Recognize and avoid social engineering schemes including phishing messages, phony support calls, and other scams

Use these tips to avoid scams and learn what to do if you receive suspicious emails, phone calls, or other messages.

Social engineering is a type of targeted attack that relies on impersonation, deception, and manipulation to gain access to your personal data. In this attack, scammers will pretend to be representatives of a trusted company or entity over the phone or through other communication methods. They will often use sophisticated tactics to persuade you to hand over personal details such as sign-in credentials, security codes, and financial information.

Phishing is one common tactic of social engineering that refers to fraudulent attempts to get personal information from you, usually by email. But scammers use any means they can to trick you into sharing information or giving them money, including:

• Fraudulent emails and other messages that look like they're from legitimate companies, including Apple.

• Misleading pop-ups and ads that say your device has a security problem.

• Scam phone calls or voicemails that impersonate Apple Support, Apple partners, and other well known or trusted entities or individuals.

• Fake promotions that offer free products and prizes.

• Unwanted Calendar invitations and subscriptions.

If you're suspicious about an unexpected message, call, or request for personal information, such as your email address, phone number, password, security code, or money, it's safer to presume that it's a scam — contact that company directly if you need to.

If you're concerned about a security issue with your Apple device or account, these resources provide more information that can help.

How to protect your Apple account and devices

Here are some things you can do to avoid scams that target your Apple account and devices.

• Never share personal data or security information like passwords or security codes, and never agree to enter them into a webpage that someone directs you to.

• Protect your Apple ID. Use two-factor authentication, always keep your contact information secure and up to date, and never share your Apple ID password or verification codes with anyone. Apple never asks for this information to provide support.

• Never use Apple Gift Cards to make payments to other people.

• Learn how to identify legitimate Apple emails about your App Store or iTunes Store purchases. If you send or receive money with Apple Cash (U.S. only), treat it like any other private transaction.

• Learn how to keep your Apple devices and data secure.

• Download software only from sources you can trust.

• Don't follow links or open or save attachments in suspicious or unsolicited messages.

• Don't answer suspicious phone calls or messages claiming to be from Apple. Instead, contact Apple directly through our official support channels.

How to report suspicious emails, messages, and calls

• If you receive a suspicious email that looks like it's supposed to be from Apple, please forward it to [email protected].¹

• If you receive a suspicious FaceTime call (for example, from what looks like a bank or financial institution), email a screenshot of the call information to [email protected]. To find the call information, open FaceTime and tap the More Info button next to the suspicious call.

• If you receive a suspicious link to a FaceTime call in Messages or Mail, email a screenshot of the link to [email protected]. The screenshot should include the phone number or email address that sent the link.

• To report a suspicious SMS text message that looks like it's supposed to be from Apple, take a screenshot of the message and email the screenshot to [email protected].

• To report spam that you receive in your iCloud.com, me.com, or mac.com Inbox, mark the spam emails as Junk or move them to your iCloud Junk folder. When you mark an email as junk, you help improve iCloud Mail filtering and reduce future spam.

• To report harassment, impersonation, or other types of abuse that you receive in your iCloud.com, me.com, or mac.com Inbox, send them to [email protected].

• To report spam or other suspicious messages that you receive through Messages, tap Report Junk under the message. You can also block unwanted messages and calls.

• Report scam phone calls to the Federal Trade Commission (U.S. only) at reportfraud.ftc.gov or to your local law enforcement agency.

More information about social engineering attacks, phishing and other scams

Learn how to identify social engineering attacks, recognize phishing messages, handle fraudulent phone calls, and avoid other online scams.

Social engineering attackers use impersonation and manipulation to first gain your confidence and trust. Then, they trick you into handing over sensitive data or providing them with access to your account information. They use a variety of tactics to impersonate a trusted company, entity, or someone that you know.

Watch for these signs to help identify if you’re being targeted as part of a social engineering attack:

• A scammer may call you from what appears to be a legitimate phone number for Apple or another trusted company. This is called “spoofing.” If the call seems suspicious, consider hanging up and dialing the vetted number for the company yourself.

• Scammers often mention personal information about you in an attempt to build trust and seem legitimate. They may refer to information that you consider private, such as your home address, place of employment, or even your Social Security number.

• They will often convey a desire to help you resolve an immediate problem. For example, they may claim that someone broke into your iPhone or iCloud account, or made unauthorized charges using Apple Pay. The scammer will claim they want to help you stop the attacker or reverse the charges.

• The scammer usually creates a strong sense of urgency to avoid giving you time to think and to dissuade you from contacting Apple yourself, directly. For example, the scammer may say that you’re free to call Apple back, but the fraudulent activities will continue and you will be liable. This is false, and designed to prevent you from hanging up.

• Eventually scammers will request your account information or security codes. Typically they will send you to a fake website that looks like a real Apple sign-in page and insist that you verify your identity. Apple will never ask you to log in to any website, or to tap Accept in the two-factor authentication dialog, or to provide your password, device passcode, or two-factor authentication code or to enter it into any website.

• Sometimes, scammers will ask you to disable security features like two-factor authentication or Stolen Device Protection. They will claim that this is necessary to help stop an attack or to allow you to regain control of your account. However, they are trying to trick you into lowering your security so that they can carry out their own attack. Apple will never ask you to disable any security feature on your device or on your account.

How to identify fraudulent emails and messages

Scammers try to copy email and text messages from legitimate companies to trick you into giving them your personal information and passwords. These signs can help you identify phishing emails:

• The sender’s email or phone doesn’t match the name of the company that it claims to be from.

• The email or phone they used to contact you is different from the one that you gave that company.

• A link in a message looks right, but the URL doesn’t match the company’s website.²

• The message looks significantly different from other messages that you’ve received from the company.

• The message requests personal information, like a credit card number or account password.

• The message is unsolicited and contains an attachment.

If you get a suspicious phone call or voicemail

Scammers use fake Caller ID info to spoof phone numbers of companies like Apple and often claim that there's suspicious activity on your account or device to get your attention. Or they may use flattery or threats to pressure you into giving them information, money, and even Apple gift cards.

If you get an unsolicited or suspicious phone call from someone claiming to be from Apple or Apple Support, just hang up.

You can report scam phone calls to the Federal Trade Commission (U.S. only) at reportfraud.ftc.gov or to your local law enforcement agency.

If you see suspicious Calendar events

If you get an unwanted or suspicious calendar invitation in Mail or Calendar, you can report it as Junk in iCloud. If you might have unintentionally subscribed to a spam Calendar, you can delete it.

If your web browser displays annoying pop-ups

While browsing the web, if you see a pop-up or alert that offers you a free prize or warns you about security problems or viruses on your device, don't believe it. These types of pop-ups are usually fraudulent advertisements, designed to trick you into downloading damaging software or giving the scammer personal information or money.

Don't call the number or follow the links to claim the prize or fix the problem. Ignore the message and simply navigate away from the page or close the entire window or tab.

If you're prompted to download software

Use extreme caution if you download content from the internet. Some downloads found on the internet may not contain the software they claim to, or may contain software that you didn't expect or want. This includes apps that ask to install configuration profiles that can then control your device. If installed, unknown or unwanted software may become intrusive and annoying and could even damage your Mac and steal your data.

To avoid unwanted, fake, or malicious software, install software from the App Store or get it directly from the developer's website. Learn how to safely open software on your Mac or remove unwanted configuration profiles from your iPhone, iPad, or iPod touch.