For many iPhone users, Apple’s “Find My” feature is a lifeline when a device goes missing. However, cybercriminals are now exploiting that trust by sending messages that appear to be part of the recovery process.
Posing as Apple Support officials, scammers attempt to extract login credentials that can unlock cloud backups, personal photos, financial information, and other sensitive data.
The latest phishing campaign flagged by the Indian Cybercrime Coordination Centre (I4C), set up by the Ministry of Home Affairs, suggests that smartphone theft and credential theft are increasingly interconnected, with criminals using one crime to facilitate the other.
The National Cybercrime Threat Analytics Unit of I4C recently identified a sophisticated phishing campaign targeting Apple iPhone users whose devices have been lost or stolen and are in the possession of perpetrators.
I4C, in its advisory, said the perpetrators impersonate Apple Support officials and exploit victims’ urgency to locate or secure their missing devices through fraudulent SMS messages containing phishing links. These messages closely resemble legitimate “Find My iPhone” or Apple Support notifications and redirect users to counterfeit Apple login pages designed to steal Apple ID credentials and one-time passwords (OTP).
Once the stolen devices are compromised, attackers gain unauthorised access to victims’ accounts and remove the linked Apple IDs from the devices.
Gaining access to digital identity
“Most people assume the theft ends when the phone leaves their possession. In reality, that is often when the social engineering begins. A stolen device can reveal a surprising amount of information even when locked: a phone number displayed on the SIM card, notifications appearing on the lock screen, emergency contact details, or clues from incoming messages,” said Dr Sanjay Katkar, Joint Managing Director, Quick Heal Technologies.
Katkar further added that criminals use these fragments to build credibility and then send phishing messages claiming that the device has been located. The objective is not necessarily gaining the device itself. It is gaining access to the digital identity connected to it. Once an attacker convinces the owner to trust the message, the theft moves from the physical world into the digital one.
“Once a device has been lost or stolen, the individual experiences helplessness and desperation, which is a psychological opening for the cyber criminal. Striking at the right time with a look-alike of the ‘Find My Device’ page, the criminal can extract sensitive information at a time when the guard is down,” Ankush Tiwari, CEO and Founder of pi-labs, told indianexpress.com.
“Phishing attacks work effectively when they are customised to the situation. A lost device is an excellent alibi from a cybercriminal’s point of view. The government advisory is timely, and the crux of the matter is not to panic into divulging information when you are in fear, anger, or similar extreme emotions,” Tiwari added.
“The scam works because it shows up at exactly the wrong moment. A message claiming the phone has been found feels credible because it’s arriving when the victim wants it to be true,” opines Vikram Raichura, Founder and Managing Director of Helo.ai by Vivaconnect.
What happens next?
“Phishing websites are designed to capture credentials before passing the victim to a legitimate-looking page or displaying an error message. The moment an Apple ID and password are entered, attackers gain the keys to a much larger ecosystem of personal data. This can include cloud backups, photos, contacts, stored credentials, and connected devices. In the case of a stolen iPhone, attackers often try to obtain Apple ID credentials to remove security protections such as Activation Lock. Once that happens, the device becomes significantly more valuable to resell, while the victim faces the risk of account takeover, identity theft, and fraud,” Katkar said.
Raichura notes, “Once credentials and verification codes are shared, the issue moves beyond device theft. Attackers gain access to the Apple account, disable security protections, and make the device easier to reuse or resell. The bigger risk is that a stolen phone can quickly become a compromised digital identity.”
He adds, “The common thread in most phishing scams is pressure. Unexpected messages, urgency-driven language, suspicious links, unfamiliar sender IDs, and requests for passwords, OTPs, or verification codes should all be treated with caution. The moment a message tries to rush you, that is the moment you should slow down.”
Scams becoming common in India
“These scams are becoming far more targeted and common in India. Traditional phishing relied on sending the same message to thousands of users and hoping someone clicked. Today’s attackers use context. A lost phone, a missed delivery, a banking alert, or a KYC update all provide believable scenarios that increase engagement. We are also seeing cybercriminals use AI-generated content to improve the quality of messages, remove obvious errors, and personalise communication. As smartphones increasingly become the gateway to banking, payments, and digital services, compromising the user behind the device has become more profitable than stealing the device itself,” Katkar opined.
Red flags
🚩 Urgency is the biggest red flag. Messages claiming that a lost iPhone has been found and demanding immediate action are designed to trigger panic and bypass rational decision-making.
🚩 Be wary of links received through SMS, WhatsApp, or other messaging platforms, especially those directing users to login pages.
🚩 Never enter Apple ID credentials, passwords, or OTPs on websites reached through unsolicited messages.
🚩 Check the website address carefully. Fraudsters often use domain names that closely resemble legitimate Apple websites to deceive users.
🚩 Unexpected requests to log in to an Apple account, particularly after a device has been reported lost or stolen, should be treated with suspicion.
🚩 Messages that create pressure to act within minutes or warn of severe consequences for inaction are common phishing tactics.
🚩 If a message appears to be from Apple, verify the information through official Apple channels, or the Find My app, rather than clicking on embedded links.
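The red flags above can be turned into a simple triage check for a suspicious SMS. The following is an added example, not part of the I4C advisory or the original article: the domain allowlist, brand-token list, keyword patterns and sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: icloud.com hosts the "Find Devices" page named in the article;
# apple.com is added here as Apple's main domain.
OFFICIAL_DOMAINS = ("apple.com", "icloud.com")
BRAND_TOKENS = ("apple", "icloud", "findmy", "find-my")  # hypothetical list
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
URGENCY_RE = re.compile(
    r"\b(immediately|urgent(ly)?|within \d+ (minutes?|hours?)|expires?|last chance)\b", re.I)
SECRET_RE = re.compile(r"\b(otp|password|passcode|verification code)\b", re.I)


def is_official(host):
    """True only for an official domain itself or one of its subdomains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def red_flags(text, sender=""):
    """Return the sorted red-flag labels raised by one SMS."""
    flags = set()
    for url in URL_RE.findall(text):
        # .hostname drops any "user@" prefix and port, so only the real host is judged
        host = (urlsplit(url).hostname or "").lower()
        if is_official(host):
            continue
        flags.add("unverified-link")
        if host.startswith("xn--") or any(t in host for t in BRAND_TOKENS):
            flags.add("lookalike-domain")
    if URGENCY_RE.search(text):
        flags.add("urgency")
    if SECRET_RE.search(text):
        flags.add("asks-for-secret")
    # Assumption: recipient is in India (+91); any other country code counts as international
    if sender.startswith("+") and not sender.startswith("+91"):
        flags.add("international-sender")
    return sorted(flags)


# Constructed sample messages (not real campaign data)
SCAM = ("Apple Support: your lost iPhone has been located. Sign in within 30 minutes "
        "to view its location: https://icloud.com.find-device.example/login")
BENIGN = "Your device can be viewed at https://www.icloud.com/find"

if __name__ == "__main__":
    print(red_flags(SCAM, sender="+15550100"))
    print(red_flags(BENIGN, sender="AX-APPLE"))
```

A host counts as official only when it is the allowlisted domain or ends with a dot followed by it, so a name that merely begins with "icloud.com" is still flagged.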
Recommended Precautions
📌 Avoid clicking links received via SMS (especially from international SMS headers) or unsolicited messages, and carefully check the URL before entering credentials.
📌 Request blocking of a lost or stolen mobile through the CEIR Portal (https://www.ceir.gov.in/Request/CeirUserBlockRequestDirect.jsp)
📌 Do not enter OTPs on unverified websites, nor disclose OTPs to anyone.
📌 Use Apple’s official “Find Devices” service page (https://www.icloud.com/find)
📌 Do not remove devices from your Apple ID without verification and ensure “Find My iPhone” remains active.
📌 Always activate two-factor authentication (2FA), use strong passwords and keep devices updated with the latest security patches.
What to do in case you fall prey to this scam?
Act immediately if you have entered your credentials on a suspicious website. The faster you respond, the lower the risk of account compromise.
📍 Change your Apple ID password without delay and sign out of any unauthorised sessions if possible.
📍 Review the list of trusted devices linked to your Apple account and remove any devices you do not recognise.
📍 Check account recovery settings, including recovery email addresses and phone numbers, for any unauthorised changes.
📍 Monitor banking, payment, and financial applications linked to the device for suspicious transactions or login attempts.
📍 Keep a close watch on email, cloud storage, and other accounts that may share the same password or recovery information.
📍 Be alert for signs of identity theft or financial fraud, as cybercriminals often move quickly after obtaining credentials.
📍 Use trusted security solutions that can detect and block malicious links, phishing websites, and suspicious activity before significant damage occurs.
📍 Report phishing attempts immediately to https://cybercrime.gov.in/ or call the 1930 cyber helpline number.
“These scams will keep coming unless we respond with something out of the box. Precautions have to become second nature. You have to assume nothing can be trusted by default. Think of it like a firewall: trust nothing unless verified. Until you set that default in your mind, you cannot match the uniqueness of these scammers,” notes Kaushal Bheda, Director, Pelorus Technologies.
“What makes these scams effective is that they don’t ask people to believe something unbelievable. They ask people to believe something they desperately want to be true. The theft creates urgency. The phishing attempt exploits it,” Raichura adds.
The safe side
As the world evolves, the digital landscape does too, bringing new opportunities—and new risks. Scammers are becoming more sophisticated, exploiting vulnerabilities to their advantage. In our special feature series, we delve into the latest cybercrime trends and provide practical tips to help you stay informed, secure, and vigilant online.
