Fake Apple ID / iCloud account suspended phishing — impersonates Apple security notices claiming the Apple ID was locked or suspended due to unusual activity, driving to a credential-harvest page; Apple is a top-5 most impersonated brand (APWG); FBI IC3 2023: Apple impersonation scams caused $300M+ in losses
fake-apple-id-icloud-account-suspended-phish
What this tier means
High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.
How Gorganizer detects this
Phishing emails impersonating Apple security notices to claim the victim's Apple ID has been locked, suspended, or disabled due to unusual sign-in activity — then directing to a polished credential-harvest page styled as Apple's sign-in portal. Key facts: (1) APWG 2024: Apple is consistently in the top-5 most impersonated brands globally; Apple ID phishing is categorically distinct from Apple Pay phishing (targets payment) and Apple order-confirmation phishing (targets order anxiety); this signal specifically targets account-access fear; (2) FBI IC3 2023: Apple impersonation scams (combined across Apple ID, Apple Pay, and Apple Support vectors) caused $300M+ in reported losses, with credential theft enabling downstream attacks including SIM-swapping, cryptocurrency theft, and takeover of linked financial accounts; (3) The urgency mechanism is deliberately calibrated: "your Apple ID will be permanently disabled in 24 hours" creates a time-pressure that bypasses rational evaluation, causing recipients to click through fear rather than curiosity — the same mechanism used in tech-support and IRS impersonation scams; (4) Apple ID credentials are high-value targets because they unlock iCloud backups (which contain messages, photos, and app data), Apple Pay, App Store purchases, and iCloud Keychain passwords — a single compromised Apple ID can expose far more than a streaming account. Legitimate Apple security emails arrive exclusively from apple.com domains, do not threaten permanent deactivation via a link, and always direct users to iforgot.apple.com for password resets. Warning signs: sender domain not apple.com or icloud.com, threat of permanent account deactivation, link to a non-Apple domain, no reference to the specific device or location of the suspicious sign-in.
False-positive guard
Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.
About the scoring engine
Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.
Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.
Ready to clean your inbox?
Gorganizer scans your Gmail with this signal and 1,800+ others, then cleans everything in one click. $4.99 one-time, no subscription.
Get started