• Fake messages on Apple, Google, and Microsoft
• Targeting user data theft

The U.S. Cybersecurity Agency warns users of Google, Microsoft, and Apple services about a wave of sophisticated digital attacks targeting their accounts, recommending securing them by changing passwords, disabling SMS-based two-factor authentication, and using security keys.

The agency points out that attackers are now exploiting even official-looking messages and alerts from the three companies to deceive victims.

Apple confirms that the new attacks rely on “advanced methods to trick users into revealing personal information, such as login credentials or security codes.”

These methods surfaced last month when hackers triggered Apple’s automated security messages alongside a phone call claiming to be from the company’s support.

Google account users face the same threat; a Reddit user asked how an attacker could reach their phone via “Google security alerts.”

It appears that anyone can initiate a recovery process for any email account, which explains why these notifications appear and should be ignored if the user did not initiate them.

In recent incidents, these alerts were accompanied by a direct call from someone claiming to be from the “Google Security Team,” attempting to convince the victim to share the two-factor verification code, ultimately leading to account compromise.

Apple and Google emphasize a clear policy: if an unexpected or suspicious call claiming to be from the company is received, it must be terminated immediately, as these companies do not call users to request password resets or account problem fixes.

Unexpected security alerts should be ignored unless the user themselves initiated an account recovery, password change, or added a new device.

Users should refrain from sharing verification codes or interacting with any party contacting them simultaneously with these notifications, as this usually indicates a hacking attempt.