Apple Account Change Alerts Abused to Send Phishing Emails

A sophisticated phishing campaign is exploiting Apple's legitimate account change notification system to deliver fraudulent iPhone purchase scams inside genuine Apple emails — bypassing spam filters and dramatically increasing the credibility of the attack.

How the Attack Works

The campaign exploits a flaw in how Apple triggers account security notifications. Attackers modify a target account's shipping address to include a phishing message within the name or address fields. This change triggers Apple to send a legitimate security alert email to the account owner — and the phishing content is embedded directly in that notification.

The phishing message included within the alert claims the recipient has just purchased an iPhone 16 Pro for $899 via PayPal, and instructs them to call a provided phone number if they did not authorize the purchase. When victims call, they are socially engineered into surrendering:

Apple ID credentials
Payment card details
One-time verification codes (effectively handing over account access in real-time)

Why This Is Dangerous

Standard phishing campaigns must spoof the sender or use look-alike domains. This attack is different:

Email comes from Apple's real servers — sender authentication (DKIM, DMARC, SPF) all pass
No malicious links or attachments — nothing for URL scanners to flag
Bypasses most spam and anti-phishing filters — the email is, technically, a legitimate Apple notification
High perceived legitimacy — victims see a genuine Apple email format, correct logos, real Apple footers

Security researcher Brian Krebs and BleepingComputer both confirmed the technique: attackers are actively abusing Apple's real notification infrastructure, not spoofing it.

Reported Financial Impact

Victims have reported losses ranging from $500 to $5,000+, with some cases involving complete Apple account takeover within minutes of the phone call. Once attackers gain account access via stolen credentials and MFA codes, they can:

Lock the legitimate owner out of the account
Access iCloud data, photos, and documents
Make unauthorized purchases using stored payment methods
Use Find My to locate or remotely lock Apple devices

How to Recognize the Scam

Legitimate Apple communications follow these rules:

Apple Will	Apple Will Never
Send change alerts for account modifications	Ask you to call a phone number in an alert email
Include your name on file in communications	Request your password, MFA code, or payment details by phone
Link to apple.com for account actions	Use urgency tactics or claim unauthorized purchases

The presence of a phone number in an Apple notification email is an immediate red flag — Apple does not include callback numbers in automated security alerts.

Mitigation Steps

If you receive a suspicious Apple notification:

Do not call any phone number listed in the email
Navigate directly to appleid.apple.com (type it manually) to verify account activity
Report the email to reportphishing@apple.com
Change your Apple ID password if you suspect your account was modified

Proactive protections:

Enable two-factor authentication with a hardware security key if possible
Review your trusted phone numbers under Apple ID settings — remove any you don't recognize
Use an alias email for your Apple ID that is not publicly associated with your identity
Enable Advanced Data Protection on iCloud to limit what Apple (or attackers) can access

Reporting to Apple

Forward the suspicious email directly to:

reportphishing@apple.com

Include the full email headers if possible. Apple's security team uses these reports to identify and disrupt ongoing abuse of their notification infrastructure.

Broader Context

This attack technique — embedding phishing content in legitimate service notifications — is increasingly common. Similar campaigns have abused Google Calendar invites, PayPal invoice notifications, and Amazon shipping alerts. As email security controls improve, attackers are pivoting to legitimate sending infrastructure as a bypass method.

Organizations should train employees to be suspicious of any unexpected notification that includes a phone number to call — regardless of how legitimate the sending email address appears.

Source: BleepingComputer

How the Attack Works

Apple ID credentials
Payment card details
One-time verification codes (effectively handing over account access in real-time)

Why This Is Dangerous

Standard phishing campaigns must spoof the sender or use look-alike domains. This attack is different:

Email comes from Apple's real servers — sender authentication (DKIM, DMARC, SPF) all pass
No malicious links or attachments — nothing for URL scanners to flag
Bypasses most spam and anti-phishing filters — the email is, technically, a legitimate Apple notification
High perceived legitimacy — victims see a genuine Apple email format, correct logos, real Apple footers

Security researcher Brian Krebs and BleepingComputer both confirmed the technique: attackers are actively abusing Apple's real notification infrastructure, not spoofing it.

Reported Financial Impact

Lock the legitimate owner out of the account
Access iCloud data, photos, and documents
Make unauthorized purchases using stored payment methods
Use Find My to locate or remotely lock Apple devices

How to Recognize the Scam

Legitimate Apple communications follow these rules:

Apple Will	Apple Will Never
Send change alerts for account modifications	Ask you to call a phone number in an alert email
Include your name on file in communications	Request your password, MFA code, or payment details by phone
Link to apple.com for account actions	Use urgency tactics or claim unauthorized purchases

The presence of a phone number in an Apple notification email is an immediate red flag — Apple does not include callback numbers in automated security alerts.

Mitigation Steps

If you receive a suspicious Apple notification:

Do not call any phone number listed in the email
Navigate directly to appleid.apple.com (type it manually) to verify account activity
Report the email to reportphishing@apple.com
Change your Apple ID password if you suspect your account was modified

Proactive protections:

Enable two-factor authentication with a hardware security key if possible
Review your trusted phone numbers under Apple ID settings — remove any you don't recognize
Use an alias email for your Apple ID that is not publicly associated with your identity
Enable Advanced Data Protection on iCloud to limit what Apple (or attackers) can access

Reporting to Apple

Forward the suspicious email directly to:

reportphishing@apple.com

Include the full email headers if possible. Apple's security team uses these reports to identify and disrupt ongoing abuse of their notification infrastructure.

Broader Context

Organizations should train employees to be suspicious of any unexpected notification that includes a phone number to call — regardless of how legitimate the sending email address appears.

Source: BleepingComputer

Apple Account Change Alerts Abused to Send Phishing Emails

How the Attack Works

Why This Is Dangerous

Reported Financial Impact

How to Recognize the Scam

Mitigation Steps

Reporting to Apple

Broader Context

Traffic Violation Scams Switch to QR Codes in New Phishing Texts

Cybercriminals Target Accountants to Drain Russian Firms' Bank Accounts

Drift $280M Crypto Theft Linked to 6-Month In-Person DPRK Infiltration

Apple Account Change Alerts Abused to Send Phishing Emails

How the Attack Works

Why This Is Dangerous

Reported Financial Impact

How to Recognize the Scam

Mitigation Steps

Reporting to Apple

Broader Context

Traffic Violation Scams Switch to QR Codes in New Phishing Texts

Cybercriminals Target Accountants to Drain Russian Firms' Bank Accounts

Drift $280M Crypto Theft Linked to 6-Month In-Person DPRK Infiltration