iPhone, iPad or Apple Account Security Compromised, now what?
This tip is a work in progress, and additional editing and updates are planned.
This tip started from this thread: Scam attempt on iPad - Apple Community
This tip focuses on Apple Account compromises, and how those might also further involve iPhone and iPad compromises.
If your Apple Account has been breached — whether through credential stuffing or phishing or otherwise — the iPhone or iPad or Mac data contents are at risk, but are probably not compromised, but the contents of iCloud aren’t secure. The Apple Account can remote-reset the iPhone and iPad and Mac gear, as well.
Malware on an iPhone or iPad device is quite rare and targeted based on all available evidence, but installing remote access apps is possible, and passwords can be compromised.
Unfortunately, if you did not have two-factor authentication enabled, then you may have completely and irrevocably lost control of the Apple Account. if you see an unknown phone number or unknown security questions associated with the Apple Account, the account is likely unrecoverable; no longer yours.
Using a Virtual Payment Card to Regain Control
One potential means of recovering access from an otherwise successful Apple Account takeover was described elsewhere in the forums by user nonayabusiness, and involves adding a new virtual payment card and then removing all other associated payment cards (which is apparently feasible without account security access), and then using that new payment card to regain account access.
This virtual payment card potentially then gets you to where you can reset the security questions and then the phone number and then enabling two-factor authentication, as well as resetting the security questions.
Ensure this virtual payment card used is only temporarily associated with the account while attempting to revert the takeover, and can be easily revoked, and has a low spending limit.
Check with your payment card provider for how to obtain a virtual payment card, with a low fixed spending limit. These payment cards can be used for kids’ accounts, for instance. You want this card able to be easily revoked, and to not permit spending much money.
Payment provider gift cards won’t work here.
Then add the payment card number to the account: Add a payment method to your Apple Account - Apple Support
Adding the card shouldn't need further authorization.
Then: If you forgot the answers to your Apple ID security questions - Apple Support
One of the available options for the reset should be providing information on an associated payment method.
General Guide
Straight financial scams are common, and those often (mostly? usually? likely?) don’t involve any device or credentials compromises.
Most of these phishing and romance scams and spear-phishing and arrested-your-relative scams work by getting the folks to the scammers’ website, or by directly authorizing remote access into the device via FaceTime or such, and obtaining the ability to transfer from the credentials there. Or by convincing the folks to authorize the financial transfer directly.
If you’re concerned that these folks might have authorized remote access into the iPhone or iPad, or otherwise left a backdoor on the iPhone or iPad or into the Apple Account here, your path will involve a factory reset, re-load just the apps needed and not a backup restore, and resetting all passwords. Remote access is either authorized each time with FaceTime, or similarly through some other added remote access or screen-sharing app. Remote access malware is very rare, and very expensive. DNS shenanigans are certainly possible too, but not at the top of my list of potential shenanigans.
Two-Factor Authentication
Two-factor authentication should be enabled here if not already. Two-factor authentication makes phishing more difficult. You will want to verify all trusted devices associated with the Apple Account should verified too, the trusted telephone numbers verified, and ensure the appropriate Recovery Contacts are enabled.
Once the Apple Account password is changed, and if you choose to be selective about which of your other potentially-compromised passwords are updated, the Passwords app (iOS 18, iPadOS 18, macOS 15, and later) contains a tool that automatically reviews a user’s passwords for compromises, and resolve any issues reported there.
Disable the automatic acceptance of Apple Cash payments to block that whole family of financial scams, too. (The scam: receiving an payment transfer from what will be a compromised payment card, and then requests or demands to return some or all of that transfer. That initial payment then gets clawed back by the payment card provider, and you lose anything you then transferred to the scammers.)
Set your iPhone to send unknown callers to voicemail, and mute unknown text message senders.
It’s also fairly common for folks to re-use their passwords and passcodes (and to also not use iCloud Keychain and the passwords app, or some other password manager), which then causes wider compromises when the re-used passwords is compromised on some website somewhere. See the Passwords app for details.
Specific Recovery Steps
What Apple suggests:
If you think your Apple Account has been compromised - Apple Support
Personal Safety User Guide - Apple Support
While you’re reviewing all of this, adding a Legacy Contact or two can be considered, as well as migrating to iCloud Photos, backups, and the usual and mundane device and data management considerations such as local or (far more likely) iCloud backups.
Related info: Better Securing Your Data, and Apple Account - Apple Community