Apple users are being targeted by a new phishing campaign that misuses legitimate account alert emails to trick them into calling fake support numbers.
Quick Summary – TLDR:
- Cybercriminals are abusing official Apple account alert emails to deliver phishing messages.
- The emails pass security checks and land directly in users’ primary inboxes.
- Victims are urged to call fake support numbers and may lose money or data.
- The attack uses callback phishing and social engineering instead of malicious links.
What Happened?
Hackers have found a way to manipulate Apple’s automated account alert system to send phishing messages that appear completely legitimate. These emails are generated by Apple’s own infrastructure, making them harder to detect and more convincing to users.
🚨 BREAKING: #BreakingNews Apple account change alerts abused to send fake iPhone purchase phishing scams within legitimate emails from Apple’s servers, boosting scam legitimacy and bypassing spam filters.#Apple #Tech #Phishing #Cybersecurity pic.twitter.com/M4jDV7xRx5
— Archange Shadow (@Archange_Shadow) April 19, 2026
How the Scam Works?
The attack begins with threat actors creating an Apple account and inserting a phishing message into profile fields such as the first name or address. Since these fields allow custom text, attackers split their scam message across multiple sections to fit the system limits.
Once the message is set, the attacker triggers a routine account update, such as changing shipping information. This action prompts Apple to send a standard account change notification.
Because Apple includes user provided details in these alerts, the phishing message becomes part of the official email. The result is a warning that looks authentic but contains a fake purchase claim and a phone number to call.
Some messages claim that an $899 iPhone purchase via PayPal has been made. The goal is simple, create panic and push the recipient to act quickly.
Why These Emails Are Hard to Detect?
Unlike traditional phishing emails, these messages are not spoofed. They are sent from Apple’s actual email servers and pass key authentication checks such as SPF, DKIM, and DMARC.
This means:
- The sender address is legitimate.
- The email passes standard security filters.
- There are no suspicious links to flag.
Most email security systems are designed to detect fake domains or malicious URLs. In this case, the attack avoids both, allowing the message to land directly in the main inbox.
Another tactic involves using mailing lists to distribute these emails to multiple targets. Even though the original notification may be tied to the attacker’s account, it still appears credible to recipients.
Subscribe To Our Newsletter!
Be the first to get exclusive offers and the latest news.
The Role of Callback Phishing
This campaign relies on a method known as callback phishing. Instead of asking users to click a link, the email urges them to call a support number.
Once on the call, scammers may:
- Ask for credit card or banking details.
- Claim the account has been compromised.
- Instruct users to install remote access software.
- Attempt to steal funds or sensitive data.
In earlier campaigns, similar tactics have led to malware infections and financial losses.
A Growing Trend in Phishing Tactics
This is not the first time attackers have exploited legitimate systems. A similar campaign previously abused iCloud Calendar invites to send fake purchase notifications.
What makes this campaign notable is how it leverages trusted infrastructure to bypass traditional defenses. It highlights how attackers are shifting toward more sophisticated social engineering methods.
How to Stay Safe?
Users should remain cautious when receiving unexpected account alerts, especially those involving large purchases or urgent actions.
Here are a few safety tips:
- Do not call phone numbers listed in unexpected emails.
- Log in to your account directly through the official website.
- Verify recent purchases using trusted sources.
- Be wary of urgent or alarming messages.
If something feels off, it probably is. Taking a moment to verify can prevent serious consequences.
SQ Magazine Takeaway
I think this is one of the smartest phishing tactics we have seen recently. It does not rely on fake emails or shady links. It uses trust against the user. That makes it far more dangerous.
If a message comes from a verified source, most people lower their guard. That is exactly what attackers are counting on. This is a reminder that even legitimate emails can carry threats if the system itself is being misused.
