Security Friday: Tax Scams to Avoid, Retirement Accounts Hacked, and More…

Hi Readers, Cullen here. Have you already filed your taxes? I still need to do it. Tax season is a big opportunity for scammers, because scams depend on uncertainty and urgency, and everyone feels those things about filing their taxes.

View In Browser

This Newsletter Is Brought to You By:

Privacy & Security   April 11, 2025 Editor's Note Hi Readers, Cullen here. Have you already filed your taxes? I still need to do it. Tax season is a big opportunity for scammers, because scams depend on uncertainty and urgency, and everyone feels those things about filing their taxes. That's why we're highlighting an article outlining some of the season's top scams. Scroll down to catch it! Also, that unpaid toll scam is back. Do you have an interesting scam story? Email us at security@iphonelife.com. Cheers! Cullen Thomas, Senior Instructor at iPhone Life IN THIS NEWSLETTER 🗒️✅ Your Security Checklist 🏆🎖️ Test Your Security Skills 📰 Your Weekly Security Update 🤨 This Should Be on Your Radar 📡 🙈 Security Fail of the Week 👎 🍎📱 Security Updates from Apple 🍎   🗒️✅ Your Security Checklist If you take nothing else from this newsletter, do these three things to protect yourself: Use Hide My Email to keep your email address private. The Hide My Email feature creates a dummy email that automatically forwards messages to your primary address. Remove your location from photos before sharing them. Your photos can record the location in which they are shot, so it's a good idea to remove it before sharing them. Lock sensitive apps with Face ID. You can protect your privacy by requiring Face ID or your iPhone passcode to open specific apps, like a banking app or a healthcare app. In case you missed it, be sure to check out our free class on cybersecurity for Apple enthusiasts. In partnership with Surfshark Stop Malicious Code Before It Loads Don't you hate it when you click on an interesting article, but there are so many ads you can't even read it? We recommend a service called CleanWeb to block ads, trackers, and malware. It runs in the background on your device, stopping malicious code before it loads. You keep visiting your favorite sites — just with more privacy and a lot less clutter.     🏆🎖️ Test Your Security Skills What should you do in the following scenario? When creating a new account, which of these would it be better to use your real email address for, and not one generated by Hide My Email? 🤔 Your bank A new video streaming service Your grocery store Scroll to the bottom to see how you did!   Tax Season, Tax Scams In the US, Tax Day is April 15. Scammers are always looking for ways to follow the news and to find ways to trick people out of their money, and tax season provides both. The IRS has produced an article outlining the top 12 scams to watch out for this tax season. The Bottom Line: Don't take tax advice from social media. Use well-established tax preparation services if you are going to, and don't click links in text messages or emails with urgent-sounding alerts about your taxes. Instead, remember to file on time, and to use the familiar portal to log in to your preferred tax filing service. Two Years of Data Protection for 77% Off (sponsored)   🤨 This Should Be on Your Radar 📡 Hack Drains Retirement Accounts In Australia Four major managers of retirement accounts called superannuities were hit with cyber attacks last week. While the vast majority of account holders are safe, a small group of victims lost huge sums of money. Details are sparse in how the attack was perpetrated, or how it might have been prevented. See 7NEWS for more. The Bottom Line: While we don't know how this attack happened, it's always a good idea to use strong multifactor authentication on the accounts where you manage your investments, retirement funds, and bank accounts. Baltimore Hospital Worker Allegedly Installed Spyware on Coworkers Devices In a truly nasty episode, a pharmacist at the University of Maryland Medical Center allegedly hacked numerous devices at the hospital. A lawsuit, filed by the victims, details how they believe he used malware on hospital computers to capture their passwords, then used their passwords to gain access to their home networks for the purpose of recording video and images of coworkers in compromising and intimate activities at home. The victims learned of this when contacted by the FBI, which is conducting its own investigation. The Bottom Line: Do not reuse passwords. When installing cameras for security or baby monitoring in your home, make sure that they are secured with multifactor authentication, or better yet, that they are not accessible over the internet. If someone has physical access to a device, they can usually find a way to install malware on it, but using Mac computers with disk encryption and strong unique passwords can help. In partnership with Incogni Data Removal Just Got Personal As cyber threats and scams evolve, so must our tools to fight them. That's why Incogni is offering a brand new service: custom data removals. Any time you find yourself in a place online where you shouldn't be, you can submit that site to Incogni and they will get you off that site*. Get Incogni Unlimited and reclaim your privacy from anywhere that exposes you. *Exceptions include social media, government records, blogs, and forums.   It's Not an Unpaid Toll. It's a Scam Scam texts claiming we have an unpaid toll have been arriving on our phones since last year, but they're still coming, and maybe even in greater numbers than ever before, according to Bleeping Computer. Our staff writer based in Hawaii got one, and there aren't even toll roads in Hawaii. As we reported in April of 2024, these scams hope to trick you into thinking you've got an unpaid toll and logging in to their website. They'll take your login, and if you pay the fraudulent toll, they'll take your money. The Bottom Line: Tell your friends and family about this scam, and warn them not to trust text messages that claim you have an unpaid toll. Make sure they know to visit the real toll road website to check their account balance, and never click any link in an unsolicited text message. Small Win for Apple in Case Against UK Government You might remember back in February, Apple disabled Advanced Data Protection for users in the UK after the government demanded the company create a backdoor into encrypted user data. Apple has since taken legal action against the UK government, and, in a small win, the Investigatory Powers Tribunal has ruled that the legal proceedings of this case will be public rather than being held in secret. While this doesn't currently change anything about Advanced Data Protection or the UK government's order for a backdoor, it is a step in the right direction. Stop Malicious Code Before It Loads (sponsored) Malware Hiding Behind Fake reCAPTCHA Boxes Malwarebytes has come across a new strategy that is being used to deliver malware to Windows devices. This strategy works by making you think you're clicking a reCAPTCHA checkbox, which actually copies a line of code to your clipboard. The fake reCAPTCHA box will then instruct you to press the Windows Key and R Key, which opens the Run dialogue box, a tool in Windows that is used to run code. The instructions tell you to then press Ctrl + V (which pastes the code into the Run box) and hit enter. This, of course, will then run the malicious code and install malware onto your machine. Thankfully, this trick is currently only targeting Windows users, so if you use a Mac, there's not much to be worried about. Although, it would not be difficult for bad actors to adapt this strategy to the Mac, so it's important to stay vigilant. The Bottom Line: Whether you're a Windows or Mac user, do not listen to instructions that tell you to open programs and paste text into them. A legitimate reCAPTCHA box will never ask you to open a separate app to verify that you are not a bot. How to Detect and Remove an Android Spyware App For your friends with Android phones, Zack Whittaker at Tech Crunch has an excellent article detailing how a stalkerware app makes it hard for the victim to remove the app, and also how you can remove it safely. The mechanism that the app uses to prevent the victim from uninstalling it would not work on an iPhone. In partnership with NordVPN Two Years of Data Protection for 77% Off A VPN service is a crucial part of your online security toolkit and if you don't have one, now is the time to get one. Even smart devices can be a risk to your home network, and a VPN can protect you from hackers. Sign up for NordVPN and get 77% off in an exclusive iPhone Life deal!     🙈 Security Fail of the Week 👎 Dating Apps Stored Sensitive Images in Cloud Storage with No Password Cybersecurity researchers discovered an unsecured database on the web containing hundreds of thousands of images from four dating apps. The folder, which could be accessed by anyone with the link, included images from private messages and ones that moderators had blocked or removed, as well as those from public profiles and posted in comments. All four dating apps were made by the same company, M.A.D Mobile. The researchers notified the company in January, but the issue was not resolved until the researchers went to the press. The Bottom Line: First of all, maybe don't use any dating apps developed by M.A.D Mobile anymore. But always remember that images you post to social networks, including dating websites, are no longer under your control once they've been posted.   🍎📱 Security Updates from Apple 🍎 Everything you need to know about Apple's latest software updates. The most recent iOS and iPadOS is 18.4 The most recent macOS is 15.4 The most recent tvOS is 18.4 The most recent watchOS is 11.4 The most recent visionOS is 2.4 Data Removal Just Got Personal (sponsored)   Security Skills Answer The correct answer is A. Your bank. Your bank will already control access to your funds, and if you use a charge card or debit card, then they can track every purchase you make. The email address you give them should be one that you can protect with strong multifactor authentication and a unique password, so that you can recover access if you need to. B. a new streaming service, and A. your grocery store, may both collect data to profile you, but if you use an email generated by Hide My Email, information brokers may find it more difficult to correlate those activities behind the scenes.   Mission Statement There is far too much security and privacy news to cover it all. When building this newsletter, we look for scams, hacks, trouble, and news to illustrate the kinds of problems Apple enthusiasts may encounter in our private lives, and the self defense we can practice to keep our devices, accounts, and lives secure. Our commentary focuses on practical advice for everyday people. This newsletter was written by Cullen Thomas and Rhett Intriago and edited by Sarah Kingsbury.   Next Steps In case you missed it, be sure to check out our free class on cybersecurity for Apple enthusiasts. Want to protect your iPhone if it's ever lost or stolen? Check out: What Is Stolen Device Protection & Is It Better Than Find My? Stolen or Lost iPhone: Everything You Need to Do   Premium Content If you enjoyed this newsletter, you'll love all the security content available on iPhone Life Insider! This premium subscription includes: The complete iPhone Life Privacy & Security Course for Apple Enthusiasts and other free online courses taught by expert instructors In-depth guides on everything from security to iPhone photography to other Apple devices Daily, bite-sized video tips on topics ranging from iCloud security to password management A digital subscription to iPhone Life Magazine, where you'll find articles covering the best security gear, apps, and in-depth how-tos The monthly premium iPhone Life Security Newsletter covering everything you need to know to keep your digital life secure Access to the ad-free version of the iPhone Life Podcast and exclusive bonus content Expert help with all your most pressing Apple Watch questions in our private Ask an Expert Facebook Group Join the Insider community today and save 30 percent! Did we help with your security concerns? With your feedback, we can improve this security newsletter. Let us know how we did: 👍 Yes, this definitely helps me with my security 😐 Some of the content is helpful to me 👎 No, I didn't find this newsletter helpful