A text message lands on your iPhone: someone just charged $999 to your account for a device you never ordered. Before you can process the shock, your phone rings. The caller ID shows your bank’s name. A calm, professional voice says they’re from the fraud department and they’re here to help. All they need is your login or a one-time security code to “reverse” the charge.
It’s a scam, and as of spring 2026, it is still catching people off guard.
Federal agencies have tracked this two-step scheme for years. It pairs a fake purchase alert, often styled to look like an Apple or bank notification, with a spoofed phone call designed to extract credentials and drain accounts. The technique keeps working because it exploits a natural reaction: panic over an unauthorized charge, followed by relief when someone who sounds like a bank employee offers to fix it.
How the attack works
The FBI’s Internet Crime Complaint Center (IC3) has outlined the playbook in a public service announcement. It starts with an unsolicited text that mimics a fraud alert or purchase confirmation. The message may reference a specific product, like an iPhone or MacBook, and include a link or phone number to “dispute” the charge.
Victims who engage, whether by tapping a link, replying, or calling back, are connected to a scammer posing as a fraud specialist. The caller’s number is spoofed to match the bank’s real customer-service line, lending false credibility. From there, the impostor walks the victim through steps that sound protective but are designed to hand over account access: reading back a one-time passcode, confirming login credentials, or authorizing a “temporary” transfer to a “safe” account.
Once the scammer has what they need, they move fast. Funds are routed through instant-payment platforms and peer-to-peer services that settle in minutes, making recovery extremely difficult after the transfer completes.
Why it keeps working
The design is psychologically layered. A $999 charge you didn’t make triggers genuine alarm, especially if you’ve recently used your card online or worry about identity theft. The follow-up call arrives while that anxiety is fresh, and the spoofed caller ID removes the one cue most people rely on to verify legitimacy. By the time the scammer asks for a passcode, the victim has already accepted the caller as a real bank employee.
In many cases documented by regulators, scammers even coach victims through their bank’s own security checks. If the bank sends a legitimate verification code, the impostor instructs the victim to read it aloud, claiming it’s needed to “cancel” the fraudulent charge. That code actually lets the scammer reset passwords or approve high-value transactions. Some victims have reported losing savings or retirement balances in a matter of minutes.
What federal data shows
A June 2023 analysis by the Federal Trade Commission found that bank impersonation was the single most reported type of text message scam in 2022, with consumers reporting $330 million in total losses from text-based fraud that year. The FTC noted that these attacks typically begin with a message mimicking a trusted institution, then escalate into direct contact where the scammer pressures the victim to share codes, passwords, or other sensitive information.
The agency has also warned that scammers increasingly use layered impersonation to target older adults and people who rely heavily on mobile banking, sending what look like legitimate alerts about suspicious transfers and then following up with calls or chat messages that appear to come from the same institution.
No federal dataset breaks out iPhone-branded purchase alerts as a separate category. The FTC’s figures cover all text scams, and the FBI’s advisory describes the fraud-alert-to-callback pattern without naming specific products. That means the exact scale of Apple-themed lures is not quantified in public data. But the pattern fits squarely within what both agencies describe: scammers impersonate major brands and tech companies to manufacture urgency, then pivot to bank impersonation to extract money. Given the size of Apple’s user base and the trust consumers place in App Store and Apple Pay notifications, iPhone-themed hooks are a logical and widely reported variation.
It’s also worth noting that both the FTC analysis and the FBI advisory draw on data from 2022 and earlier. Neither reflects conditions in 2025 or 2026, though consumer advocates and security researchers say the underlying tactics have only grown more sophisticated in the years since.
How to protect yourself
The guidance from the FTC and FBI is consistent and straightforward:
- Don’t tap links in unsolicited texts. If a message claims there’s a problem with your account, go directly to your bank’s app or website. Don’t use any link or phone number in the message itself.
- Don’t trust caller ID. Scammers can spoof any number, including your bank’s real customer-service line. If someone calls about a suspicious charge, hang up and call your bank using the number on the back of your debit or credit card.
- Never share one-time passcodes or login credentials over the phone. Your bank will not call you and ask for these. A caller who requests them is not from your bank.
- Be skeptical of urgency. Scammers create time pressure (“your account will be locked in 30 minutes”) to override your judgment. A real fraud department will give you time to verify.
- Report suspicious texts to Apple. Forward phishing messages to [email protected]. On iPhone, you can also report junk messages directly from the Messages app by tapping “Report Junk” beneath the conversation.
If you’ve already engaged with a scammer
Anyone who shared credentials, read back a security code, or authorized a transfer should act immediately:
- Contact your bank’s fraud department using a verified number and request a freeze on affected accounts.
- Change passwords for your online banking and any accounts that share the same credentials.
- Monitor your accounts and credit reports for unauthorized activity.
- File a complaint with the FTC through its online fraud reporting portal. Reports can be filed even if no money was lost, and they help federal agencies track emerging patterns.
- File a report with the FBI’s IC3, especially if funds were transferred.
Under federal Regulation E, banks are generally required to investigate and reimburse unauthorized electronic transfers. However, transactions the victim authorized, even under false pretenses, can fall into a gray area. If your bank denies a dispute, you can escalate the complaint to the Consumer Financial Protection Bureau.
The bottom line: a text about a purchase you didn’t make is not a set of instructions to follow. It’s a prompt to verify your accounts through channels you trust. The scammer’s entire strategy depends on you reacting before you think. The simplest defense is to slow down, hang up, and call your bank yourself.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.
