Overview
- America's cyber defense agency advises users to change passwords, remove SMS two‑factor authentication, and add passkeys across Google, Apple, and Microsoft accounts.
- Recent reports describe attackers triggering legitimate account‑recovery prompts while calling victims and posing as support staff to solicit one‑time codes.
- Apple cautions that “sophisticated tactics” are being used to extract sign‑in credentials and security codes from targets.
- Google states it will not call users to reset passwords or troubleshoot accounts, and official guidance says to hang up on unsolicited support calls.
- Experts note that anyone can initiate an account‑recovery flow that generates prompts, so users should ignore unexpected messages and never share verification codes.