A sophisticated new phishing campaign is targeting Apple Pay users, leveraging high-quality email design and social engineering to bypass security measures.
Unlike typical scams that rely on poorly spelled emails and suspicious links, this campaign uses a “hybrid” approach that combines email with phone fraud (often called “vishing”) to steal Apple IDs and payment data.
Phishing Attack
The attack begins with an email that appears authentic. It features official Apple branding, correct formatting, and a professional layout.
The subject line usually triggers immediate anxiety, signaling a high-value purchase, such as a 2025 MacBook Air M4 ($1,157.07) or a significant gift card transaction.
The email claims that Apple has “blocked” this transaction but requires the user to verify their identity to prevent account suspension.
Crucially, instead of asking the user to click a link, the email instructs them to call a “Billing & Fraud Prevention” phone number.
Some emails even claim an “appointment” has been booked for the user to review the fraud.
When a victim calls the number, they are connected to a scammer posing as an Apple support agent.
The conversation is scripted to build trust. The fake agent confirms the user’s name and device details to sound legitimate.
Once trust is established, the technical takeover begins. The attacker attempts to log into the victim’s Apple ID from their own computer, as reported by Malwarebytes.
This triggers a legitimate Two-Factor Authentication (2FA) code sent to the victim’s phone. The scammer then asks the victim to read this code aloud, claiming it is needed to “verify the account” or “stop the fraud.”
By handing over this code, the victim inadvertently grants the attacker full access to their Apple ID.
The scammer can then exploit linked payment methods in Apple Wallet or lock the user out of their devices entirely.
Red Flags and Defense Strategies
Security researchers warn that Apple never schedules “fraud appointments” via email and does not ask users to call phone numbers listed in unsolicited messages.
To stay safe, users should observe the following guidelines:
- Inspect the Sender: Even if the display name says “Apple Support,” check the actual email address. Phishing emails rarely come from an official @apple.com domain.
- Guard 2FA Codes: Never share verification codes with anyone over the phone. Apple support staff will never ask for your password or 2FA code.
- Verify Independently: If you receive a billing alert, do not call the number in the email. Go to appleid.apple.com or check your official banking app to verify transactions.
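The “Inspect the Sender” and “Verify Independently” guidelines can be turned into a mail-filter check: a display name that claims to be Apple while the actual address domain is not apple.com or a subdomain of it, and a body that asks the recipient to call a phone number, are both red flags. The following is an added example and not code from the article, from Malwarebytes, or from Apple; the trusted-domain list, the sample messages and the 555 phone numbers are constructed for illustration.

```python
"""Red-flag scanner for inbound mail modelled on the article's guidance.

Added example (not the article's, Malwarebytes' or Apple's code). Run it
directly to see the flags raised for the constructed sample messages.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: genuine Apple mail comes from apple.com or one of its subdomains.
# A real deployment would maintain this list from the vendor's documentation.
TRUSTED_DOMAINS = ("apple.com",)

# Display-name keywords meaning the mail presents itself as coming from Apple.
BRAND_KEYWORDS = ("apple",)

# North-American phone number pattern and the verbs used in "call us" lures.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
LURE_RE = re.compile(r"\b(call|dial|phone)\b", re.IGNORECASE)


def sender_domain(from_header):
    """Return the lowercase domain of the From address, or '' if absent."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower()


def claims_brand(from_header):
    """True if the display name presents the sender as Apple."""
    display, _ = parseaddr(from_header)
    return any(word in display.lower() for word in BRAND_KEYWORDS)


def is_trusted_domain(domain):
    """Exact match or proper subdomain of a trusted domain.

    A suffix check alone would accept 'notapple.com'; requiring a leading dot
    also rejects lookalikes such as 'apple.com.billing.example'.
    """
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS)


def analyze(raw_message):
    """Return the list of red flags found in one RFC 822 message string."""
    msg = message_from_string(raw_message)
    from_header = msg.get("From", "")
    body = "" if msg.is_multipart() else msg.get_payload()
    flags = []

    domain = sender_domain(from_header)
    if claims_brand(from_header) and not is_trusted_domain(domain):
        flags.append(
            f"display name claims Apple but address domain is {domain or 'missing'}"
        )
    if LURE_RE.search(body) and PHONE_RE.search(body):
        flags.append("body asks the recipient to call a phone number")
    return flags


# Constructed sample messages (no real sender, recipient or phone number).
PHISH_BRAND_MISMATCH = """From: "Apple Support" <billing-alerts@secure-notify.example>
To: victim@example.org
Subject: Your MacBook Air purchase was blocked

A purchase of $1,157.07 was blocked. Call Billing & Fraud Prevention at
1-800-555-0199 within 24 hours to avoid account suspension.
"""

PHISH_LOOKALIKE_DOMAIN = """From: Apple <fraud-desk@apple.com.secure-billing.example>
To: victim@example.org
Subject: Fraud review appointment booked

Your fraud review appointment is booked. Dial 1 (800) 555 0142 to confirm.
"""

LEGIT_RECEIPT = """From: Apple <no_reply@email.apple.com>
To: user@example.org
Subject: Your receipt from Apple

Thanks for your purchase. Review it in Settings on your device.
"""

if __name__ == "__main__":
    for name, sample in [("brand mismatch", PHISH_BRAND_MISMATCH),
                         ("lookalike domain", PHISH_LOOKALIKE_DOMAIN),
                         ("legitimate receipt", LEGIT_RECEIPT)]:
        print(f"{name}: {analyze(sample) or 'no red flags'}")
```

Both constructed phishing samples raise two flags each (brand/domain mismatch plus a phone-number lure), while the receipt from the `email.apple.com` subdomain raises none. The domain test deliberately requires a leading dot before the trusted domain, so the lookalike `apple.com.secure-billing.example` is not accepted as a subdomain.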
If you believe you have interacted with this scam, immediately change your Apple ID password, sign out of all active sessions in your settings, and contact your bank to dispute any unauthorized charges.