Apple’s own account-security email system is being weaponized in a clever new phishing scam, and it’s making fake “purchase” warnings look completely legitimate.
The campaign abuses Apple’s account change notification feature to slip a scam message into an email that is actually sent from Apple’s real mail infrastructure. That means the message can arrive from appleid@id.apple.com and still pass standard email authentication checks like SPF, DKIM, and DMARC. To most email systems, and to many people, it looks like a genuine Apple security alert because, technically, it is a real Apple email.
How the scam gets inside a real Apple email
The trick relies on how Apple builds certain automated notifications. A scammer first creates a normal Apple ID account. Then, instead of putting a phishing message in a separate email, the attacker inserts the scam text into the Apple ID profile itself by splitting the message across the account’s first name and last name fields (since one field alone may not allow enough characters).
Next, the attacker triggers Apple’s automated notification by making a small change to the account, such as updating shipping information. When Apple sends the standard “account change” alert, it pulls the user-provided profile fields into the email content. The result is a phishing message embedded inside a genuine Apple notification email, delivered through Apple’s own servers.
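To make the mechanism concrete, here is an added example that is not Apple's code and is not taken from the original report: a hypothetical account-change template that interpolates profile fields verbatim, the scam text split across the two name fields as described above, and a simple allowlist check that a service could run on display-name fields before rendering them. The template text, field names, dollar amount and phone number are all invented for the demonstration.

```python
"""
Illustration of user-controlled profile fields landing inside a trusted
notification email. Constructed example: not Apple's code, and the
template, field names and scam text below are invented.
"""
import re

# Hypothetical "account change" template (assumed, not Apple's real one).
TEMPLATE = (
    "Dear User,\n\n"
    "The following details on your account were updated:\n"
    "Name: {first_name} {last_name}\n"
    "Shipping: {shipping}\n\n"
    "If you did not make this change, review your account settings.\n"
)

# Scam text split across the two name fields so that neither field alone
# has to hold the whole message (constructed sample values).
ATTACKER_PROFILE = {
    "first_name": "User, your iPhone purchase of $899 via PayPal was approved.",
    "last_name": "To cancel, call +1 (555) 010-0199 within 24 hours.",
    "shipping": "1 Example Way",
}

PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
CURRENCY_RE = re.compile(r"[$€£]\s?\d")
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)


def render_notification(profile: dict) -> str:
    """Naive rendering: every profile field is interpolated as-is."""
    return TEMPLATE.format(**profile)


def name_field_problems(value: str, max_len: int = 40) -> list[str]:
    """Reasons a display-name field looks like injected message content."""
    problems = []
    if len(value) > max_len:
        problems.append("too long")
    if PHONE_RE.search(value):
        problems.append("contains phone number")
    if CURRENCY_RE.search(value):
        problems.append("contains currency amount")
    if URL_RE.search(value):
        problems.append("contains URL")
    if "\n" in value or "\r" in value:
        problems.append("contains line break")
    return problems


def render_checked(profile: dict) -> str:
    """Hardened rendering: suspicious name fields are not echoed back."""
    clean = dict(profile)
    for key in ("first_name", "last_name"):
        if name_field_problems(clean[key]):
            clean[key] = "[name withheld]"
    return TEMPLATE.format(**clean)


if __name__ == "__main__":
    print("--- naive rendering ---")
    print(render_notification(ATTACKER_PROFILE))
    print("--- checked rendering ---")
    print(render_checked(ATTACKER_PROFILE))
```

The naive rendering produces exactly the kind of body the article describes: a genuine template, a genuine sender, and a phone number the attacker controls in the middle of it. The point of the checked version is that the validation belongs on the service side, at profile-edit or render time, because nothing downstream in the mail path can tell the difference.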
What the phishing email says
The embedded text claims that an iPhone purchase—often listed as an $899 transaction—was made using PayPal, and urges the recipient to call a phone number to cancel the charge. That number is not Apple support.
If the victim calls, scammers typically escalate the pressure by claiming the Apple account has been compromised. From there, they may try to convince the person to install remote access software or to hand over sensitive financial and account details directly.
Why this bypasses typical spam and phishing defenses
Many spam filters and email-security tools weigh authentication signals heavily: whether the message really comes from the claimed domain and whether it passes SPF, DKIM, and DMARC. In this case, those checks can come back clean because the email is actually sent from Apple's infrastructure. The From address, the DKIM signing domain, and the sending servers are all genuinely Apple's, so domain-reputation and allowlist rules have nothing to catch either.
That’s why the biggest red flags aren’t technical—they’re in the content and formatting. Signs it’s a scam can include:
The email greets you with "Dear User" instead of your actual name
It references an iCloud email address that isn’t yours
It doesn’t include the kind of billing details Apple normally provides in real purchase receipts, such as a billing address
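The consequence for defenders is that a rule keyed only on authentication results will rate this message as legitimate, so any detection has to look at the body. The following added example (not part of the original report) parses a constructed sample message whose Authentication-Results header records SPF, DKIM, and DMARC passes, then applies the three content heuristics listed above plus a check for a phone number to call. The headers, addresses, amount and phone number are invented for the demonstration.

```python
"""
Content heuristics for a notification that passes SPF/DKIM/DMARC.
Added example, not from the original report. SAMPLE_EMAIL is a
constructed message; its headers, addresses and phone number are invented.
"""
import email
import re
from email.message import Message

SAMPLE_EMAIL = """\
From: Apple <appleid@id.apple.com>
To: victim@example.net
Subject: Your Apple ID information was updated
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=id.apple.com;
 dkim=pass header.d=id.apple.com; dmarc=pass header.from=id.apple.com
Content-Type: text/plain; charset=utf-8

Dear User,

The following details for attacker-account@icloud.com were updated:

Name: User, your iPhone purchase of $899 via PayPal was approved.
 To cancel, call +1 (555) 010-0199 within 24 hours.

If you did not make this change, review your account settings.
"""

PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
ICLOUD_RE = re.compile(r"[\w.+-]+@icloud\.com", re.IGNORECASE)


def auth_passed(msg: Message) -> bool:
    """True when the receiving MTA recorded SPF, DKIM and DMARC passes."""
    auth = " ".join(msg.get_all("Authentication-Results", []))
    return all(f"{mech}=pass" in auth for mech in ("spf", "dkim", "dmarc"))


def content_red_flags(msg: Message) -> list[str]:
    """The body-level signs from the article: generic greeting, an iCloud
    address that is not the recipient's, a phone number to call, and a
    charge mentioned without the billing details a real receipt carries."""
    body = msg.get_payload()
    recipient = (msg.get("To") or "").lower()
    flags = []
    if re.search(r"^\s*dear user\b", body, re.IGNORECASE | re.MULTILINE):
        flags.append("generic greeting")
    for addr in ICLOUD_RE.findall(body):
        if addr.lower() not in recipient:
            flags.append(f"references another iCloud account: {addr}")
    if PHONE_RE.search(body):
        flags.append("asks to call a phone number")
    if re.search(r"\$\s?\d", body) and "billing address" not in body.lower():
        flags.append("charge mentioned without billing details")
    return flags


def triage(raw: str) -> dict:
    """Authentication verdict alongside the content verdict."""
    msg = email.message_from_string(raw)
    return {"authenticated": auth_passed(msg), "red_flags": content_red_flags(msg)}


if __name__ == "__main__":
    result = triage(SAMPLE_EMAIL)
    print("authenticated:", result["authenticated"])
    for flag in result["red_flags"]:
        print("red flag:", flag)
```

Run against the sample, the message is fully authenticated and still raises all four flags. In a real mail pipeline these heuristics would sit after authentication, not instead of it, and a phone number inside an otherwise templated account alert is the single strongest signal here.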
What to do if you receive one of these Apple “purchase” alerts
Do not call any phone number shown inside an unsolicited Apple account notification, even if the email appears authentic. Instead, verify everything directly through your Apple account.
Check your purchase and account activity by visiting appleid.apple.com and reviewing recent changes and transactions. If you need support, use only the official Apple support contact methods found on Apple’s website—not a number included in a surprising email.
If anyone on the phone asks you to install remote access software or requests payment information to “secure” your account, end the call immediately. That’s a strong indicator you’re dealing with a scammer.
Apple has reportedly been made aware of the problem. At the time of reporting, the attack is still active and there is no confirmed fix in place, so staying cautious with unexpected Apple security emails is especially important right now.