Lost iPhone? Don’t click that “we found it” link — it’s a phishing trap
Nov 12, 2025
A coordinated wave of SMS/iMessage phishing is impersonating Apple’s Find My / “device found” notifications to trick victims into entering Apple ID credentials on credential-harvesting pages. The attackers frequently reuse details visible on a phone’s lock screen (model, color, contact text) to make messages appear legitimate. Their primary goal is to obtain Apple IDs to remove Activation Lock or fully take over accounts. Security teams should treat this as a high-value social-engineering scenario and add tailored “lost device” simulations to their phishing programs.
Background — what happened
Switzerland’s National Cyber Security Centre (NCSC) and several security outlets have documented an uptick in messages that claim a lost iPhone has been located and include a link to “view the location.” The links lead to pages that mimic Apple’s Find My / Apple ID login UI. When victims enter credentials, attackers capture them and use the account access to remove Activation Lock, erase devices, or pivot to associated services. Reporting and advisories have appeared across multiple vendors and CERTs during November 2025.
Why this is effective (threat model)
High emotional urgency: Owners of lost or stolen phones are motivated and less cautious when they think recovery is possible.
Data-driven personalization: Lock-screen messages and lost-mode contact fields can expose device model, color, and contact details. Attackers reuse those details to increase perceived legitimacy.
High operational value: Apple ID control lets attackers disable Activation Lock — the primary protection that ties a device to its owner — enabling erasure and resale or broader account takeover.
Attack flow — technical summary
Victim marks device as lost or the device becomes physically accessible to an adversary.
Attacker obtains lock-screen or reported contact details (method unclear; could be opportunistic or through access to device metadata).
Attacker sends SMS/iMessage: “We found your iPhone — view location” with a link to a credential capture page.
Victim clicks → phishing page mimics Find My/Apple ID login; credentials submitted are exfiltrated to attacker-controlled infrastructure.
Attacker uses credentials to remove Activation Lock, erase device, or take over other linked services (email, iCloud, backups).
Real-world evidence & advisories
NCSC (Switzerland): Week 44 advisory summarises multiple incidents and stresses the attacker goal of bypassing Activation Lock via credential theft.
BleepingComputer / Tom’s Guide / Bitdefender / Malwarebytes: Published investigative and user-focused write-ups showing message examples and remediation advice.
Indicators of compromise (IoCs) & detection signals
Use the following indicators in detection rules, phishing filters, and analyst playbooks.
| Indicator type | Example / detection rule |
|---|---|
| Message content | “We found your iPhone”, “Your lost iPhone 14 128GB Midnight was located” (look for “found/located” + device model patterns). |
| Sender behavior | Short-lived numbers, international prefixes, or sender IDs not matching Apple domains. |
| URL traits | Non- |
| Page content | Pages that visually mimic the Apple login but are hosted on off-Apple TLDs and request full Apple ID credentials. |
| Post-click telemetry | High proportion of credential submission events from “lost device” simulation URLs vs control pages. |
Mitigations — what ClearPhish recommends
For SOC / Detection teams
Block or flag inbound messages with patterns like “found your iPhone” or that reference device models + “found/located”. Add high-priority rules for external domains impersonating Apple.
Enrich alerting with post-click telemetry: capture click-through, form-submit attempts (mock), and referrer domains to measure real exposure.
Whitelist legitimate Apple endpoints (apple.com, icloud.com) at email/URL filtering tiers while blocking lookalikes and homoglyph domains.
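As an added example (not code from the page or from ClearPhish), a small Python triage routine that applies the indicator table and the allowlist/lookalike rules above to message bodies: it matches lure wording and device-model patterns, allowlists apple.com and icloud.com by dotted label rather than by substring, and folds a constructed homoglyph map to catch lookalike hosts. The sample messages, the confusable map and the verdict thresholds are assumptions.

```python
import re
import unicodedata
from urllib.parse import urlparse
# Legitimate Apple endpoints named on the page; every other host is external.
APPLE_DOMAINS = ("apple.com", "icloud.com")
# Constructed map of Cyrillic letters that render like Latin ones (homoglyphs).
CONFUSABLES = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
                             "\u0441": "c", "\u0456": "i", "\u04cf": "l"})
LURE_RE = re.compile(r"\b(found|located)\b", re.I)
DEVICE_RE = re.compile(r"\biPhone\s*\d{1,2}\b(?:\s*(?:Pro|Plus|Max|mini))*(?:\s*\d{2,4}\s*GB)?", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
SAMPLES = [  # constructed sample texts, not from the page: two lures, one benign message
    "We found your iPhone 14 128GB Midnight. View location: https://icloud-find.example/locate",
    "Your iPhone was located: https://\u0430pple.com/find",  # Cyrillic 'a' homoglyph
    "Lunch at 12? Store link: https://www.apple.com/retail",
]

def is_apple_host(host: str) -> bool:
    """Apple domain or a subdomain; dotted-label matching rejects 'icloud.com.example'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in APPLE_DOMAINS)

def is_lookalike_host(host: str) -> bool:
    """Non-Apple host that still reads as Apple after homoglyph/Unicode folding."""
    if is_apple_host(host):
        return False
    folded = unicodedata.normalize("NFKC", host.lower()).translate(CONFUSABLES)
    return any(brand in folded for brand in ("apple", "icloud"))

def score_message(text: str) -> dict:
    """Score one SMS/iMessage body against the page's indicators: block/review/allow."""
    signals = set()
    if LURE_RE.search(text):
        signals.add("lure_keyword")
    if DEVICE_RE.search(text):
        signals.add("device_model")
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if not is_apple_host(host):
            signals.add("non_apple_url")
        if is_lookalike_host(host):
            signals.add("lookalike_host")
    bad_url = bool(signals & {"non_apple_url", "lookalike_host"})
    if "lure_keyword" in signals and bad_url:
        verdict = "block"  # lure wording plus an external or lookalike link
    elif bad_url or {"lure_keyword", "device_model"} <= signals:
        verdict = "review"  # a single strong signal: route to an analyst
    else:
        verdict = "allow"
    return {"verdict": verdict, "signals": sorted(signals)}
```

Run `score_message` over each entry in `SAMPLES` to see the three verdicts; the dotted-label check is what stops a brand used as a leading label (icloud.com.example) from being allowlisted.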
For end users
Never click links in unsolicited texts claiming your device was found. Open the official Find My app or navigate to icloud.com/find from a trusted browser.
Enable Lost Mode from a trusted Apple device or iCloud to lock and message the phone.
Use strong, unique Apple ID passwords and enable two-factor authentication (2FA) — do not rely on SMS-based 2FA alone.
If credentials were entered on a suspicious page: change Apple ID password from a trusted device immediately, revoke unknown devices on the Apple ID device list, and contact Apple Support. Report phishing to reportphishing@apple.com.
Recommended incident playbook (concise)
Detect suspicious message click or credential submit event.
Force immediate Apple ID password reset and invalidate all active sessions.
Revoke device access and re-enroll 2FA.
Run account pivot checks (email forwarding, backup email/phone changes, linked third-party apps).
Notify impacted user(s) and provide tailored coaching.
Final take
This campaign is a textbook example of high-payoff social engineering: a low-cost, high-reward lure (recover your phone) combined with simple personalization from available device metadata. Because the end objective (bypass Activation Lock via credential theft) directly monetizes stolen devices, attackers will continue refining these lures. The defensive priority is clear: realistic simulations (with personalization), URL-domain enforcement, and fast account recovery playbooks. ClearPhish recommends you add the provided simulation matrix and IoC table to your next phishing rotation and detection ruleset.
Disclaimer: ClearPhish maintains a strict policy of not participating in the theft, distribution, or handling of stolen data or files. The platform does not engage in exfiltration, downloading, hosting, or reposting any illegally obtained information. Any responsibility or legal inquiries regarding the data should be directed solely at the responsible cybercriminals or attackers, as ClearPhish is not involved in these activities. We encourage parties affected by any breach to seek resolution through legal channels directly with the attackers responsible for such incidents.