
Yet another scam targeting iPhone users with emails coming straight from Apple has been revealed, and you may want to take extra caution with this one.
In 'another day on the Internet,' iPhone users around the world -- that's 1.8 billion people, give or take -- have been warned against carelessly clicking on calendar invites coming straight from an Apple email address, as they may hide a scam targeting their bank accounts.
Sending malicious communications to access login data and bleed bank accounts dry isn't new. However, it seems scammers are getting sharper as they find ways to bypass spam filters.
In a new phishing scam, iCloud Calendar invites are being used to send callback phishing emails disguised as purchase notifications. The scariest part is that, unlike other phishing scams where typos and sketchy email addresses are easy to spot, these invites are being sent directly from Apple's email servers.

This means that they won't land in your spam folder and will be trickier to identify as a fraud attempt. But fret not, as there are ways to protect yourself before clicking that link.
Apple has issued a warning after a reader shared a suspicious email they'd received with Bleeping Computer, explaining that the communication included a false PayPal purchase and a number to call to dispute it.
"Hello Customer, Your PayPal account has been billed $599.00. We’re confirming receipt of your recent payment," the email stated (via Forbes).
Scammers have adopted a variation of the usual "callback phishing scam" that abuses iCloud Calendar invites. The aim is to get the user to call back so the attackers can convince them that their account has been hacked and that action needs to be taken promptly. The attackers then persuade the victim to download software through which they can steal credentials or cash.
“The threat actor included the phishing text within the Notes field and then invited a Microsoft 365 email address that they controlled,” Bleeping Computer said of the trending scam.

The hope is to trick victims into calling fraudulent 'support' numbers, explained Jamie Akhtar, CEO and cofounder of CyberSmart. "Because these invites are sent from Apple’s legitimate servers, they pass authentication checks and appear trustworthy, making them far harder for traditional filters to block."
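Because sender authentication passes for these invites, a filter has to look at the invite body itself. The check below is an added example, not code from Apple, Bleeping Computer or this article; it assumes the Notes text arrives in the iCalendar `DESCRIPTION` property, and the sample invite, phone number, function names and keyword patterns are constructed for illustration.

```python
import re

# Constructed sample invite (not a real message). The Notes text sits in
# DESCRIPTION (assumption) and is folded across lines as RFC 5545 allows.
SAMPLE_INVITE = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nMETHOD:REQUEST\r\nBEGIN:VEVENT\r\n"
    "UID:constructed-example-1\r\nSUMMARY:Purchase Invoice\r\n"
    "DESCRIPTION:Hello Customer\\, Your PayPal account has been billed $599.00.\r\n"
    "  If you did not make this payment\\, call +1 (555) 010-0199 within 24 hou\r\n"
    " rs to dispute it.\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n"
)

PHONE = re.compile(r"(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
AMOUNT = re.compile(r"[$£€]\s?\d[\d,]*(?:\.\d{2})?")
BILLING = re.compile(r"\b(billed|charged|payment|invoice|purchase|refund)\b", re.I)
URGENCY = re.compile(r"\b(within \d+ hours?|immediately|right away|urgent)\b", re.I)

def unfold(ics: str) -> str:
    # RFC 5545 folding: a line break followed by one space or tab continues the line.
    return re.sub(r"\r?\n[ \t]", "", ics)

def get_property(ics: str, name: str) -> str:
    for line in unfold(ics).splitlines():
        head, sep, value = line.partition(":")
        if sep and head.split(";")[0].upper() == name:
            # Undo TEXT escaping (\, \; \\ and \n) so patterns see the real wording.
            return re.sub(r"\\([\\;,nN])",
                          lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)
    return ""

def review_invite(ics: str) -> dict:
    # Inspect content only: SPF/DKIM results say nothing about what the Notes field holds.
    text = get_property(ics, "SUMMARY") + "\n" + get_property(ics, "DESCRIPTION")
    signals = {
        "phone_number": bool(PHONE.search(text)),
        "billing_lure": bool(AMOUNT.search(text) and BILLING.search(text)),
        "urgency": bool(URGENCY.search(text)),
    }
    # A charge notice plus a number to call is the callback-phishing pattern described above.
    signals["callback_phish_suspected"] = signals["phone_number"] and signals["billing_lure"]
    return signals
```

A hit is a reason to hold the invite for review, not proof of fraud; legitimate invites can also contain dial-in numbers, which is why the phone number is only flagged together with a billing lure.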
Javvad Malik, lead CISO advisor at KnowBe4, offered some advice about how to avoid falling for such scams.
“Ask if this communication was expected, is it trying to spike emotion, and is there an artificial time limit pushing you to act now? If the answer is yes to any, stop and self‑verify via a known channel. And treat calendar invites with the same skepticism as email.”