What happened
Swiss National Cyber Security Centre (NCSC) has issued a warning that threat actors are sending SMS or iMessage‑based phishing texts to owners of Apple iPhones that claim their lost or stolen device has been found. The message mimics the Find My service, may include the iPhone model, color, storage size, and other details gleaned from the lock screen, and links to a fake page designed to harvest the user’s Apple ID credentials.
The attackers’ ultimate goal is to gain access to the Apple account, disable Activation Lock, and either enable resale or erase the device.
Who is affected
Owners of iPhones whose devices have been lost or stolen, or who have displayed contact information on the lock screen via the Find My feature. The scam appears to target users of Apple devices globally, although the warning originates from Switzerland’s NCSC.
It also affects any organization whose employees bring their own device (BYOD) iPhones, especially if those devices host corporate data or are linked to enterprise Apple IDs.
Why CISOs should care
- This type of social engineering targets the very endpoint that often contains sensitive corporate data or access (e.g., via iPhones used for business).
- Compromising an Apple ID linked to a corporate device can lead to account takeover, data exfiltration, device wipe, or enable attackers to impersonate the user or enroll the device in a malicious mobile device management (MDM) system.
- It highlights the real-world risk of endpoint loss, including weak authentication or account hygiene. Even if the device is locked, the lock screen information, as well as phishing, can defeat device-protection features like Activation Lock.
- For organizations with mobile-first or hybrid work models, this highlights the need for a security posture and awareness that extends beyond email phishing (i.e., SMS/iMessage phishing, also known as “smishing”).
3 Practical actions
- Educate mobile-device users: Advise employees that if they receive an unsolicited “your iPhone has been found” message, especially one containing a link, they should treat it as a phishing attempt. Make it clear that companies like Apple will not send SMS/text links for lost devices. Consider including examples of these texts in your awareness campaign materials to illustrate their relevance.
- Review and secure mobile-device settings: Instruct users to enable Lost Mode immediately via Find My iPhone if a device is lost, and ensure Activation Lock remains enabled. Also, minimize information placed on the lock screen (e.g., contact email or phone number) that could aid attackers.
- Enforce multifactor and mobile-account protections: Ensure all Apple IDs used for work (or personal devices used for work) have strong, unique passwords and MFA enabled. Monitor for any unusual Apple ID login attempts or account changes (e.g., “erase iPhone” commands, removal of Activation Lock). Evaluate mobile‑device management (MDM) or mobile threat detection (MTD) controls that can detect phishing events or unauthorized account changes on iOS devices.