Apple Pay scams: common frauds and how to protect yourself

  • Apple Pay fraud is based primarily on social engineering rather than technical platform failures.
  • The most common methods are phishing, scams in digital markets, overpayments or unsolicited payments, and fake receipts.
  • Public Wi-Fi networks and fake Apple or bank agents are used to steal Apple credentials and IDs.
  • Enabling device protection and payment notifications, paying with cards that support chargebacks, and using a VPN significantly reduce the risk.

Beware of scams involving Apple Pay

Apple Pay has carved out a niche for itself as one of the most used mobile payment methods on the planet. With hundreds of millions of users and trillions of transactions each year, Apple's massive presence and the trust generated by the Apple brand have made it a highly attractive target for scammers.

Although the system is designed with strong security measures, such as Face ID, Touch ID, card tokenization and passkeys for more secure access, criminals have learned to circumvent that protection by "hacking" the user and not the technology. The problem isn't usually Apple Pay, but the way they get us to hand over data or approve transactions without us realizing it.

Why Apple Pay is a target for scammers

According to various reports from cybersecurity companies such as ESET, Apple Pay already processes astronomical volumes of money worldwide. Wherever so much cash is involved, actors emerge willing to exploit it, especially by using the Apple ecosystem's reputation for security to lull victims into a false sense of safety.

Experts stress that this is not a massive technical failure on the platform. Apple Pay uses biometric authentication to authorize payments and a tokenization system that prevents the actual card number from being shared with merchants or stored in plain text on the device. The fraudsters' objective is different: to steal login credentials, Apple IDs, 2FA codes, and banking credentials in order to link our cards to their own digital wallets.

The techniques used fall squarely within the field of social engineering. Alarmist messages, calls that sound very official, legitimate-looking emails, or websites almost identical to Apple's are the entry point for many of these scams. The user thinks they are talking to their bank or Apple support, but in reality, they are handing over the keys to their money.

This type of scam doesn't only affect Apple Pay: Google Pay and other digital wallets suffer similar tactics. ESET has even warned of a sharp increase in malware that exploits NFC technology on Android, demonstrating that the entire contactless payments sector is on cybercrime's radar.

The most common Apple Pay scams

Security analysts agree that most Apple Pay-related frauds fit into six major categories. In almost all cases, the ultimate goal is the same: to get your money, your Apple ID, or the verification codes that allow you to control your cards.

Phishing that impersonates Apple or your bank

The star method remains phishing. The user receives an SMS, a call, or an email that pretends to be from Apple, their bank, or an official service. The hook can vary: a supposed prize, a pending refund, a notification that your Apple Pay has been blocked, a problem adding your card to the wallet, etc.

The message includes links that lead to fake pages that look very similar to the official ones, where personal data, card numbers, online banking credentials, or Apple ID and password are requested. In some cases, the scammer enters this data into their own device in real time and tries to add the card to their own Apple Pay.

When the bank sends the one-time password, the fraudulent website immediately requests the 2FA code to confirm card registration. If the victim enters it thinking they are verifying a security issue, it allows the criminal to link the card to their digital wallet and start spending in the victim's name.

Scammers on buying and selling platforms

Here a fake buyer uses stolen cards that they have previously associated with Apple Pay to pay for the item. The seller sees the charge as correct and ships the product as usual. Days later, the actual cardholder detects the fraudulent use and files a claim with the bank, which initiates the chargeback process.

The result is that the seller is left without the product and without the money. The financial institution reverses the payment, and the scammer has already received the item, leaving hardly any useful trace to recover it, especially if they used intermediaries or fake delivery addresses.

Overpayments and fraudulent refunds

Another widespread scam revolves around the so-called overpayment. The scammer contacts the victim, claiming to be interested in an item the victim is selling online, and after agreeing on a price sends more money than agreed upon, supposedly "by mistake".

Immediately afterwards, the scammer asks the victim to return the difference through Apple Cash (a service available in some countries), via a peer-to-peer money transfer app, or with a gift card. The real trick is that the original payment was made with a stolen card. When that charge is cancelled, the victim loses not only the product but also the "extra" amount they refunded.

Unsolicited payments that end in trouble

Related to the above scheme is the unsolicited payment fraud. In this case, someone sends you money out of the blue through Apple Pay, without you having sold anything or expected any income.

Soon after, that person, or someone claiming to be them, contacts you to ask for a refund. They claim they sent the money to the wrong person or had a problem with the app. They usually insist you use another method: Apple Cash, another payment app, or gift cards.

When the legitimate holder of the card used for that first deposit reports the charge, the bank reverses the original payment. The result is that you are forced to return that amount and, in addition, you have already sent the "refund" to the scammer, so you end up assuming the entire loss.

Fake receipts and non-existent money

A classic example of internet fraud is the fake receipt. Here, the scammer claims to have paid for the product using Apple Pay and sends a screenshot that supposedly proves the transaction: it shows the amount, the date, and a message indicating that the money is "pending" or held in some kind of custody.

The story usually goes that the funds will be released when the order is shipped and the tracking number is shared. It all sounds reasonable, but there's a key detail: Apple Pay does not offer an escrow payment system. If the money does not appear in your account or on your actual statement, the payment does not exist, no matter how convincing the image may seem.

Fake public Wi-Fi networks and Apple portals

Another avenue of attack relies on the open Wi-Fi networks that we find in cafes, hotels, airports, or shopping malls. Cybercriminals can set up an "evil twin" hotspot, which mimics the name of the legitimate network (for example, "Airport_Free" instead of "Airport Free").

If we connect to that fake network, the attacker can intercept part of the traffic and redirect us to pages that mimic Apple's login portals. The goal is to capture the Apple ID and password, and in some cases also bank details or Apple Cash.

With those credentials in hand, the scammer can try to seize the balance of the digital wallet, make purchases, add new cards or even block the legitimate user's access to the account, complicating the recovery of control.
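
The lookalike-name trick described above ("Airport_Free" instead of "Airport Free") can be checked mechanically. The following Python sketch is an added example, not part of the original article; the function names, the trusted list, the scan results and the 0.85 similarity threshold are all assumptions chosen for illustration.

```python
import unicodedata
from difflib import SequenceMatcher

# Characters commonly swapped or dropped to imitate a network name.
SEPARATORS = str.maketrans("", "", " _-.")

def skeleton(ssid):
    """Fold case, Unicode compatibility forms and separators, so that
    'Airport Free' and 'Airport_Free' collapse to the same string."""
    folded = unicodedata.normalize("NFKC", ssid).casefold()
    return folded.translate(SEPARATORS)

def classify(ssid, trusted, threshold=0.85):
    """Return (verdict, matched_trusted_name).

    'trusted'   : the name is byte-for-byte on the trusted list
    'lookalike' : the name differs but imitates a trusted one
    'unknown'   : no resemblance to any trusted name

    A 'trusted' verdict is a name match only: an evil twin can also
    broadcast the identical name, so it does not prove legitimacy.
    """
    if ssid in trusted:
        return ("trusted", ssid)
    candidate = skeleton(ssid)
    for name in trusted:
        reference = skeleton(name)
        similar = SequenceMatcher(None, candidate, reference).ratio()
        if candidate == reference or similar >= threshold:
            return ("lookalike", name)
    return ("unknown", None)

# Constructed sample data: one known-good name and a made-up scan list.
TRUSTED = ["Airport Free"]
SCAN = ["Airport Free", "Airport_Free", "AIRPORT-FREE",
        "Airp0rt Free", "CoffeeShop Guest"]

def review(scan, trusted):
    """Map every scanned name to its verdict."""
    return {ssid: classify(ssid, trusted)[0] for ssid in scan}

if __name__ == "__main__":
    for ssid, verdict in review(SCAN, TRUSTED).items():
        print(f"{verdict:10} {ssid!r}")
```

Any name reported as a lookalike should be treated as hostile until the venue confirms it.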

Red flags: how to detect when something is wrong

Most of these Apple Pay scams share a number of very clear warning signs that are important to always keep in mind. Recognizing them early often makes the difference between losing money and stopping the scam right away.

One of the most common is extreme urgency. Messages or calls that pressure you to confirm your account, provide confidential information, or return a payment immediately, under threat of being blocked or losing your funds, are a classic symptom of social engineering.

Another obvious red flag is any request for your 2FA codes, passwords, card PINs, or your full online banking details. Neither Apple nor your bank will ever ask you by phone, SMS, email, or messaging to read aloud a verification code or enter it on a website other than the official one.

It should also set off alarms when someone asks you to return part or all of a payment received using a method other than the original (gift cards, other payment apps, cryptocurrencies, etc.), or insists that you send a product on the strength of a screenshot of an alleged payment, without the money actually appearing in your account.

Finally, be wary of any unsolicited contact in which someone claims to speak on behalf of Apple, your bank, or a public body and asks for financial or login information. If in doubt, it's best to hang up and call the official customer service number directly.

Steps to use Apple Pay (and other wallets) more securely

Cybersecurity experts insist that, despite the increase in fraud, protecting your iPhone when using Apple Pay isn't that complicated if a series of basic precautions are applied and a healthy degree of skepticism is maintained towards the unexpected.

One of the first recommendations is to activate the protection against stolen devices in the iPhone settings. This feature requires the use of Face ID or Touch ID to make sensitive changes, such as modifying passwords, disabling certain security options, or adjusting key Apple Pay settings.

It's also a good idea to make sure that all cards added to the digital wallet have payment notifications enabled. This way, any charge is immediately reflected on your mobile device, allowing you to react quickly if you detect any unusual or unrecognized activity.

For online shopping, experts suggest prioritizing the use of cards that allow chargebacks. That way, if the seller turns out to be a fraudster, it is possible to file a formal claim with the bank and recover the amount, provided that action is taken within the established deadlines.

Regarding connectivity, it is advisable to avoid using public Wi-Fi networks for sensitive operations whenever possible, and if there is no alternative, use a trusted VPN that encrypts the communication. Some security providers also include additional services, such as monitoring personal data or dark web monitoring.

Finally, keeping your devices and apps always updated and reviewing the main known scams from time to time helps avoid falling into traps that are repeated in different guises. As ESET reminds us, memory is also part of our protection.

What to do if you suspect you've been scammed with Apple Pay

When you suspect you've fallen for an Apple Pay scam, the time factor is fundamental. The sooner action is taken, the more options there are to limit the damage and even block some operations.

The first step is usually to review the wallet application and, if possible, cancel the payment directly from the device. If you cannot cancel from your mobile device, you must contact the card-issuing bank without delay to report the fraud, request that the affected card be blocked and ask for a new one to be issued.

In parallel, if the Apple ID, passwords, or verification codes have been exposed, it is essential to reset privacy and security settings. It may also be advisable to log out of all linked devices and check which devices have access to the account.

In the European context, in addition to the financial institution, it is possible to report the fraud to the appropriate authorities through the channels provided by Europol or national cybersecurity and consumer protection agencies. Although recovery of the money is not always possible, these reports help to prosecute the networks behind them.

In a context where digital wallets make everyday life easier, it's important to keep in mind that this same agility can backfire when combined with haste and carelessness: taking a few seconds to be suspicious, check who is on the other end, and carefully review the messages has become one of the best defenses against scams surrounding Apple Pay.
