Morning Overview

iPhone phishing emails spoof Apple servers using real account alerts

The email looks like every other Apple account notification you have ever received. It carries a valid DKIM signature tied to id.apple.com, originates from an Apple-owned IP address, and sails past every spam filter your inbox relies on. But buried inside the message is a phone number that connects to a scam call center, not Cupertino. A phishing campaign first documented by security researchers in 2025 is still active as of April 2026, and it works by turning Apple’s own notification system into a delivery mechanism for tech support fraud.

How the attack abuses Apple’s email pipeline

Traditional phishing relies on forged headers and lookalike domains. This campaign skips all of that. Instead, an attacker registers a new Apple account and manipulates the account-change workflow so that Apple’s servers generate a genuine “account updated” email addressed to the intended victim. The message passes SPF, DKIM, and DMARC, the three authentication checks that email providers use to verify sender legitimacy. Named internal Apple relay hosts appear in the headers, reinforcing the appearance of a routine notification.

Because the email genuinely originates from Apple infrastructure, most security filters treat it as trusted. Researchers at Malwarebytes, who published a detailed breakdown of the technique, classify it as callback phishing: the message itself contains no malicious links or attachments. Instead, it includes an urgent prompt telling the recipient to call a number for “verification.” Once a victim dials in, the scammer impersonates Apple support and requests remote device access, payment for fictitious repairs, or sensitive credentials. The fact that the original email passes every technical authenticity check raises victim trust far beyond what a conventional spoofed message could achieve.

Apple’s guidance, but no direct response

Apple has not publicly addressed the abuse of its account-alert system. The company’s existing anti-phishing documentation, published on a support page covering social engineering schemes, states that Apple will never ask users for passwords, passcodes, or two-factor authentication codes through email or phone. Apple also says it will never ask anyone to disable security features on a device. Users who receive suspicious messages are directed to forward them to [email protected].

Those guidelines remain the closest thing to an official response. Whether Apple has taken backend steps to prevent attackers from weaponizing its notification pipeline, or whether the issue has been raised through Apple’s security research channels, is not publicly known. Apple did not respond to a request for comment at the time of the original Malwarebytes report, and no updated statement has surfaced since.

No hard numbers on victims or losses

Quantitative data on how many people have received these emails or lost money does not exist in public reporting. The campaign’s reach is documented only through independent security analyses and anecdotal user reports. Neither the FTC nor the FBI has published case data tied specifically to this variant, though both agencies maintain standing guidance on tech support fraud. The FTC warns that unsolicited tech support outreach is a scam even when a sender address looks legitimate, and the FBI offers reporting through IC3 for anyone who encounters such schemes.

Tech support scams as a broader category caused more than $1.3 billion in reported losses in 2023, according to the FBI’s Internet Crime Report. That figure covers every variant, not just this Apple-specific method. Readers should treat it as context for the threat category rather than a measurement of this campaign’s individual impact.

Why standard email defenses fail here

The strongest evidence in this story is structural, not statistical. The email headers confirm that SPF, DKIM, and DMARC all pass with Apple-controlled domains and IP addresses. That detail is verifiable by anyone who receives one of these messages and inspects the raw source. It is also the detail that separates this campaign from ordinary phishing: traditional spoofed emails fail at least one of those checks, giving filters a reason to quarantine them. When the message is technically real, the filter has nothing to flag.
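The gap described above, that a message passing SPF, DKIM and DMARC gives an authentication-based filter nothing to flag, can be partly closed with content-level rules that treat authentication as necessary but not sufficient. The following is an added example, not code from the article, from Malwarebytes or from Apple: it parses a constructed notification with the Python standard library, reads the receiving server's Authentication-Results verdicts, and then scores the body for the callback-phishing shape the article describes (a phone number plus urgency wording and no links). The two sample messages, their header values and the `analyze` function are all constructed for this example.

```python
import re
from email import message_from_string, policy

# Mechanism=verdict pairs inside an Authentication-Results header added by the
# receiving MTA. An inbound filter must strip any such header that arrived from
# outside before trusting it; this example assumes that has already been done.
AUTH_RE = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|softfail|neutral|none|temperror|permerror)\b", re.I)
# North American phone-number shapes; extend for other regions as needed.
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
URL_RE = re.compile(r"https?://\S+", re.I)
URGENCY_TERMS = ("immediately", "call", "verify", "within 24 hours", "suspended", "unauthorized")

# Constructed sample: authentication passes, but the body carries a callback number.
SUSPECT_RAW = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=id.apple.com;
 dkim=pass header.d=id.apple.com;
 dmarc=pass header.from=id.apple.com
From: Apple <noreply@id.apple.com>
To: recipient@example.net
Subject: Your account information was updated
Content-Type: text/plain; charset=utf-8

Your account information was changed.
If you did not make this change, call 1-800-555-0199 immediately to verify your identity.
"""

# Constructed sample: same authentication results, ordinary notification body.
BENIGN_RAW = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=id.apple.com;
 dkim=pass header.d=id.apple.com;
 dmarc=pass header.from=id.apple.com
From: Apple <noreply@id.apple.com>
To: recipient@example.net
Subject: Your account information was updated
Content-Type: text/plain; charset=utf-8

Your account information was changed.
If this was not you, sign in at https://account.example.net/review and check your settings.
"""


def parse_auth_results(msg):
    """Collect the verdict for each of spf, dkim and dmarc from Authentication-Results."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RE.findall(str(header)):
            results[mech.lower()] = verdict.lower()
    return results


def body_text(msg):
    """Return the text of the preferred body part, or an empty string if none exists."""
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def analyze(raw):
    """Score a raw RFC 5322 message for the callback-phishing pattern."""
    msg = message_from_string(raw, policy=policy.default)
    auth = parse_auth_results(msg)
    text = body_text(msg)
    lowered = text.lower()
    phones = sorted({m.group(0) for m in PHONE_RE.finditer(text)})
    urgency = [t for t in URGENCY_TERMS if re.search(r"\b" + re.escape(t) + r"\b", lowered)]
    links = URL_RE.findall(text)
    auth_ok = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    # Passing authentication proves the sending domain, not the sender's intent:
    # a phone number plus urgency wording and no links is the shape to hold for review.
    callback_suspect = bool(phones) and bool(urgency) and not links
    return {
        "auth": auth,
        "auth_ok": auth_ok,
        "phones": phones,
        "urgency": urgency,
        "link_count": len(links),
        "callback_suspect": callback_suspect,
        "action": "hold-for-review" if callback_suspect else "deliver",
    }


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_RAW), ("benign", BENIGN_RAW)):
        print(label, analyze(raw))
```

The verdict deliberately ignores `auth_ok` when deciding to hold the message: a notification from a domain with passing SPF, DKIM and DMARC is exactly the case the article describes, so authentication is recorded for the analyst but never used as a reason to skip the body checks.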

This is not the first time a major platform’s notification system has been turned against its users. Google and PayPal have both dealt with similar abuse, where attackers triggered legitimate transactional emails and embedded scam content within fields the platforms did not sanitize. The pattern suggests a systemic weakness in how automated notification systems handle user-supplied input, not a flaw unique to Apple.

What iPhone owners should do right now

Apple’s published guidance functions as a reliable filter regardless of how convincing a sender address looks. Any email or call that asks for a password, a passcode, a two-factor code, or the disabling of a security feature falls outside Apple’s stated practices. If a message passes every technical check but asks for something Apple says it never requests, the message is fraudulent. Do not call any phone number included in an unexpected account alert.

For anyone who has already interacted with one of these emails or called the number provided, the priority is to change the Apple account password immediately through Settings on the device itself, not through any link or phone number in the suspicious message. Enable or verify that two-factor authentication is active. After securing the account, forward the email to [email protected] and file a report with the FBI’s Internet Crime Complaint Center at ic3.gov. Acting quickly limits the window an attacker has to exploit any credentials or access already shared.

The fix Apple still needs to ship

This campaign exposes a gap between what email authentication standards verify and what users assume they verify. SPF, DKIM, and DMARC confirm that a message actually came from the domain it claims. They do not confirm that the person who triggered that message had good intentions. As long as attackers can create accounts and prompt legitimate notification emails directed at arbitrary addresses, those authentication stamps will shield the scammer as effectively as they shield the brand.

A durable fix will need to come from Apple’s side, inside the logic that decides who receives account-change alerts and under what conditions. Rate-limiting alert generation per new account, restricting the recipient field on automated notifications, or adding a verification step before alerts are dispatched to external addresses are all plausible mitigations. Until something changes, the most trustworthy-looking email in your inbox may be the one you should trust the least.
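The mitigations listed above (rate-limiting alert generation for young accounts, binding the recipient of an automated notification to an address the account holder has verified, and keeping unsanitized user-supplied text out of the template) can be sketched as policy checks that sit in front of a notification sender. The code below is an added example of such a hypothetical notifier; it is not Apple's implementation and is not based on any knowledge of it. The `Account` record, the `display_name` field assumed to be user-controlled, the limits and the message template are all assumptions made for illustration.

```python
import html
import re
import time
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)
MAX_FIELD_LEN = 64

# Assumed template; the only interpolated value is passed through sanitize_field().
TEMPLATE = ("Hello {name},\n\nYour account information was updated. If this was not you, "
            "review your account from Settings on your device.\n")


@dataclass
class Account:
    """Hypothetical account record; verified_email is None until the holder confirms it."""
    account_id: str
    verified_email: Optional[str]
    created_at: float  # Unix time the account was created


class AlertPolicyError(Exception):
    """Raised when sending an alert would violate the dispatch policy."""


def sanitize_field(value: str) -> str:
    """Neutralize a user-supplied string before it is placed in an email template."""
    value = value.replace("\r", " ").replace("\n", " ")  # no header or body injection
    value = PHONE_RE.sub("[removed]", value)              # no callback numbers in notices
    value = URL_RE.sub("[removed]", value)                # no attacker-chosen links
    value = value[:MAX_FIELD_LEN]
    return html.escape(value, quote=True)


class Notifier:
    """Dispatches account-change alerts only to verified, bound, rate-limited recipients."""

    def __init__(self, *, young_account_seconds=86400, max_alerts_young=1,
                 max_alerts_normal=5, window_seconds=3600, now=time.time):
        self.young_account_seconds = young_account_seconds
        self.max_alerts_young = max_alerts_young
        self.max_alerts_normal = max_alerts_normal
        self.window_seconds = window_seconds
        self.now = now                      # injectable clock for testing
        self._sent = defaultdict(list)      # account_id -> send timestamps
        self.outbox = []                    # stands in for the real mail transport

    def _allowed_by_rate_limit(self, account: Account) -> bool:
        t = self.now()
        recent = [s for s in self._sent[account.account_id] if t - s < self.window_seconds]
        self._sent[account.account_id] = recent
        is_young = t - account.created_at < self.young_account_seconds
        cap = self.max_alerts_young if is_young else self.max_alerts_normal
        return len(recent) < cap

    def send_account_updated(self, account: Account, recipient: str, display_name: str) -> str:
        if account.verified_email is None:
            raise AlertPolicyError("address not verified; alert withheld")
        if recipient.lower() != account.verified_email.lower():
            raise AlertPolicyError("recipient is not the verified address on file")
        if not self._allowed_by_rate_limit(account):
            raise AlertPolicyError("alert rate limit exceeded for this account")
        body = TEMPLATE.format(name=sanitize_field(display_name))
        self._sent[account.account_id].append(self.now())
        self.outbox.append({"to": recipient, "body": body})
        return body


def run_policy_checks() -> dict:
    """Exercise the policy against constructed inputs and report what each check produced."""
    clock = [1_000_000.0]
    notifier = Notifier(now=lambda: clock[0])
    young = Account("acct-1", "holder@example.net", created_at=clock[0] - 60)
    results = {}
    body = notifier.send_account_updated(
        young, "holder@example.net", "Call 1-800-555-0199 now <b>urgent</b>")
    results["phone_stripped"] = "555-0199" not in body
    results["html_escaped"] = "<b>" not in body

    def refused(**kw):
        try:
            notifier.send_account_updated(**kw)
        except AlertPolicyError:
            return True
        return False

    results["young_rate_limited"] = refused(
        account=young, recipient="holder@example.net", display_name="x")
    results["foreign_recipient_refused"] = refused(
        account=young, recipient="victim@example.org", display_name="x")
    unverified = Account("acct-2", None, created_at=clock[0] - 10 ** 6)
    results["unverified_refused"] = refused(
        account=unverified, recipient="someone@example.org", display_name="x")
    clock[0] += notifier.window_seconds + 1  # move past the rate-limit window
    results["allowed_after_window"] = not refused(
        account=young, recipient="holder@example.net", display_name="x")
    return results


if __name__ == "__main__":
    print(run_policy_checks())
```

The three checks are ordered so that the cheapest structural refusals (unverified or unbound recipient) happen before any rate-limit state is touched, and the sanitizer runs at template insertion rather than at input time, so a value that was stored before the rule existed is still neutralized when it is rendered.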

*This article was researched with the help of AI, with human editors creating the final content.