Apple Pay Phishing Using Fake Apple Support Calls to Steal Payment Details
A phishing campaign targeting Apple Pay users is using realistic-looking emails to push victims into calling a fraudulent “Apple Support” phone number, shifting the attack from link-clicking to vishing (voice phishing). The lure commonly claims a high-value Apple Store charge was attempted or stopped, and includes plausible details (e.g., case ID, timestamp, and an “appointment” to review the activity) to create urgency and legitimacy.
Malwarebytes reported the operation’s objective is to extract login/verification codes and payment data during the phone interaction, enabling attackers to take over the victim’s Apple account and potentially access associated data and linked payment methods. Follow-on reporting highlighted the use of Apple branding and invoice-style formatting (including high-ticket purchase claims) to increase conversion, and emphasized the potential impact of account compromise beyond payment theft (e.g., access to stored personal data and connected services).
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Attackers abuse Apple account alerts to send authenticated callback phishing emails
Attackers were found inserting scam text and a phone number into Apple ID profile fields, then triggering an account shipping-information change so Apple sent a legitimate security notification containing the attacker-controlled content. The emails were delivered through Apple's own infrastructure and passed SPF, DKIM, and DMARC checks, making the callback phishing lure appear highly credible.
Apple warns iPhone users about expanding social engineering scam wave
Apple warned users in the US and Europe about a growing scam campaign using official-looking text messages about Apple Pay or account issues, followed by calls with fraudsters impersonating Apple support or investigators. The company said it would never ask users to share passwords or 2FA codes, approve unsolicited authentication prompts, or disable protections, and provided official reporting channels for scam messages and calls.
Malwarebytes reports and analyzes the Apple Pay vishing campaign
Malwarebytes analysts publicly documented the campaign, describing its use of fake Apple Support interactions and assessing that the attackers' goal was to steal login codes and payment details. The reporting also included defensive guidance such as not sharing 2FA codes, changing Apple ID passwords, and monitoring financial activity.
Attackers use vishing calls to steal Apple ID codes and payment data
During the phone calls, scammers posing as Apple fraud or billing agents attempted to collect personal details, Apple ID email addresses, two-factor authentication codes, and payment information. If successful, the operation could enable Apple account takeover and access to linked payment methods and account data.
Phishing campaign targets Apple Pay users with fake fraud alert emails
A social engineering campaign began targeting Apple Pay users with emails impersonating Apple and claiming a high-value charge had been stopped. The messages directed recipients to call a phone number instead of clicking a malicious link, creating urgency around supposed fraud.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
8 references tracked. Mallory keeps watching after this page renders.
Apple Pay Scam Security Reminder Text Message
onlinethreatalerts.com
Open sourceNew Apple Phishing Scam Uses Fake $899 iPhone Purchase Alert
techrepublic.com
Open sourceApple account notifications abused for iPhone purchase phishing scams | brief | SC Media
scworld.com
Open sourceApple account change alerts abused to send phishing emails
bleepingcomputer.com
Open sourceNew Apple Scam Hits Millions of iPhone Users Worldwide, Draining Bank Accounts
techrepublic.com
Open sourceReal-time vishing exploits Apple Pay | SC Media
scworld.com
Open sourceA week in security (February 2 - February 8) | Malwarebytes
malwarebytes.com
Open sourceBeware of Apple Pay Phishing Attack that Aims to Steal Your Payment Details
cybersecuritynews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Consumer Brand Impersonation Phishing and Tech-Support Scams Targeting Apple and Avast Users
Multiple **brand-impersonation phishing** campaigns are targeting consumers by abusing trust in *Avast* and *Apple* to drive victims into disclosing payment or account details. One campaign uses a near-identical fake *Avast* portal aimed at French-speaking users, presenting a fabricated **€499.99** “subscription charge” and a short cancellation window to induce urgency; the site validates entered card numbers using the **Luhn algorithm** and uses a **Tawk.to** live-chat widget (ID `689773de2f0f7c192611b3bf`) to pressure victims in real time into submitting full card details (including CVV) under the pretense of processing a refund. Separate *Apple*-themed scams use **phishing-to-phone** and **SMS** lures to route victims to scam call centers and harvest credentials and financial information. One email purporting to be from an “**Apple Fraud Prevention**” team attempts to panic recipients into calling a fake support number, while an “**Apple Security Alert**” Apple Pay text claims a suspicious **$143.95** Apple Store transaction and urges an immediate call to a `+1 850-85*` number to “cancel” the charge. Another tactic abuses iOS Calendar subscriptions (“**iPhone Calendar Scam**”) to flood devices with fake security/prize alerts that push users to click malicious links; guidance emphasizes unsubscribing from the rogue calendar and avoiding interacting with the spam invites.
Mar 31, 2026
Consumer-Facing Phishing and Payment Scams Using Fake Support and Fraud Alerts
Multiple reports describe **social-engineering scams** that impersonate trusted brands and payment providers to drive victims into credential theft or direct monetary loss. A “crypto compensation” lure abuses a legitimate-looking *Yandex* poll as an entry point, then redirects victims to a fake Bitcoin payout page claiming an approved `0.943 BTC` transaction and imposes a small “commission”/fee to withdraw funds—classic advance-fee fraud wrapped in a polished, multi-step funnel (including a fake chat “support agent”). Separately, Japanese-language phishing emails impersonating **ANA**, **DHL**, and **myTOKYOGAS** show consistent infrastructure patterns (notably `.cn` domains in sender and landing-page URLs), suggesting a single operator or shared kit targeting Japanese-speaking recipients. Several consumer scam advisories highlight **SMS-based fraud alerts** that push targets to call attacker-controlled phone numbers, where scammers pose as “support” to steal **Apple ID/2FA codes** or payment details, or to coerce victims into moving money. One PayPal-themed case escalated to cash withdrawals handed to a courier after a victim called a number from an unsolicited text, illustrating how “fraud department” pretexts can transition from phishing to **cash-out theft**. Additional warnings cover lookalike payment sites (e.g., `payyourbill.aps medical.com`) and generic guidance on what to do after clicking a phishing link; these are broadly consistent with the same theme (phishing/payment fraud) but are not tied to a single, specific campaign or actor across all items.
Jun 19, 2026
Apple Account Smishing Campaign Uses Lookalike Domains in Korea
ESTsecurity’s Alyac blog warned of a smishing campaign using **Apple-themed text messages** that claimed an Apple ID had been accessed from another location or showed suspicious account activity. The messages were marked as international-origin texts and directed recipients to fraudulent lookalike domains including `ap****-kr.com` and `app****.cc`, attempting to lure victims into credential theft through fake Apple login pages. Alyac said the alerts were compiled from user-submitted reports through the AlyacM app as part of its weekly smishing roundup. In the same reporting period, the company also highlighted a separate lure impersonating **Danal**, threatening court appearance over alleged long-term unpaid debt and referencing a payment amount and bank account details, underscoring continued use of both financial-pressure and brand-impersonation tactics in Korean mobile phishing campaigns.
May 24, 2026