America’s cyber defense agency has issued warnings to users of Google, Microsoft, and Apple services to secure their accounts amid evolving hacker tactics. The agency advises changing passwords, removing SMS-based two-factor authentication, and implementing passkeys to counter these threats.
Hackers are advancing their methods to target user accounts, incorporating legitimate automated messages from Google, Apple, or Microsoft into their schemes. These messages, which appear genuine, serve as a vector for deception, prompting users to divulge sensitive information without suspicion.
Apple has specifically highlighted the use of sophisticated tactics designed to extract personal details from users. Attackers employ these strategies to obtain sign-in credentials and security codes, which grant unauthorized access to accounts. Such methods rely on psychological manipulation to bypass standard security protocols.
Incidents from last month illustrate the severity of these attacks. Hackers activated automated Apple security messages on victims’ devices while simultaneously placing phone calls. In these calls, the perpetrators impersonated representatives from Apple Support, creating an illusion of legitimacy to extract information.
Google account holders encounter parallel risks. A recent query on Reddit described an attacker sending security prompts directly to a user’s phone. The mechanism involves any individual initiating an account recovery process for the targeted Google address, which triggers the automated notifications.
These prompts explicitly instruct recipients to disregard them unless the user themselves started the recovery. This safeguard aims to prevent exploitation, yet attackers circumvent it by timing their actions precisely.
In the documented Reddit case, the attack mirrored recent Apple incidents. An individual contacted the victim over the phone, claiming affiliation with “Google’s security team,” coinciding exactly with the automated prompt’s arrival. This synchronization convinced the victim to vocalize the verification code from the message, resulting in the complete compromise of their account.
Apple provides clear guidance for such scenarios. Users receiving an unsolicited or suspicious phone call from someone purporting to be from Apple or Apple Support should immediately terminate the call, avoiding any further interaction that could reveal credentials or codes.
Google reinforces this protocol with its own policy. The company emphasizes that it never initiates phone calls to users for password resets or account troubleshooting. As stated by Google, “Please reiterate to your readers that Google will not call you to reset your password or troubleshoot account issues.” This direct communication underscores the company’s commitment to user awareness.
Regarding unexpected security prompts, users must verify their origin before responding. If no account recovery process, password reset, or device change has been initiated by the user, these prompts require complete disregard. Clicking on any associated links poses a risk of further exposure.
Sharing codes received in such prompts via email, text, or phone constitutes a critical vulnerability. Legitimate companies do not request this information through these channels. Any concurrent outreach attempting to solicit these details signals an ongoing attack, demanding immediate cessation of engagement to protect the account.
