
Apple Pay users targeted in coordinated phishing campaign


A coordinated phishing operation is using text messages, phone calls, and fraudulent sites to compromise Apple Pay users.

 

What happened

Security reporting indicates a sophisticated phishing campaign targeting Apple Pay users through a combination of text messages, phone calls, and fake emails that impersonate Apple security communications. The campaign begins with SMS messages alerting users to purported suspicious Apple Pay activity, followed by phone calls from individuals posing as Apple support representatives. In some cases, victims are directed to fraudulent websites mimicking official Apple login pages, designed to capture Apple ID credentials, payment information, and two-factor authentication codes. Attackers use psychological pressure and legitimacy cues drawn from Apple’s branding and security terminology to persuade victims to disclose sensitive information, using coordinated multi-channel tactics rather than relying solely on email-based phishing.

 

Going deeper

The operation combines multiple social engineering tactics, including smishing (phishing sent via SMS), vishing (fraud conducted through phone calls), and credential harvesting through fake websites designed to look legitimate. Attackers create urgent scenarios, such as warnings about unauthorized Apple Pay transactions, to pressure victims into responding quickly, then continue communication through emails and calls to obtain login details or authentication codes. The spoofed websites often use HTTPS encryption, shown by a padlock icon, which only means the connection is encrypted and does not confirm the site is genuine. Successful defense depends on user awareness, verifying sender identities, and avoiding sharing credentials or security codes in response to unexpected messages.

 

What was said

Cybersecurity analysts who investigated the campaign observed that attackers “demonstrate a deep understanding of Apple’s legitimate security protocols, making their fraudulent communications difficult to distinguish from authentic warnings.” The assessment indicates that the scheme’s use of coordinated messaging and calls increases the likelihood of success compared with traditional single-vector phishing attacks. There was no official public statement from Apple addressing this specific campaign at the time of reporting.

 

In the know

Apple also sent out multiple threat notifications last year to users targeted in advanced spyware campaigns, according to France’s national Computer Emergency Response Team (CERT-FR). The agency said four alerts were issued on March 5, April 29, June 25, and September 3.

The notifications warned that users’ devices may have been compromised using sophisticated techniques that required no user interaction. Apple delivered the alerts via email, text message, and a warning banner shown when users logged into their Apple accounts.

CERT-FR said the campaigns targeted high-profile individuals, including journalists, lawyers, human rights defenders, politicians, and senior executives in strategic sectors, with at least one device linked to a victim’s iCloud account compromised in some cases.

 

The big picture

The multi-channel Apple phishing operation aligns with findings from the Paubox 2025 Healthcare Email Security Report, which describes modern fraud as organized and automated at scale. Even as healthcare organizations invest more in cybersecurity, 82% of IT leaders say they worry about missing a real threat because security teams are overwhelmed by the volume of alerts, a condition known as alert fatigue, where constant warnings make genuine attacks harder to spot. The report also notes that 88% of healthcare workers have clicked on a phishing link at least once, showing how attackers continue to rely on layered social engineering techniques that take advantage of human error.

 

FAQs

What makes this phishing campaign more sophisticated than traditional scams?

The campaign uses multiple coordinated channels (text, voice calls, and spoofed websites) to sustain trust and pressure victims into revealing credentials, increasing its effectiveness beyond basic email phishing.

 

What is smishing, and how is it different from regular phishing?

Smishing is phishing conducted via SMS or text message rather than email, which often bypasses email-based defenses and exploits users’ tendency to trust mobile notifications.

 

What should users look for to spot fraudulent communications?

Legitimate Apple communications never request full credentials, passwords, or authentication codes via text or unsolicited phone calls; discrepancies in phone numbers or domain names are strong red flags.
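Because the padlock only shows that a connection is encrypted, link triage has to decide on the hostname rather than the scheme. The following is an added example, not part of the original article: a hostname check for links pulled from reported messages. The allowlist, the function names and every sample URL are assumptions constructed for illustration, not indicators from the campaign.

```python
from urllib.parse import urlsplit

# Assumption: illustrative allowlist only, not a complete list of Apple-operated domains.
TRUSTED_DOMAINS = ("apple.com", "icloud.com")

def classify_link(url, trusted=TRUSTED_DOMAINS):
    """Return (verdict, reason, host) for a URL taken from an SMS or email."""
    try:
        parts = urlsplit(url.strip())
        # .hostname drops any "user@" prefix and port, and lowercases the host.
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return ("untrusted", "unparseable", "")
    if parts.scheme != "https":
        return ("untrusted", "not-https", host)
    # Non-ASCII or punycode labels can render as look-alike characters.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return ("untrusted", "idn-host", host)
    # Match on a label boundary: the host is the domain itself or a subdomain of it.
    for domain in trusted:
        if host == domain or host.endswith("." + domain):
            return ("trusted", "allowlisted", host)
    # HTTPS alone proves nothing about who operates the site.
    return ("untrusted", "host-not-allowlisted", host)

# Constructed sample links (not observed in the campaign).
SAMPLE_LINKS = [
    "https://www.apple.com/apple-pay/",                # genuine host
    "https://apple.com.billing-check.example/signin",  # brand used as a subdomain
    "https://apple.com@billing-check.example/signin",  # brand placed in the userinfo part
    "https://notapple.com/signin",                     # suffix match without a label boundary
    "https://\u0430pple.com/signin",                   # Cyrillic "a" homoglyph
    "http://www.apple.com/apple-pay/",                 # right host, unencrypted scheme
]

def triage(links):
    """Map each link to its (verdict, reason) pair."""
    return {link: classify_link(link)[:2] for link in links}

if __name__ == "__main__":
    for link, result in triage(SAMPLE_LINKS).items():
        print(result, link)
```
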

 

Could stolen credentials be used for other attacks once harvested?

Yes, attackers may use compromised Apple ID and payment credentials for unauthorized transactions, identity theft, or account takeover across linked services if multi-factor authentication is circumvented.

 

What preventative steps can individuals take?

Users are advised to verify communications through official channels, enable all available security features, including biometric verification and two-factor authentication, and report suspicious messages directly to service providers.
