
(SeaPRwire) – By: Silas Sterling
Apple spends billions framing its product stack as impenetrable. Its ads show parents securing their kids’ iPhones with Activation Lock. Open-source security teams have warned for years about SMS spoofing flaws. But the company still pushes SMS as a valid second-factor verification tool. This commercial pilot’s experience blew that marketing spin straight out of the water.
The attack started on the afternoon of June 25, 2026, with a fake fraud alert text. It looked exactly like a real Apple Card alert. It used the same iMessage bubble and Apple logo as official messages. A caller spoofed the official Apple support line. When the victim asked for proof, the attacker read his full Social Security number and birthdate. That’s when he knew his identity was already stolen.
The attacker didn’t stop there. He added a new trusted phone number ending in 67 to the victim’s Apple ID. He removed the victim’s own number. Every card in Apple Wallet vanished in front of the victim’s eyes. He accessed over 100,000 family photographs, saved notes, and every password in the victim’s Apple keychain. The phone was marked lost and erased itself mid-flight to Honolulu. The victim couldn’t even leave the airport without his device. He used his laptop to WhatsApp his wife in Indianapolis, who ordered him an Uber to escape the terminal.
The victim went to the Honolulu Apple Store with his purchase receipts and IDs. The Genius Bar told him they couldn’t help. Apple’s support process requires the trusted phone number to recover an account. That’s the same number the attacker controlled. The company charges premium prices for its product lineup, but offers no lifeline when its own security locks users out. Open-source communities have called for end-to-end encrypted 2FA alternatives for years, but big tech has dragged its feet.
The thief drained thousands from the victim’s accounts via Walgreens, an Arco gas station, and a Staples location in Los Angeles. He sold the victim’s investments, accessed his PayPal, and filed two credit applications in his name. He scammed his wife in Indianapolis out of thousands of dollars after sending fake payment requests. He erased the victim’s smartwatch three days later, on June 28. He still opens crypto accounts in the victim’s name. Local police could only file a report. An FBI agent confirmed the scale of the spoofing ring, but there’s little chance of full recovery. The real failure isn’t just the attacker—it’s the tech firms that prioritize marketing hype over user security. Stop relying on SMS for your second-factor verification today.
Author bio: Silas Sterling, veteran kernel contributor and editor-in-chief of an open-source security digest focused on consumer platform vulnerabilities.