A new year is here, but cybercriminals continue to use familiar tactics, now targeting iPhone users. Reports from Bleeping Computer indicate a surge in phishing attempts aimed at these users, luring them into disabling their device’s built-in security features and clicking on harmful links.
Many of these scams employ deceptive text messages that appear to be from fake delivery agents, masquerading as notifications from the U.S. Postal Service (USPS). Recently, two contributors from Digital Trends experienced such fraudulent messages in North America.

Similar strategies have been reported in various regions, including India, where scammers are posing as DHL or FedEx representatives.
Anyone curious about ‘kathlyn afaf’? They appear to be running a Royal Mail scam via iMessage. The associated email address has come to light… pic.twitter.com/jr5yPGaA3O
— Sanny Rudravajhala (@Sanny_Rudra) January 11, 2024
From insights shared on social platforms, it seems this tactic has been in play for at least the last couple of years. If you examine the messages more closely, you’ll notice a consistent theme:
“Please reply with Y, then exit the message and reopen it to activate the link, or copy the link into your Safari browser.”

This strategy recurs with minor variations in wording. The prompt to reply with a “Y” may seem innocuous, but it cleverly serves to disable iPhone’s phishing protection mechanisms.
Apple’s iMessage incorporates protective measures that automatically block links from unknown senders. Users can only access those links if they add the sender to their contacts or reply to their message.

By responding to these fraudulent messages as instructed, users inadvertently mark the scammer as a “known” contact, making the harmful link clickable. When clicked, it may lead to a website requesting sensitive information, such as credit card details.
Tips to Avoid Falling for the Scam

If you receive a message from a supposed delivery service, do not reply or click any links. Always verify the sender’s name or number. Look for spelling mistakes or personal numbers (including iCloud addresses)—these are telltale signs of deception.
Be mindful of the country code as well; if the message originates from a foreign number, steer clear. For any mail-related inquiries, always check the delivery status or contact customer service using information from the official website.
For any unknown messages, the iMessage app provides an option to report junk at the bottom, followed by a delete option. Keep in mind, once you reply, you will not be able to report it.
@IndiaPostOffice I got this message today and suspect it’s a scam requesting 25 rs directly via iMessage. Just want to confirm with the officials. @Cyberdost pic.twitter.com/4FXX7UZMjT
— Vikash Gathala (@vikashgathala) May 30, 2024
If the message hasn’t been opened, simply swipe left, tap the red trash can icon, and select Delete and Report Junk. For added security, consider blocking the sender as well.
The Cybersecurity and Infrastructure Security Agency (CISA) recently released a detailed advisory aiming to help users protect their devices from various cyber threats. We’ve summarized key takeaways for everyday smartphone users to promote safer digital practices this year.