
Security Friday: Real Estate Scams, Foreign Hackers, AI students, a Malicious Chrome Extension, and More

Hi Readers, Cullen here. Do you know about the complaint tablet of Ea-nāṣir? It's a letter written almost four thousand years ago complaining about an alleged scam, in which a copper merchant sold copper of inferior quality.
IN THIS NEWSLETTER

  • 🗒️✅ Your Security Checklist
  • 🏆🎖️ Test Your Security Skills
  • 📰 Your Weekly Security Update
  • 🤨 This Should Be on Your Radar 📡
  • 🙈 Security Fail of the Week 👎
  • 🍎📱 Security Updates from Apple 🍎
 
🗒️✅ Your Security Checklist

If you take nothing else from this newsletter, do these three things to protect yourself:

  1. Do not interact with scam texts. If you receive a text telling you that you have unpaid tolls or that your USPS package has been lost, these are scams.
  2. Hide sensitive apps on your iPhone. With iOS 18, you can now hide apps so that they don't show up in Siri Search or in the App Library.
  3. Stay private while browsing the web. The iCloud Private Relay feature prevents websites from tracking you and collecting your data.

In case you missed it, be sure to check out our free class on cybersecurity for Apple enthusiasts.

 
🏆🎖️ Test Your Security Skills

What should you do in the following scenario?

You receive a text message from an unknown number that says, "Is this still Tammy's number?" Assuming your name isn't Tammy, what should you do? 🤔

  A. Reply "Wrong number"
  B. Delete it
  C. Delete it and report it as spam

Scroll to the bottom to see how you did!


 
West Virginia Couple Scammed out of Life Savings

A West Virginian woman and her husband were scammed out of $255,000 while trying to purchase a new home. After finally finding their dream home, Raegan Bartlo and her husband received an email that appeared to come from their title company requesting a wire transfer. It wasn't until days later that the couple found out that the email was not from their title company after all, and they'd just been scammed out of their life savings. Moneywise has the full story.

Unfortunately, when it comes to wire transfers, you can't get your money back, since the funds go directly to the scammer. The only way to stay safe is by avoiding it altogether. The common ways of spotting fraudulent emails, such as checking the email address of the sender and keeping an eye out for spelling or grammatical errors, may not suffice in this case. Scammers know that realtors deal with large sums of money, so they try to hack the realtors' computers to create legitimate email addresses. Since most companies have many email addresses, one more may go unnoticed. Then the scammer waits until a deal is about to close, and sends just one email: the one asking for the wire transfer. Since it comes from a legitimate realtor email address, and may even be a reply to an existing email chain about buying the house, it can be extremely convincing.

The Bottom Line: If you must wire transfer money, first call the intended recipient at a number you trust (if the email provided a phone number, do NOT use that one) and make sure it's them, and that the transfer is expected and the routing numbers are correct. Make sure to talk to the person you would normally talk to in setting up the transfer. Be on the lookout for pressure tactics and false urgency.

Related: Check If an Email Is Valid on Your iPhone

 
🤨 This Should Be on Your Radar 📡

Beware of Zoom Remote Control

In any normal Zoom call, if somebody shares their screen, then you can click a button to request control over that person's computer. This can be super helpful if you're trying to do tech support, and also for hackers. A new report from a group called The Security Alliance details how crypto thieves have started using Zoom remote control to steal crypto. It's a straightforward scam: they message you pretending to be journalists or podcasters looking to interview you on some pretext, then they set up a Zoom call, and when you join, they ask you to share your screen. When they join the call, they name themselves "Zoom" so that when they click the button to ask you to share your screen, the prompt looks like it's coming from the app itself. Once they've got control of your computer this way, they start grabbing your crypto as quickly as they can.

The Bottom Line: If you're in a video call with someone and they take control of your computer, you can just quit Zoom. Be wary of anyone requesting to control your computer in a video call.

How Bad Is It When Foreign Hackers Can Turn Off the Power?

A Chinese diplomat acknowledged China's role in the hack of US critical infrastructure systems dubbed Volt Typhoon. The Volt Typhoon hacking campaign targeted utilities like water and power in the USA. Their intent has been widely interpreted as preparing capabilities to do things like turn off the water or power, to be used in case of some hypothetical future conflict, likely over Taiwan.

The Bottom Line: In general, hackers are only able to disrupt the computers of a network temporarily, and people are more resilient than computers. Even if hackers were able to disable your power grid, it would very likely not last much longer than a bad lightning storm. Of course, we don't want people doing that, so we should take steps to prevent it. One thing you can do to help prevent these kinds of hacks is update your home Wi-Fi router's firmware. Volt Typhoon and others like to compromise home Wi-Fi routers to use as proxies to help hide their efforts.

Whistleblower at NLRB Raises Concerns About Alleged Compromise by DOGE Employees

According to an official whistleblower disclosure first reported by NPR, employees at the Department of Government Efficiency (DOGE) allegedly used privileged access to the networks at the National Labor Relations Board (NLRB) to send large quantities of data off-site. They also allegedly disabled monitoring tools and deleted the logs of their activity, steps typical of adversarial hackers who have achieved access and need to cover their tracks. Brian Krebs has a neat and tidy rundown on the factual details of the case so far.

The Bottom Line: The data hosted by the NLRB can be sensitive, related to union organizing efforts and ongoing lawsuits. If you or your union has shared sensitive data with the NLRB, then consider taking steps to identify what has been shared and to mitigate any potential risks.


Database of All Cybersecurity Vulnerabilities Loses Funding

Every now and then, Apple releases a patch that fixes a few security vulnerabilities in its software. Those problems are discovered by independent researchers, security engineers at different companies, and sometimes just freelance bug hunters. Apple often pays a bounty to researchers who catch those vulnerabilities. With so many different organizations searching for vulnerabilities, it can be difficult to coordinate and standardize the efforts. Imagine trying to publish books in a world without any dictionaries. That's where the Common Vulnerabilities and Exposures (CVE) program comes in. The CVE database, which is administered by a nonprofit called MITRE, analyzes every bug report, writes up a quick description, assigns it a name and severity score, and archives it. It's like a dictionary for cybersecurity vulnerabilities. MITRE's main source of funding has historically been the US government, but now that customer has declined to continue the work contract. For the moment, the CVE database is being maintained by volunteers. Read more at KrebsOnSecurity.

The Bottom Line: The security of our devices depends on the international collaboration of countless security professionals and hobbyists.

Schools Fight Off Hordes of Fake Students

Higher education is facing a massive influx of a new kind of scam, where scammers create false identities using genAI tools, then use those false identities to try to apply for financial aid. The result is that admissions officers at universities and teachers in online courses must spend time identifying which students are real and which ones are personas created by scammers. Read more at Voice of San Diego.

The Bottom Line: When trying to determine if someone is a real person or the persona of a scammer, the best tool is to insist on a video call. While it is possible to use genAI to create video, doing so in real time is quite difficult. It's best to always insist on a video call with new contacts.

US Immigration and Customs Enforcement Builds Compound Database to Enable Tracking

404 Media reports that US Immigration and Customs Enforcement (ICE) has a new unified database combining information from multiple law enforcement and non-law enforcement agencies. The database is part of a new application capable of laying out records on a map updated in real time. It also allows the agency to designate targets for arrest, dispatch teams to make arrests, and record the reports made by those teams. This software already contains records gathered from the Social Security Administration; U.S. Citizenship and Immigration Services; Federal Bureau of Investigation; and the Bureau of Alcohol, Tobacco, and Firearms, but plans to soon also include information from Health and Human Services, Housing and Urban Development, Department of Labor, and more.

The Bottom Line: There are many small steps you can take to prevent your privacy being infringed by apps, services, and advertisers, but if your own government wants to track you, the only thing preventing them from doing that is that separate agencies do not normally talk to each other and trade information without a criminal investigation. Combining databases like this makes tracking much easier, and there is no way to opt out.

Defense Secretary Shares Attack Details in a Second Signal Chat

A few weeks back, we reported that US Secretary of Defense Pete Hegseth had shared details of an impending military operation using the Signal app, in a group chat created by Mike Waltz, who had accidentally invited an editor at The Atlantic to the chat. Now, it appears the Defense Secretary had allegedly also shared information about attack plans in a second Signal group chat, which included his wife, brother, and personal lawyer. Reuters has more details on the story.

The Bottom Line: This second chat makes it fairly clear that the improper use of Signal was not a one-off, but part of a pattern or strategy. The Signal app allows you to set your messages to be automatically deleted after a delay, which is a great feature for private communications.


Social App Discord Wants to Scan Users' Faces

Popular social app Discord has begun asking users in the UK and Australia to verify their ages with either a facial scan or their ID. These two countries recently passed laws requiring age verification from platforms like Discord, where one could encounter sensitive content. While age verification is not a new concept, handing over a scan of your face or ID to a private company is not the most secure way of going about it. After all, if Discord were to suffer a data breach, your ID or facial scan could end up in the wrong hands.

The Bottom Line: If you are a Discord user in the UK or Australia, we don't recommend complying with this age verification process. You won't be able to view sensitive content, but other than that, the app should work the same as it always does.

CISA to Lay Off One-Third of Its Workforce

Axios is reporting that the Cybersecurity and Infrastructure Security Agency (CISA) could be letting go of a third of its staff. As its name implies, the CISA is responsible for the US's cybersecurity and protects government infrastructure from hackers. The agency is also reportedly intending to cut many of its contractors who are responsible for hunting down vulnerabilities within government networks. Layoffs at this agency could have serious consequences for our nation's cybersecurity infrastructure.

FTC Report on Text Message Scams Says $470 Million Lost in 2024

Remember those unpaid toll scam texts we told you about? How about the missing USPS package texts? Turns out, enough people have fallen for those and a few other text scams to result in $470 million lost last year.

The Bottom Line: If you receive texts about unpaid tolls, USPS packages, job offers that seem too good to be true, or fraud alert texts, never interact with them. If you think they could be real, instead, reach out to the company or person you think the text is coming from using a phone number or website you know is legitimate. Otherwise, use the Report Junk button at the bottom of a text.

Chrome Extension Sold, Goes Malicious

A Google Chrome extension called "Browser Boost - Extra Tools For Chrome" was once used as a way to enhance your web browsing experience. However, at some point in the last few months, the creator of the extension appears to have sold it, and the new owner has modified it, turning it malicious.

The Bottom Line: This is a good reminder of one way that browser extensions can be dangerous. Even if you trust an extension today, there's no telling how the code could be modified tomorrow, and even if the extension is removed from the Chrome Web Store, it will still be installed on your device.

 
🙈 Security Fail of the Week 👎

Scammers Impersonating the Internet Crime Complaint Center

When you are subjected to an internet scam, you should report it to the FBI's Internet Crime Complaint Center (IC3). Now, the IC3 has issued a warning that scammers have begun impersonating the IC3! The scammers reach out through phone calls, emails, or even social media, presenting themselves as representatives of IC3 and offering to help potential victims of fraud recover their lost funds. A bit ironic that the agency used for reporting scams is being impersonated to scam unsuspecting people.

The Bottom Line: In the announcement linked above, the FBI offers tips to avoid becoming a victim of this new scam. The IC3 will not contact you directly. If you are contacted directly by the IC3, you are likely being targeted by scammers, in which case you can visit (the real) IC3.gov to report the incident.

 
🍎📱 Security Updates from Apple 🍎

Everything you need to know about Apple's latest software updates.

  • The most recent iOS and iPadOS is 18.4.1
  • The most recent macOS is 15.4.1
  • The most recent tvOS is 18.4.1
  • The most recent watchOS is 11.4.1
  • The most recent visionOS is 2.4.1
 
Security Skills Answer

If you said B. Delete it, then you're correct. Innocent-looking messages like this are a common ice-breaking method for scammers to begin developing a relationship with you that they will eventually try to monetize by asking for favors, money, or by offering investment advice. It's not a good idea to respond to these messages at all, because even if you only say "wrong number" (option A) and then ignore the rest of the texts, they have learned that your phone number is a working number. That said, there is always the outside chance that this is really from somebody who got the wrong number, so I'd recommend that you don't automatically report it as spam (option C).

 
Mission Statement

There is far too much security and privacy news to cover it all. When building this newsletter, we look for scams, hacks, trouble, and news to illustrate the kinds of problems Apple enthusiasts may encounter in our private lives, and the self defense we can practice to keep our devices, accounts, and lives secure. Our commentary focuses on practical advice for everyday people. This newsletter was written by Cullen Thomas and Rhett Intriago and edited by Sarah Kingsbury.

 
Copyright © 2024 Mango Life Media LLC. All Rights Reserved.
Mac, iPad, iPhone, Apple TV, Apple Watch, AirPods, macOS, iPadOS, iOS, watchOS, and Apple are all trademarks of Apple, Inc.