America’s Cybersecurity and Infrastructure Security Agency (CISA) has issued fresh warnings urging users of Google, Microsoft and Apple accounts to secure their digital identities immediately. The agency recommends that people change passwords, disable SMS-based two-factor authentication (2FA) and enable passkeys, citing a rise in sophisticated attacks that combine social engineering and legitimate automated messages.
The danger, experts say, is that a message appearing to come from Google, Apple or Microsoft may no longer be trustworthy — hackers are now triggering genuine system alerts while simultaneously calling victims and impersonating official support staff.
How attackers combine real alerts with fake calls
Apple has confirmed that attackers are using “highly sophisticated tactics” designed to pressure victims into handing over login credentials, security codes and access to their devices. In several cases reported globally, hackers triggered automated Apple alerts at the exact moment they placed spoofed calls pretending to be from Apple Support.
A similar case was shared on Reddit recently, where a Google user received automated Google Security Prompts while simultaneously receiving a call from someone claiming to be from Google’s security team.
This is possible because anyone can initiate an account recovery attempt, which automatically sends prompts to the registered device. This makes the pairing of a legitimate prompt with a fraudulent call especially convincing.
Google emphasises that it never calls users to reset passwords, stating:
“Google will not call you to reset your password or troubleshoot account issues.”
The rule is simple: if you get the call, it’s an attack.
Microsoft issues new warning as attacks escalate
Adding to the Apple and Google alerts, Microsoft has now issued a warning about an attack chain that begins with social engineering and ends with fileless malware being deployed on the victim’s computer.
According to research from SpiderLabs, the scheme works as follows:
- Victims receive a spoofed Microsoft Teams call from someone appearing to be senior internal IT staff.
- The attacker convinces the user to launch Quick Assist, allowing remote access.
- The user is redirected to a fake “verification” page, hosted on a malicious domain.
- A disguised malware file named updater.exe is installed, leading to deeper system compromise.
Cybersecurity analysts warn that this type of impersonation attack is expected to grow rapidly, especially as remote workplaces normalise support calls and online troubleshooting.
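For defenders, the chain described above can be hunted in process-creation logs by looking for updater.exe starting from a user-writable folder shortly after a Quick Assist session on the same host. The sketch below is an added example, not code from SpiderLabs or Microsoft; the event format, host names, paths, 30-minute window and folder heuristic are all assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed correlation window
USER_WRITABLE = ("\\downloads\\", "\\appdata\\", "\\temp\\")  # assumed heuristic

# Constructed sample events (timestamp, host, image path); not real telemetry.
SAMPLE_EVENTS = [
    ("2025-01-10T09:00:12", "WS-014", r"C:\Windows\System32\QuickAssist.exe"),
    ("2025-01-10T09:07:45", "WS-014", r"C:\Users\alice\Downloads\updater.exe"),
    ("2025-01-10T10:15:00", "WS-022", r"C:\Program Files\Vendor\updater.exe"),
    ("2025-01-10T11:00:00", "WS-031", r"C:\Windows\System32\QuickAssist.exe"),
    ("2025-01-10T13:30:00", "WS-031", r"C:\Users\bob\AppData\Local\Temp\updater.exe"),
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def correlate(events, window=WINDOW):
    """Return (host, quick_assist_time, updater_path) for each updater.exe
    started from a user-writable path within `window` of a Quick Assist launch."""
    last_session = {}  # host -> time of the most recent Quick Assist launch
    alerts = []
    for ts, host, image in sorted(events):  # ISO timestamps sort chronologically
        when = datetime.fromisoformat(ts)
        name = basename(image)
        if name == "quickassist.exe":
            last_session[host] = when
        elif name == "updater.exe" and host in last_session:
            in_user_dir = any(p in image.lower() for p in USER_WRITABLE)
            if in_user_dir and when - last_session[host] <= window:
                alerts.append((host, last_session[host].isoformat(), image))
    return alerts


if __name__ == "__main__":
    for host, started, image in correlate(SAMPLE_EVENTS):
        print(f"{host}: {image} ran after Quick Assist session at {started}")
```

A file name alone is a weak signal, since legitimate software also ships an updater.exe; the pairing with a recent remote-assistance session and a user-writable path is what narrows the result.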
What users must do to stay safe
Across Apple, Google and Microsoft platforms, the core safety advice remains consistent:
1. Never trust unsolicited calls
If someone claims to be from “Apple Support”, “Google Security Team” or “Microsoft IT”, hang up immediately.
No major tech company calls users to request codes, reset passwords or take control of devices.
2. Ignore unexpected security prompts
If you did not:
- request a password reset,
- initiate account recovery, or
- sign in from a new device,
do not approve the prompt.
Do not click links or engage with callers contacting you at the same time. It is always an attack.
3. Stop using SMS-based 2FA
SMS authentication is vulnerable to SIM-swaps and interception. Replace it with:
- passkeys,
- device-bound prompts, or
- hardware security keys.
4. Strengthen password hygiene
Use long, unique passwords for each account and update them periodically.
5. Be cautious with remote-access tools
Never open Quick Assist, AnyDesk, Chrome Remote Desktop or similar tools for unknown callers.
The threat ahead
Cybersecurity researchers caution that these combined-attack scams are only becoming more convincing. Scammers increasingly rely on real system notifications, deepfake audio and spoofed contact details to bypass user suspicion.
CISA, Apple, Google and Microsoft all repeat the same warning:
Do not take these calls. Do not share codes. Do not approve unexpected prompts.
Online security, they stress, now depends as much on user awareness as on company safeguards.
