If you use Apple Pay, watch out for this clever phishing scam
iPhone and Mac users may think they’re immune to online attacks because of the high level of security provided by Apple products. (That’s not quite true, but that’s a discussion for another day.) This ignores, however, the dangers of phishing, which relies on tricking users into giving away vital data rather than overcoming a device’s defences.
This is important to understand because some phishing scams are extremely competent and difficult to spot, and even experienced tech users can be fooled. One such example is a new campaign, covered this week by AppleInsider, which uses Apple Pay and a fake “blocked transaction” notice to create a sense of urgency and bully victims into revealing their account and payment details.
The scam begins with an email. The sender poses as an Apple employee, reinforcing this impression with official-looking logos and formatting and a display name that looks like an official Apple address. The display name is free text chosen by whoever sends the message, so it proves nothing: hover over or expand the sender address and you’ll see the mail actually comes from another domain entirely. The sender claims to be contacting you to warn of possible fraud… but the only fraud is the one they’re trying to perpetrate.
Most Apple Pay communication is done through the Wallet app, so an email should automatically raise a red flag.
The email talks about a high-value Apple Pay purchase. Something went wrong with this, the sender claims: it originated from an unknown device at an unknown location, or was suspicious in some other way. So Apple blocked the payment and prevented that device from accessing the Apple Pay account in the future. But here’s the rub: if the recipient of the email doesn’t take action within a certain period of time to confirm it was a fraudulent attempt, Apple will assume it was actually fine and go ahead and process the transaction. You’re going to lose a large sum of money if you don’t act now.
This, as with almost all phishing attempts, is designed to create a sense of urgency. If the clock is ticking, the victim is less likely to take time to consider whether the email is legitimate, to seek advice or help from others, or even to contact Apple via its publicly available details. Instead, many users will do as they are instructed: Call the phone number in the email.
Needless to say, the number is not legitimate. It doesn’t lead to Apple support, but to someone who is part of the scam. And they will do everything they can to persuade you to reveal your Apple ID and other details (potentially including your banking information, which is where the “purchase” pretext comes in handy) that enable them to gain access to your accounts.
How to avoid getting caught out
This particular phishing campaign is likely to catch some people, given the generally high standard of impersonation at its various stages. But there are plenty of clues that should reveal its malign intentions. The fake display name has already been mentioned. AppleInsider also notes “awkward phrasing such as Hello {Name},” impossible IP addresses, and a phone number that clearly has nothing to do with Apple, as a quick Google shows.
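As an added illustration, not code from the article or from AppleInsider’s write-up, the following Python script screens a constructed sample message for the tells listed above: a display name claiming to be Apple on a domain that is not apple.com, an unfilled {Name} template field, a dotted quad that cannot be an IPv4 address, urgency phrasing, and an embedded phone number. The sample email, its phone number, IP address and dollar amount are all made up for the example, the list of urgency phrases is the example’s own, and so is the assumption that genuine Apple account mail comes from apple.com or one of its subdomains.

```python
"""Heuristic screen for the tells in the Apple Pay phishing email described above.

The sample message, the phone number, the IP address, the urgency phrase list
and the apple.com sender assumption are all constructed for this example.
"""
import ipaddress
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample modelled on the campaign described in the article.
# Every address, number and amount below is made up for the example.
SAMPLE_EMAIL = b"""From: "Apple Support" <support@appleid-security-center.example>
To: victim@example.com
Subject: Blocked Apple Pay transaction - action required
Content-Type: text/plain; charset=utf-8

Hello {Name},

A purchase of $1,299.00 via Apple Pay was blocked because it originated
from an unknown device at IP address 312.88.4.257.
If you do not confirm within 24 hours the transaction will be processed.
Call us now on +1 (000) 555-0199.
"""

# Assumption: mail from Apple about your account comes from apple.com or a
# subdomain of it. A display name that says "Apple" on any other domain is spoofed.
LEGITIMATE_DOMAIN = "apple.com"

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
PLACEHOLDER_RE = re.compile(r"\{[A-Za-z_]+\}")  # unfilled template fields such as {Name}
PHONE_RE = re.compile(r"\+?\d{1,2}[\s.-]?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URGENCY_PHRASES = ("within 24 hours", "do not confirm", "will be processed",
                   "act now", "immediately", "call us now")


def sender_mismatch(from_header: str) -> bool:
    """True when the display name claims Apple but the real address is elsewhere."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    claims_apple = "apple" in display.lower()
    on_apple = domain == LEGITIMATE_DOMAIN or domain.endswith("." + LEGITIMATE_DOMAIN)
    return claims_apple and not on_apple


def impossible_ips(text: str) -> list[str]:
    """Dotted quads in the text that cannot be IPv4 addresses (an octet above 255)."""
    bad = []
    for candidate in IPV4_RE.findall(text):
        try:
            ipaddress.IPv4Address(candidate)
        except ValueError:
            bad.append(candidate)
    return bad


def analyze(raw: bytes) -> dict:
    """Parse one RFC 5322 message and collect the red flags found in it."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    lowered = body.lower()
    return {
        "spoofed_sender": sender_mismatch(str(msg["From"] or "")),
        "unfilled_placeholders": PLACEHOLDER_RE.findall(body),
        "impossible_ips": impossible_ips(body),
        "urgency_phrases": [p for p in URGENCY_PHRASES if p in lowered],
        "phone_numbers": PHONE_RE.findall(body),
    }


def red_flag_count(findings: dict) -> int:
    """Number of independent tells present; anything above zero deserves a closer look."""
    return sum(1 for value in findings.values() if value)


if __name__ == "__main__":
    result = analyze(SAMPLE_EMAIL)
    for key, value in result.items():
        print(f"{key:22} {value}")
    print("red flags:", red_flag_count(result))
```

Run it as a script and it prints each finding for the sample message, which trips all five checks. None of these tells is proof on its own, and the display-name check only catches senders who bother to claim Apple in the name; the authoritative sender check is the SPF, DKIM and DMARC result your mail provider records in the message headers, which a script like this can read but cannot replace.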
Also, Apple will send a push notification through the Wallet app to inform you of any declined purchases. And they will never approve a potentially fraudulent transaction because you haven’t responded to a message.
More generally, any message that relies so heavily on creating a sense of urgency should be regarded with suspicion. It’s important to respond to such messages carefully, rather than rushing. Double-check all the details in the email. Google the numbers given, and some phrases from the message to see if it’s a common scam. Speak to a friend or loved one if they are more technically adept than you. For more advice, read How to protect yourself from phishing emails.
In this case, contacting Apple itself (using the contact details on its website, of course, rather than the phone number given in the message) should quickly reveal that there’s nothing to worry about. Except for the phishing scam you just avoided.