Hackers lean into social engineering to attack Apple security — Jamf

news analysis
Jun 18, 2025 | 5 mins
Apple | MacOS Security | iOS

The latest Jamf security report reflects an increasingly complex and organized threat environment for Apple users.

Every Mac, iPhone, or iPad user should do everything they can to protect themselves against social engineering-based phishing attacks, a new report from Jamf warns. In a time of deep international tension, the digital threat environment reflects the zeitgeist, with hackers and attackers seeking out security weaknesses on a scale that continues to grow. 

Based on extensive research, the latest edition of Jamf’s annual Security 360 report looks at security trends on Apple’s mobile devices and on Macs. It notes that we’ve seen more than 500 CVE security warnings on macOS 15 since its launch, and more than 10 million phishing attacks in the last year. The report should be on the reading list of anyone concerned with managing Apple’s products at scale (or even at home).

Security begins at home

With phishing and social engineering, protecting personal devices is as important as protecting your business machines. According to Jamf, more than 90% of cyberattacks originate from social engineering attacks, many of which begin by targeting people where they live. Not only that, but up to 2% of all the 10 million phishing attacks the company identified are also classified as zero-day attacks — which means attacks are becoming dangerously sophisticated.

This has become such a pervasive problem that Apple in 2024 actually published a support document explaining what you should look for to avoid social engineering attacks. Attackers are increasingly creative, pose as trusted entities, and will use a combination of personal information and AI to create convincing attacks. They recognize, after all, that it is not the attack you spot that gets you, it’s the one you miss.

Within this environment, it is important to note that 25% of organizations have been affected by a social engineering attack — even as 55% of mobile devices used at work run a vulnerable operating system and 32% of organizations still have at least one device with critical vulnerabilities in use across their stack. (The latter is a slight improvement on last year, but not much.)

The nature of what attackers want also seems to be changing. Jamf noticed that attempts to steal information are surging, accounting for 28% of all Mac malware, which suggests some degree of surveillance is taking place. These info-stealing attacks are replacing trojans as the biggest threat to Mac security. The environment is similar on iPhones and iPads, all of which are seeing a similar spike in exploit attempts, zero-day attacks, and convincing social-engineering-driven moves to weaponize digital trust.

The bottom line? While Apple’s platforms are secure by design, the applications you run or the people you interact with remain the biggest security weaknesses the platform has. Security on any platform is only as strong as the weakest link in the chain, even while attack attempts increase and become more convincing and complex. 

Defense is the best form of defense

Arnold Schwarzenegger allegedly believes that one should not complain about a situation unless one is prepared to try to do something to make it better. “If you see a problem and you don’t come to the table with a potential solution, I don’t want to hear your whining about how bad it is,” he says.

With that in mind, what can you as a reader do today to help address the growing scourge of Apple-focused malware? Here are some suggestions from Jamf:

  • Update devices to the latest software.
  • Protect devices with a passcode.
  • Use two-factor authentication and strong passwords to protect Apple accounts.
  • Install apps only from the App Store.
  • Use strong and unique passwords online.
  • Don’t click on links or attachments from unknown senders.

And, of course, don’t use older, unprotected operating systems or devices — certainly not when handling critical or confidential data.

Layer up, winter is coming

Organizations can build on these personal protections, of course. Apple devices need Apple-specific security solutions, including endpoint management solutions; enterprises should adopt device management; and they should prepare for the inevitable attacks by fostering a positive, blame-free culture for incident reporting and by eliminating inter-departmental siloes. Investment in staff training is important, too. 

It is also important to understand that in a hybrid, multi-platform, ultra mobile world there is no such thing as strict perimeter security anymore. That’s why it is essential to secure endpoints and implement zero-trust. It’s also why it is important to adopt a new posture toward security — there is no single form of effective security protection. At best, your business security relies on layers of protection that together form an effective and flexible security defense.
