Notebookcheck

Phishing scam abuses Apple's own notification system

Apple's account change notification system is being exploited to deliver phishing scams inside real emails from Apple's own servers.
A phishing campaign is abusing Apple's notification system to deliver scams inside real Apple emails that pass all authentication checks.

A new phishing campaign is exploiting Apple's account change notification system to deliver iPhone purchase scams inside emails sent directly from Apple's own servers. 

The emails pass SPF, DKIM, and DMARC authentication checks and originate from appleid@id.apple.com, making them indistinguishable from legitimate Apple security alerts at the technical level.

How the attack works

The method was first documented and replicated by BleepingComputer. An attacker creates a standard Apple ID and splits a phishing message across the account's first and last name fields, since no single field is large enough to hold the full text. The attacker then triggers Apple's automatic security notification system by making a minor change to the account's shipping information.

Because Apple pulls those user-supplied name fields directly into its alert emails, the phishing message is embedded inside a legitimate notification and delivered from Apple's own mail infrastructure. The email routes through Apple's outbound relay and clears every standard authentication check without issue.

What the email claims

The embedded message tells the recipient that an $899 iPhone was purchased through PayPal on their account, and includes a phone number to call and cancel the transaction. That number does not connect to Apple. Once on the call, victims are told their account has been compromised, and scammers push them to install remote access software or hand over financial details directly.

Why standard detection fails and what to do

Spam filters that score messages based on sender authentication pass this one cleanly. The sender address, domain, and infrastructure all belong to Apple. The structural tells are the only giveaway. The email opens with "Dear User" instead of the recipient's name, references an iCloud address that does not belong to them, and lacks the billing address that genuine Apple purchase receipts always include.
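The structural tells described above, written as a content check that runs on a message whose sender authentication has already passed. This is an added example, not code from Apple, BleepingComputer or Notebookcheck; the sample message, the tell names, the regular expressions and the `Authentication-Results` layout are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the article's description; not a captured message.
SAMPLE = """\
From: Apple <appleid@id.apple.com>
To: victim@example.com
Subject: Your Apple Account information has been updated
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass

Dear User,

Your $899 iPhone purchase via PayPal is confirmed. To cancel call
+1 (555) 010-0199 for other-user@icloud.com.

The shipping information for your Apple Account was updated.
"""

PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
ICLOUD = re.compile(r"[\w.+-]+@icloud\.com", re.I)
PURCHASE = re.compile(r"\$\s?\d+|paypal|purchase", re.I)

def auth_passes(raw: str) -> bool:
    """True when SPF, DKIM and DMARC all report pass (the case the article describes)."""
    ar = message_from_string(raw).get("Authentication-Results", "").lower()
    return all(f"{m}=pass" in ar for m in ("spf", "dkim", "dmarc"))

def content_tells(raw: str) -> list[str]:
    """Return the structural tells found in the body of an account-change notification."""
    msg = message_from_string(raw)
    body = msg.get_payload()  # sample is single-part text/plain
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    tells = []
    if re.match(r"\s*dear user\b", body, re.I):
        tells.append("generic-greeting")
    if PHONE.search(body):  # support numbers never appear in these notifications
        tells.append("phone-number-in-notification")
    if PURCHASE.search(body) and "billing address" not in body.lower():
        tells.append("purchase-claim-without-billing-address")
    if any(a.lower() != rcpt for a in ICLOUD.findall(body)):
        tells.append("foreign-icloud-address")
    return tells

if __name__ == "__main__":
    print("auth passes:", auth_passes(SAMPLE))
    print("content tells:", content_tells(SAMPLE))
```

A mail gateway rule built this way treats a passing authentication result as the precondition for the check rather than as a verdict.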

Do not call any number embedded in an unsolicited Apple alert. Check purchase history directly at appleid.apple.com. Apple's legitimate support numbers are listed on apple.com and will never appear inside an account change notification. If a caller asks you to install remote access software, hang up immediately.

Apple has been notified of the issue. No fix is currently in place and the attack remains active.

Darryl Linington, 2026-04-23 (Update: 2026-04-23)