Cybercriminals are employing a new tactic in their smishing (SMS phishing) campaigns: tricking Apple iMessage users into replying to texts, thereby disabling the platform’s built-in phishing protection.
iMessage automatically disables links in messages from unknown senders as a security measure. However, replying to such a message or adding the sender to your contacts list will enable these links.
Recent smishing attacks, such as those mimicking USPS shipping issues or unpaid road tolls, instruct recipients to reply with “Y” to enable a disabled link. This plays on the common user behavior of replying to texts to confirm appointments or opt out of services.
By replying, users inadvertently disable iMessage’s security for that specific text, potentially exposing themselves to malicious links and scams. Even if the user doesn’t click the enabled link, their response signals to attackers that they are susceptible to phishing attempts.
Security experts advise against replying to texts with disabled links from unknown senders. Instead, users should contact the purported sender directly to verify the message’s legitimacy.