Siri Makes Phishing ‘Mind-Bogglingly Simple’ Say Security Researchers

A cybersecurity company has demonstrated how Apple’s Siri AI assistant can be exploited by scammers to assist with phishing attempts.

According to a new report from Fortune, a cybersecurity startup, Wandera, explains how Siri can be used by phishers and scammers to bait unsuspecting users. The method relies on how Siri tries to identify unknown contacts, though the bait is easy to discover if you pay close attention to the details.

Firstly, the attacker will send someone a spoofed email from an impersonated account which must contain a phone number. If the receiver of the email ends up replying to that email, even if it is an automatic out-of-office reply, Siri will start identifying the sender of the email with that name.

“There are two ways to pull off this social engineering trick,” reads the report. “The first involves an attacker sending someone a spoofed email from a fake or impersonated account, like ‘Acme Financial.’ This note must include a phone number; say, in the signature of the email. If the target responds—even with an automatic, out-of-office reply—then that contact should appear as “Maybe: Acme Financial” whenever the fraudster texts or calls next.”

The second way is via text messaging. “If an unknown entity identifies itself as Some Proper Noun in an iMessage, then the iPhone’s suggested contacts feature should show the entity as ‘Maybe: [Whoever],'” the report continues. “Attackers can use this disguise to their advantage when phishing for sensitive information. The next step involves either calling a target to supposedly ‘confirm account details’ or sending along a phishing link. If a victim takes the bait, the swindler is in.”

Apple has apparently been notified of the vulnerability, according to the security researchers, but the Cupertino company does not see it as a “security flaw” but rather a software bug that needs to be fixed.

If you want to protect yourself against such attacks, there is an easy solution: turn off the suggestions for contacts. That makes Siri a little less smart, but if you believe yourself to be gullible, you can potentially save yourself a lot of trouble.