Inc." Since Kiminki is a web professional, he saw through the deception. I like to think I would too, but I'm honestly not so sure. It would likely depend on which stage of grief I'm in over my lost Apple device.
Seeing as these are two separate phishing scams in just the last few months, Apple and Google should probably warn users — like the millions and millions of people who are not web professionals — that iPhone stealing arsehats like this exist and to take caution whenever services like Find My iPhone are activated.
But at the very least, use a lockscreen. Do it. Do it now.