Common Apple Pay Scams and How to Avoid Them
Apple has hundreds of millions of customers worldwide. Nearly 75% of them use Apple Pay. Apple Pay is Apple’s digital payment service. It’s an extremely popular service, and it’s easy to understand why. You can send money to any individual or merchant using Apple Pay, and the payments are close to instantaneous. On top of that, Apple Pay is more secure than a traditional credit card.
But for all its virtues (and its security), Apple Pay is still vulnerable to scammers. Like other popular third-party payment services, the more people use them, the more they become a valuable target for scammers.
In this post, we provide an overview of Apple Pay and how it works. We also go over some of the more common Apple Pay scams, with tips on how to avoid them.
What is Apple Pay?
Apple Pay is Apple’s payment system that allows one to send money to a business or individual for free (there are no fees to users). The payments are almost instantaneous, and all Apple Pay transactions are encrypted.
Merchants never get your banking details, and because Apple uses a type of hash (token) of your credit card number, your actual credit card number is never stored on Apple’s servers.
Apple Pay offers multiple layers of security.
Biometric authentication/passcode
Before making a purchase, you will first need to authenticate yourself, either using biometrics (Face ID, Touch ID) or with your passcode if Face ID or Touch ID is disabled. This secures your transactions when you make them and complicates matters for malicious actors if your phone is ever lost or stolen.
Tokenization
Tokenization is the main event in Apple Pay’s security posture. Rather than storing and sharing your credit card number, expiration date, and CVV code to transfer money, Apple creates a special hash, a token, that can only be used once. Only the token (and your email – see below) are sent to the merchant, and only the token is stored on Apple’s servers.
If a hacker were ever to intercept your one-time token, they wouldn’t be able to access your money with it.
If you don’t want your email address to be forwarded to merchants, you can configure Apple Pay to use Apple-generated alias email instead of your real email. Emails sent to the alias address are forwarded to your “real” inbox.
Find My
Another way Apple Pay secures your accounts is through the Find My app.
If your iPhone (or other Apple device) is ever lost or stolen, you can temporarily freeze your Apple Pay account through the Find My app. That way, you can rest easy knowing that all Apple Pay transactions will be rejected even if the person who has your phone can access it.
This feature protects your Apple Pay account even if your phone is compromised.
A two-fold service
Apple Pay has two components:
Apple Pay
I mentioned above that Apple Pay can be used to send money to either merchants or individuals. And that’s where the above distinction comes into play.
When you use Apple Pay in a shop to pay for goods or services, you’re using Apple Pay. That may sound like a pleonasm, but it’s not. The Apple Pay and the Apple Cash components are subsumed under the Apple Pay umbrella.
Apple Pay supports both credit and debit cards, and Apple does not store transaction details (they are stored by the underlying financial institution that issued your card(s).
Apple Cash
When you use Apple Pay to send money to a friend, you’re using Apple Cash. The system behind Apple Cash is the same peer-to-peer system as that of other third-party payment platforms, like PayPal and Zelle.
Unlike the Apple Pay component, you can only link a debit card (and some prepaid credit cards).
Whether you use Apple Pay or Apple Cash, you need to remember that both services align with the third-party payment platform industry regarding buyer protection – that is, there is none. If you get scammed, that’s pretty much it. Apple will not refund you, and neither will your bank.
Common Apple Pay scams
Most Apple Pay scams you’ll likely encounter can be grouped into one of the five categories below.
- Impersonation scams
- Seller scams
- Advance-fee scams
- Reimbursement scams
- Phishing/2FA scams
We’ll review each of them while providing examples and mitigation tips.
Impersonation scams
An impersonation scam is one in which a malicious actor impersonates someone you know or at least recognize. The malicious actor will typically attempt to impersonate a family member, a friend, a representative from Apple, your bank, or any other business, possibly by WhatsApp, with which you transferred funds using Apple Pay.
Whoever they choose to impersonate will provide a legitimate reason to send them money through the app. Your daughter is stranded in a train station and needs you to send her money through Apple Pay to buy a ticket home.
Another typical ploy is to impersonate an Apple Pay representative, informing you that you must send money through Apple Pay to yourself to cancel a fraudulent withdrawal. Here, the attacker attempts to create an emergency and trigger an emotional reaction, short-circuiting your rational thought processes.
Regardless of pretense, the idea is always to convince you to send the impersonator an Apple Pay transfer. Doing so transfers the money to the attacker rather than the intended recipient.
Also, remember that with the rise of AI (voice cloning), these impersonation attacks become easier to pull off and are much more convincing.
Mitigations
To avoid impersonation scams, remember that Apple or your bank will never call you asking for money. If you get such a call, hang up and call your bank or contact Apple to confirm the situation. If it’s a third-party business, do the same thing: hang up and contact them directly.
If the attacker is trying to impersonate someone you know, ask them a question only the actual person would be able to answer.
Try and keep your cool. The key is not to panic and follow the above advice. You’ll know soon enough whether the emergency is real.
Seller scams
This one is extremely common. A malicious actor places an ad on an online marketplace. You pay for the goods using Apple Pay, but they never arrive. And because you made the payment yourself and there’s no buyer protection with Apple Pay, you’ve been had.
A common variation of this seller scam is when you see an ad for a beautiful apartment for rent at a ridiculously low price; you need to send a deposit (via Apple Pay) to secure the rental. Of course, once the transfer is complete, you never hear back from the seller, and the ad disappears. There never was an apartment for rent.
Mitigations
Seller scams aim to create a sense of urgency through scarcity by putting forth a very low price or stock levels (only one left – buy now!). That urgency is an attempt to trigger an emotional response. Don’t fall for it. Things that sound too good to be true usually are.
Only purchase from sellers you trust. Never send money to strangers. If you’re buying used goods, try to meet the seller in person or use a password-protected money transfer system (many banks offer the ability to protect a funds transfer with a password or security question) and only share the password or answer with the seller once you have the goods.
Advance fee scams
This one is epitomized by the old Nigerian prince email scam from the late ’90s that you may remember. It goes like this: One day, one of them stands out as you check your email. It claims to be from the prince of Nigeria, who explains that he’s been locked out of his large inheritance following his father’s death. And, for some reason, he needs you to send him money so he can access his vast fortune – part of which will go to you if you agree to help him and send him the needed funds.
Seems legit, right?
That’s a classic advance fee scam. Its modus operandi: you pay the advance fee based on the promise of a reward that never comes.
Of course, that was then, and this is now. Hopefully, few people would fall for the Nigerian prince hoax today. However, contemporary variations of the advance fee scam are rampant today, like the “contest you won though you weren’t aware you entered” scam. You need to pay this or that fee to claim your prize. Of course, your prize is as elusive as a Nigerian prince when you do.
Mitigations
Don’t fall for the lure of easy profit. Legitimate money doesn’t simply appear in your inbox.
Someone asking you to pay in advance for any financial assistance is unlikely to have your best interests at heart. I’d also recommend performing a web search on the person or business asking you for an advance fee with the words “scam” or “complaint” and see what results come up.
Reimbursement scams
While reimbursement scams are a type of impersonation scam, given that the person calling will pretend to be someone they’re not – typically a representative from Apple or your financial institution – they’re so prevalent that I felt they deserved their own section.
So, you’re sitting quietly at home, and the phone suddenly rings. A representative from your bank states that money has been debited from your account due to a suspicious Apple Pay payment you never made. They then propose to guide you through a convoluted (and fake) Apple Pay recovery process.
You’re actually sending money directly to your attacker.
Mitigations
Hang up with the caller and contact your bank or Apple directly to confirm the situation. Whether or not it turns out to be true, checking with Apple or your bank won’t incur further financial loss, and you’ll still be able to address the situation.
As with all these scams, it’s critical you don’t cede to panic.
Phishing/2FA scams
Almost all the scams listed in this post are phishing scams of one kind or another. However, in the context of Apple Pay, many particularities warrant splitting them into different categories.
I’m bundling phishing scams with a common 2FA Apple Pay scam. Because you can protect Apple Pay with biometrics, it thwarts some of the potential phishing attacks that can occur with other payment platforms – attackers can’t easily steal your face or fingerprint (it’s still possible, but it’s very involved and unlikely to affect large numbers of users). However, attackers can target your credentials, passcode, or 2FA tokens.
2FA (two-factor authentication) or MFA (multifactor authentication) are excellent ways to protect your account. However, in recent times, they’ve been weaponized by malicious actors to access your accounts and steal your information, money, or both.
This one works by having a malicious actor robocall you or send you a text message asking for your 2FA code. The call or text will appear legitimate, so it might be tempting to comply – don’t. Odds are the attacker already has your credentials, and the only thing keeping them out of your account is the 2FA code.
Again, this attack could be mounted to trick you into relinquishing your Apple credentials or your iPhone’s passcode – in a more traditional phishing attack.
This attacker could trick you into installing malware or direct you to a fake web form controlled by the attacker. Whatever method is used, the point is that the attacker gets your Apple credentials/device passcode/2FA token, which they then use to access your funds.
A variant of this attack tends to gain traction as the holidays approach is the “missing package” scam. It goes like this: you receive a text message from a fake number claiming that you have a lost package that may be retrieved if you fill out a form accessed through a provided link. Conveniently, the form has fields for your email, password, and maybe even your passcode (for greener victims). Of course, the form is fake and under the attacker’s control.
Keep your eyes peeled for this one; it’s peaking right about now.
Mitigations
Don’t click links in emails or text messages unless you explicitly trust them and the sender, especially if you’re not expecting any packages.
If you are expecting a package, contact the company you purchased from and confirm with them that there’s an issue with your delivery.
Take a good look at the sender’s email address or phone number. If it doesn’t look legit, it probably isn’t. Be on the lookout for spelling mistakes and poor grammar – two hallmarks of scam emails and messages.
Remember that neither Apple nor your bank will contact you and ask you to disclose your 2FA code. They’re typically meant to be entered into a web page before being granted access to your account. Only use them that way, and never divulge your 2FA codes to anyone.
General advice to help avoid Apple Pay scams
Here are some general tips for all scams you should remember.
- Only use Apple Pay (or any other P2P payment system) with trustworthy merchants. That way, emergency requests from third parties will immediately appear suspect.
- Only use Apple Cash with people you know and trust. If there’s an unexpected issue with the transfer, you can contact the recipient directly.
- Be wary of time-constrained emergencies. Your bank or Apple’s assistance isn’t time-constrained. That’s a tactic designed to manufacture a false sense of urgency, elicit an emotional response, and bypass your rational thought processes. Don’t fall for it.
- Don’t trust merchants who insist on using only Apple Pay. That’s a red flag.
What to do if it’s too late (you’ve been scammed)
Hopefully, you’ll avoid falling victim to an Apple Pay scam. But, if you don’t, here’s what you should immediately do.
Alert your financial institution and Apple
Contact your bank and Apple when you know you’ve been scammed. Your financial institution’s customer service telephone number is printed on the back of your debit or credit card. You can find the proper phone number to contact Apple on its website. This is the link to the “Contact Us” page on Apple’s American site.
Lockdown and set up alerts on your financial accounts
You want to treat an Apple Pay scam as if your credit card number was compromised. Lock down your account. That usually means putting your account under more scrutiny by your bank, such as receiving text messages to approve purchases.
You can also change your username and password for your online banking account and request a credit freeze from credit bureaus.
Alert the police
While it’s unlikely law enforcement will open an investigation, filing a police report will nonetheless create a record of the event, which can be helpful if any additional fraud or identity theft occurs further down the line. You may as well have your bases covered.
Wrap up
So those were the ins and outs of Apple Pay scams. Since Apple Pay doesn’t provide buyer protection, you should be extra careful when using the service. Falling victim to an Apple Pay scam can have nasty consequences. Like cash, Apple Pay payments are instantaneous and irreversible. Every medal has two sides…
Still, with vigilance and common sense, you should be able to use Apple Pay safely – it’s pretty convenient.
Stay safe.
See also:
Source link