A new phishing scam is catching out even cautious Apple users by exploiting something people instinctively trust: Apple’s own security systems.
The attack begins with a sudden burst of genuine two-factor authentication alerts landing across a user’s iPhone, iPad, and Mac. These codes really do come from Apple, and they’re triggered by repeated login attempts from the attackers. Moments later, Apple’s automated system calls with another legitimate verification code. It all looks like a real intrusion – which is exactly what the scammers want.
Right as the panic sets in, a caller posing as Apple Support steps in to “help.” They speak calmly, reference the real alerts, and explain that Apple has detected suspicious activity. A second call follows, and at the perfect moment a real Apple Support email lands in the victim’s inbox. This email is automatically generated by Apple’s systems in response to the unusual activity, but its timing gives the scammers all the credibility they need.
From there, the victim is guided through resetting their password and is finally sent a link to “close the support ticket.” The site looks legitimate enough, and when it asks for a confirmation code, another genuine 2FA text arrives. Entering it hands the attackers immediate access.
The scam works because almost every signal – the alerts, the call, the case email – is authentic. Only the callers and the final website are fake, but by the time the victim reaches that stage, their guard is already down.
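The burst of genuine 2FA prompts that opens this scam is itself a signal a defender can alert on, because it is produced by the attacker's repeated login attempts against one account. The script below is an added example, not part of the original article and not Apple's code; it runs over constructed authentication log lines with hypothetical event names (`2fa_challenge_sent`, `password_reset`) and uses assumed thresholds (four challenges in two minutes, a reset within fifteen minutes of the burst) to flag the pattern described above: a challenge burst followed shortly by a password reset.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real Apple telemetry): ISO timestamp, account, event.
# Hypothetical event names stand in for whatever an identity provider actually emits.
SAMPLE_LOG = """\
2024-05-01T09:00:02Z alice 2fa_challenge_sent
2024-05-01T09:00:09Z alice 2fa_challenge_sent
2024-05-01T09:00:15Z alice 2fa_challenge_sent
2024-05-01T09:00:21Z alice 2fa_challenge_sent
2024-05-01T09:00:30Z alice 2fa_challenge_sent
2024-05-01T09:04:10Z alice password_reset
2024-05-01T09:00:05Z bob 2fa_challenge_sent
2024-05-01T11:30:00Z bob 2fa_challenge_sent
2024-05-01T11:31:00Z carol 2fa_challenge_sent
"""


def parse_log(text):
    """Parse 'timestamp account event' lines into (datetime, account, event) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, account, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, event))
    events.sort(key=lambda e: e[0])
    return events


def detect_challenge_bursts(events, threshold=4, window=timedelta(minutes=2)):
    """Return {account: time the burst was first detected} for accounts that
    received at least `threshold` 2FA challenges inside any sliding `window`.
    Thresholds are assumptions for the example; tune them to real baseline rates."""
    recent = defaultdict(deque)  # per-account timestamps of challenges still inside the window
    bursts = {}
    for ts, account, event in events:
        if event != "2fa_challenge_sent":
            continue
        q = recent[account]
        q.append(ts)
        while q and ts - q[0] > window:  # drop challenges that fell out of the window
            q.popleft()
        if len(q) >= threshold and account not in bursts:
            bursts[account] = ts
    return bursts


def detect_reset_after_burst(events, bursts, grace=timedelta(minutes=15)):
    """Return the accounts where a password_reset followed a detected burst within `grace`.
    This is the high-risk sequence: the flood of prompts, then the 'support'-guided reset."""
    flagged = set()
    for ts, account, event in events:
        if event != "password_reset" or account not in bursts:
            continue
        if timedelta(0) <= ts - bursts[account] <= grace:
            flagged.add(account)
    return flagged


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    bursts = detect_challenge_bursts(evts)
    for account, when in bursts.items():
        print(f"2FA challenge burst: {account} at {when.isoformat()}")
    for account in detect_reset_after_burst(evts, bursts):
        print(f"HIGH RISK: password reset shortly after challenge burst for {account}")
```

On the sample data only `alice` trips both rules; `bob` gets two challenges hours apart and `carol` one, so neither is flagged. In production the burst alert would also be the point to rate-limit further challenges and to notify the account holder through a channel the caller cannot reference, since the article's point is that every prompt the victim sees is real.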
The best defense is to treat any unexpected security call as unverified, no matter how convincing the surrounding alerts seem. If something feels off, hang up and contact Apple directly via the Support app or the official website. And if you receive a suspicious message, you can forward it to reportphishing@apple.com to help Apple tackle these attacks.