Skip to Content
Security & privacy

Watch out! This elaborate Apple phishing attack will steal your identity

Have you recently received an email about an authorized purchase from your Apple account? You are not alone. There’s a big chance that it’s a new elaborate Apple ID phishing scam that’s spreading around.

In fact, some of our staff members here at have received variations of these phishing messages. They’re so cleverly disguised, I suspect that plenty of people are unfortunately falling for it.

As usual, these crafty crooks are sending out emails and creating websites that look like the real deal. Recognizing these fake messages can be difficult to the untrained ey, but we’re here to help.

Read on and learn about the latest Apple ID phishing scam that’s making the rounds and how to spot it before it’s too late.

Apple app purchase phishing scam

Here’s how this elaborate scam works. The scammers are now sending out phishing emails that are disguised as Apple App Store payment confirmations for apps you did not purchase. The idea behind this scam is that you’ll be more inclined to take the bait if you see unauthorized charges on your account.

Within these emails are links that are supposed to take you directly to the Apple website to view your purchase invoice and dispute the charges.

But note the tip-offs that this is not a legitimate email. The subject line says “Thankyou” and has two periods after “Apple”. An email from Apple would never be this sloppy.

In a more elaborate version of the scam, an attached PDF file appears to be the receipt for a recent app purchase. Aside from the dollar amount of the transaction, conveniently embedded in the PDF file are links for reporting a problem about the purchase and for refunds.

Image Credit: Bleeping Computer

You probably know what comes next, right? All these links redirect to a fake Apple ID login page. Similar to other elaborate phishing scams, the malicious page looks exactly like the real Apple Account management page.

Fake Apple page

Here’s where the real trickery begins. If you attempt to login with your Apple ID credentials, you’ll be directed to a page that says that your Apple ID has been “locked for security reasons.”

Image Credit: Bleeping Computer

Combined with the unauthorized app purchase and your locked account, you might think that your Apple account has indeed been hacked – exactly what these crooks are counting on.

This scam will clean you out

At this point, if you click the “Unlock Account” button, you will be taken to yet another fake verification page that asks for your personal information such as your full name, address, phone number, date of birth, and payment information.

Worse yet, the scammers are going all the way by asking for your sensitive details like your Social Security number, driver’s license number and your passport number, enough to completely steal your identity.

Now, here’s the clever part. Once your information is submitted, you will be redirected to an “Account Verification Complete” page stating that you will be automatically logged out of your Apple account for security purposes. Note: At this point, it’s game over. The scammers have everything they need from you.

Image Credit: Bleeping Computer

You will then land on the real Apple account management page, thinking that the account unlocking process is successful.

Note: Do you think you can spot a phishing scam? See this phishing email scam to see how good scammers can be.

Fake phishing pages are spreading

Elaborate phishing scams that use fake login pages that look like the real deal are becoming more common. To the unsuspecting eye, these pages can be easily perceived as authentic, so I could see many people falling for these scams.

This is why it’s important to carefully check the addresses or URLs of the websites you visit, especially login pages and payment portals.

If you get an unusual email or notification that’s exceptionally alarming, don’t click on its links. It could be a phishing attack.

If you want to verify if there are indeed unauthorized charges on your account, it’s always better to type a website’s address directly into a browser than clicking on a link.

Before you ever click on a link, hover over it with your mouse to see where it is going to take you. If the destination isn’t what the link claims, do not click on it.

More tips to protect yourself against phishing scams:

Stop robocalls once and for all

Robocalls are not only annoying, but they scam Americans out of millions every year. Learn Kim's tricks for stopping them for good in this handy guide.

Get the eBook