
Phishing Apple Customers using Apple’s Own Automated Systems

In the middle of his fascinating piece ‘A Day in the Life of a Prolific Voice Phishing Crew’, Brian Krebs (Krebs On Security) writes about a victim getting scammed because the scammers successfully posed as Apple customer support:

In the first step of the attack, they peppered the target's Apple device with notifications from Apple by attempting to reset his password. Then a "Michael Keen" called him, spoofing Apple's phone number and saying they were with Apple's account recovery team.

The target told Michael that someone was trying to change his password, which Michael calmly explained they would investigate. Michael said he was going to send a prompt to the man's device, and proceeded to place a call to an automated line that answered as Apple support saying, "I'd like to send a consent notification to your Apple devices. Do I have permission to do that?"

The victim gives his permission. The scammers then call Apple’s customer support number while spoofing the victim’s phone number and use Apple’s automated system to trigger an alert on all the victim’s devices. The message that appears is legitimately “from Apple”:

In essence, the voice phishers are using an automated Apple phone support line to send notifications from Apple and to trick people into thinking they’re really talking with Apple.

I can understand why someone who is busy or distracted or just unaware of the potential for being scammed can fall for this. To be (somewhat) fair to Apple, the message says (emphasis added):

Would you like to confirm your Apple Account and allow Apple to access your device serial numbers to expedite your interaction? If you did not contact Apple, do not confirm this request.

with two buttons, “Confirm” and “Don’t Confirm”. A close reading suggests you should select Don’t Confirm, as you did not contact Apple (“Apple” contacted you), but most people will either misread—or not read—the full dialog, relying on the logical progression of:

  1. I’m talking to someone who says they’re from Apple;
  2. They say they’ll send me a confirmation;
  3. Here’s a confirmation request on my devices.

As Krebs writes of this particular victim:

[…] this technique fooled the target, who felt completely at ease that he was talking to Apple after receiving the support prompt on his iPhone.

“Okay, so this really is Apple,” the man said after receiving the alert from Apple. “Yeah, that’s definitely not me trying to reset my password.”

So a few reminders:

  • If you get a call from someone claiming to be from some company’s customer service, don’t provide them any information. End the call and call the company’s published customer service line directly. (A simple “I’m sorry, I’m in the middle of something and can’t talk right now. Let me call you back in 10 minutes” will get them off the line quickly.)
  • Don’t approve notifications on your device without reading and understanding what you’re approving. If you did not do something that would trigger a notification, assume it’s an attempt at phishing.
  • Never enter passwords or confirmation codes on a website you can’t verify is real. Using a password manager helps here because it only offers saved credentials on the sites they were saved for: “apple.com” or “support.apple.com”, for instance, and not “p1234-apple[.]com”.
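
As an added illustration of that last point (example code written for this post, not taken from any real password manager; the vault contents and the username are constructed), here is the site-matching decision a password manager makes before it will offer a saved credential, showing why the lookalike domains above get nothing:

```python
from urllib.parse import urlsplit

# Constructed sample vault: hostname the credential was saved on -> username.
# Illustration only; not any real password manager's storage format.
VAULT = {
    "apple.com": "me@example.com",
    "support.apple.com": "me@example.com",
}


def page_host(url: str):
    """Return the lowercase hostname of the page, or None if it is not HTTPS."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    # urlsplit already discards any "user@" prefix, so "https://apple.com@evil.example"
    # yields "evil.example", not "apple.com".
    return parts.hostname.lower().rstrip(".")


def same_site(page: str, saved: str) -> bool:
    """True only when page is the saved host or a subdomain of it.

    The comparison is made on a label boundary ("." + saved), so
    "p1234-apple.com" and "apple.com.evil.example" do not match "apple.com".
    """
    return page == saved or page.endswith("." + saved)


def credential_for(url: str, vault=VAULT):
    """The autofill decision: username to offer on this page, or None."""
    host = page_host(url)
    if host is None:
        return None
    for saved, user in vault.items():
        if same_site(host, saved):
            return user
    return None


if __name__ == "__main__":
    for u in ("https://support.apple.com/account", "https://p1234-apple.com/login"):
        print(u, "->", credential_for(u))
```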

Specific to Apple, it’s worth reading their support document “What to expect when in contact with Apple Support.”
An aside: I was very amused to read the scammers using the classic customer support phrase “go ahead and” (as in “go ahead and click OK”). It’s a phrase I’ve tried to excise from my lexicon (and from that of the support teams I’ve led), but having used it for 30-something years, it sometimes slips in uninvited. It’s practically a customer support shibboleth: If you don’t use it, are you really in customer support?
