Scam emails impersonating Apple's iCloud service threaten users with account blocking and data deletion to trick them into clicking malicious links, according to multiple reports. These emails may coincide with genuine Apple messages about storage limits, making them more convincing, and often have suspicious sender domains, such as those mentioning Ecuador or '.biz.ua'. The UK consumer body Which? warned about this iCloud scam in a Facebook post. A scam involving fake Apple Pay 'fraud alerts' via text message tricks victims into moving funds or withdrawing cash, as reported by multiple sources.
In Apple iCloud and Apple Pay scams, tactics include social engineering rather than hacking, as explained by the consumer advocacy organisation Consumer Affairs. One victim nearly lost $15,000 (£11,100) to the Apple Pay scam before a bank worker intervened, according to multiple reports. Apple advises users to screenshot suspicious texts and email them to reportphishing@apple.com. Apple, Microsoft, and Google will never contact users asking them to call a number or link to a specific website. Banks will never ask for full passwords or PINs over the phone.
Apple's official guidance emphasizes reporting phishing attempts and adhering to general security principles. The company recommends forwarding suspicious communications to its dedicated email address and reminds users that legitimate entities do not solicit sensitive information via unsolicited contacts. This aligns with broader advice from cybersecurity experts to verify sources independently.
EE users are being targeted by a scam text message claiming reward points will expire unless they act immediately, according to multiple reports. The scam tries to apply urgency by saying that there are only a few days to take advantage of the offer, a common tactic used by criminals to try to force people into decisions which they would not otherwise make. EE users who clicked on the link said they were taken to a site which appeared legitimate and offered prizes in exchange for points. According to The Guardian - Money, a fake text message described an EE points program reminder, stating that users are high-quality and should click a link to redeem points before they expire.
This message serves as an advance notice regarding your Vodafone Reward Points. You currently hold 12,739, of which 12,000 points are scheduled to expire in 3 days in line with the 2026 programme.
Cybersecurity experts at Bitdefender warned about this EE scam on Instagram. A spokesperson for EE said it first heard of the scam two months ago and since then 265,000 people had reported the fake text messages. EE advises you highlight the scam by pressing on the 'report spam' button. Suspicious texts should be forwarded to 7726 and then deleted, according to multiple reports. EE has stated it does not operate a points programme, clarifying that its legitimate rewards involve partnerships like Airtime for discounts and cashback.
Fake text messages have been sent claiming to be from EE and Vodafone, promising prizes from their rewards schemes, according to research from three sources. Vodafone has the VeryMe Rewards scheme but says it never refers to it as the 'Vodafone Rewards Club', which is what it is called in some texts. Vodafone said its customers were mostly not receiving the texts labelled as coming from Vodafone because RCS is not enabled by the carrier on iPhones. People on other networks are receiving the fake Vodafone texts, as per research from three sources.
A technical challenge arises from RCS messaging enabling scams, with EE saying the messages were sent via RCS, a more advanced type of messaging than SMS, and it is unable to block them, unlike SMS which it can. EE said it was working with Apple and Google on the problem of RCS scam messages, though specific technical measures being implemented remain unknown. This highlights vulnerabilities in newer communication technologies.
In Finland, scam messages are being sent in the name of teleoperator Elisa, directing recipients to phishing sites, according to multiple reports. Elisa recommends changing passwords immediately if login credentials are suspected to be compromised. Recently, Finns have been targeted with scam messages impersonating Suomi.fi, Tax Administration, Kela, Spotify, Netflix, OmaPosti, and Aktia, as reported by multiple sources, indicating a broader regional trend.
Important Reminder about your reward points. You currently have 12,739 Reward Points available in your account. If no action is taken, these points will expire in 3 days under the terms of the 2026 Reward Points campaign. To explore your reward options and redeem your points, please visit the link below.
General phishing text characteristics include urgency, unknown numbers, and action prompts. Phishing texts will usually ask you to do something – like click a link or call a number. Phishing texts may be sent from a UK mobile number that you don’t recognise, and will almost always try to create a sense of urgency – telling you’ve won a prize for example, according to research from three sources. These tactics exploit psychological pressure to bypass user caution.
EE's clarification on legitimate rewards programs versus scams notes that at EE, it does not offer an EE points program that would let you exchange points for rewards. Instead, it has partnered with Airtime, which users can join to claim discounts on their bill and cashback on some purchases made with their cards. This distinction helps users identify fraudulent offers.
Contextually, a broader trend of scams impersonating trusted entities like Suomi.fi and banks has emerged, as seen in the Finnish campaigns. This reflects a global increase in phishing attempts leveraging brand trust to deceive individuals.
Reactions include consumer bodies and cybersecurity experts raising public awareness, with organizations like Which? and Bitdefender actively warning users. These efforts aim to educate the public on recognizing and reporting scams.
Implications involve increased vulnerability due to advanced messaging and social engineering, as RCS and sophisticated tactics make scams harder to detect and block. This escalation challenges both technological defenses and user vigilance.
Unknowns persist, including who is behind the phishing and smishing scams targeting Apple iCloud, Apple Pay, EE, Vodafone, and Elisa users, and how many people have fallen victim with total financial losses unconfirmed. It is unclear what specific technical measures Apple, Google, and mobile carriers are implementing to block RCS scam messages, or if any law enforcement investigations are ongoing with arrests made. The effectiveness of current anti-phishing software and user awareness campaigns in preventing these scams also remains uncertain.