Cybercriminals have found a cunning way to bypass Apple iMessage’s built-in phishing protection, targeting users with SMS phishing scams (smishing) that lure victims into re-enabling disabled links. This tactic exploits a combination of user behavior and iMessage’s features, leaving many unsuspecting people vulnerable to scams.
Apple’s iMessage is designed to automatically disable links in messages from unknown senders to protect users from phishing attacks. However, if a recipient replies to the message or adds the sender to their contacts, these protections are removed, and links become clickable again.
The Clever Manipulation: Tricking Users to Respond
A sharp rise in smishing attacks over the past few months shows how criminals are evolving their methods. They’re no longer just sending suspicious links—they’re crafting messages designed to make users respond and inadvertently disable Apple’s safeguards.
Take, for example, two common scams observed recently: one about a fake USPS shipping issue and another regarding unpaid road tolls. Both came from unknown senders, so iMessage automatically disabled the links. But these messages included an instruction: reply with “Y” to activate the link.
It’s a seemingly harmless request, especially for those accustomed to replying “Yes,” “No,” or “STOP” to manage subscription texts or appointment confirmations. However, this simple action tells the scammers two things:
- The recipient is engaged. They’ve proven they read and respond to texts, making them a prime target for future scams.
- Phishing protection is gone. The links, once disabled, are now live and ready to trap users.
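As an added illustration (not code from the original article), here is a small Python triage heuristic that models the link-enabling behaviour described above and flags messages carrying the "reply Y to activate the link" instruction; the sample messages, sender numbers and .example domains are constructed, and a real filter would see the sender's contact status from the messaging client.

```python
import re
from dataclasses import dataclass

URL_RE = re.compile(r"https?://\S+|\b[\w-]+\.[a-z]{2,}(?:/\S*)?", re.I)
# "reply/text ... Y/yes ... activate/enable/open" or "activate ... link"
REPLY_LURE_RE = re.compile(
    r"\b(?:reply|respond|text|send)\b[^.\n]{0,40}\b(?:y|yes)\b[^.\n]{0,60}"
    r"\b(?:activate|enable|open)\b|\b(?:activate|enable)\b[^.\n]{0,40}\blink\b", re.I)
URGENCY_RE = re.compile(r"\b(?:within 24 hours|immediately|final notice|unpaid|held)\b", re.I)

@dataclass
class Message:
    sender: str
    body: str
    sender_in_contacts: bool = False  # sender saved in the address book
    replied: bool = False             # user has already replied to this sender

def links_clickable(msg: Message) -> bool:
    """Model of the behaviour described above: links from an unknown sender stay disabled until the user replies or saves the contact."""
    return msg.sender_in_contacts or msg.replied

def score_smishing(msg: Message) -> tuple[int, list[str]]:
    """Return (score, reasons). A score of 4 or more is treated as a likely lure."""
    score, reasons = 0, []
    if URL_RE.search(msg.body):
        score += 1
        reasons.append("contains a link")
        if not msg.sender_in_contacts:
            score += 1
            reasons.append("link from an unknown sender")
    if REPLY_LURE_RE.search(msg.body):
        score += 3  # the tell-tale "reply Y to activate the link" instruction
        reasons.append("asks recipient to reply so a disabled link becomes active")
    if URGENCY_RE.search(msg.body):
        score += 1
        reasons.append("urgency wording")
    return score, reasons

def is_smishing(msg: Message) -> bool:
    return score_smishing(msg)[0] >= 4

# Constructed samples modelled on the USPS and road-toll lures in the article, plus a benign reminder that also asks for a "YES" reply.
SAMPLES = [
    Message("+15550100001", "USPS: your package is held at our facility due to an incomplete "
            "address. Reply with Y to activate the link: usps-track-info.example/abc"),
    Message("+15550100002", "FINAL NOTICE: unpaid road toll. Reply Y to enable the link and "
            "pay now: tolls-pay.example/p"),
    Message("+15550100003", "Your dentist appointment is tomorrow at 3pm. Reply YES to confirm "
            "or STOP to unsubscribe.", sender_in_contacts=True),
]
```

The benign reminder scores zero even though it asks for a "YES" reply, because the lure pattern requires the reply to be tied to activating or enabling a link; that coupling is what distinguishes the tactic described in the article from ordinary confirmation texts.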
Who Is Most at Risk?
While tech-savvy users may spot these scams, the tactic is particularly effective against less vigilant or vulnerable populations. Older adults, for example, may not recognize the signs of a phishing scam and could mistakenly trust a seemingly urgent message about a missed delivery or unpaid toll.
In fact, BleepingComputer reported one such incident where an older individual showed them a phishing message, unsure if it was real. This highlights how attackers rely on confusion and urgency to prompt a reaction.
Even without clicking the now-enabled link, replying confirms to the scammer that the number is active and monitored, putting the recipient at greater risk for future phishing attempts.
Why Smishing Is Becoming So Common
The rise of smishing aligns with our growing reliance on mobile devices for daily activities—shopping, banking, and even work communication. Threat actors are targeting mobile numbers because texts often feel more personal and immediate than emails, making them harder to ignore.
Apple’s iMessage protections, while effective, are not foolproof. They rely on users following best practices, such as avoiding interaction with unknown senders. But scammers are leveraging behavioral tricks that bypass these protections.
How to Protect Yourself
To avoid falling victim to these tactics, it’s essential to stay vigilant and remember a few key points:
- Never reply to suspicious messages. If a link is disabled, that’s a warning sign. Don’t enable it by replying.
- Verify messages with the source. If the text claims to be from a company or organization, contact them directly through their official website or phone number.
- Educate vulnerable individuals. Share information about these scams with family and friends who may be more susceptible.
- Use built-in reporting tools. Many messaging apps allow you to report phishing attempts. This helps improve spam filters and alerts others.
The Bigger Picture: Balancing Security and Usability
Apple’s iMessage feature to disable links from unknown senders is a smart move, but it relies on user understanding to remain effective. By tricking users into replying, cybercriminals expose a critical flaw in how protections are applied.
While no system is perfect, awareness and education are the best defenses. Technology can only do so much; it’s up to individuals to recognize the signs of a scam and act cautiously.
Cybercrime tactics are constantly evolving, but staying informed is your best shield. If something feels off about a message, trust your instincts and double-check before taking any action.