A wave of fraudulent emails disguised as iCloud storage warnings is hitting inboxes in the United States and the United Kingdom, and the goal is not to help anyone free up space. The messages carry subject lines like “Your photos will be deleted,” display Apple’s familiar branding, and include an “upgrade” button that leads to a phishing site built to harvest bank account numbers, card details, and login credentials. Authorities on both sides of the Atlantic have issued alerts about the campaign, which preys on a specific fear shared by hundreds of millions of iPhone owners: losing years of photos, messages, and backups stored in iCloud.
How the scam works
The playbook is consistent. A target receives an email that looks like an official Apple notification, warning that their iCloud storage is full or that their account has been suspended. The message urges immediate action, typically through a button labeled “Upgrade Storage” or “Update Payment Method.” Clicking that button does not open anything belonging to Apple. Instead, it loads a fraudulent website that copies Apple’s fonts, color palette, and page layout closely enough to fool anyone moving quickly. Once there, victims are prompted to enter credit card numbers, banking credentials, and sometimes their Apple ID password.
What makes the scheme effective is not technical sophistication. It is emotional leverage. iCloud holds device backups, photo libraries, saved passwords, and documents for an estimated one billion active Apple devices worldwide. A threat to delete that data triggers an impulse to act first and think later, which is exactly what the attackers are counting on.
What authorities are saying
In Massachusetts, the state attorney general’s office published a consumer alert warning residents about phishing emails that impersonate Apple. The advisory notes that some messages reference recent purchases or subscription renewals to appear more believable, and it urges people never to click links in unsolicited emails. Instead, the office recommends checking account status directly through Apple’s official website or through Settings on an iPhone or iPad. It also directs recipients to forward suspicious messages to [email protected], Apple’s dedicated channel for investigating fraudulent communications.
In the United Kingdom, the National Cyber Security Centre has asked anyone receiving a suspicious iCloud-related message to forward it to [email protected]. The agency says that even a single forwarded email helps analysts identify emerging campaigns, request takedowns of phishing domains, and feed data into broader threat intelligence systems used by internet service providers and law enforcement.
Reporting by The Guardian in April 2026 added real-world detail to those official warnings. The outlet described readers who received emails threatening imminent deletion of their iCloud photos, with the upgrade button leading to a convincingly branded fake login page. Some victims told the paper they only realized they had been scammed after spotting unfamiliar charges on their bank statements, often tied to overseas transactions they had never authorized.
How to spot a fake Apple email
Apple has published guidance on identifying phishing attempts that applies directly to these iCloud storage scams. A few red flags stand out:
- Sender address: Legitimate Apple emails come from domains ending in @apple.com. Phishing messages often use addresses that look similar but include extra words or misspellings, such as @icloud-support-update.com.
- Urgency and threats: Apple does not threaten to delete your data via email or demand immediate payment to prevent file loss.
- Hover before you click: On a computer, hovering over a link reveals the actual URL in the bottom corner of the browser. If it does not point to apple.com, do not click it. On a phone, press and hold the link to preview the destination.
- Generic greetings: Messages that open with “Dear Customer” or “Dear iCloud User” rather than your actual name are a common indicator of mass phishing.
- Spelling and grammar: While some phishing emails are polished, many still contain awkward phrasing or minor errors that a company like Apple would not let through.
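The sender-address and link-destination checks from the list above, automated as an added example (not code from Apple or from the original article). It assumes apple.com is the only trusted domain, as the article states; both sample messages and the `.example` link host are constructed.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = ("apple.com",)  # assumption: the one legitimate domain the article names

def is_trusted_host(host):
    """True only for a trusted domain itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag: the URL that hovering would reveal."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def check_message(raw):
    """Return (kind, domain) findings for anything not under TRUSTED."""
    msg = message_from_string(raw)
    findings = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not is_trusted_host(sender_domain):
        findings.append(("sender", sender_domain))
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = LinkCollector()
        collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
        for href in collector.hrefs:
            url = urlsplit(href)
            if url.scheme in ("http", "https") and not is_trusted_host(url.hostname):
                findings.append(("link", url.hostname or ""))
    return findings

# Constructed samples: a lookalike sender plus a link that merely starts with "apple.com".
PHISH = ('From: "Apple Support" <billing@icloud-support-update.com>\n'
         'Subject: Your photos will be deleted\nContent-Type: text/html\n\n'
         '<a href="https://apple.com.storage-upgrade.example/upgrade">Upgrade Storage</a>\n')
LEGIT = ('From: Apple <no_reply@email.apple.com>\nContent-Type: text/html\n\n'
         '<a href="https://www.apple.com/legal/">Terms</a>\n')

if __name__ == "__main__":
    print(check_message(PHISH))
    print(check_message(LEGIT))
```

The From header can be forged, so an empty result is not proof that a message is genuine; the check only catches the lookalike domains described above.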
What to do if you already clicked
If you opened one of these emails, clicked the link, and entered any payment or login information, speed matters. Here is what security experts and consumer protection agencies recommend:
- Call your bank or card issuer immediately. Report potential fraud, ask for a card freeze or replacement, and review recent transactions for charges you do not recognize.
- Change your Apple ID password. Do this through appleid.apple.com or through Settings on your device. Choose a password you have not used anywhere else.
- Turn on two-factor authentication. If it is not already enabled on your Apple account, activate it now. This adds a verification step that makes it significantly harder for someone to access your account with a stolen password alone.
- Forward the email to [email protected]. This helps Apple investigate the fraudulent domain and work with hosting providers to take it down.
- File a report with your national consumer protection agency. In the U.S., that means the FTC’s fraud reporting portal. In the UK, use Action Fraud.
Acting within hours rather than days can be the difference between a blocked charge and a drained account.
What we still do not know
Despite the official alerts and press coverage, significant gaps remain. No government agency or private researcher has released victim counts, financial loss totals, or geographic breakdowns specific to this campaign. The Massachusetts alert and the NCSC guidance both describe the threat in general terms without disclosing complaint volumes. Apple has not issued a press release or security advisory focused on this particular wave of phishing, though the company routinely works behind the scenes with email providers and domain registrars to disrupt such operations.
Attribution is also unclear. Phishing campaigns like this one are typically run by loosely organized criminal networks that rotate domains, email templates, and hosting providers to stay ahead of takedowns. No law enforcement agency has publicly named suspects or announced arrests connected to these iCloud storage emails. Without indictments or court filings, the question of who is orchestrating the campaign remains open.
Banks have been similarly quiet. No major financial institution has disclosed how often stolen details from iCloud-themed phishing sites lead to completed fraud or chargebacks. That silence makes it difficult to measure the real-world financial toll beyond the individual stories collected by journalists.
Why this keeps working
The pattern behind this scam is not new, but it remains effective because it targets a service people depend on daily and ties the threat to something deeply personal. Nobody wants to lose a decade of family photos or the only backup of their contacts and messages. That emotional weight is the entire mechanism. The emails do not need to be technically advanced. They just need to make you feel like you are about to lose something irreplaceable and that clicking one button will fix it.
The single most reliable defense is also the simplest: pause before you click. If you receive an email about your iCloud storage, close the message, open your iPhone’s Settings app, tap your name at the top, and check your storage status directly. If there is a real problem, Apple will show it to you there. If there is not, you have just saved yourself from handing your bank details to a stranger.
*This article was researched with the help of AI, with human editors creating the final content.