Apple Users Face New 'MFA Bombing' Attack as Scammers Exploit Password Reset Tool

ICARO Media Group
News
27/03/2024 22h43

Apple device owners are falling victim to a phishing attack known as "multi-factor authentication (MFA) bombing," which aims to steal their personal data, according to reports. Several Apple users have recently reported being targeted by scammers who abuse Apple's password reset feature to spam victims with numerous notifications requesting a password reset for their Apple ID.

When users press the "Allow" option, scammers are brought one step closer to resetting the victim's credentials, because the device can then be used to create a new Apple ID password. However, even selecting "Don't Allow" on every notification does not solve the issue.

In a concerning twist, those who opted against allowing their passwords to be reset received subsequent phone calls from the scammers posing as Apple's support team. The scammers' goal was to have a password reset code sent to the user's device and then convince the user to share that code with them. Armed with this information, the scammers could effortlessly reset the Apple ID password and gain full access to the victim's account.

While it remains uncertain what scammers would do if victims did not press "Allow" on the notification, it is likely that they would still attempt to deceive the target by posing as Apple support, convincing them to reset their password and disclose it to the hackers.

Phishing attacks have long been used as a method to exploit unsuspecting victims, but in recent years, scammers have increasingly turned to phishing as an effective way to steal passwords, delete data, and extort money. According to security provider SlashNext, mobile phishing attacks experienced a staggering 61% year-over-year increase within a six-month period in 2022. That translates to approximately 255 million phishing attacks targeting mobile users during that period alone.

The extent of the impact from this MFA bombing attack on Apple users remains unclear. Reports indicate that iPhone, Apple Watch, and Mac users have all received these deceptive notifications, suggesting no specific device is exempt from the attack. Complicating matters further, there is currently no straightforward solution to prevent such attacks.

One of the victims cited in the report sought assistance from Apple, who advised them to create a recovery key—a 28-character code required to change an Apple ID password. However, even after generating the recovery key, notifications from the scammers could still be triggered, indicating a flaw within Apple's password reset feature. Until Apple addresses this issue, hackers can continue to exploit the vulnerability and target unsuspecting users.

As of now, Apple users are left with no option but to remain vigilant and informed. If individuals receive an influx of password reset requests they did not initiate, it is crucial to consistently choose the "Don't Allow" option on every notification. Choosing "Allow" simply because other apps or services are temporarily blocked by the prompts plays directly into the fraudsters' scheme. Even if the "Allow" option is avoided, users should expect follow-up calls from the scammers and should under no circumstances answer them or provide any information to the callers.

Moreover, Apple has explicitly stated that the company does not contact its users directly. Therefore, if individuals receive a call appearing to come from the number 1-800-275-2273 (Apple's legitimate support line, which the scammers are impersonating), it is imperative to avoid picking up the call and to refrain from sharing any information with the caller.

With the growing threat of phishing attacks and the ongoing exploitation of Apple's password reset tool, users must remain cautious and implement strict security measures to safeguard their personal information and accounts.

The views expressed in this article do not reflect the opinion of ICARO, or any of its affiliates.
