Did I receive a fake “Find My iPhone” SMS through Apple’s official messaging channel?

Hi everyone,


I recently experienced something very strange and concerning. I received an SMS message that appeared to come from the same trusted channel Apple normally uses to send verification codes and OTPs. The message said my lost iPhone was located and included a link to view the location.


Surprisingly, when I opened the link, it didn’t lead to a suspicious or clearly fake page. Instead, it showed a location map — which made it look even more legitimate and convincing. That’s what made me fall for it.


Unfortunately, it turned out to be a phishing page designed to steal my iCloud credentials.


What’s confusing is that the message looked exactly like the real Apple messages I’ve received before — same format, same sender channel.


So I wanted to ask:

  • Has anyone else experienced something similar?
  • Is it even technically possible for a scam message to be delivered via Apple’s own SMS channel?
  • Could this indicate a breach or vulnerability in Apple’s messaging infrastructure?
  • They told me it must be the network operator’s problem, but when I contacted the operator they officially affirmed that’s not gonna happen, they’re just a courier. And how could the thief know my number to use? It was an eSIM, and the lost mode was activated with a family member’s number!!

Would really appreciate any insights or shared experiences.


[Re-Titled by Moderator]

Original Title: Is it possible to receive a fake “Find My iPhone” SMS through Apple’s official messaging channel?

iPhone 13 Pro Max, iOS 18

Posted on Jun 13, 2025 07:44 AM

Question marked as Top-ranking reply

Posted on Jun 13, 2025 08:17 AM

Hello~ Thief trying to get you to release information that will allow them to use your iPhone…


Recognize and avoid social engineering schemes including phishing messages, phony support calls, and other scams - Apple Support


Scammers just doing what scammers do…


~Katana-San~

14 replies

Jun 13, 2025 08:56 AM in response to Muhammad1918

but in my case my device was stolen

You didn't say that before. Only that you received a message.


In that case, as Katana-San mentioned, the crooks sent the message hoping you'd fall for a fake site to enter your user ID and password in so they could release the phone.


Any such message, no matter who, or where it says it's from, is a scam. Neither Apple nor any law enforcement agency will send any such message.


Which brings us back to, 'How did they get your number?'. The only way that can happen is you entered such a message to show on the lock screen. Such as, "If found, please call xxx.xxx.xxxx."

Jun 13, 2025 10:11 AM in response to Muhammad1918

Muhammad1918 wrote:

Great question!

The SMS came through the same Apple message thread that normally delivers OTPs, same sender ID, same format, so it looked completely legit.
Apple support later confirmed it was spoofed. That’s what made it really alarming — you can’t tell the difference when it appears to come from a trusted channel.
Appreciate your interest!

Hello once more~ I treat everything as a scam until I can prove otherwise…it’s the world that we live in.


~Katana-San~

Jun 13, 2025 12:06 PM in response to Muhammad1918

Your phone got stolen, and you got a phishing message. That’s very common. Routine, even. These thefts can involve established (illicit) businesses, with established web services and tools.


The thieves got your phone number from swapping the SIM, most likely. That likely also got them a trusted device. (This is also why SIM PINs can be helpful, as can be not-easily-swappable eSIMs.) (Also why marking a device as stolen best happens quickly.)


As can happen with longer telephone numbers, and with email sending addresses, telephone short codes can also get spoofed: sending-number spoofing.


Spoofing? Interceptions? There have been some fairly substantial scams involving SS7 control of a telephone switch in the past decade or so. This was used to intercept SMS two-factor codes, leading to thefts.


This is also part of why there’s been a push for using passkeys, and for using two-factor authentication not based on SMS or RCS, too. This can involve hardware tokens, among other paths.


Two-factor authentication using SMS is still absolutely better than using no two-factor authentication, though.


Use of words like “possible” can be misleading too, as many things are possible. Can the telephone system be compromised? Yes. Can your iPhone or can Apple itself be compromised? Yes. Can it rain twenty-five weekends in a row? Yes. Can I win a billion-dollar lottery? Yes. Well, assuming I also buy a ticket. Many things are possible. Rather fewer are likely.

Jun 13, 2025 01:31 PM in response to Katana-San

Katana-San wrote:

Muhammad1918 wrote:

I understand that bro, but in my case my device was stolen and the message was sent to me the next day of the incident..

Hello again ~ MrHoffman has fully explained…also note everyone helping here may not be a “bro”.


Some people find the term “bro” problematic or derogatory, and that for various reasons, yes.


However, just to clarify, my SIM was actually an eSIM, and it was active on the lost iPhone at the time of the incident. So there was no physical SIM swap involved, and the attackers were somehow able to target my number and send the spoofed message through a channel that looked exactly like Apple’s official OTP route.


Getting a trusted device is bad. If the passcode is known, worse.


Muhammad1918 wrote:

This is what made it so deceptive — the message didn’t just look legitimate, it came from the same Apple sender ID used for real OTPs, and the link opened a real location page, not a suspicious login form upfront.


Short codes can be spoofed. Websites can be spoofed, as well.


Or you got a legitimate notification as the thieves were completing their acquisition of the stolen iPhone.

That’s why I’m concerned whether this might go beyond typical spoofing and involve a more serious vulnerability in the delivery channel itself.


SMS is a known trash fire, and has been a known trash fire for many years.


SMS is better than no two-factor authentication too, but not as good as two-factor with more reliable delivery.


This is why passkeys, and hardware tokens, and other paths for implementing two-factor authentication are being encouraged. Not SMS. This particularly for those at higher risk of account take-overs, including those with higher-value accounts.

Jun 13, 2025 07:50 AM in response to Muhammad1918

Thousands, likely millions of people have gotten the same scam.


Literally, anyone who has your email address or phone number can send you a message.


A breach has nothing to do with a message. See the previous answer.


How could a thief know your number? Scammers routinely amass lists of phone numbers and email addresses by the millions and sell them to each other. They then send out scam emails or messages to every single one in the list. Or, they just send out scam messages to numerically incremented phone numbers, whether they exist or not. They don't care how many bounce as a non-existent number or email address.

Jun 13, 2025 01:14 PM in response to MrHoffman

Thanks a lot for your detailed explanation — I really appreciate the time and effort you put into breaking it all down.

You’re right, I completely agree that spoofing and phishing are well-known threats, and that SMS-based 2FA is far from perfect in today’s threat landscape.

However, just to clarify, my SIM was actually an eSIM, and it was active on the lost iPhone at the time of the incident. So there was no physical SIM swap involved, and the attackers were somehow able to target my number and send the spoofed message through a channel that looked exactly like Apple’s official OTP route.

This is what made it so deceptive — the message didn’t just look legitimate, it came from the same Apple sender ID used for real OTPs, and the link opened a real location page, not a suspicious login form upfront.

That’s why I’m concerned whether this might go beyond typical spoofing and involve a more serious vulnerability in the delivery channel itself.


Thanks again for sharing your perspective — it really helps. 🙏

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.
