What the scam looks like

The email arrives with an Apple-looking logo, a panic-inducing subject line, and a button that takes you to a fake Apple ID sign-in page. The fake page captures your Apple ID email, password, and often a two-factor verification code. Within minutes, the attacker logs in from a different device, changes the password, locks you out, and either drains the iCloud-linked payment methods or holds the account for ransom.

Apple does send legitimate security emails. The difference is that Apple's real emails never threaten account closure within 24 hours, never ask you to click a button to "verify" your identity, and never link to a domain other than apple.com or icloud.com.

The 8 message variants in active rotation

1. The classic lock

"Your Apple ID has been locked for security reasons. To unlock your account, please verify your identity within 24 hours."

2. The unrecognized sign-in

"We detected a sign-in to your Apple ID from a new device in Russia (or China, Nigeria, depending on what the attacker thinks scares you most). If this was not you, click here to secure your account."

3. The payment hold

"Your Apple ID has been temporarily disabled because we could not verify your payment information. Update your billing details to continue using iCloud and the App Store."

4. The receipt with a question mark

"Thank you for your purchase of [some expensive app, often $89.99 or a year-long subscription]. If you did not authorize this purchase, click here to cancel."

This variant gets the highest click rate because the user does not feel they are being asked to log in. They feel they are disputing a fraudulent charge.

5. The iCloud storage scare

"Your iCloud storage is full. To prevent loss of your photos and contacts, upgrade your plan now."

6. The Find My alert

"Find My iPhone has located your missing device in [city]. Click here to remotely lock it."

This one targets users who actually have a lost device. The emotional urgency is real, so the user does not pause to verify the sender.

7. The Apple Music renewal

"Your Apple Music subscription auto-renewal failed. Please update your payment method to avoid service interruption."

8. The two-factor request

"A verification code was sent to your trusted device. Please confirm to complete sign-in."

This variant follows a successful credential phish. The attacker already has your password and is now prompting you in real time to enter the 2FA code they triggered from their device. The tell is on your trusted device: Apple's real prompt shows an approximate map of where the sign-in is coming from and asks you to Allow or Don't Allow. If you are not signing in at that moment, tap Don't Allow, and never type the six-digit code into an email, a web page that is not apple.com, or a phone call.

How to spot the fake in 10 seconds

  • Sender domain. Real Apple emails come from @email.apple.com, @insideapple.apple.com, or @apple.com. Anything else (like @apple-id-security.com, @appleid-verify.net, @id-apple.support) is a scam. Two caveats: the display name ("Apple Support") is free text and proves nothing, so look at the actual address; and the From address itself can be forged, so on a desktop client check the Authentication-Results header for spf=pass and dkim=pass against an apple.com domain before trusting it.
  • Link destination. Hover over the button without clicking (on iPhone, touch and hold the link to preview where it goes). The host is the part between https:// and the next slash, and its last two labels are the registrable domain, which must be apple.com or icloud.com. apple.com.verify-account.xyz is NOT Apple: its registrable domain is verify-account.xyz, and "apple.com" is just a subdomain the attacker created. Two more tricks to know: anything before an @ in the host part is a username, not the site (https://apple.com@evil.example/ goes to evil.example), and a link through a URL shortener or redirector hides the real destination entirely, so treat it as unknown.
  • Greeting. Generic openings like "Dear Customer," "Dear Apple User," or "Hello Apple ID Owner" are a strong fake signal. The reverse does not hold: your real name is in enough breach data that a personalized greeting proves nothing.
  • Urgency timer. "Within 24 hours" or "your account will be permanently deleted" is a pressure tactic. Apple does not do that.
  • Spelling and grammar. Real Apple emails are proofread. Phishing emails routinely contain weird capitalization, missing articles ("Your apple account has Lock"), and awkward phrasing.
  • Logo quality. Phishing logos are often slightly pixelated or use the wrong shade of grey. Apple's actual brand assets are crisp at any zoom level.
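The link-destination check above, carried out the way a scanner would do it rather than by eye. This is an added example, not code from the original page or from SafeBrowz; it uses the WHATWG URL parser that Node and every browser provide, and it treats only apple.com and icloud.com as Apple's, as the page states (that allowlist is an assumption of the example, not a complete list of Apple-owned domains).

```javascript
// Added example, not code from the original page or from SafeBrowz: where a
// "Verify your Apple ID" button really points, decided the way the bullet
// above describes. Only apple.com and icloud.com are treated as Apple's (an
// assumption of this example, not a complete list of Apple-owned domains).
const APPLE_DOMAINS = ["apple.com", "icloud.com"];

// Registrable domain for this check: the last two labels of the hostname.
// (A full check would consult the public suffix list; two labels is enough
// for the .com/.net/.xyz names in the page's examples.)
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  return labels.slice(-2).join(".");
}

function classifyLink(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { verdict: "reject", host: null, domain: null, reasons: ["not a parseable URL"] };
  }
  // url.hostname is only the host: userinfo (user@), port, path, query and
  // fragment are already stripped, so "https://apple.com@evil.example/"
  // yields "evil.example", not "apple.com".
  const host = url.hostname;
  const domain = registrableDomain(host);
  const reasons = [];
  if (url.protocol !== "https:") reasons.push(`scheme is ${url.protocol}, not https:`);
  if (url.username || url.password) reasons.push("userinfo before the host (the user@host trick)");
  // The parser turns non-ASCII hostnames into punycode; an xn-- label means
  // the visible name used non-ASCII letters, the usual homograph trick
  // (for example a Cyrillic "a" in "apple").
  if (host.split(".").some((l) => l.startsWith("xn--"))) reasons.push("punycode (xn--) label in host");
  if (!APPLE_DOMAINS.includes(domain)) reasons.push(`registrable domain is ${domain}, not apple.com or icloud.com`);
  return { verdict: reasons.length ? "reject" : "apple", host, domain, reasons };
}

// Constructed sample links covering the cases in the text and the two tricks
// noted in the comments above.
const SAMPLE_LINKS = [
  "https://appleid.apple.com/account/manage",   // genuine
  "https://www.icloud.com/",                      // genuine
  "https://apple.com.verify-account.xyz/login",   // subdomain trick from the text
  "https://apple.com@evil.example/unlock",        // userinfo trick
  "https://\u0430pple.com/",                      // Cyrillic "a" homograph
  "http://appleid.apple.com/",                    // right domain, wrong scheme
];
for (const link of SAMPLE_LINKS) {
  const r = classifyLink(link);
  console.log(`${r.verdict.padEnd(6)} ${link}  ${r.reasons.join("; ")}`);
}
```

The design point is that the decision is made on url.hostname after parsing, never on the raw string: the subdomain, userinfo and homograph tricks all rely on a human reading the string left to right, and a parser does not.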

The 5-step verification (do this before clicking anything)

  1. Do not click the email button. Open a new browser tab manually.
  2. Go to appleid.apple.com by typing it. Do not Google it. The top Google result during peak phishing waves is sometimes a paid ad pointing to a typosquat.
  3. Sign in. If your account is genuinely locked, Apple's real page will tell you. Apple unlocks the account through the same page using your trusted phone number or security questions. There is no email-only unlock flow.
  4. On iPhone or iPad: open Settings → tap your name at the top. If there is a real account issue, a red badge will appear here. No badge means there is no issue, regardless of what the email says.
  5. Check recent sign-in activity at appleid.apple.com/account/manage → Devices. Any unfamiliar device should be removed and your password changed.

If you already clicked and entered your password

Speed matters. The attacker typically uses stolen Apple ID credentials within 5 to 15 minutes. Move fast.

  1. Change your Apple ID password immediately at appleid.apple.com or on your iPhone in Settings → [your name] → Sign-In & Security → Change Password. Use a long, unique password that you have not used anywhere else.
  2. Turn on two-factor authentication if it is not already on. This is non-optional in 2026 for any Apple account.
  3. Review trusted devices in Settings → [your name]. Remove anything you do not recognize.
  4. Check Apple ID payment methods for any new card added by the attacker. Remove and re-add yours.
  5. Review recent App Store and iTunes purchases. Report unauthorized charges through reportaproblem.apple.com.
  6. If you entered a 2FA code, assume the attacker completed a sign-in rather than just capturing a password, and was signed in for as long as it took you to change the password and remove their device. A signed-in attacker can buy apps and subscriptions on the cards on file, so tell the issuers of those cards as well so they can watch for or block the charges.
  7. Report the phishing email to Apple by forwarding it to reportphishing@apple.com. Apple uses these reports to take down phishing infrastructure.

Why Apple ID is the #1 target

The Apple ID is a key to a much larger kingdom than the email address suggests. It controls:

  • iCloud (photos, contacts, notes, files, full device backups)
  • App Store purchases (auto-renewing subscriptions, in-app purchases)
  • Apple Pay (linked credit cards)
  • Find My (live location of every Apple device you own)
  • iMessage and FaceTime (your conversation history and identity)
  • iCloud Keychain and the Passwords app (saved logins auto-filled across all Apple devices)
  • Family Sharing (purchases and subscriptions shared with relatives)

A single Apple ID compromise can lock the user out of every Apple device they own, expose 10+ years of photos, and authorize fraudulent purchases on linked cards. The leverage is much higher than a typical phishing target, which is exactly why this scam has the highest reported volume of any single phishing email pattern in 2026.

How browser-layer defense catches this earlier

The email itself is hard to block at the inbox level because attackers rotate sender domains daily. The defense that works is at the destination: when you click the link and land on the fake Apple ID page, a browser-layer scanner can recognize the page is impersonating Apple and block it before you type your password.

SafeBrowz is a free Chrome, Firefox, and Edge extension that scans every URL before the page renders. It checks the domain against a database of 550+ brands including Apple, and the page content against impersonation signals (Apple logo + login form on a non-apple.com domain is an instant flag). When it detects a fake Apple ID page, it shows a full-screen warning before any form loads. Install SafeBrowz free if you want a second line of defense for your Apple ID and every other login you have.
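The page-content signal described above (Apple branding plus a login form on a domain Apple does not own), as an added example of how a browser-layer scanner can compute it before any form is used. This is not SafeBrowz's own code, whose internals the page does not show; the brand keywords, the HTML patterns and the three sample pages are constructed for the example, and only apple.com and icloud.com count as Apple's domains, as the page states.

```javascript
// Added example, not SafeBrowz's own code: the impersonation signal described
// above, computed from a landing page's URL and HTML. Brand keywords, regexes
// and sample pages are constructed for this example; only apple.com and
// icloud.com are treated as Apple-owned, as the page states.
const BRAND_DOMAINS = ["apple.com", "icloud.com"];

// Last two labels of the hostname (sufficient for the .com/.net names here).
function registrableDomain(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// Three independent signals. Brand mention covers visible text, image alt
// text and the page title; a password field is the credential sink.
function pageSignals(pageUrl, html) {
  const host = new URL(pageUrl).hostname;
  return {
    host,
    onBrandDomain: BRAND_DOMAINS.includes(registrableDomain(host)),
    hasPasswordField: /<input\b[^>]*\btype\s*=\s*["']?password\b/i.test(html),
    mentionsBrand: /\bapple\s*id\b|\bicloud\b|alt\s*=\s*["'][^"']*\bapple\b/i.test(html),
  };
}

// Block only when all three line up: a credential form that talks about Apple
// on a domain Apple does not own. A real Apple sign-in page and an unrelated
// site's own login page both pass, which keeps the false-positive rate down.
function shouldBlock(pageUrl, html) {
  const s = pageSignals(pageUrl, html);
  return s.hasPasswordField && s.mentionsBrand && !s.onBrandDomain;
}

// Constructed sample pages (minimal HTML, not real captures).
const FAKE_PAGE = `<html><head><title>Apple ID - Unlock</title></head><body>
<img src="logo.png" alt="Apple logo"><h1>Your Apple ID has been locked</h1>
<form method="post" action="/unlock"><input name="email"><input name="pw" type="password">
<button>Verify</button></form></body></html>`;
const OTHER_LOGIN = `<html><body><h1>Sign in to Example Forum</h1>
<form><input name="user"><input type="password" name="pass"></form></body></html>`;

const SAMPLES = [
  ["https://appleid-verify.net/unlock", FAKE_PAGE],  // impersonation: block
  ["https://appleid.apple.com/sign-in", FAKE_PAGE],   // same HTML on Apple's domain: allow
  ["https://forum.example.org/login", OTHER_LOGIN],   // unrelated login page: allow
];
for (const [url, html] of SAMPLES) {
  console.log(shouldBlock(url, html) ? "BLOCK" : "allow", url);
}
```

Note that the same HTML is allowed on appleid.apple.com and blocked on appleid-verify.net: the content signals only say "this looks like an Apple login", and it is the domain check that turns that into "this is impersonation".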

Frequently asked questions

Does Apple ever send emails about my account being locked?

Yes, but only as a follow-up after you (or someone trying to access your account) failed multiple sign-in attempts or triggered a security event you can see in Settings → [your name] → Sign-In & Security. Apple's real lock notifications direct you to appleid.apple.com or your device's Settings, never to a third-party domain. The real Apple email also never threatens "permanent deletion in 24 hours."

I clicked the link but did not enter my password. Am I still at risk?

Probably safe, but verify. Run a virus scan if you are on a Mac or PC. On iPhone, the risk from just clicking is very low because Safari sandboxes web pages. Still change your Apple ID password as a precaution, and turn on two-factor authentication if it is off. One thing the click did do: most phishing links carry a per-recipient token, so the attacker now knows your address is live and read, and you should expect further attempts.

The email had my real name in it. How is that possible?

Your name is in many data breaches paired with your email address. Attackers buy these breach lists for a few dollars and use them to personalize phishing emails. A personalized greeting is not proof an email is legitimate.

If I entered my Apple ID password, did the attacker also get my photos?

Not immediately, and it depends on your settings. With two-factor authentication on, a password alone does not get the attacker into iCloud: signing in on a new device needs a code from one of your trusted devices, which is exactly what variant 8 above tries to phish. If they get that code too, the new device starts syncing. iCloud Photos is end-to-end encrypted only if you have turned on Advanced Data Protection; with the default setting Apple holds the keys, and a signed-in device can download your whole library. With Advanced Data Protection on, a new device also has to be approved using the passcode of one of your existing devices, so a phished password and code are not enough on their own. Either way, change the password and remove any unknown device before a sync completes. Speed matters.

How do I report an Apple phishing email so Apple takes the page down?

Forward the full email as an attachment, so the headers survive (in Mail on a Mac: Message → Forward as Attachment), to reportphishing@apple.com. Apple's security team uses these reports to file domain takedowns with registrars and to update Safari's built-in phishing protection. The faster a phishing domain gets reported, the shorter its lifespan.

Why does Apple ID phishing keep working when iPhones have all this security?

The attack does not exploit the iPhone. It exploits the user's trust in Apple branding and the panic of "your account is locked." Once the user types the password into a fake page, no amount of device security can help. The one account-side control that does resist this is a hardware security key (Apple has supported FIDO security keys for Apple ID since iOS 16.3 and macOS 13.2), because the key only answers a challenge from the real apple.com origin, so a fake page can never get a usable response out of it. Short of that, the defense has to happen at the browser layer, before the form loads.

Bottom line: Apple ID phishing is the most-reported brand impersonation in the world right now. The defense has not changed. Do not click email buttons. Type appleid.apple.com manually. Turn on two-factor. And add a browser-layer scanner like SafeBrowz so the fake page never gets a chance to load.