This Week in Scams: New Alerts for iPhone and Android Users and a Major Google Crackdown

McAfee

Nov 14, 2025

7 MIN READ

Welcome back to another This Week in Scams.

This week, have attacks that take over Androids and iPhones, plus news that Google has gone on the offensive against phishing websites.

First up, a heads-up for iPhone owners.

The “We found your iPhone” scam

In the hands of a scammer, “Find My” can quickly turn into “Scam Me.”

Switzerland’s National Cyber Security Center (NCSC) shared word this week of a new scam that turns the otherwise helpful “Find My” iOS feature into an avenue of attack.

Now, the thought of losing your phone, along with all the important and precious things you have on it, is enough to give you goosebumps. Luckily, the “Find My” can help you track it down and even post a personalized message on the lock screen to help with its return. And that’s where the scam kicks in.

From the NCSC:

When a device is marked as lost, the owner can display a message on the lock screen containing contact details, such as a phone number or email address. This can be very helpful if the finder is honest – but in dishonest hands, the same information can be used to launch a targeted phishing attack.

With that, scammers send a targeted phishing text, as seen in the sample provided by the NCSC below …

A smartphone screenshot showing a fraudulent text message claiming a lost iPhone 14 has been located and instructing the recipient to click a link. A large red diagonal stamp reading “Betrug / Fraud” overlays the message, indicating it is a scam. — Source: NCSC, Switzerland

What do the scammers want once you tap that link? They request your Apple ID and password, which effectively hands your phone over to them—along with everything on it and everything else that’s associated with your Apple ID.

It’s a scam you can easily avoid. So even if you’re still stuck with a lost phone that’s likely in the hands of a scammer the point of consolation is that, without your ID, the phone is useless to them.

Here’s what the NCSC suggests:

Ignore such messages. The most important rule is Apple will never contact you by text message or email to inform you that a lost device has been found.

Never click on links in unsolicited messages or enter your Apple ID credentials on a linked website.

If you lose your device, act immediately. Enable Lost Mode straight away via the Find My app on another device or at iCloud.com/find. This will lock the device.

Be careful about which contact details you show on your lost device’s lock screen. For example, use a dedicated email address created specifically for this purpose. Never remove the device from your Apple account, as this would disable the Activation Lock.

Make sure your SIM card is protected with a PIN. This simple yet effective measure prevents criminals from gaining access to your phone number.

Android phone takeover scam

Now, a different attack aimed at Android owners …

A story shared on Fox this week breaks down how a combination of paid search ads, remote access tools, and social engineering have led to hijacked Android phones.

It starts with a search, where an Android owner looks up a bank, a tech support company, or what have you. Instead of getting a legitimate result, they get a link to a bogus site via paid search results that appear above organic search results. The link, and the page it takes them to, look quite convincing, given the ease with which scammers can spin up ads and sites today. (More on that next.)

Once there, they call a support number and get connected to a phony agent. The agent convinces the victim to download an app that will help the “agent” solve their issue with their account or phone. In fact, the app is a remote access tool that gives control of the phone, and everything on it, to the scammer. That means they can steal passwords, send messages to friends, family, or anyone at all, and even go so far as to lock you out.

Basically, this scam hands over one of your most precious possessions to a scammer.

Here’s how you can avoid that:

Skip paid search results for extra security. That’s particularly true when contacting your bank or other companies you’re doing business with. Look for their official website in the organic search results below paid ads. Better yet, contact places like your bank or credit card company by calling the number on the back of your card.

Get a scam detector. A combination of our Scam Detector and Web Protection can call out sketchy links, like the bogus paid links here. They’ll even block malicious sites if you accidentally tap a bad link.

Never download apps from third-party sites outside of the Google Play Store. Google has checks in place to spot malicious apps in its store.

Lastly, never give anyone access to your phone. No bank rep needs it. So if someone on a call asks you to download an app like TeamViewer, AnyDesk, or AirDroid, it’s a scam. Hang up.

Beyond that, you can protect yourself further by installing an app like our McAfee Security: Antivirus VPN. You can pick it up in the Google Play store, which also includes our Scam Detector and Identity Monitoring. You can also get it as part of your McAfee+ protection.

Google takes aim at phishing scams with a lawsuit against an alleged criminal organization

Just Wednesday, Google took a first step toward making the internet safer from bogus sites, per a story filed by National Public Radio.

A lawsuit alleges that a China-based company called “Lighthouse” runs a “Phishing-as-a-Service” operation that outfits scammers with quick and easy tools and templates for creating convincing-looking websites. According to Google’s general counsel, these sites could “compromise between 12.7 and 115 million credit cards in the U.S. alone.”

The suit was filed in the U.S. District Court in the Southern District of New York, which, of course, has no jurisdiction over a China-based company. The aim, per Google’s counsel, is deterrence. From the article:

“It allows us a legal basis on which to go to other platforms and services and ask for their assistance in taking down different components of this particular illegal infrastructure,” she said, without naming which platforms or services Google might focus on. “Even if we can’t get to the individuals, the idea is to deter the overall infrastructure in some cases.”

We’ll keep an eye on this case as it progresses. And in the meantime, it’s a good reminder to get Scam Detector and Web Protection on all your devices so you don’t get hoodwinked by these increasingly convincing-looking scam sites.

Again, scammers can roll them out so quickly and easily today.