General Discussion
Related: Editorials & Other Articles, Issue Forums, Alliance Forums, Region ForumsHow a Stranger Used One Text Message to Steal My Entire Digital Life -- Time
https://time.com/article/2026/07/07/how-a-stranger-used-one-text-message-to-steal-my-entire-digital-life/by Ryan Pettit
Ryan Pettit is a Hawai'i-based commercial airline pilot with a background in information technology.
For most of us, the honest answer is one. One account sits beneath the others: an Apple ID, a Google login, a phone number that every "forgot password" link routes back to. We would never accept this design anywhere else.
I'm a pilot. No aircraft I have ever flown is permitted a single point of failure: every critical system carries a backup, and often a backup for the backup, so that no single fault can bring the plane down. Redundancy is the first principle of any system that cannot be allowed to fail. And yet millions of people carry their entire financial and personal identity on exactly one such lock, and think nothing of it.
On the afternoon of June 25, 2026, I learned what happens when the lock turns in a stranger's hand. It began, as these things now do, with a text message. It looked entirely official: a fraud alert about a possible unauthorized charge on my Goldman Sachs Apple Card, the credit card tied to my Apple ID. The message asked only that I reply "yes" or "no" to confirm the transaction. This is a routine, familiar request, the kind your bank sends all the time. I replied no.
A few minutes later, my phone rang. The number, the FBI would later confirm, belonged to the genuine Apple Card support line. It had been spoofed so precisely that the messages accompanying the call arrived in the same gray bubbles, with the same Apple logo, that only real Apple support uses in iMessage. Everything my eyes could check told me this was Apple. The man on the line said he was going to send a code to verify my identity, and that I should read it back to him. It is a request that feels routine in the moment, though I now know that no legitimate institution should ever make it.
. . .
hauckeye
(816 posts)LeftInTX
(35,223 posts)It's much harder to verify phishing emails on my phone. One time, I clicked a link. It asked for a password to login. I'm like, "Why are they asking for a password? Why do I need to login? I'm already logged in". So I didn't give it. Crisis averted.
The message was from Facebook, saying they were gonna remove my business page for some reason. Once they had my password, who knows what they could have done.
When I got on my computer, I could see that messsage actually came from sketchy email address/account. I could not "see" that on my phone.
This guy was traveling. He's vulnerable, he's trying to multi-task and get on a plane. He doesn't have time to verifty this or that....
I get those scam texts also.
UpInArms
(55,715 posts)I think I am too stupid to have a single device that knows everything about me
I am sprawled all over the house ... an ipad ... a cellphone ... a laptop running windows 7
there is not one place that has all my passwords except a book that I cut out the interior to form a box where I keep all my stuff written down
PatSeg
(54,255 posts)And it works?
reACTIONary
(7,480 posts)FoxNewsSucks
(12,034 posts)I use it to store and organize my digital videos. It's connected to the "guest" wifi, and I don't use it for anything else. But it does work just fine and from time to time still gets an update.
PatSeg
(54,255 posts)Very interesting, especially considering all the urgent messages over the years warning people to update their operating systems by a certain date because updates would not longer be available.
erronis
(25,208 posts)They aren't trying to take over your machine, PC, Mac, laptop, phone. They want access to your authentication tokens (login, password, multi-factor text message, etc.) and from there they can start to raid your online accounts. They usually already have enough information on you personally (name, address, phone#s, emails, sometimes SSN) so just a little more info from you directly can help them close the loops.
Ms. Toad
(38,979 posts)I am amazed at how many people treat inbound calls and texts as legitimate. If I didn't initiate it, there is no way I am providing any information.
I am also amazed at how many credit card companies use unsolicited class to confirm suspected fraud. I have had my credit cards shut off because I refuse to confirm (or deny) recent purchases when they call me our of the blue. It is ridiculous to expect a response to particularized financial questions asked in an unsolicited call. I tell them that, hang up, call the number on the back of the cad - and if it was a legitimate call, I read them the riot act for using a business model that counts on me being fiscally irresponsible.
AZJonnie
(4,285 posts)And it appears legit and says "Did you just spend $857.38 at Far Flung Trading Company" and you know you did, like 10 seconds earlier, and the purchase was declined, and it makes sense this might trigger the credit card company to flag the purchase (as in this case), you refuse to reply to it, on the premise that it would be fiscally irresponsible to do so? I'm trying to reckon "how so"? Even if it was fake, what is the risk? Not saying you're wrong about it, I'm trying to see if there's something I've missed/not thought about?
About a year ago someone leveraged my Playstation Plus account to buy a bunch of games totaling over $300 and I got a fraud alert and said "No, I did not" and it was all legit (someone really had gotten hold of my password or some such), and soon after got my money (which IIRC was only on hold, not actually charged IIRC) back.
I guess what I mean is apart from the fact you'd be letting a marketer know that this phone number links to a real person, what is the 'exposure' involved in simply affirming or denying a purchase in an amount at a place? What am I missing?
paleotn
(23,261 posts)No call back to the number that left the message. No response to a text. I just call the fraud line directly during their operating hours and they take care of it from there.
It seems with all the seamlessness of one google sign in or Apple ID, both have created a single point of failure. Get that info, which apparently isn't hard to do, and they've got the keys to the literal kingdom. My credit union short circuits all that. Plus asks me about 50 questions my better half doesn't even know all the answers to.
Randomthought
(1,098 posts)Never call number in text or email. Look up the number of bank orcrdit card company yourself.
erronis
(25,208 posts)Ms. Toad
(38,979 posts)Any unsolicited call about financial information. Should be declined. Flip your card over and call the number in the back of the card. Anything that can be resolved by phone you can resolve with a call you initiate.
That way you know you are speaking with someone you have agreed to have a financial relationship with - not someone who randomly got some information about you and is seeking more, in order to perpetrate a fraud.
I don't know the details of everything that can go wrong, but phone numbers and credit cards can both be skimmed, so confirming that whoever is calling has reached a person who is connected to a specific active credit card at a specific phone number helps them build a financial profile connected to you. The more information they have, the easier it is to effectively perpetrate a fraud.
And most of the credit card calls are, unfortunately, legitimate - so they are training people to give, or confirm, financial information to unknown, unsolicited callers. The only way for you to confirm who you are talking to, is for you to initiate the call.
AZJonnie
(4,285 posts)"confirming that whoever is calling has reached a person who is connected to a specific active credit card at a specific phone number helps them build a financial profile connected to you"
In the specific case I described (which is by far the most common instance in which I receive fraud alerts regarding accounts I know are actually mine), the (possible) fraudsters are calling/texting you regarding a credit card purchase you know you actually attempted to make. Which means they *already know* that the phone number and credit card are linked. Therefore, somebody replying 'yes, I attempted to make this purchase' doesn't tell them anything more than what they already know, except that, at least at times, someone or something will reply from this particular phone number. It does not establish that they've reached a person who is connected to the card.
I guess what I'm saying is I absolutely get the logic of not responding to fraud alerts where you know you did NOT make/attempt to make a purchase (obviously especially true when you don't even have such an account). But if you are trying to make a purchase, the merchant says it was declined, and 10 seconds later you get a text that seems to be from your bank saying "did you attempt to make this purchase" and it's the correct card, amount and place you are at, I cannot grok the risk in replying "yes", in order to allow your purchase to go through, and avoid the hassle of your card being shut off.
Though I concede I may be inclined to justify taking an action that I myself do on the regular
Ms. Toad
(38,979 posts)When they grabbed your number and ask them the exact same question about **your** last credit card charge?
They would have been suspicious, and hung up. When you answer their question, you are connecting your number to **your** card, and not one that belonged to one of the other numbers they skimmed.
AZJonnie
(4,285 posts)The one thing that IS secure is that sort of stuff, these hackers can't override credit card terminals. Also, you've switched to talking phone calls, I'm talking about the specific case of texting back 'yes I am making this purchase' when my bank texts and I know the card was just declined. This is really not a fakeable scenario that I'm able to see. You're right there a LOT that are, esp. when it's out of the blue and/or it's not even a real account of yours. This is one case that's really not, as best I can tell.
But of course as you say, some may prefer to not chance it and don't mind restarting a card. Nothing wrong with that
Ms. Toad
(38,979 posts)Or, depending on the technology used, a third party may have installed a card skimmer on the terminal you used, as was popular a free years ago with ATM machines.
And whether it was a vibe call or a text, the risks are the same. The initial contact with the victim in the article was a text.
Ironically, here is one of the main offenders (Chase) identifying unsolicited calls as suspicious activity:
Scammers rely on fear, urgency, and the promise of a quick solution to bypass your better judgement. Recognizing the red flags that mark potential bank impersonation scams is one of the best ways to help protect yourself. Here are some examples of suspicious activity:
Unsolicited contact: If you get an unsolicited call or text from your bank regarding an urgent issue, treat it with caution, you can always hang up and call back using the contact info found on the back of your card or account statement.
Your last comment contradicts the scenario you set up. In your scenario, your card is already declined. So whether you respond to the questions of the unsolicited caller or call the number on the back of the phone the card needs to be restarted. Why would you choose to provide information to someone whose identity you don't know when it takes so little to hang up to ensure you are actually speaking with someone associated with your card.
Bottom line, it is just a stupid risk to take to provide any information in response to an unsolicited call or text (or email, for that matter). Do some searching. You'll find everything I have suggested above being used as part of financial fraud. Ignore it at your own peril.
BWdem4life
(3,179 posts)Thats exactly how it started, with a simple no reply to a text asking to verify a credit card purchase.
Progressive dog
(7,662 posts)I never reply to that kind of a text message or e-mail. I will check my account only by logging in online. I still worry.
Cha
(321,820 posts)I always used Google to check if those official-looking texts from ATT and a lot of the other companies were real, and they always said No.
Now I just Report and Delete them So many scam artists out there.
I can see why he thought it was real, though. TY for this Pilot's harrowing cautionary tale, erronis. It's even more harrowing at the link
Sigh.. All that technology was making me dizzy. I kept hoping somehow the Police or FBI could catch the thief!
erronis
(25,208 posts)waiting to take over if one gets caught.
Have you seen to pictures of the boiler-room operations where hundreds of people are on the phone simultaneously trying to scam people around the world? I've read that many of the scammers themselves are essentially slaves. The masters are of the thiel/trump/epstein class.
Bev54
(13,575 posts)But I have never put my credit card on it. Never will
PatSeg
(54,255 posts)We don't want any unnecessary aps on them, as we feel they are too vulnerable. Honestly, we'd like to go back to dumb phones and just use them for phone calls and text messages. It is interesting to see that is a relatively common trend these days.
I have a PC and a laptop. I don't need more access than that.
BeneteauBum
(1,021 posts)If I get a phone call, I just ask that the paperwork be sent to my PO Box. I dont furnish any information
..my standard replies are: why do you ask and isnt that in the file? Same with email. I have yet to received any written communication from scammers
and to date havent had any theft issues.
All my user names and passwords are genus/species names of my favorite fauna interspersed with notable dates
most over 30 characters long but easy to remember. Example: 19(genus name of golden goddess nudibranch)74(species name for the golden goddess)01. This is recorded as 197401goldengoddess in a notebook in case I need to a reminder. 19Hypseloldoris74edenticulata01
not an active password. Let the hackers figure that out.
Peace ☮️
BunnyMcGee
(493 posts)Makes my head and gut hurt a little too thinking of a few times I fortunately did not respond and then blocked the number.
dalton99a
(96,588 posts)JoseBalow
(10,004 posts)xuplate
(275 posts)These scams are getting very, very sophisticated. A different experience I had was with a scam that identified purchases on my Citibank card, processed through ApplePay, as being made in person in Brazil while I was physically visiting Boston. I had incidences of unauthorized card use that occurred while on 3 separate trips to Boston. On reflection I think they were related to wireless card theft. I now have an RFID blocking card next to my credit cards in my wallet and havent had any reoccurrences. I asked the Citibank fraud representative if they really work and he said yes.
Sector 001
(440 posts)It affected all Apple products that received an I message. No clicks involved.
marble falls
(73,717 posts)Dem_in_Nebr.
(385 posts)The latest one involved a supposed scam by an (unidentified) company that they claimed, had been overcharging its customers, They were trying to reach me because I had been identified as a legitimate claimant.
Fortunately, I just let all unidentified calls go to voice mail but they were trying to reach on email as well. These were in my scam email folder.
It's a bit scary to have them try to reach me by two means of communication.
hlthe2b
(115,462 posts)went to the regional FBI office--who were not helpful. Maybe if I had DJT levels of (stolen/grifted) $$$$. that said, I did manage to get a report out of them for future "protection" and validation. They were interested from the standpoint of the DEA (as mentioned below) but not from my own data compromise and stolen funds.
I still have trouble talking about it because unlike this article, it was not clearly my own single preventable mistake but a unfortunate combination of factors. I was doing a favor covering for a colleague at his clinic and his wifi was inadequately protected but likewise being targeted for DEA numbers--apparently in a planned drug theft ring. But, while they were in his wifi, well... my own cell was connected temporarily to let me access some clinically-relevant, but more general information. It had never occurred to me that his wifi would not be super secured, but... Today, there are readily available VPNs and far more comprehensive security software for cell phones, which I have since acquired and use religiously. But, even three years ago? Not so much.
Well, it is still painful and I will likely never be fully "whole" from the incident--on any level.
So, be careful folks. This article is useful, but do some additional reading too.
erronis
(25,208 posts)That way you just have the phone automatically bring up a VPN when it starts up and doesn't drop it.
I won't recommend a particular VPN and I'm also getting a bit paranoid about them also. Also, some banks and other commerce sites don't like connections that come from a known VPN endpoint, but the VPN can be turned off temporarily during that interaction.
hlthe2b
(115,462 posts)Permanut
(8,782 posts)NeoTrajan
(107 posts)The rule:
No matter WHO sends you a message, by email, by text, facebook/twitter message, or by phone call (especially by phone call)
NEVER click any links
ALWAYS look up the actual, legitimate contact numbers on the actual, legitimate website, and contact your bank/financial org ONLY through those legitimate numbers, period .... NEVER follow the message directions, don't press Y or N or 1,2,3 etc ... Don't use ANY of their information to make contact .... Only the contact numbers YOU provide yourself
Tell the real bank you think you are being scammed, and that you have NO intention of moving any money or changing your PW (yet)
Ask the real bank if there are problems with any of your accounts
I also mentioned hanging up on calls from your legitimate bank, for the same reasons in this story: Even though it's from your bank, it's possibly a part of the scam ... Don't feel obligated to stay on the line: hang up and call the real bank - They won't be mad at you
Following through with those directions completes the scam, and allows them to take over your account, so, just hang up, and call directly to your bank using your own info
BTW, they can target other accounts: Utilities, Streaming channels, ANYWHERE you keep card info
The same rule applies: NEVER do anything by message or by receiving a call, even from those legit orgs: hang up and call directly after finding the real numbers ... You can apologize for hanging up when you call them back
Assume every message is a scam, and act accordingly
erronis
(25,208 posts)Tree Lady
(13,466 posts)Who is not as techie as me. He starts to believe some of them, I said delete everything that comes or show me. I do all of our bills.
No reason anything should be sent to him since I give my number for bills but they still do.
marble falls
(73,717 posts)GoodRaisin
(11,229 posts)1. Answer the phone for anyone not in my contact list. 99% + of unknown callers are scammers. No need to open that door and invite them in to steal from me.
2. Click on links in emails or text messages.
3. Answer the door when unexpected callers ring my doorbell.
4. Put my credit card on my phone or any device. It stays in my RFID blocking wallet.
5. Put my IRA password on my phone or any device. It is safely hidden in my home.
I do check my bank and credit card account for unknown charges frequently. I also check my credit report frequently to make sure no new accounts have been set up in my name. If someone does manage to steal my information and start stealing from me, I will be on top of it fast. So far I have avoided identity theft, not that the thieves havent tried.
AZJonnie
(4,285 posts)"The number, the FBI would later confirm, belonged to the genuine Apple Card support line. It had been spoofed so precisely that the messages accompanying the call arrived in the same gray bubbles, with the same Apple logo, that only real Apple support uses in iMessage."
The terms ("belonged to the genuine" and "only real Apple support uses" ) and "spoofed" are mutually exclusive.
Honestly this article could do a lot better job explaining which action he took caused which problem. Because taking this at face value, it implies literally any text you ever reply to, or any phone call you pick up, puts you in danger of your Apple ID instantly being compromised, and along with it, your SSN. The fact that any of this had anything to do with any supposed fraud alert seems coincidental, and I'm left wondering if the fraudsters could've done the exact same stuff w/o ever calling or texting. I think an important part of the interaction during the texts and phone calls is actually omitted here, perhaps at the request of Apple's lawyers as it could involve a vector they don't want to become known.
erronis
(25,208 posts)And since this pilot is also tech savvy you'd think it would have been included.
Abolishinist
(3,132 posts)is that the number that appeared on his phone was a legitimate number for Apple. I've had this happen on the landline at the office, where it appears the police department or whomever is calling because the number that shows IS their number. Somehow the scammers are able to do this. Add to this the logos or whatever else that showed were familiar to him.
And the following at first did not makes sense either, having him repeat the number. Like, if they knew the number, why have him repeat it, right? But here's the thing, they did NOT know the number, the number was the final piece of what they needed. They had enough info to attempt to get into his account, but they couldn't get by the verification process.
So they started the login, Apple then sent the number to his phone, which when given to the scammers allowed them to enter it and take over.
At least that's my take on it.
LtTx
(109 posts)Luckily about 3 or 4 hours later I started having doubts.. Called and cancelled 31k worth of charges. Pay Pal was also involved. We notified them also 3 hours later. They dismissed our claim outright but the credit cards did not, so PayPal is left holding the bag. Mine involved a Fidelity account and they spoofed Fidelity's number. We reported it to the FBI line and our local sheriff office. Everything looked so legit.