We're highlighting these three skills because they're basic cyber self-defense for regular people, but they also would have prevented some of the stories you'll read about below.

• Check sender’s contact information. The internet is full of fakes. When you make contact with a new person, take the extra time to check their phone number and address against white pages records. Run a reverse image search on any profile pictures to see if they are stolen.
• Call them back. Scammers can fool caller ID and make their phone number look like anything they want, but they can only seem to call you from a number, they can’t receive calls to that same number. If somebody calls you from a tech company or the government, call them back at the official number listed on the official website.
• Insist on a video call. When developing new relationships online, insist on a video call and learn to spot deep fake video. Video is much harder to fake than audio.

For a complete list of our top security recommendations, join our upcoming live course: Privacy & Security for Apple Enthusiasts, March 27-April 11 on insider.iphonelife.com, all included in your iPhone Life Insider subscription.

Major Changes to iOS App Store in Europe

iOS 17.4 is due out any day. With it will come Apple’s implementation of changes demanded by the European Union’s Digital Markets Act, a law which forces Apple to allow iPhone users more third-party options for software, intended to make competition easier for smaller rivals on the iOS platform. iPhone users in the EU can expect that they will be able to install third party app stores, which will let them install a potentially larger and less curated collection of third party apps. Apps from third party stores will still be scanned for vulnerabilities using Apple’s automated process, but will skip the manual portions of Apple’s checking process. Such apps also will not use the App Store purchase system, making it potentially easier to get tricked into spending money and harder to get a refund. Users in the EU will also be able to select different default web browsers, and will see changes to how websites load when they’re saved to the Home Screen. These changes only apply to iPhone users in the EU.

The Bottom Line: Users outside the EU should not see these changes. If you are in the EU then we would recommend avoiding third party app stores for the time being, as we don’t yet know how secure or private any of them might be. The increased consumer choice enforced by the Digital Markets Act is probably a net positive, but it does come with an increase of risk. For comparison, Mac computers already have third party app stores, and are more at risk than iPhones, but not to any catastrophic degree.

VisionOS 1.0.2 Patches Security Bug

Apple patched the operating system for their new Vision Pro augmented reality headset only days after the device’s release. This was the same bug in Webkit, the internet browsing engine used by Safari, that was patched in iOS 17.3 (and the rest of Apple’s devices around the same time). Malicious actors could craft web pages that would let them start executing code on the device, and Apple is aware of a report that malicious actors may have done so.

The Bottom Line: Updates are your friend. Always keep an eye out for that update notification.

Courier-Enabled “Phantom Hacker” Scams

The FBI has issued a warning about a new criminal scheme that operates on the fear of hackers to trick victims into giving away thousands. The scam follows a pattern where the scammers call the victim first pretending to be a tech company, perhaps Amazon, wanting to verify activity on accounts in the victim’s name. This tells the victim that they have had their identity stolen, but it’s only phase one of the scammer’s plan. Next they call the victim pretending to be a US government official, and ratchet up the urgency and the pressure. The victim is warned that to protect their assets from digital looters they should take all their wealth out of the digital realm as much as possible, converting to gold or other precious material. Then the scammers send a courier to pick up the precious material, promising that the courier will safely deposit it somewhere nice and secure, and that the victim will get it back if they ask. Needless to say, the promised vault is like the big farm upstate where goldfish go after they’ve learned to swim upside down: a one-way vacation.

The financial advice columnist over at The Cut fell for this scam and wrote it up in detail. Her account conveys how remarkably slick and convincing the scammers can be, even with what seems, from a distance, to be an outrageous story.

The Bottom Line: No legitimate government agent will ever tell you to drain your bank accounts, then turn it over to them. Be wary of any unsolicited phone call, especially when they try to convey an extremely urgent matter. In addition to the impersonation of government agents, this scam depends on an exaggerated fear of hackers and their capabilities, rooted in Hollywood myth. While it is certainly possible for a hacker to open a new line of credit using your stolen identity, credit monitoring services will notice.

Warning: Fraudulent Activity on Your Account

The scam is fairly simple: the scammer calls to tell you that there has been suspicious activity on your bank account and they need to lock your debit card. It looks like they’re calling from your bank’s phone number. They don’t ask for your whole card number (obviously unsafe), nor do they ask for the final four digits (which would be safe to give them). Instead they ask for just enough digits to get you into trouble. Most of your debit card number is based on which type of card it is and what bank issued it, so they just need the rest. Once they’ve got your card number, they race off to an internet spending spree. It looks simple, but bonafide internet legend Cory Doctorow fell for this scam over the holidays. He then turned it into an excellent blog post that’s well worth a read since it’s both entertaining and educational.

To pull off this scam, the scammer needs to know your phone number, your name, which bank you use, what type of debit cards the bank issues (visa, mastercard, etc) and they need to be able to make their call look like it’s coming from the phone number your bank would use. That’s a lot of info and it likely takes a fair amount of effort to get it all together for each potential victim. Scammers will take the time, but they often don’t have to. A single leak of customer data from a credit union or healthcare provider may supply the scammer with everything they need.

The Bottom Line: This event emphasizes our recommendation number 2: Never give out information to someone who calls you, no matter what they say. Call them back at the official number that can be found on the company’s web site.

Romance Scams in the Air

Romance scams are responsible for $1.3 billion of grift in 2022 alone, reports the U.S. Federal Trade Commission (FTC). Scammers constantly evolve their techniques, but the FTC has analyzed 8 million romance scam reports submitted to them to produce a very helpful writeup of how romance scams look and how to avoid them. The cruel affair usually starts with a fake persona on social media, in dating apps, or any other place where you might expect to meet a stranger online. It progresses to romance, of the digital variety: playful messaging, words of kindness, details about a family and life, all fake. Human connection is the bait. The hook comes on the end of a set of fairly predictable lines. As explained in the FTC’s report, here are modern scammer’s favorite lies:

• I or someone close to me is sick, hurt, or in jail
• I can teach you how to invest
• I’m in the military far away
• I need help with an important delivery
• We’ve never met, but let’s talk about marriage
• I’ve come into some money or gold
• I’m on an oil rig or ship
• You can trust me with your private pictures

Some of these lines lead by fairly obvious paths straight to theft. We’ve talked about “I can teach you how to invest” before when we’ve discussed pig butchering. If you’re sending someone bond money because they’re “in jail” when they are not, then it’s clear how the grift works. Remember that the line doesn’t come right away: they wait until they’ve made a firm and trusting connection. Other lines are a little less obvious: pretending to be on an oil rig or ship or in the military is a prelude to eventually claiming that they don’t have access to their own bank accounts because of some semi-plausible bureaucratic mess. They’ll ask for your help buying their (fake) kid a birthday present, or paying the customs fees on a package, or any of a hundred different things somebody stuck far from home might need help with.

The private pictures are a special case. Compromisingly private pictures are used as blackmail material in a racket called sextortion, which mostly targets people under 30 on Instagram and Snapchat.

The Bottom Line: Verify identities when engaging with strangers online. A few techniques can help: search their profile pictures in google images to see if it’s been stolen from somewhere else; try a phone number lookup on their number; and most importantly, insist on a video call. Anyone requesting that you wire them money or read them the numbers off a gift card you’ve purchased is a scammer.

Deep Fakes on the Rise, Taylor Swift, Joe Biden, Your Boss

This month, generative AI was used in three high-profile scams. Sexually explicit images were generated of celebrity Taylor Swift and circulated on X (formerly twitter). There was no financial goal, just cruelty. X tried to crack down on the images by blocking searches for Taylor Swift by name, but their efforts were ineffective. AI was used to create fake audio of President Joe Biden urging voters in New Hampshire not to vote for him in the state primary. This was linked to a company in Texas, and prompted the FTC to update its regulations to outlaw phone calls using deep faked audio. Finally, in a world first, an employee of a company in Hong Kong was convinced to wire $25 million to scammers who used deep fake videos of his boss and other company employees in a video conference call to convince him the wire transfer was authorized.

The Bottom Line: AI generated deep fake images, audio, and video, are here. They work. They’re convincing. It is now possible to generate images, audio, or video of almost anyone doing almost anything, though the programs need a lot of source material to train them so it works best for public figures. Of audio, video, and images, video is the most difficult for the programs to produce, so insisting on a video call is still the best way to be certain you’re talking to a real person. In a video call, pay attention to the quality of the image. Deep fake programs still generate videos that look like they are low resolution, akin to what you would see in a Zoom call with a poor connection.

Home Routers Hacked by China, Russia, for Influence Campaigns and to Prepare an Attack On U.S. Critical Infrastructure

Any device directly connected to the internet is a potential target for hackers. They love devices like your home Wi-Fi router or your smart-home light bulb, because if that device has a vulnerability, then they can gain control of that device. Once they’ve got a local foothold on your network, they can connect that device by VPN to other devices they’ve compromised. Individually, the computers in smart light bulbs or home WI-Fi hubs may not be very fast, but if hackers get enough of them, then their network can distribute the tasks and become quite useful. For example, they can use the network to hide their activity so it seems to come from your residential IP address instead of their real address.

In early February, the FBI announced a coordinated a takedown of one such network. These were consumer routers, people’s home Wi-Fi hubs, that had been compromised by a Chinese state hacker group called Volt Typhoon, and were being used by China to prepare to attack critical infrastructure in the United States as potential cover for a hypothetical future invasion of Taiwan. Shortly later, the U.S. Justice Department coordinated the takedown of a different network of smart devices that had been compromised by a Russian state hacker squad known as Fancy Bear.

The Bottom Line: Keep your home Wi-Fi router up to date and make sure it has a strong and unique password. When purchasing smart devices, prefer those that exclusively connect through Apple’s HomeKit, which greatly improves their security. If possible on your home router, consider disabling the unsecure UPnP protocol for smart devices (instructions for how to do that will depend on your router, and are outside the scope of this newsletter). These steps protect your devices and your privacy, and (remarkably) there is an outside chance they might also contribute slightly to global stability.

Push Notifications Can Send More Info Than We Thought

Normally, apps on an iPhone are not allowed to do anything when they’re not front and center with the phone unlocked. If the device is locked or if the app is in the background, it will have very limited ability to gather information. However, security research company Mysk has found that since iOS 10, receiving a push notification will permit an app to “wake up” for a few seconds so it can properly fill in the details of the alert, for example with the profile photo of the person who just liked your Facebook post. This momentary window has been exploited by app developers that harvest and sell user data, including X (formerly twitter), Facebook, and TikTok. These apps use the moments of processing time meant for a push notification to send information about your device back to their servers. The data harvested in this way is not compromising on its own—it’s likely just used to tailor your advertising experience on the respective platforms—but in aggregate it could be used to identify you and your use habits. In the wrong hands and aggregated with other data, that could help scammers convince you they’re legitimate or be used by stalkers to track your movements. However, we have no evidence yet that push notifications have been used in this way.

The Bottom Line: Social media giants, especially X, read small amounts of information every time their app serves you a push notification. You can disable push notifications in the Settings app, on an app by app basis.

So-Called “Mother of All Breaches” Contains Billions of Old Records, Some New

Many of us have been victims of data breaches. In fact, I would be surprised if someone had never had their data leaked in some capacity. Now, cybersecurity researcher Bob Dyachenko, together with Cybernews, discovered what they are calling "the mother of all data breaches.” According to them, 12 terabytes and more than 26 billion records, including usernames and passwords, have been leaked from companies such as Tencent, LinkedIn, X (formally Twitter), Adobe, Zynga, Canva, and many more. While this leak comprises mostly old data from previous data breaches, SpyCloud Labs has identified around 1.6 billion “distinct” files, meaning that the breach may contain some new data. However, it is currently unknown which of these new records belong to which leak, so it is recommended to stay on the lookout for any suspicious activity, such as phishing attempts or spam emails.

If you are accustomed to using password managers and different passwords for every account, a data breach like this is unlikely to have a huge impact on you. However, if you happen to use the same username and password combination across multiple sites, anyone who gains access to the data in this breach could potentially use that information to log in to your other accounts.

The Bottom Line: To protect against breaches like this, it is important to use strong, unique passwords for all your accounts and to enable multi-factor authentication where available. A password manager (such as Bitwarden or iCloud Keychain) makes this easy and secure. To check what data of yours has been leaked, you can visit havibeenpwned.com. Despite its silly name, it is a trusted service that collects known data breaches.

Add an Account Recovery Contact

If you use iCloud at all, then losing access to your Apple ID account and its attached iCloud storage would be a real nightmare. iCloud can store your photos, contacts, app purchases, the locations of your devices, and even your passwords for other accounts (if you use iCloud Keychain to save your passwords), even your backups of your device data.

Protect yourself from losing access to all that by designating an Account Recovery Contact. Go to Settings > Apple ID > Password & Security > Account Recovery and tap the button labeled Add Recovery Contact. Your phone will let you designate a contact who will receive a special code you can use to securely recover your account if you’re ever locked out.

There is far too much security and privacy news to cover it all. When building this newsletter, we look for scams, hacks, trouble, and news to illustrate the kinds of problems Apple enthusiasts may encounter in our private lives, and the self defense we can practice to keep our devices, accounts, and lives secure. Our commentary focuses on practical advice for everyday people. This newsletter is written by me, Cullen Thomas, with contributions from Rhett Intriago, edited by Donna Schill.