A wave of phishing emails impersonating Apple's iCloud service is reaching inboxes worldwide, using fabricated account suspension notices and deletion threats to push recipients into entering their banking details on fake payment pages.
What happened
A widespread phishing campaign is sending emails that impersonate Apple's iCloud service, claiming recipients have exceeded their storage limit and that their photos and videos will be permanently deleted unless they immediately upgrade their plan. According to The Guardian, the emails include urgent subject lines such as "We've blocked your account! Your photos and videos will be deleted on [date]" and "Your payment method has expired," followed by a button prompting recipients to update their payment method or manage storage. Clicking the button leads to a phishing website designed to harvest banking and personal details. Attackers often follow up with a second "final warning" email to escalate pressure on recipients who do not respond to the first.
Going deeper
The campaign is structured to exploit a specific vulnerability in user behavior: many Apple device owners regularly receive genuine storage warning emails from Apple, so a fraudulent version of the same message slots naturally into an existing pattern and draws less scrutiny. The sending domains in the fraudulent emails frequently exhibit indicators that deviate from Apple's actual infrastructure, such as references to Ecuadorian or Ukrainian business domains, and several contain grammatical errors, such as "Your account may expire today." Despite these signals, the volume of genuine Apple storage notifications in many inboxes means recipients in a hurry may not pause to verify the sender. According to BleepingComputer, a large-scale version of this campaign observed in January 2026 routed victims through Google Cloud Storage redirector pages before landing them on fake cloud portals that prompted credit card entry, with proceeds funneled to affiliate marketing schemes and credential theft operations. Many emails in that campaign were personalized with the recipient's name, email address, and specific dates to heighten the appearance of legitimacy.
What was said
UK consumer body Which? warned of the campaign in a recent post, stating that "every Apple user needs to know about this nasty scam doing the rounds." When The Guardian approached Apple, the company directed them to guidance on its website covering how to avoid scams targeting Apple accounts and devices. Apple's standard advice is that recipients who believe they have received a fraudulent email impersonating iCloud can report it to reportphishing@apple.com.
In the know
Cloud storage impersonation has become a reliable phishing vector because fear of data loss generates faster reactions than most other lures. The January 2026 campaign, documented by BleepingComputer, used subject lines personalized with recipients' names and specific deletion dates, including phrases like "Your Cloud Account has been locked" and "Your photos and videos will be removed." Senders used randomly generated domains to avoid blocklists, and the underlying phishing pages impersonated generic cloud portals rather than a single brand, widening the potential target pool across platforms, including Google, Microsoft, and Apple users in the same campaign run.
The big picture
For healthcare organizations, cloud storage impersonation phishing presents a specific risk beyond the individual credential harvest. Healthcare employees use personal Apple devices for work communications, BYOD scheduling, and accessing clinical apps through managed mobile programs. A staff member who hands over their Apple ID credentials on a phishing page may expose organizational accounts connected through single sign-on, iCloud Drive documents containing work files, or corporate email accounts synced to the same device. According to Paubox's Top 3 Healthcare Email Attacks report, only 5 percent of known phishing attacks are reported by employees to security teams, meaning most credential harvesting attempts of this kind proceed without any internal notification. Phishing-driven mailbox takeovers exposed 630,000 individuals across healthcare in 2025, and each one began with a single employee following a link they had no reason to distrust.
FAQs
How can a recipient tell whether an iCloud storage email is genuine or fraudulent?
Genuine Apple emails come from domains ending in @apple.com or @email.apple.com. Recipients can verify their actual storage status directly through iPhone Settings without clicking any email link. Apple will never threaten to delete data on a specific date without multiple prior in-app warnings, and legitimate Apple payment requests are always handled through device Settings rather than email buttons.
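The sender check in this answer, combined with the lure phrases and Google Cloud Storage redirectors described earlier, can be turned into a mail triage rule. The following is an added example, not code from the article or from Apple; the function name, the `storage.googleapis.com` host and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Sender domains the article lists as genuine for Apple mail.
APPLE_SENDER_DOMAINS = {"apple.com", "email.apple.com"}
# Lure phrases quoted in the article (lowercased for matching).
LURE_PHRASES = (
    "we've blocked your account", "your photos and videos will be deleted",
    "your photos and videos will be removed", "your payment method has expired",
    "your cloud account has been locked", "your account may expire today",
)
# Assumption: Google Cloud Storage objects are served from this host.
REDIRECTOR_HOSTS = {"storage.googleapis.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def triage(raw_email: str) -> list[str]:
    """Return the list of findings for one RFC 5322 message (plain-text body)."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    subject = msg.get("Subject", "")
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{subject}\n{body}".lower().replace("\u2019", "'")
    findings = []
    claims_apple = re.search(r"\b(apple|icloud)\b", f"{display} {subject}", re.I)
    # Exact match, so apple.com.example.net or icloud-billing.example do not pass.
    if claims_apple and domain not in APPLE_SENDER_DOMAINS:
        findings.append(f"brand-mismatch: claims Apple/iCloud, sent from {domain or 'unknown'}")
    for phrase in LURE_PHRASES:
        if phrase in text:
            findings.append(f"lure-phrase: {phrase}")
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host in REDIRECTOR_HOSTS:
            findings.append(f"redirector-link: {host}")
    return findings

# Constructed sample message (not a real campaign email).
SAMPLE = """From: iCloud Storage <notice@billing-alerts.example>
Subject: We've blocked your account! Your photos and videos will be deleted on 12 March

Your payment method has expired. Manage storage:
https://storage.googleapis.com/constructed-bucket/index.html
"""

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```

The From header can be forged, so an Apple sender domain on its own does not prove a message is genuine; the findings are triage signals to weigh alongside the mail gateway's authentication results.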
Why do attackers use deletion threats specifically rather than other urgency tactics?
Personal photos and videos represent irreplaceable data for most people. The threat of permanent loss triggers a faster emotional response than account suspension or payment failure messages, reducing the time a recipient spends assessing whether the message is genuine before acting.
What should an organization do if an employee has entered credentials on a phishing page of this type?
The employee should immediately change their Apple ID password and enable two-factor authentication if not already active. Any work accounts or organizational email accessible through that Apple ID should be audited for unauthorized access, and the incident should be reported to the IT or security team so that any downstream organizational exposure can be assessed.
Why do attackers personalize these emails with names and specific dates?
Generic mass phishing emails are increasingly caught by spam filters trained to recognize templated fraud. Personalizing with the recipient's name, email address, and a specific deletion date makes the message look like a system-generated notification tied to the recipient's actual account, increasing the probability of a click and reducing the chance of automated filtering.
What is the relationship between cloud storage phishing and credential stuffing attacks?
Credentials harvested from phishing campaigns are often tested against other services through automated credential stuffing tools, because many users reuse the same password across Apple, Microsoft, Google, and corporate accounts. A single harvested Apple ID password can therefore provide access to far more than the victim's iCloud storage if the same credentials appear elsewhere.
