Apple Pay fraud: how the most common scams work

  • Digital fraud is on the rise, taking advantage of the popularity of Apple Pay and mobile payments.
  • Cybercriminals use identity theft, phishing, and fake apps to steal data and money.
  • The attacks rely on urgent messages, cloned websites, and compromised public Wi-Fi networks.
  • The best defense is to always verify through official channels and not share codes or passwords.

More and more people are paying with their mobile phones, and in particular with iPhones. Among those who use them daily, Apple Pay has become as everyday a tool as taking your card out of your pocket, whether to shop in physical stores or order online. This normality has a less pleasant side: when a payment system becomes widespread, it also becomes a very attractive target for fraudsters.

Recently there has been a notable increase in fraud through Apple Pay. In various countries, cybercriminals are employing increasingly sophisticated techniques. From messages impersonating banks or Apple to websites almost identical to official ones, everything is designed to make users let their guard down for a second and reveal their data. Once that happens, the criminal can link cards, make unauthorized charges, or take complete control of the account.

Why Apple Pay has become such a juicy target

The rise of mobile payments has transformed the way we move our money: instant, contactless payments from anywhere. This convenience, however, also opens the door for criminals to try to exploit any lapse in security. Apple Pay, as one of the most widespread payment platforms in the world, has become central to this scenario.

Authorities and cybersecurity specialists have been warning that blind faith in technology, combined with the speed of the transactions, creates the perfect breeding ground for these scams. Many users assume that if their phone asks for a code or confirmation, everything is secure, without considering that they may have arrived there via a fraudulent link.

The situation described by security agencies in different countries also fits with what is being observed in Europe and in Spain: the same patterns of deception are repeated in very different environments, which indicates that gangs reuse tactics with slight variations depending on the market and language.

In parallel, the rise of secondhand marketplaces and online stores has added another layer of risk. In some cases, when criminals obtain the details of a card linked to Apple Pay, they not only make direct purchases, but also resell products or use accounts on third-party apps, so that the victim of the fraud is not always the same person who sees the charge on their bank statement.

Identity theft: when the scammer impersonates Apple or your bank

One of the most widespread methods is identity theft, also known as spoofing. This type of attack is analyzed in the article on identity theft on iOS. The scheme is simple but effective: the criminal poses as an employee of the bank, Apple customer service, or even a well-known store, and uses fear or urgency to make the user act without thinking too much.

Communications can arrive via SMS, email, or phone call. The message usually warns of alleged irregular charges, account blocks or security issues with Apple Pay. From there, the user is asked to "verify" their information or confirm a transaction to avoid further harm.

In this type of fraud, the goal is for the victim to provide critical data: verification codes, passwords, card number, or personal information. With that information, the fraudster can link the card to their own device, authorize payments, or modify account access data.

To make it more believable, many criminals employ techniques such as falsification of the caller ID or SMS sender: the number or name displayed on the screen matches that of the bank or Apple. This makes detecting the scam more difficult, especially for users less familiar with this type of threat.

In Europe and Spain, where banking regulations require strong customer authentication, criminals are focusing precisely on convincing the user to provide those second security factors, presenting them as mere routine verification steps.

Phishing and cloned websites: the perfect bait for stealing credentials

Another common technique related to fraud using Apple Pay is phishing. In this case, the initial contact usually comes via email or SMS. The message warns of a suspicious purchase, an unusual login, or a supposed block on the Apple or bank account, and includes a link to "review" or "cancel" the transaction.

By clicking that link, the user is directed to a website that imitates with great fidelity the appearance of the official site: logos, colors, design, and sometimes even security certificates that can mislead those who do not carefully check the actual domain address.

These fake websites request information such as Apple ID, password, verification codes sent via SMS or push notification, and even additional banking information. If the victim enters this information, the criminal can access the real account in a matter of minutes.

A typical example is the message that appears to be from the bank, alerting you to a purchase made with Apple Pay and offering a link to "cancel" the transaction. The sense of urgency plays a key role here. Many people, frightened by the possibility of a large charge, click on the link without checking if the address is legitimate.

Once inside, the process appears completely normal from the user's perspective. Although the page displays success or confirmation messages, in reality, the only thing that has happened is that the data has fallen into the hands of the scammers, who take advantage of that window of time to take control of the account and carry out fraudulent transactions before the victim can react.

Fake apps, public Wi-Fi networks, and other tricks to capture data

Beyond messages and calls, cybercriminals also resort to malicious applications and compromised Wi-Fi networks to try to obtain information related to Apple Pay and other mobile payment methods. The goal here is for the device itself to become the entry point.

In the case of fake apps, they are usually disguised as banking apps, financial management tools, or purported utilities for obtaining discounts or rewards for paying with your mobile phone. Some are downloaded from official stores after passing security checks, while others circulate through less secure alternative channels, and are sometimes linked to threats such as new malware on WhatsApp that steals user information.

Once installed, these applications may request excessive permissions or display forms that invite the user to enter credentials, card details, or personal information, which is actually sent to the attacker's servers. In some cases, the malware may even attempt to intercept notifications or read messages containing verification codes.

Public Wi-Fi networks also pose an added risk. When you connect to unprotected or tampered access points, you may be sending data through an infrastructure controlled by the criminals themselves. Although Apple Pay is designed to operate with high security standards, other services surrounding the payment (email, SMS, bank access) may be vulnerable.

In environments such as cafes, stations, or airports, it is not uncommon to find connections that appear legitimate but, in reality, have been created to intercept traffic and access credentials. Therefore, the authorities insist that, when it comes to financial transactions, it is preferable to use mobile data connections or trusted networks.

Purchases with stolen cards and fraud on secondhand platforms

When criminals manage to access a card associated with Apple Pay or link it to their own device, they don't always limit themselves to making direct purchases at regular stores. Some of these frauds are channeled through online marketplaces and online stores, where money and products change hands quickly.

In scenarios like this, scammers make payments with the compromised card on second-hand sales services or marketplaces. They receive the product legitimately, while the cardholder remains unaware until they check their bank account and detect unrecognized charges; similar cases have been seen in operations such as the one in which the Civil Guard dismantled a plot dedicated to fraudulent sales.

When the victim files a complaint and the financial institution reverses the payment, the honest seller on the platform can end up without the money and without the product, since the item has already been shipped and delivered. The fraud creates a chain reaction that affects several people.

These situations complicate the claim process because contracts between private parties, buyer and seller protection policies, and the platform's own actions all come into play. It's not always easy to determine who bears the economic loss, which makes these types of crimes especially harmful.

That's why it's recommended to exercise extreme caution when a buyer proposes unusual payment methods, excessive haste, or overly advantageous conditions when closing a transaction. Although fraud is not always directly linked to Apple Pay, the cards and accounts associated with the service can be part of the criminal scheme.

How to minimize the risk when using Apple Pay

Despite this situation, there is still room to significantly reduce the likelihood of falling victim to a scam. Recommendations from cyber police units and consumer organizations are similar, with slight variations, but they all revolve around the same idea: regaining control over the information we share and the channels we use.

A basic rule is never to share verification codes, passwords, or bank details. No legitimate company requests this type of information through calls, SMS messages, or emails, regardless of whether the person on the other end claims to be from Apple or a financial institution.

It is also essential to verify any suspicious activity directly from the bank's official app or from Apple Pay settings, instead of following the links in messages. If there's a real problem, it will appear even when accessing the site through the usual channels.

Another important layer of protection is two-factor authentication and real-time notifications. The use of security keys for your Apple ID provides an additional barrier against unauthorized access and makes it more difficult for phishing-based attacks to succeed.

Finally, although it may seem like a minor detail, it's worth taking a few extra seconds to check the exact address of the web pages where we enter credentials, as well as avoiding accessing financial services from public or unknown Wi-Fi networks.
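
The address check recommended above can be automated. The following Python function is an added example, not part of the original article: it extracts the real host from a link and compares it with an allow-list of official domains, flagging the look-alike patterns typical of cloned sites. The function name check_link, the allow-list entry mybank.example (a placeholder for your own bank) and all sample addresses are constructed assumptions.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumed allow-list: apple.com and icloud.com belong to Apple;
# mybank.example is a constructed placeholder for the reader's bank.
OFFICIAL = ("apple.com", "icloud.com", "mybank.example")


def check_link(url, official=OFFICIAL):
    """Return (verdict, reason); verdict is 'official', 'suspicious' or 'unknown'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return "unknown", "no host in URL"
    # Official only if the host IS an allow-listed domain or a subdomain of one.
    if any(host == d or host.endswith("." + d) for d in official):
        if parts.scheme != "https":
            return "suspicious", "official host over plain HTTP"
        return "official", host
    # Everything below: the host is not on the allow-list.
    if parts.username:
        return "suspicious", "text before '@' is not the host"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious", "punycode label can hide look-alike characters"
    # Naive registrable domain: last two labels (no public-suffix list used).
    tail = ".".join(host.split(".")[-2:])
    for d in official:
        brand = d.split(".")[0]
        if brand in host:  # heuristic: brand name used outside its own domain
            return "suspicious", f"'{brand}' appears in a host outside {d}"
        if SequenceMatcher(None, tail, d).ratio() >= 0.85:
            return "suspicious", f"{tail} closely resembles {d}"
    return "unknown", "not on the allow-list; do not enter credentials"
```

A verdict of "unknown" is not a clean bill of health: only "official" means the address belongs to a domain you chose to trust.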

Overall, everything suggests that the success of Apple Pay fraud is not so much due to technical flaws in the system as to the fraudsters' skill in exploiting trust, haste, and lack of verification on the part of some users. Maintaining a critical mind, being wary of unexpected communications, and always relying on official channels remains the best way to use your mobile phone for payments without turning it into an open door for criminals.
