
How to spot fake Apple security alerts via text, phone, email, or web


Apple recently contacted users in 92 countries around the world, warning them that they had been targeted by a “mercenary spyware attack.” This term replaces what Apple used to call “state-sponsored attacks,” and covers attacks using spyware such as Pegasus, created by the NSO Group. Apple contacted these individuals by both email and iMessage. Also, when logging into their Apple ID account in a browser, users would see a “Threat Notification” bar with the date on which Apple sent those communications.

But if you get a message that claims to be from Apple—whether by SMS text message, iMessage, email, or a phone call—how can you know whether it’s really Apple or not?

Let’s examine the reasons why Apple might legitimately contact you (and how they’ll do so), and how to recognize scams.

Apple notified users who were victims of mercenary spyware attacks

The aforementioned Apple emails reportedly included the following details:

“Apple detected that you are being targeted by a mercenary spyware attack that is trying to remotely compromise the iPhone associated with your Apple ID -xxx-

“This attack is likely targeting you specifically because of who you are or what you do. Although it’s never possible to achieve absolute certainty when detecting such attacks, Apple has high confidence in this warning — please take it seriously.

“We are unable to provide more information about what caused us to send you this notification, as that may help mercenary spyware attackers adapt their behavior to evade detection in the future.

“Mercenary spyware attacks, such as those using Pegasus from the NSO Group, are exceptionally rare and vastly more sophisticated than regular cybercriminal activity or consumer malware.”

Notably, these real Apple emails do not contain any links. So if you get a similar-looking email, but it prompts you to click on something, don’t trust it—it’s a scam.

How can I confirm that an Apple threat notification is legitimate?

As Apple points out in a support document entitled About Apple threat notifications and protecting against mercenary spyware, the company “sends an email and iMessage notification to the email addresses and phone numbers associated with the user’s Apple ID.” Moreover, “A Threat Notification is displayed at the top of the page after the user signs into appleid.apple.com.”

The emails and notifications do not contain links to click, but direct users to the Apple ID website instead. After signing into the website, clicking the View Details link in the Threat Notification bar takes the user to a page giving more information about the attack.

Will Apple send me emails containing links?

If you receive an email purporting to be from Apple, but it entices you to click on a link, it is likely a phishing email.

One exception to this rule is if you have recently opened a support case with AppleCare; the emails they send will include your case number for verification purposes, and they may contain links to Apple’s support website. Receipts from Apple’s App Store, iTunes Store, or other Apple services will also contain links. But no legitimate emails from Apple will recommend that you click on a link to log into your Apple ID account.

If you receive an email claiming to be from Apple, and claiming you’ve made a purchase that you don’t recognize, don’t click any links; it’s almost certainly a scam. If you’re really concerned, check your actual purchase history (or billing method) to make sure that you did not accidentally buy something. If you did make an accidental purchase, you can use Apple’s Report a Problem site to resolve the issue. Just make sure you go to that site from a trusted link or bookmark—not a link from a possible phishing email.

iCloud storage warning email phishing scams

Late last year, a wave of iCloud storage-related phishing emails circulated. They claimed, for example: “Your [iCloud] storage might be full,” and they pretended to offer a free iCloud storage upgrade to recipients who clicked on a “Get this deal” link. We wrote about this scam in December: Don’t fall for “iCloud FREE Storage Notice” e-mail scams.


How to report scam emails that impersonate Apple

If you receive an email that claims to be from Apple but you believe it’s fraudulent, check out our video tutorial on how to report it to Apple and the authorities: How to report scam e-mails – Phishing, fraud, blackmail, or extortion.

Will Apple ever send me text messages?

There are very rare and limited circumstances under which Apple may send you messages through the Messages app. These may either be SMS text messages, or feature-rich chats similar to iMessage—but with distinct features that allow users to easily verify that they’re really from Apple.

SMS two-factor authentication codes

Apple may send text messages to users as two-factor authentication codes if the user cannot get notified in any other way. Other than that, Apple never sends ordinary plain-text messages.

Following is an example of a real text message from Apple. Note the lack of a link, other than the percent symbol followed by apple.com. Although the formatting looks odd, it’s designed to comply with Apple’s own AutoFill standards for SMS text messages.

Your Apple ID Code is: 123456. Don’t share it with anyone. @apple.com #123456 %apple.com
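The format in the sample above can be checked mechanically. This Python code is an added example, not code from Apple or from this article; `check_code_sms` and the sample messages are constructed, and it assumes the `@host #code %host` tokens come at the very end of the message, as they do in the sample.

```python
import re

# Trailing "@host #code [%embedded-host]" tokens, as in the sample message.
BINDING = re.compile(
    r"@(?P<host>[A-Za-z0-9.-]+)\s+#(?P<code>\S+)"
    r"(?:\s+%(?P<embedded>[A-Za-z0-9.-]+))?\s*$"
)
# Clickable links in the human-readable part of the message.
LINK = re.compile(r"\b(?:https?://|www\.)\S+", re.IGNORECASE)

def check_code_sms(message, expected_host="apple.com"):
    """Return (ok, findings) for a text that claims to carry a sign-in code."""
    m = BINDING.search(message)
    if not m:
        return False, ["no trailing @host #code binding"]
    findings = []
    body = message[:m.start()]
    host = m.group("host").lower().rstrip(".")
    embedded = m.group("embedded")
    # Exact match only: "apple.com.example" or a lookalike must not pass.
    if host != expected_host:
        findings.append(f"bound to {host}, not {expected_host}")
    if embedded and embedded.lower().rstrip(".") != expected_host:
        findings.append(f"embedded host {embedded} is not {expected_host}")
    if m.group("code") not in body:
        findings.append("code in binding does not appear in the text")
    if LINK.search(body):
        findings.append("text contains a link")
    return not findings, findings

# Constructed samples: the article's message, and two scam-style messages.
REAL = ("Your Apple ID Code is: 123456. Don’t share it with anyone. "
        "@apple.com #123456 %apple.com")
FAKE_LINK = ("Your Apple ID was locked. Verify now: "
             "https://appleid.example/unlock @apple.com.example #000000")
FAKE_PLAIN = "Apple: your iCloud is full. Upgrade at www.icloud-storage.example"

if __name__ == "__main__":
    for sample in (REAL, FAKE_LINK, FAKE_PLAIN):
        print(check_code_sms(sample))
```

A message that passes only matches the format described here; it does not prove who sent it, so a code you did not request should still be ignored.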

Verified support via Apple Messages for Business

Here’s another example of legitimate messages you may receive from Apple via the Messages app. If you contact Apple via its Support app for iPhone, you may have the option to chat live. This chat takes place in the Messages app—the same app you use for iMessage and SMS/MMS (and RCS, as of iOS 18) text message conversations. But you’ll notice some key differences in appearance. These conversations include a Verified badge next to Apple’s company name at the top. If you’re able to reply, your messages will have a gray bubble (rather than blue for iMessage or green for other chats).

Similarly, Apple may also send shipping notifications via the Messages app. You won’t have the option to reply. But you will see a Verified badge next to the name “Apple Notifications” at the top of the chat. If you tap on the Verified badge, you’ll see more details about the company.

Other companies besides Apple can also get Verified badges and interact with customers via the Messages app. To do so, the company must register for the Apple Messages for Business service.

What if I get a message that doesn’t look like the examples above?

What about if you get any other kind of text message or iMessage that claims to be from Apple? If it doesn’t look like the examples above, don’t trust it; it’s a scam. Don’t click on any links within those messages, as they may lead to a phishing or malware site.

Will Apple ever call me by phone?

Real scenarios when Apple may call you

Apple will not call you unless it’s about a tech support case you previously initiated. When you start a support case with AppleCare, you can choose to receive a phone call. That call will happen within one minute of when you request it. You will be instructed to press a number if you’re ready to take the call.

If your support case is escalated, you may get a call back from a senior support agent. It’s a good idea to ask them for the case number, to confirm that they are from Apple. AppleCare sends an email when you initiate a case which contains a case number and other information.

A real email you’ll get from Apple when you open a support case. (Note that phishing scam emails may try to impersonate these.)

Scams that may appear to be Apple calling you

One possible fake phone call that Apple users may receive comes after an “MFA bombing” attack. (MFA stands for multifactor authentication.) This occurs when a user receives repeated notifications asking to approve a password reset, initiated by a malicious user trying to get into their account. The goal of this attack is to get the user to slip up when tapping the notifications; they hope you’ll accidentally hit Allow rather than Don’t Allow. All it takes is one mistake to enable a malicious user to reset your Apple ID password.

With this attack, users may receive a phone call purporting to be from Apple support. Their phone may even display the correct phone number for Apple Support; this is because the attacker is “spoofing” the Apple support phone number stored in your contacts. Apple won’t call a user like this, except for an AppleCare case the user has already initiated recently. Any phone call claiming to be from Apple after repeated password-reset push notifications is bogus, and should be ignored.

Will Apple ever display in-browser alerts about malware infections or security issues?

For many years, scammer-operated sites have tried to trick victims with flashy alerts claiming your system is infected. These may either come in the form of a “virus scan” window, or a pop-up alert like the ones below. You may encounter similar alerts after clicking on a search engine result. Don’t believe in-browser alerts like these; they’re scams. Apple will never contact you this way.

Fake in-browser alerts claiming to be from Apple or the FBI.

If you’re concerned that your Mac might actually be infected, scan your Mac with a trustworthy antivirus.

Intego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9, is a powerful solution designed to protect against, detect, and eliminate Mac malware.

Whether you believe your Mac may be infected, or to prevent future infections, it’s best to use antivirus software from a trusted Mac developer. VirusBarrier is award-winning antivirus software, designed by Mac security experts, that includes real-time protection. It runs natively on both Intel- and Apple silicon-based Macs, and it’s compatible with Apple’s current Mac operating system, macOS Sonoma.

Key takeaways

Apple has a support document explaining how to “Recognize and avoid phishing messages, phony support calls, and other scams.” This document includes many links and email addresses to deal with fraudulent contacts purporting to be from Apple.

The bottom line: Apple will only contact users for very specific reasons. These include: if Apple thinks you have been targeted by mercenary spyware; when they send receipts for purchases from one of Apple’s services (which won’t contain login/action links); and for AppleCare support cases. The company sends text messages with two-factor authentication codes if users can’t authenticate in another way. And they only call users about AppleCare support cases you’ve just created. Any other supposed contact from Apple is likely malicious. Don’t click on any links that claim to be from Apple; it’s safest to use an existing bookmark to sign into your Apple ID account.

How can I learn more?

Other resources on this topic include:

We discussed Apple notifications about mercenary spyware on episode 340 of the Intego Mac Podcast.

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news.

About Kirk McElhearn

Kirk McElhearn writes about Apple products and more on his blog Kirkville. He is co-host of the Intego Mac Podcast, as well as several other podcasts, and is a regular contributor to The Mac Security Blog, TidBITS, and several other websites and publications. Kirk has written more than two dozen books, including Take Control books about Apple's media apps, Scrivener, and LaunchBar. Follow him on Twitter at @mcelhearn.