Apple Pay Phishing Scams: What to Do When Your Bank Won’t Return Your Money

By: The Schlanger Law Group Legal Team 

It starts with an email or text message that looks like it came from Apple. There’s been an unauthorized purchase on your account — a MacBook Air for $1,157, or maybe a gift card for $279. The message includes a phone number to call right away. You dial. The person who answers sounds professional and knowledgeable, and they walk you through what appears to be a standard fraud verification process. Within minutes, thousands of dollars have disappeared from your bank account.

This is one of the fastest-growing phishing scams in the country, and it is targeting the nearly 64 million Americans who use Apple Pay. Apple Pay now processes over $8.7 trillion in global transactions annually, and that enormous volume has made it a magnet for criminals. Between 2022 and 2023, the share of large financial institutions reporting fraud linked to Apple Pay nearly doubled, rising from 33.1 percent to 59.9 percent, according to the PYMNTS Intelligence “State of Fraud and Financial Crime in the U.S.” report. Fraud involving digital wallets overall has increased by 31 percent.

Apple markets its platform as one of the most secure payment systems available, claiming it has a fraud rate of just 0.01 percent. But that security architecture means very little when a scammer convinces you to hand over your login credentials or read a two-factor authentication code out loud over the phone. The technology is not what fails in these scams — the scammer bypasses it entirely by manipulating the person holding the phone.

What makes this situation worse is what often happens next. When victims report the fraud to their bank, many are told the transactions were “authorized” because they provided their credentials. The bank denies the claim and refuses to return the stolen funds. That denial is not only devastating — in many cases, it violates federal law.

How the Apple Pay Phishing Scam Works

Phishing accounts for approximately 40 percent of all identity fraud cases, and the Apple Pay variant is particularly effective because it combines a convincing email with a live phone call — a technique security researchers call “vishing,” or voice phishing.

The scam typically begins with an email designed to look like an official Apple billing notification. The message warns of a suspicious transaction and provides a phone number for Apple’s “fraud department.” The email does not come from an official Apple domain, but the formatting and branding are convincing enough that most people do not think to check.

When the victim calls the number, a scammer answers and runs a scripted “verification process.” The scammer may ask for the victim’s Apple ID or other account details, claiming this information is needed to cancel the unauthorized charge. During the call, the scammer triggers a real two-factor authentication request from Apple. The victim receives a legitimate verification code on their device and, believing it is part of the fraud resolution process, reads it to the caller.

That code is all the scammer needs. With it, they gain access to the victim’s Apple ID and everything connected to it, including payment methods stored in the Apple Wallet — debit cards, credit cards, and bank accounts. From there, the scammer can initiate transfers, make purchases, or move funds to accounts they control.

Phishing emails and fake phone calls are not the only methods criminals use to steal Apple Pay credentials. A growing number of scams use fraudulent QR codes — a technique known as quishing — to redirect victims to fake login pages that capture account information.

In some versions of this scam, the attack is even more sophisticated. In Roberts v. USAA Federal Savings Bank, Apple Payments, Inc., and Green Dot Bank (M.D. Fla. 2025), a case currently being litigated by Schlanger Law Group, a scammer spoofed the customer service number of the victim’s own bank. The victim’s caller ID displayed the bank’s real phone number. The caller had access to the victim’s account details, knew the victim’s current location, and could describe recent Apple Pay transactions — all of which reinforced the appearance that the call was legitimate. The scammer claimed the victim’s debit card had been linked to an unknown Apple Pay account and convinced the victim to provide Apple Pay credentials so the card could be “unlinked.”

With that information, the scammer took control of the victim’s phone and executed two unauthorized transfers from the victim’s bank accounts through Apple Pay, totaling over $9,000. The funds were routed to unknown third-party accounts at other banks. The victim disputed every transaction. USAA, Apple Payments, and Green Dot Bank all denied the claims.

How to Tell the Difference Between a Scam and a Real Apple Notification

Understanding what Apple actually does — and does not do — is critical to avoiding falling victim to this scam. Apple does not send emails asking you to call a phone number to resolve billing disputes. Apple does not ask for two-factor authentication codes over the phone. Apple does not schedule “fraud appointments” through email or text. When there is a genuine issue with a declined purchase, Apple sends a push notification through the Wallet app on your device — not an email with a phone number.

If you receive any message about a suspicious Apple Pay transaction, do not call the number provided. Instead, open the Wallet app directly, visit apple.com, or call Apple Support at 1-800-MY-APPLE.

Why Banks Deny These Claims — and Why They Are Often Wrong

After the money is gone, many victims expect their bank to make them whole. Instead, they receive a denial letter. The bank’s reasoning typically follows the same script: because the consumer provided their credentials or approved a verification code, the transactions were “authorized.”

This reasoning is understandable on a surface level — the bank’s systems show that the correct credentials were used, so the system “worked.” But federal law does not define authorization that way.

It is also worth noting that banks have verification procedures available to them that could help prevent exactly this kind of fraud. Many financial institutions can flag out-of-character transactions and require the accountholder to call the number on the back of their card or on their statement to verbally confirm the activity before the transfer is processed. That kind of procedure would stop most imposter scams in their tracks — the scammer, not the real customer, is the one initiating the transfer, and a callback to a verified number would expose the fraud immediately. When banks choose not to implement or follow these safeguards and then deny claims by blaming the consumer, the result is doubly unfair.

Your Legal Rights Under the Electronic Fund Transfer Act

The Electronic Fund Transfer Act is the federal law that protects consumers when money is stolen from their bank accounts through electronic transfers. It covers debit card transactions, ATM withdrawals, ACH transfers, and transfers through digital wallets like Apple Pay when those wallets are linked to a bank account.

The EFTA and its implementing regulation, Regulation E, are clear on a point that many banks either misunderstand or choose to ignore: a transfer initiated by someone who obtained the consumer’s access device through fraud is an unauthorized electronic fund transfer. The regulation’s Official Interpretation states this explicitly: “An unauthorized EFT includes a transfer initiated by a person who obtained the access device from the consumer through fraud or robbery.” 12 C.F.R. § 1005.2(m), Official Interpretation, Comment 3.

Schlanger Law Group served as counsel to the plaintiff in Green v. Capital One, N.A. (S.D.N.Y. 2021), a case in which the court held that “under the Official Interpretation, access obtained by fraud was never truly ‘authorized.’” That principle applies directly to Apple Pay phishing scams: when a scammer tricks you into providing your credentials, the resulting transfers are unauthorized regardless of whether the bank’s system recorded them as “verified.”

This means that when a scammer poses as your bank or as Apple, tricks you into providing your credentials, and then uses those credentials to drain your account, the resulting transfers are unauthorized under federal law. The fact that you were the one who provided the credentials does not make the transfer “authorized” — the EFTA specifically accounts for exactly this scenario.

The regulation goes even further. Regulation E’s Official Commentary on consumer liability states that “negligence by the consumer cannot be used as the basis for imposing greater liability than is permissible under Regulation E.” A bank cannot deny your claim simply because you fell for a sophisticated scam. That is not a legally valid basis for denial.

What Your Bank Is Required to Do

When you report an unauthorized transfer, the EFTA imposes specific obligations on your bank. The bank must investigate your claim within 10 business days. If the bank needs more time — up to 45 days — it must provisionally credit the disputed amount to your account while it completes its investigation. If the bank concludes that no error occurred, it must provide you with a written explanation of its findings and inform you of your right to request copies of the documents it relied on in reaching that conclusion.

Banks that fail to meet these requirements — or that deny claims without conducting a good-faith investigation — may be liable for the amount of the unauthorized transfer, plus additional statutory damages. Under 15 U.S.C. § 1693f(e), if a bank knowingly and willfully concludes that a consumer’s account was not in error when it could not reasonably have reached that conclusion based on the available evidence, the consumer may be entitled to treble damages — three times the amount of the proven loss.

The Evolving Question of Apple Pay’s EFTA Obligations

One important area of developing law is whether Apple Pay itself — as distinct from the bank whose account is linked to Apple Pay — qualifies as a “financial institution” with its own obligations under the EFTA. This is a question that Schlanger Law Group is actively litigating. In Roberts v. USAA, the complaint names Apple Payments, Inc. as a defendant under the EFTA alongside the victim’s bank and Green Dot Bank, which provides banking-as-a-service to Apple.

Regardless of how courts ultimately resolve that question, one thing is clear: the bank that holds your money and processes the electronic transfer has EFTA obligations. If your bank denied your fraud claim after an Apple Pay phishing scam, the bank’s conduct — not Apple’s status — is the first and most important issue.

If a Credit Card Was Compromised

Not every Apple Pay phishing scam results in a drained bank account. If the scammer used your stolen credentials to make unauthorized credit card charges rather than debit card or bank account transfers, a different set of federal protections applies.

The Truth in Lending Act (TILA), specifically Section 1643, and the Fair Credit Billing Act (FCBA) cap your liability for unauthorized credit card charges at $50, and in practice most card issuers waive even that amount. If you discover unauthorized credit card charges resulting from a phishing scam, report them to your card issuer and follow up in writing. The card issuer must investigate and cannot simply hold you responsible because a scammer obtained your credentials through fraud. For a detailed explanation of your rights under the Fair Credit Billing Act, see our FCBA FAQ.

What to Do If You Have Been Targeted

If you believe you have been the victim of an Apple Pay phishing scam, act quickly. The speed of your response directly affects your legal rights and your chances of recovering stolen funds.

Report to your bank immediately. Call the bank and follow up with a written dispute. Under the EFTA, your liability for unauthorized transfers depends in part on how quickly you report the problem. If you report within two business days of learning about the unauthorized transfer, your maximum liability is $50. If you report after two business days but within 60 days of receiving the statement showing the unauthorized transfer, your liability can increase to $500. Reporting promptly keeps your exposure low and triggers the bank’s investigation obligations.

Dispute with Apple. Contact Apple Support directly and report the unauthorized activity. If your Apple Pay account is linked to Apple Cash, which is serviced by Green Dot Bank, file a dispute with Green Dot as well.

Secure your accounts. Change your Apple ID password immediately. Remove any unfamiliar devices from your Apple account. Review all payment methods in your Wallet and remove or freeze any compromised cards.

File an identity theft report with the FTC at IdentityTheft.gov. This generates an official Identity Theft Report that can support your disputes with financial institutions and credit bureaus.

File a police report. A police report creates additional documentation and may be requested by your bank during its investigation.

Check your credit reports. Phishing scams that capture your personal information can lead to broader identity theft, including fraudulent accounts opened in your name. Pull your reports from all three major bureaus at AnnualCreditReport.com and review them for any accounts or inquiries you do not recognize. If you discover signs of identity theft on your credit reports, Schlanger Law Group’s comprehensive guide, Fighting Back: A Victim’s Guide to Identity Theft and Credit Report Errors, walks you through the process of disputing fraudulent information and protecting your credit file.

How to Recognize and Avoid Apple Pay Phishing Scams

The most effective defense against these scams is knowing what to look for. There are several consistent red flags.

Any email or text claiming to be from Apple that includes a phone number to call about a billing issue is almost certainly fraudulent. Apple handles billing disputes through its app ecosystem, not through callback numbers in emails.

Be especially wary of callers who create a sense of urgency — telling you that your account is being drained right now, that your password must be changed immediately to stop an ongoing theft, or that you need to “verify” your identity before the damage gets worse. The irony of these scripts is that the call itself is the thieves’ ongoing attempt to steal your money. The urgency is designed to keep you on the line and prevent you from hanging up and independently verifying the situation — because the moment you do, the scam falls apart.

No legitimate representative from Apple, your bank, or any other company should ever ask you to read a two-factor authentication code over the phone. These codes exist to verify that you are the one logging in. If someone asks you to share one, they are trying to gain access to your account.

If you are unsure whether a communication is legitimate, hang up and contact the company directly using a number you find independently — on the back of your card, on the company’s official website, or through the app on your device. Do not use any contact information provided in the suspicious message.
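The red flags above, written as a mail-filter heuristic a security team could run over inbound messages. This is an added example, not part of the original article; the `red_flags` function, the regular expressions, the choice to treat only apple.com and its subdomains as official, and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: apple.com and its subdomains are the only senders treated as official.
OFFICIAL_DOMAINS = ("apple.com",)
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
BILLING_RE = re.compile(r"\b(unauthorized|purchase|charge|billing|transaction)\b", re.I)
URGENCY_RE = re.compile(r"\b(immediately|urgent(ly)?|right (away|now))\b", re.I)

# Constructed samples (not real messages); the phone number is a placeholder.
SCAM_SAMPLE = (
    'From: "Apple Billing" <receipts@apple-billing-support.example>\n'
    "Subject: Your order has been placed\n"
    "\n"
    "An unauthorized purchase of a MacBook Air for $1,157 was made on your account.\n"
    "Call our fraud department right away at (800) 555-0142.\n"
)
BENIGN_SAMPLE = (
    "From: Apple <no_reply@email.apple.com>\n"
    "Subject: Your receipt from Apple\n"
    "\n"
    "Thank you for your purchase. Review your order in the Wallet app.\n"
)

def body_text(msg):
    """Return the concatenated text/plain content of a parsed message."""
    if msg.is_multipart():
        return "\n".join(p.get_payload() for p in msg.walk()
                         if p.get_content_type() == "text/plain")
    return msg.get_payload()

def red_flags(raw_email):
    """List which of the article's red flags a raw RFC 5322 message shows."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    text = f"{msg.get('Subject', '')}\n{body_text(msg)}"
    official = any(domain == d or domain.endswith("." + d) for d in OFFICIAL_DOMAINS)
    flags = []
    if "apple" in f"{display} {text}".lower() and not official:
        flags.append("apple-branding-from-unofficial-domain")
    if PHONE_RE.search(text) and BILLING_RE.search(text):
        flags.append("callback-number-for-billing-issue")
    if URGENCY_RE.search(text):
        flags.append("urgency-language")
    return flags
```

The `From` header can be forged, so the domain check should be paired with the receiving server's SPF, DKIM and DMARC results rather than trusted on its own.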

———

Schlanger Law Group has represented victims of unauthorized electronic fund transfers since 2007, and EFTA claims are one of our core practice areas. We are currently litigating cases involving Apple Pay phishing scams in which banks and payment platforms have denied fraud claims. We typically represent victims on a contingency fee basis and handle cases nationwide. If your bank denied your fraud claim after an Apple Pay phishing scam, contact us today to discuss your options.
