Common scams targeting Apple Pay users: how to spot them and protect yourself

  • Apple Pay fraud relies on social engineering, not technical platform failures.
  • Phishing, purchases on digital marketplaces, and fake receipts are some of the most common scams.
  • Key red flags include urgency, requests for 2FA codes, and payment refunds through unusual channels.
  • Enabling protection on your iPhone, using VPNs on public Wi-Fi, and reacting quickly to fraud reduce the impact.

In just a few years, Apple Pay has gone from being a novelty to becoming part of the daily lives of millions of people. The convenience of paying with a mobile phone or watch has sent its use soaring, with hundreds of millions of users and trillions of annual transactions throughout the world, including in Spain and the rest of Europe.

That popularity has a less pleasant side: it has become a top target for scammers. Not because Apple's system is insecure, but because criminals know that where large sums of money are involved and there is trust in technology, it is easier to slip in scams based on social engineering and user manipulation.

Apple Pay is secure, but the weak link remains the user.

Cybersecurity experts point out that Apple Pay's design is geared towards security and privacy. The service uses mechanisms such as biometric authentication (Face ID or Touch ID) to authorize payments and tokenization to prevent the actual card numbers from traveling over the network or being stored on the device.

These technical layers make it extremely difficult for an attacker to directly steal the card details from your iPhone or Apple Watch. That's why, in practice, most frauds don't attack the technology, they attack the person: they focus on getting the user to voluntarily hand over their credentials, one-time codes, or bank details.

Researchers from companies like ESET point out that cybercriminals are primarily looking for financial information, access to Apple ID and 2FA codes (two-step authentication). Once they obtain these pieces, they can link third-party cards to their wallets, authorize payments, or even attempt to drain balances from linked services, such as Apple Cash in countries where it is available.

In parallel, near field communication (NFC), the technology that enables contactless mobile payments, is also increasingly targeted by attackers. In the Android environment, for example, a notable increase in malware that abuses NFC has been observed. This shows the widespread interest of criminals in mobile payments.

The most common scams targeting Apple Pay users

In Europe and in Spain, fraud patterns very similar to those described by international analysts are being detected. Six types of scams account for the majority of the frauds linked to Apple Pay, many of them also replicated in other services such as Google Pay.

1. Phishing: messages that impersonate Apple or your bank

Phishing remains the main entry point for this type of fraud. The user receives an SMS, email or call that appears to be from Apple, their bank, or a messaging service. The pretext is usually a prize, a pending refund, or an alleged security issue with Apple Pay or with the card.

The message includes a link that leads to a website that mimics the official appearance of Apple or the bank. That page requests information such as the card number, bank username and password, Apple ID, or even one-time authentication codes. The user, trusting the page, enters the information without suspecting that they are on a site controlled by the scammer.

In some cases, criminals use this information in real time. While the victim fills out the form, they try to add that card to their own Apple Pay wallet. The bank then sends an SMS code to confirm the link. The fraudulent site asks for that code, and if the person enters it, the card becomes associated with the offender's device.

The same scheme is replicated over the phone: a person claiming to be from Apple support or the bank insists there is suspicious activity and that it is necessary to "verify" the identity, trying to obtain 2FA credentials or codes that should never be shared.

2. Fraud in digital markets: purchases with stolen cards

Another widespread tactic occurs in online marketplaces for buying and selling between individuals and on secondhand platforms. Here, the seller is usually the victim. A “buyer” becomes interested in a product of a certain value (mobile phones, computers, consoles, watches, etc.) and claims that they will pay with Apple Pay using their iPhone or Apple Watch.

The problem is that this supposed buyer has linked stolen or compromised cards to their Apple Pay account. The payment transaction appears to go smoothly; the seller sees the money in their account and proceeds to hand over the item, trusting that everything is in order.

Days later, the legitimate cardholder disputes the charge with their bank. The financial institution investigates, initiates a refund, and ultimately the seller loses both the product and the money, because they are obligated to refund the money they received. The scammer, meanwhile, has already received and probably resold the item.

3. Overpayment: “I sent you too much, please refund the difference”

Closely linked to digital markets is the overpayment scam. Here the criminal also poses as a buyer, but the tactic is somewhat different: they make a payment for an amount higher than agreed, then apologize and ask for the difference to be returned.

For that refund, the scammer usually suggests alternative channels such as Apple Cash in countries where it exists, or other money transfer applications (for example, services like Venmo or Zelle in the US market). All of this is done hastily and by appealing to the seller's good faith.

The key is that the first payment comes from a stolen card. When the bank cancels that fraudulent transaction, the seller loses both the initial amount and the amount they paid back out of their own pocket. And if they have also shipped the product, they lose the item as well.

4. Unsolicited payments: money that arrives “out of nowhere”

A very similar variant is the unsolicited payment. The victim receives an unexpected deposit through Apple Pay and, shortly after, a message or call from the supposed sender saying that they sent it to the wrong recipient or that it is a mistake.

With that argument, the scammer pressures the victim to return the money using methods such as Apple Cash, digital gift cards, or third-party payment apps. Again, the source of the payment is usually a third party's card, so when the bank detects it, it claims back the original amount, while the amount reimbursed by the victim has already ended up in the hands of the offender.

The result is a double loss: the person who received the payment they weren't expecting must return it to the rightful owner and, in addition, has sent a second payment through another channel for which no one will reimburse them.

5. Fake receipts and screenshots

Another common trap in online buying and selling is the use of forged receipts. The scammer agrees to buy a product and claims to have made the payment via Apple Pay. To prove it, they send a doctored screenshot that shows an alleged proof of payment.

Sometimes, that fake receipt includes messages saying that the money is “on hold” or “in custody” and that it will be released as soon as the seller ships the package and provides a tracking number. It's a way to give the scam a more legitimate appearance.

The reality is that Apple Pay does not offer escrow services or hold funds in custody. If the balance doesn't appear in your account or banking app, there's no actual payment. Relying solely on a screenshot opens the door to sending the item without having been paid anything.

6. Public Wi-Fi networks and “evil twin” access points

Beyond the realm of messages and screenshots, there are also attacks that exploit the device's internet connection. One of the most talked about is the so-called “evil twin”: a Wi‑Fi hotspot that imitates the name of a legitimate network in places like cafes, stations or airports.

When the user connects to that fake network, the attacker can intercept part of the traffic and redirect the iPhone or computer to fraudulent websites that mimic portals from Apple or from banking institutions. From there, the social engineering aspect reappears: the goal is to steal Apple IDs, passwords, or payment information.

With these credentials, criminals can attempt to gain access to digital wallet services, review sensitive information or even move associated funds if the account has an available balance, for example in Apple Cash-type solutions in the markets where it operates.

Warning signs: when to suspect an Apple Pay scam

Although criminals refine their methods, almost all of these scams share a number of patterns that can put you on alert. Paying attention to these details helps to stop fraud before it's too late.

  • Urgency and pressure: Messages or calls asking you to act "now" to avoid losing a prize, prevent an alleged account block, or resolve a fabricated issue.
  • Request for 2FA codes or passwords: Neither Apple, nor your bank, nor a reputable messaging service will ask you via SMS, email, or phone for the codes you receive to log in or authorize transactions.
  • Refunds of recent payments: If someone who has just paid you insists that you return part or all of the amount by another method (gift card, different payment app, etc.), it is advisable to be suspicious and check the origin carefully.
  • Non-existent escrow payments: Any story about funds being “held” by Apple Pay until you ship the product is false; the platform does not operate as an escrow service.
  • Unsolicited contacts impersonating Apple or your bank: If someone presents themselves as a support employee and starts asking you for sensitive information, the wisest thing to do is hang up and call the entity's official number yourself.

Often, the deciding factor is to pause for a few seconds before clicking or replying. That pause is usually enough to detect inconsistencies, spelling mistakes, suspicious web addresses, or requests that don't fit with the usual operation of Apple Pay or your bank.

Best practices for using Apple Pay with more peace of mind

Despite the noise surrounding these frauds, experts agree that keeping your money and data safe with Apple Pay is perfectly possible if the device's technical protections are combined with certain prudent habits.

First, it's worth reviewing the iPhone's security options. Activating the Stolen Device Protection feature makes sensitive changes, such as modifying security settings or managing cards, require Face ID or the device code even when the phone is unlocked.

It is also recommended to enable notifications for all cards added to the Wallet. This way, any payment or charge is immediately reflected on the screen, making it easier to detect transactions that you have not authorized and react quickly.

If you frequently shop online, it's advisable to use cards that allow chargebacks with Apple Pay. This offers an additional layer of protection in case the seller turns out to be a scammer or fails to deliver the product.

In shared environments such as airports, hotels, or cafes, the general recommendation from experts is to avoid using unprotected public Wi-Fi for sensitive tasks. When there is no other option, relying on a virtual private network (VPN) from a reliable provider helps encrypt the connection and makes it harder to intercept data.

Finally, it is useful to stay up to date on new fraud tactics. Scams evolve, change their excuses, and adapt to current events, so taking a few minutes now and then to read alerts from European agencies, security forces, or cybersecurity companies can make all the difference.

What to do if you think you've fallen for an Apple Pay scam

If you suspect you have been the victim of any of these scams, the key element is reaction speed. The sooner you act, the better your chances of limiting the financial damage and regaining control of your accounts.

The first step is to check the Wallet app and your online banking for unrecognized payments or added cards that you haven't set up. From the device itself you can try to cancel recent transactions or remove suspicious cards linked to the wallet.

In parallel, it is advisable to contact the bank immediately. The bank can block or cancel cards, stop ongoing charges, and issue new cards. If you have provided 2FA codes or login credentials, it is prudent to consider that data compromised and take appropriate action.

Another priority measure is to change the passwords of your Apple ID and associated financial services, activating or reviewing two-factor authentication wherever available. It is essential that new passwords are strong and that old passwords are not reused across different platforms.

From a legal point of view, in Europe it is advisable to report the fraud to the appropriate authorities. Both national bodies and police forces specializing in cybercrime can intervene, and Europol's channels can also be used to report fraud networks operating on a cross-border scale.

Digital wallets have significantly simplified the way we pay, but that convenience implies accepting that the first line of defense is you. By understanding how the most common scams work, recognizing warning signs, and making good use of the device's security features, you can navigate the Apple Pay ecosystem with much greater peace of mind and minimize the chances of a criminal taking advantage of your trust.