HackWatch
High risk | Phishing

Apple Account Change Alerts Exploited to Deliver Phishing Emails Disguised as Legitimate Notifications

Verification-lure coverage focused on fake messages, cloned pages and account defense steps.

Phishing signal detected. Verify the sender independently, avoid login links and rotate credentials if any code or password was exposed.
Marcin Pocztowski

Infrastructure Security Editor

Infrastructure and Vulnerability Response

By: Artur Ślesik

Published: Apr 19, 2026

Updated: Apr 24, 2026

Incident status: Active threat

Corroborating sources: 1

Technical review credentials: Security+ evidence | RHCSA evidence | JNCIS-SEC evidence

Trust note: This alert is maintained under HackWatch's editorial policy, with visible source records, a named responsible editor and a correction channel for disputed facts.

The published article is checked against public sources before publication, and material corrections are reflected in the article update date.

Technical reviewer note: Marcin Pocztowski reviewed this alert on Apr 24, 2026 for server impact, affected-version evidence, privilege or code-execution claims and realistic patch priority. His remediation note follows the same discipline he would use around Juniper routers and production servers: verify scope, preserve useful logs, reduce exposed management access and only then apply the fix or compensating control supported by the 1 corroborating source.

Review our editorial policy or send corrections to [email protected].

Active threat. The incident should still be treated as active until confirmed mitigation or patch adoption is verified.

Cybercriminals are abusing Apple’s official account change notification emails to distribute phishing scams that impersonate iPhone purchase confirmations. By leveraging Apple’s own email servers, attackers increase the credibility of their messages and improve their chances of bypassing spam filters, putting Apple users at heightened risk of credential theft and fraud.

What happened

Security researchers have uncovered a phishing campaign that exploits Apple’s official account change alert emails to deliver fraudulent messages. Attackers are sending fake iPhone purchase confirmation emails that appear to originate from Apple’s legitimate servers. These emails are crafted to look like genuine account change notifications, tricking recipients into clicking malicious links or divulging sensitive information.

Confirmed facts

  • The phishing emails are sent from Apple’s own email infrastructure, making them appear authentic.
  • The messages mimic Apple’s account change alerts, specifically those related to device purchases.
  • The scam emails contain links designed to steal Apple ID credentials or other personal data.
  • Because the emails come from Apple’s servers, they have a higher chance of bypassing spam and phishing filters.
  • The phishing campaign targets Apple users broadly, exploiting the trust users place in Apple’s security notifications.

Who is affected

All Apple account holders receiving account change notifications are potential targets. Users who have recently made purchases or account changes may be more likely to receive and trust these emails. The campaign poses a significant risk to any individual with an Apple ID, as compromised credentials can lead to identity theft, unauthorized purchases, and further account breaches.

What to do now

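  1. Verify the sender: Check the email headers and sender address carefully. Official Apple emails typically come from domains such as `@apple.com`. In this campaign the messages are sent through Apple’s own infrastructure, so a genuine sender address does not by itself mean the content is safe.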
  2. Do not click links directly: Instead of clicking on links in the email, navigate to Apple’s website manually by typing the URL into your browser.
  3. Check your account activity: Log in to your Apple ID account directly to verify any recent changes or purchases.
  4. Enable two-factor authentication (2FA): This adds an extra layer of security to your Apple ID.
  5. Report suspicious emails: Forward phishing emails to Apple at `[email protected]`.
  6. Update passwords: If you suspect your credentials have been compromised, change your Apple ID password immediately.

Why this matters

Phishing remains one of the most effective methods attackers use to gain unauthorized access to accounts. By exploiting trusted communication channels—such as Apple’s own notification emails—attackers increase the success rate of their scams. This not only threatens individual users but also undermines trust in Apple’s security measures. Compromised Apple IDs can lead to financial loss, identity theft, and unauthorized access to personal data stored in iCloud and other Apple services.

What defenders should verify

  • Confirm that email authentication protocols (SPF, DKIM, DMARC) are correctly configured and enforced for Apple’s domains.
  • Monitor for any unusual spikes in account change notification emails that could indicate abuse.
  • Review email filtering rules to detect and quarantine phishing emails even if they originate from legitimate Apple servers.
  • Educate users about the risks of phishing emails that appear to come from trusted sources.
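The filtering check described above, sketched as an added example (not code from HackWatch, Apple or BleepingComputer): a message that passes SPF, DKIM and DMARC for `apple.com` is still quarantined when its body links leave Apple-owned domains. The sample message, the gateway name `mx.example.net` and the trusted-domain list are constructed assumptions.

```python
import email
import re
from email import policy
from urllib.parse import urlsplit

# Assumption: domains treated as Apple-owned link targets; adjust to local policy.
TRUSTED_LINK_DOMAINS = ("apple.com", "icloud.com")

# Constructed sample: authenticates as apple.com but carries an off-domain link.
SAMPLE = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=apple.com;
 dkim=pass header.d=apple.com; dmarc=pass header.from=apple.com
From: Apple <noreply@apple.com>
To: user@example.net
Subject: Your Apple Account information was updated
Content-Type: text/plain; charset=utf-8

Your iPhone purchase is confirmed. If this was not you, review the order:
https://order-review.example.org/login
Manage your account at https://account.apple.com/
"""

def auth_results(msg, authserv_id):
    """Read spf/dkim/dmarc verdicts, trusting only headers stamped by our own gateway."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        value = str(header)
        if value.split(";", 1)[0].strip().lower() != authserv_id:
            continue  # header not added by our gateway; a sender could have forged it
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I):
            verdicts[method.lower()] = result.lower()
    return verdicts

def off_domain_links(msg):
    """Return hosts of body links that are not under a trusted Apple domain."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    hosts = {urlsplit(u).hostname or "" for u in re.findall(r"https?://[^\s\"'<>]+", text)}
    return sorted(h for h in hosts
                  if not any(h == d or h.endswith("." + d) for d in TRUSTED_LINK_DOMAINS))

def triage(raw, authserv_id="mx.example.net"):
    """Classify a message whose From domain claims to be Apple."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = auth_results(msg, authserv_id)
    links = off_domain_links(msg)
    if auth.get("dmarc") != "pass":
        verdict = "review-unauthenticated"
    else:
        verdict = "quarantine" if links else "deliver"
    return {"auth": auth, "off_domain_links": links, "verdict": verdict}
```

Calling `triage(SAMPLE)` returns the `quarantine` verdict even though all three authentication checks pass, which is the case a sender-only rule misses.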

Prevention

  • Always verify the authenticity of account change emails by checking the sender’s domain and email headers.
  • Avoid clicking on links in unsolicited emails; instead, access accounts directly through official websites or apps.
  • Implement and enforce two-factor authentication on all Apple IDs.
  • Regularly update passwords and avoid reusing credentials across multiple services.
  • Use security software that can detect phishing attempts and malicious links.
  • Stay informed about the latest phishing tactics targeting Apple users.

Sources and corroboration

This article is based on reporting from BleepingComputer, which detailed the abuse of Apple’s account change notification system to send phishing emails disguised as legitimate purchase alerts. The findings have been corroborated by cybersecurity researchers analyzing email headers and phishing campaigns targeting Apple users.

---

For further information and to report suspicious emails, users can visit Apple’s official security page and forward phishing attempts to `[email protected]`.

Sources used for this article

BleepingComputer

Artur Ślesik

Founder of HackWatch.io and WEB-NET; Editorial Reviewer

Artur Ślesik is the founder of HackWatch.io and WEB-NET, a real named reviewer with 17+ years of experience building and maintaining web portals.

Coverage focus: Secure web portals, phishing prevention, user-facing recovery guides and practical web-security review

Editorial disclosure: This is a real named founder profile. HackWatch does not claim unverified security certifications, SOC employment history or CERT incident-response credentials for Artur. Security guidance is grounded in public sources, HackWatch tooling and first-hand web-portal experience.

Artur leads this phishing alerts coverage lane at HackWatch. This article is maintained as part of the ongoing editorial watch around "Apple Account Change Alerts Exploited to Deliver Phishing Emails Disguised as Legitimate Notifications".

Secure web portals and publishing operations | Phishing prevention and account-safety guidance | User-facing recovery playbooks