Apple Pay phishing scam steals 2FA codes in real-time vishing attack


Security researchers on Friday are warning Apple users about a sophisticated phishing scam that tricks victims into believing their Apple Pay account has been hacked – then steals their login credentials and two-factor authentication (2FA) codes in real time.

A new blog post from Malwarebytes says scammers begin their attacks by sending a convincing email posing as an urgent Apple Pay fraud alert.


The realistic-looking email ticks all the boxes, say researchers, featuring an official Apple logo, nearly identical formatting, a case ID, timestamp, "and a subject line designed to make the target’s stomach drop.”

How the fake Apple Pay alert works

Warning the recipient that “Apple” has blocked an erroneous payment attempt on their Apple Pay account, the email further creates a sense of urgency, stating the account could be at risk if they don’t respond.

“In some cases, there was even an ‘appointment’ booked on their behalf to ‘review fraudulent activity,’ plus a phone number they should call immediately if the time didn’t work,” Malwarebytes said.

The researchers say the blocked payments were for large dollar amounts, in the hundreds or thousands of dollars, chosen to make the recipient anxious enough to act without thinking.

The exact wording of the message (as seen below) warns of “irregular actions connected to your Apple iCloud account: This includes a recent pre-authorization attempt for $142.93 at "APPLE STORE – CA" using Apple Pay,” also adding that there were multiple efforts to “access the account and set up Apple Pay.”

Malwarebytes Apple Pay phishing text
Fake unauthorized transactions submitted by users included an Apple Gift Card purchase for $279.99 and an Apple Store receipt for a 2025 MacBook Air 13-inch laptop with M4 chip priced at $1,157.07. Image by Malwarebytes.

The message also tells the user that “stored photos, data, and card information” are at risk, and that if they don’t talk to an Apple Specialist, the charge could go through with no chance of reimbursement.

“Reach out to us quickly to dispute this transaction,” the email says, providing a live phone number staffed by the scammers.

The real-time 2FA trap

This is where it gets really phishy, so to speak.

If the target is duped by the scam and calls the number, a purported Apple Billing & Fraud Prevention agent guides the victim through a scripted series of “harmless-sounding checks” designed to verify their identity and account information.

After the victim has provided personal details such as “your name, the last four digits of your phone number, what Apple devices you own, and so on,” the call escalates.

It all leads to the critical moment when the scammer asks the victim to confirm their Apple ID email address and read aloud their Apple ID verification codes.

hackers phishing
Scammers are bypassing 2FA in real time in the latest phishing campaign targeting Apple Pay users. Image by Cybernews.

The victim then receives a “real-looking Apple ID verification code” via text. The code is triggered in real time by the scammers themselves, who are entering the victim’s credentials into an Apple sign-in while still on the call; the moment the victim reads the code back, the scammers complete that sign-in, and two-factor authentication has been bypassed without being broken.

Still on the line, the fake agents continue to pressure the victim to check their bank accounts and Apple Pay cards, harvesting additional login codes and payment data.
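The following is an added, constructed simulation of the real-time code relay described above; it is not code from Malwarebytes or Cybernews and does not model Apple’s actual sign-in system. The service, account, password and IP address are hypothetical. It shows the one property that makes the scam work: the code the victim receives is genuine and is bound to the attacker’s sign-in attempt, so the only control left is the victim not reading it out.

```python
"""Simulation of a real-time one-time-code relay (vishing pattern).

Constructed example. The AuthService below is a hypothetical password +
texted-code login, not Apple's implementation. The attacker holds the
victim's password (assumed stolen or phished earlier) and is on the phone
with the victim while signing in.
"""
import hmac
import re
import secrets
import time
from dataclasses import dataclass, field

CODE_TTL_SECONDS = 120  # assumed code lifetime


@dataclass
class PendingLogin:
    account: str
    code: str
    issued_at: float
    from_ip: str  # where the sign-in attempt that produced this code came from


@dataclass
class Phone:
    """The victim's handset: it only receives texts."""
    inbox: list = field(default_factory=list)

    def receive(self, text: str) -> None:
        self.inbox.append(text)


class AuthService:
    """Hypothetical two-step login: password check, then a 6-digit texted code."""

    def __init__(self) -> None:
        self.passwords: dict[str, str] = {}
        self.phones: dict[str, Phone] = {}
        self.pending: dict[str, PendingLogin] = {}  # session id -> challenge
        self.sessions: set[str] = set()  # fully authenticated session ids

    def register(self, account: str, password: str, phone: Phone) -> None:
        self.passwords[account] = password
        self.phones[account] = phone

    def begin_login(self, account: str, password: str, from_ip: str):
        """Step 1: verify the password. On success, text a code to the account's phone."""
        if not hmac.compare_digest(self.passwords.get(account, ""), password):
            return None
        session_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[session_id] = PendingLogin(account, code, time.time(), from_ip)
        # The genuine service tells the phone where the attempt originated.
        self.phones[account].receive(
            f"Your verification code is {code}. Sign-in attempt from {from_ip}."
        )
        return session_id

    def finish_login(self, session_id: str, code: str) -> bool:
        """Step 2: verify the code. It belongs to whoever started the session."""
        p = self.pending.get(session_id)
        if p is None or time.time() - p.issued_at > CODE_TTL_SECONDS:
            return False
        if not hmac.compare_digest(p.code, code):
            return False
        del self.pending[session_id]
        self.sessions.add(session_id)
        return True


def extract_code(text: str) -> str:
    """Pull the 6-digit code out of a text, as the victim would when reading it aloud."""
    m = re.search(r"\b(\d{6})\b", text)
    return m.group(1) if m else ""


def relay_attack(victim_reads_code_aloud: bool) -> bool:
    """Run the vishing flow once. Returns True if the attacker ends up signed in."""
    svc = AuthService()
    phone = Phone()
    # Constructed victim; the password is assumed to be already in the attacker's hands.
    svc.register("victim@example.com", "hunter2", phone)

    # Attacker, on the call, starts a sign-in from their own machine (hypothetical IP).
    sid = svc.begin_login("victim@example.com", "hunter2", from_ip="203.0.113.7")
    assert sid is not None

    # The real service has now texted the victim a real code for the attacker's session.
    latest_text = phone.inbox[-1]
    if not victim_reads_code_aloud:
        return False  # no code spoken, no login; the session expires unused

    # "Agent": "I've just sent a verification code to your phone, read it back to me."
    return svc.finish_login(sid, extract_code(latest_text))
```

Two things are worth noticing. The text the victim receives is not forged: it is the service’s own message, which is why a “real-looking” code is exactly what they see. And the message already carried a signal the victim could have used (a sign-in attempt from an address they do not recognise), but a caller applying pressure is counting on them not reading that far.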


“At scale, campaigns like this work because Apple’s brand carries enormous trust, Apple Pay involves real money, and users have been trained to treat fraud alerts as urgent and to cooperate with ‘support' when they’re scared,” Malwarebytes said.


What to do if you get one

To protect yourself from Apple Pay or similar scams, Malwarebytes recommends that users first and foremost “ignore unsolicited messages urging you to take immediate action.”

Researchers also note that Apple will never set up a “fraud appointment” via email or ask to fix billing issues by providing an unsolicited phone number.

For users who have already fallen for the scam, Malwarebytes suggests:

  • Change the Apple ID password immediately from Settings or appleid.apple.com, not from any link provided by email or SMS.
  • Check active sessions, sign out of all devices, then sign back in only on devices you recognize and control.
  • Rotate your Apple ID password again if you see any new login alerts, and confirm 2FA is still enabled. If not, turn it on.
  • In Wallet, check every card for unfamiliar Apple Pay transactions and recent in-store or online charges, and monitor bank and credit cards for several weeks.
  • Check if the primary email account tied to your Apple ID is yours, since control of that email can be used to take over accounts.

Users should also always check the sender’s address carefully for subtle discrepancies, and never share two-factor authentication (2FA) codes, SMS codes, or passwords with anyone, even if they claim to be from Apple.

Malwarebytes stressed that legitimate companies will never ask for verification codes over the phone.
