Multi-factor authentication is considered extremely secure because it requires the user to present at least two modes of verification before they can perform specified actions. Usually, this involves approving a prompt sent to your phone or confirming a one-time password delivered to your phone number. The process of resetting your Apple ID also requires a similar process: you first head to Apple’s iForgot portal, enter your email or phone number, verify the provided captcha, and then approve the request sent to your linked Apple device.
This means anyone with access to your email account can theoretically initiate the password reset process. The prompt on your iPhone has options to “Allow” or “Deny” it, and choosing the latter will dismiss the request. The phishing attack involves bombarding the user’s Apple device with tens and hundreds of such prompts, and the way Apple handles account-level actions will prevent you from using your device until you’ve manually denied every single request.
Despite making the right move, Parth stated that the scammer then called him with what seemed to be Apple Support’s official phone line. The “representative” on the other end then pushed him to verify a one-time password sent to his phone. Using information available on People Data Labs, the scammer is able to verify the victim’s personal details — down to their home address and date of birth.