What to do if Apple contacts you about malware or security

Although Apple rarely contacts users directly, apart from its routine promotional emails, in recent months more users have reported receiving emails and messages that appear to come from Apple. This article considers how you should respond.

Probably a scam

The majority of emails, and almost all messages, purporting to be from Apple are scams. Some are obvious; others may at first appear quite convincing, but ultimately there’s something about all of them that doesn’t ring true.

Late last year there was a spate of emails, not iMessage messages, warning users about problems with iCloud, in particular that their allocation was almost full and needed to be cleared out. Some of those at least came from what appeared to be a legitimate Apple email address, although it wasn’t one normally used to contact customers in this way. No one seems to know who sent them, or why, but these appear to have been automated messages sent in error.

The great majority of Apple’s official emails are sent from no_reply@email.apple.com. Bear in mind, though, that the From address on its own proves nothing, as it’s trivial to forge. Look instead at the message headers, in particular the Return-Path (the envelope sender) and the Authentication-Results header added by your own mail provider, which records whether the message passed SPF, DKIM and DMARC checks for the domain it claims to come from. Where the headers and text source don’t hold up, the message is forged, and you should delete it.

If you can’t see anything to suggest the message isn’t genuine, verify its contents using an independent method. For example, if it claims that your iCloud allowance is almost used up, don’t click on any links in the message, but sign in to your iCloud account at iCloud.com, typing the address yourself.

There, click on your account in the tile at the upper left. If there might be a problem with storage in iCloud Drive, click Storage to see how your space is being used and how much remains free. You can also check your Apple ID settings and more, to verify whether there was any reason for someone to send you that email in the first place. If what you see on iCloud.com doesn’t tally with what the message claims, you know it’s a scam or an error.

Phishing

If the email or message refers in any way to security or malicious software, it’s almost certainly a phishing attack. Don’t click on any of the links it provides, and, if it arrived in Messages, forward it to Apple’s scam and phishing team. Apple provides full instructions and addresses in this article.

One of the best ways to check for phishing is to read your email messages in source. Although this feature is hidden away in Mail, you can access it using View > Message > Raw Source. Other mail clients may give the option to view the body of all messages as text, making this even easier, as you can immediately see the true destination of each link rather than the text it displays. That’s one reason that I use Postbox as my preferred email client.
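The header checks and the raw-source reading described above, as an added example that is not part of the original article: a Python script that takes a message saved from Mail’s Raw Source view (a .eml file), compares its From address with the usual Apple sender, checks whether the Return-Path and the SPF/DKIM/DMARC verdicts in Authentication-Results agree with that address, and lists every link in the HTML body with its real destination, flagging those whose visible text names a different site. The sample message, its sender and every domain in it other than email.apple.com are constructed for this example.

```python
"""Triage the raw source of a suspicious "Apple" email (added example, not code
from the original article). Input is a message saved as shown in Mail's
View > Message > Raw Source. The sample below is constructed; every domain in
it apart from email.apple.com is made up."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

EXPECTED_SENDERS = {"no_reply@email.apple.com"}  # Apple's usual sender, per the article

# Constructed sample: From is forged to look right; the envelope sender,
# the authentication verdicts and the link targets give it away.
SAMPLE_EML = """\
Return-Path: <bounce@mail-notify.example.net>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mail-notify.example.net; dkim=none; dmarc=fail header.from=email.apple.com
From: Apple Support <no_reply@email.apple.com>
Subject: Your iCloud storage is almost full
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Your iCloud storage is almost full. Sign in at https://www.icloud.com/ to review it.
--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>Your iCloud storage is almost full.</p>
<p><a href="https://icloud-storage-renew.example.net/login">https://www.icloud.com/</a></p>
<p><a href="https://icloud-storage-renew.example.net/login">Review storage</a></p>
</body></html>
--b1--
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Lower-cased host of a URL, or of link text that merely looks like one."""
    s = text.strip() if "://" in text else "http://" + text.strip()
    return (urlparse(s).hostname or "").lower()


def looks_like_url(text):
    return re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text.strip(), re.I) is not None


def auth_results(msg):
    """SPF/DKIM/DMARC verdicts from Authentication-Results. The topmost header was
    added last, by your own provider, so it wins over any copies lower down."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr), re.I):
            verdicts.setdefault(mech.lower(), result.lower())
    return verdicts


def triage(raw):
    """Parse one raw message and return what was found, with readable findings."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1]
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    findings = []
    if sender.lower() not in EXPECTED_SENDERS:
        findings.append(f"From address {sender} is not Apple's usual sender")
    # From is trivially forged; the envelope sender and the verdicts say who really sent it
    if return_path and return_path.rsplit("@", 1)[-1].lower() != sender.rsplit("@", 1)[-1].lower():
        findings.append(f"Return-Path {return_path} does not match the From domain")
    verdicts = auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        if verdicts.get(mech) != "pass":
            findings.append(f"{mech} verdict is {verdicts.get(mech, 'missing')}")
    links, deceptive = [], []
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        collector = _LinkCollector()
        collector.feed(html.get_content())
        links = collector.links
    for href, text in links:  # visible text naming one site, href pointing at another
        if looks_like_url(text) and host_of(text) != host_of(href):
            deceptive.append((text, href))
            findings.append(f"link shown as {text} really goes to {href}")
    return {"from": sender, "return_path": return_path, "auth": verdicts,
            "links": links, "deceptive_links": deceptive, "findings": findings}
```

Run it on a saved message with `triage(open("message.eml").read())["findings"]`. On the constructed sample it reports the mismatched Return-Path, the failing DKIM and DMARC verdicts, and the link whose visible text says icloud.com while its href points elsewhere, even though the From address is the genuine Apple one. Authentication-Results is only worth trusting when your own mail provider added it, so check that the first token of the topmost copy names your provider’s server.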

Malware reports

With one notable exception, Apple doesn’t know whether your Mac or devices have any malware, and can’t tell you if they do. Any message that tries to tell you otherwise is phishing or a scam. macOS now has three built-in systems that check for malware:

  • XProtect, which checks executable code when it’s being loaded to run, particularly if it has a quarantine flag and hasn’t yet been run on that Mac. If it detects anything, it reports this to you in an alert telling you to delete that app or file, and blocks it from running. It doesn’t phone home to Apple.
  • XProtect Remediator, which runs on macOS Catalina and later, and every 24 hours or so performs a series of scans for known malware. It doesn’t send its reports to Apple, but records them in the log, where they can be read by some security software. Check its latest reports using my free XProCheck.
  • XProtect’s latest behavioural detection system, Bastion, which currently only seems to record rule violations in its local database, and isn’t believed to send any reports to Apple.

Apple threat notifications

The one exception to these general rules is if you receive a threat notification from Apple, as explained here. These consist of an email and an iMessage notification sent to the email addresses and phone numbers associated with your Apple ID. Each provides advice on what additional measures you can take in response, but will never ask you to click any links, open files, install apps or profiles, or provide your Apple ID password or verification code by email or over the phone.

Instead, if you think you have received a threat notification from Apple, sign in to iCloud.com yourself, rather than through any link in the message, where you should see confirmation that those messages are genuine.

This is a scheme Apple started recently, for those users whom Apple has reason to believe are being targeted by “mercenary spyware” produced by well-funded groups such as NSO. Apple has apparently already sent notifications to users in nearly 100 countries, warning them of the threat to their Macs and devices. These are targeted attacks on individuals who may already be under surveillance as journalists, activists, or similar.

Summary

If you receive emails at the addresses known to Apple, and iMessages at the phone numbers it holds, notifying you of a threat against you, confirm this by signing in to iCloud.com and follow the advice given. Otherwise, it’s most likely to be a scam or phishing attack.