• 🗒️✅ Your Security Checklist
• 🏆🎖️ Test Your Security Skills
• 📰 Your Weekly Security Update
• 🤨 This Should Be on Your Radar 📡
• 🙈 Security Fail of the Week 👎
• 🍎📱 Security Updates from Apple 🍎

If you take nothing else from this newsletter, just do these three things to protect yourself:

1. Never reply to texts about USPS packages or toll fees. A common scam technique involves sending potential victims realistic text messages about undeliverable packages or unpaid tolls.
2. Use Private Wi-Fi Address whenever possible. Private Wi-Fi Address is a feature that ensures your iPhone has a unique MAC address when connecting to Wi-Fi, helping to reduce tracking and other data collection.
3. Switch your search engine to DuckDuckGo. Google is a privacy-invasive search engine, so we recommend DuckDuckGo as an alternative.

What should you do in the following scenario?

You receive a text from a number you don’t recognize, asking about dinner plans, and addressed to a name that is not your own. 🤔

1. Respond and let them know they have the wrong number.
2. Ignore the message.
3. Block the number.
4. Something else (email us your answer)

Scroll to the bottom to see how you did!

If you’re a regular reader of Security Friday, you know how important end-to-end (E2E) encryption is. E2E means any data sent from one source to another is kept secure and encrypted the entire time, preventing others from accessing your private data and messages. A few years ago, Meta began implementing E2E encrypted messaging across its platforms, but now it’s rolling back this crucial change, starting with Instagram. The company recently announced that it will no longer support encrypted messaging on Instagram starting May 8. According to The Guardian, Meta made this change due to the low number of users who have actually enabled E2E encryption since its introduction. The company suggests that users who want their chats to stay encrypted should install WhatsApp, which does currently offer E2E encryption. Read more about Instagram’s E2E encryption.

The Bottom Line: With this change, Meta will have full access to your private messages sent over Instagram. If any of your Instagram chats currently have E2E encryption enabled, you can download any media or messages that you want to keep, as they may be deleted after May 8. Once that happens, avoid sending any messages you would not want Meta employees to read. If you want to use an E2E-encrypted messaging app, we recommend Signal, iMessage, or WhatsApp.

TikTok Prefers Surveillance to Security

Just as Meta announced an end to E2E encryption on Instagram, TikTok announced it will not implement end-to-end encryption in direct messages. As we discussed above, E2E encryption would protect your private messages, preventing anyone else, including TikTok itself, from reading them. The company has told the BBC that it’s for that very reason that it will not be implementing E2E encryption, since it would prevent the company and law enforcement from accessing direct messages. TikTok claims this will help protect younger users.

The Bottom Line: As with Instagram, we recommend against using TikTok for sending and receiving private messages. For true E2E encryption, use iMessage or install an app like Signal or WhatsApp.

Is Russia Preparing to Shut Down the Internet?

Russia has begun intermittently blocking cellphones in Moscow from accessing foreign websites. This disruption has forced Russian citizens to adapt to living back in the 90s, using pagers and paper maps to replace the apps and services that they normally rely on. Russian authorities are claiming that they’re doing this to combat Ukrainian drone strikes, though, according to the Associated Press, some believe Russia is testing the waters for a complete shutdown of the internet across the country.

The Bottom Line: In some jurisdictions, access to the internet is not guaranteed. If you live in a region like this, be sure you have a backup plan in place for what you’ll use to replace any websites or apps that you normally rely on. And even if you don’t live in an area like this, it doesn’t hurt to be prepared.

Age Verification: Why Is It Such a Hot Topic?

You may have noticed digital age verification becoming increasingly common across apps and websites. An independent investigator, called The TBOTE Project, set out to determine why and, after researching the matter, announced that Meta is behind the lobbying for age-verification legislation. However, since this investigation was performed by an independent (and anonymous) individual, we would recommend taking this story with a grain of salt and checking out the TBOTE Project website for yourself. The site is filled with information and links demonstrating how the Project made this determination.

The Bottom Line: Age verification is a tricky subject. It’s a good idea in theory but most often comes at the expense of personal privacy. Apple has managed to implement age verification that maintains user privacy through its Declared Age Range API. We’re hoping this will encourage others to implement more privacy-focused age-verification methods in areas that require it.

Scammers Recreate Police Stations for Fake Video Calls

When it comes to scams, we often recommend using a video call to verify someone’s identity, since video calls are hard to fake. A scam center in Cambodia went the extra mile to fool its victims by constructing elaborate film sets for conducting scams over video calls. The sets were designed as replicas of police stations from around the world, from which the scammers would conduct video calls to convince potential victims that they were truly being contacted by law enforcement. You can find out more about this scam center and its operations at Bloomberg.

The Bottom Line: It is highly unlikely that the police will ever contact you over video call. If you ever receive a video call from someone claiming to be law enforcement, you’re most likely talking to a scammer. Hang up, and call your local police department’s non-emergency number to verify who is calling you.

British Tourist Charged for Filming Missile Attack

A British tourist in Dubai has been charged for allegedly filming an Iranian missile strike hitting the city. Posting the footage is illegal in the United Arab Emirates (UAE) because it is seen as a danger to national security. A UAE ambassador to the UK claims that such footage could compromise public safety and that the person filming could be hit by debris. The minimum punishment for this type of crime is two years in prison plus a fine of 200,000 UAE dirham (around $54,000). UK authorities are in contact with Dubai law enforcement. You can read more at CNN.

The Bottom Line: We usually encourage filming and documenting to keep your government accountable. However, it’s important to keep in mind that laws surrounding filming in public are different around the world, and some places may outlaw it entirely. Always be sure to research what your country’s laws say about public filming before doing so.

Artificial Intelligence & Data Leaks

Artificial Intelligence is proving to be a serious problem for cybersecurity. A team of security experts called GitGuardian recently released its annual “State of Secrets Sprawl” report, which shows an 81% increase in leaked data from AI. We recommend checking out the full report for yourself. If you’re interested, you can find it on GitGuardian’s blog.

The Bottom Line: Cybersecurity takes a lot of work that artificial intelligence is just not capable of. As always, we recommend avoiding apps that were developed using AI, as they will almost always have weak security, making leaks inevitable.

The EU Creates Its Own Version of Microsoft Office

In an effort to become less reliant on US-based tech companies, the EU has been hard at work on an alternative to Microsoft Office and Google Workspace. Over the past few months, Office.eu has been testing its productivity platform and is beginning to roll it out to companies across Europe, by invitation only. Office.eu says it will be released more widely in the 2nd quarter of 2026. Check out the Office.eu press release for more details.

The Bottom Line: If you live in the EU and you’re looking for an alternative to Microsoft Office, Office.eu seems like a good choice, though you will likely need to wait until later this year to start using it.

Russian Hacking Group Leaks Its Own Data

A Russian Advanced Persistent Threat (APT) called FancyBear leaked its own data for anyone to find. A security researcher called Ctrl-Alt-Intel discovered an exposed directory containing thousands of emails and hundreds of stolen credentials, along with plans for future attack campaigns. FancyBear is responsible for compromising the governments and militaries of countries like Ukraine, Greece, Romania, and others, making this leak pretty surprising. Check Ctrl-Alt-Intel’s report for the full story.

The Bottom Line: No one is immune to security compromise, not even the hackers that usually do the compromising. That’s why it’s so important to mitigate possible attacks by doing things like using a password manager and encrypted messaging apps.

Everything you need to know about Apple’s latest software updates.

• The most recent iOS and iPadOS is 26.3.1
• The most recent macOS is 26.3.1 and 26.3.2 for MacBook Neo
• The most recent tvOS is 26.3
• The most recent watchOS is 26.3
• The most recent visionOS is 26.3.1

Read about the latest updates from Apple.

The correct answers are both B. Ignore the message and C. Block the number. This is a common scam tactic where the scammer pretends to have texted the wrong number. The idea is that you would respond, telling them they have the wrong number, but they will continue texting you in order to build a trusting relationship before asking for money or other information. Even if you don’t fall for the scam, responding at all lets the scammer know that your phone number is active and they can use it to target you with other scams.

There is far too much security and privacy news for us to cover it all. When building this newsletter, we look for scams, hacks, trouble, and news to illustrate the kinds of problems Apple enthusiasts may encounter in our private lives, and the self-defense we can practice to keep our devices, accounts, and lives secure. Our commentary focuses on practical advice for everyday people. This newsletter was written by Cullen Thomas and Rhett Intriago and edited by August Garry.

Want to learn more about password managers and how to use them? Check out:

• What Is the Best Password Manager?
• How to Make a Strong Password