iPhone or iPad Security Compromised, now what?
This tip is a work in progress, and additional editing and updates are planned.
This tip started from this thread: Scam attempt on iPad - Apple Community
If your Apple Account has been breached, the iPhone or iPad app contents are probably fine, but the contents of iCloud probably aren’t. Malware on device is quite rare and targeted based on all available evidence, but installing remote access apps is possible, and passwords can be compromised.
Unfortunately, if you did not have two-factor authentication enabled, then you may have completely and irrevocably lost control of the Apple Account. if you see an unknown phone number or unknown security questions associated with the Apple Account, the account is likely unrecoverable; no longer yours.
Straight financial scams are common, and those often (mostly? usually? likely?) don’t involve any device or credentials compromises.
Most of these phishing and romance scams and spear-phishing and arrested-grandchild scams work by getting the folks to the scammers’ website, or by directly authorizing remote access into the device via FaceTime or such, and obtaining the ability to transfer from the credentials there. Or by convincing the folks to authorize the financial transfer directly.
If you’re concerned that these folks might have authorized remote access into the iPhone or iPad, or otherwise left a backdoor on the iPhone or iPad or into the Apple Account here, your path will involve a factory reset, re-load just the apps needed and not a backup restore, and resetting all passwords. Remote access is either authorized each time with FaceTime, or similarly through some other added remote access or screen-sharing app. Remote access malware is very rare, and very expensive. DNS shenanigans are certainly possible too, but not at the top of my list of potential shenanigans.
Two-factor authentication should be enabled here if not already. Two-factor authentication makes phishing more difficult. You will want to verify all trusted devices associated with the Apple Account should verified too, the trusted telephone numbers verified, and ensure the appropriate Recovery Contacts are enabled.
Once the Apple Account password is changed, and if you choose to be selective about which of your other potentially-compromised passwords are updated, the Passwords app (iOS 18, iPadOS 18, macOS 15, and later) contains a tool that automatically reviews a user’s passwords for compromises, and resolve any issues reported there.
Disable the automatic acceptance of Apple Cash payments to block that whole family of financial scams, too. (The scam: receiving an payment transfer from what will be a compromised payment card, and then requests or demands to return some or all of that transfer. That initial payment then gets clawed back by the payment card provider, and you lose anything you then transferred to the scammers.)
Set your iPhone to send unknown callers to voicemail, and mute unknown text message senders.
It’s also fairly common for folks to re-use their passwords and passcodes (and to also not use iCloud Keychain and the passwords app, or some other password manager), which then causes wider compromises when the re-used passwords is compromised on some website somewhere. See the Passwords app for details.
What Apple suggests:
If you think your Apple Account has been compromised - Apple Support
Personal Safety User Guide - Apple Support
While you’re reviewing all of this, adding a Legacy Contact or two can be considered, as well as migrating to iCloud Photos, backups, and the usual and mundane device and data management considerations such as local or (far more likely) iCloud backups.