“Your iPhone Has Been Hacked” is a fake web browser notification designed to trick users into installing dangerous software. In fact, it is a completely false statement that is designed to infuse fear and make the victim follow the scammers’ orders. In this post, I’ll explain why it’s a scam, how it works and give a couple of recommendations on how to avoid it.
“Your iPhone Has Been Hacked” Overview
“Your iPhone Has Been Hacked” is a deceptive online scam designed to manipulate users into believing their devices have been compromised. The scam relies on fear-mongering tactics, displaying alarming messages that falsely claim an iPhone has been hacked and is under surveillance by cybercriminals.
The website that displays the alarm pretends to be some sort of antivirus scan service. The background and displayed threats may differ from one case to another, yet the overall structure remains the same. It’s pretty common scheme, that continuously circulates on the internet. This makes me believe that the campaign is run by a more or less homogenous group of scammers.
In reality, no website can perform such an analysis, making these warnings completely fraudulent. The primary goal of this scam is to trick users into following the instructions issued by fraudsters. They typically lead to installing untrusted software, often disguised as security tools or system cleaners.
Such apps typically do nothing but send obscene amounts of notifications and ask the user to pay “to fix the issues/remove the viruses”. No malware is in fact present on the device, and all these notifications are nothing but attempts to scare the user.
How does it work?
The scam operates by leveraging malicious advertising networks and social engineering. When a user visits a webpage involved in this scheme, they are immediately presented with a pop-up message claiming their iPhone has been hacked.
The pop-up often urges immediate action, such as downloading a specific security tool or calling a fake support number. This psychological pressure tactic is designed to make emotional users act impulsively.
Once users close the pop-up, the scheme doesn’t stop. They may be redirected to additional fraudulent pages that promote fake antivirus software (for iPhone???), and other potentially unwanted applications (PUAs). If the user agrees and installs the app, it starts creating annoyances, bombarding users with intrusive ads and tracking their browsing habits.
Some types of unwanted software on iPhones take advantage of the device’s calendar system to flood users with intrusive event notifications. The app request access to the calendar under the guise of a useful feature, such as reminders or event planning. Once granted permission, it populates the calendar with numerous events that generate intrusive notifications. These notifications often contain ads, fake virus alerts, or prompts to click on suspicious links.
Another technique does not rely on traditional app installations but instead abuses iOS’s built-in calendar subscription feature. When a user interacts with a malicious website — often through pop-ups, or fake CAPTCHA — the site prompts an automatic subscription to a rogue calendar feed. This method does not require explicit user consent in the form of an installation or permission request.
Once subscribed, the user’s calendar fills up with numerous scheduled events, each containing misleading notifications. These events frequently include phishing links, fake security warnings, urging users to click on them. Because iOS treats these calendar events as legitimate, they persist even after being dismissed. Additionally, since calendar events support dynamic updates, new spam entries continuously appear as long as the malicious subscription remains active.
This technique is effective because it exploits user behavior rather than a direct software vulnerability. iOS allows users to add third-party calendar subscriptions without displaying prominent warnings, making it easy for attackers to abuse this feature.
How To Avoid This Scam?
As a rule, users often fall victim to this scam by visiting unreliable websites, clicking on deceptive advertisements. Intrusive online advertisements can also serve as a gateway to these scams. Many seem legitimate at first glance but redirect users to fraudulent websites that push unwanted software.
To avoid such scams, users should be cautious when encountering alarming security alerts online and remember that no website can detect malware or hacking activity on a device. Using an ad blocker and keeping software updated can help mitigate exposure to such threats.
If a user subscribes to such a calendar, he must manually unsubscribe from the rogue calendar under Settings > Calendar > Accounts and ensure they do not interact with any links within the spam notifications.
