Threat / Phishing & impersonation

Fake Apple Pay / Google Pay / Samsung Pay digital wallet phishing — fraudulent email impersonating Apple Pay, Google Pay, Samsung Pay, or Apple Wallet claiming a transaction was declined, the digital wallet account has been suspended, unusual payment activity was detected, or a payment method has expired — directing the recipient to verify payment credentials, update billing information, or sign in to restore access — a credential and payment card harvesting attack targeting digital wallet users; Zimperium 2024: digital wallet phishing grew 340% YoY; Apple Pay has 500M+ users globally

fake-apple-pay-google-pay-digital-wallet-phish

What this tier means

High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.

How Gorganizer detects this

Phishing emails impersonating Apple Pay, Google Pay, Samsung Pay, or Apple Wallet claim that a transaction was declined, that the digital wallet account has been suspended due to unusual payment activity, or that a payment method has expired. They direct the recipient to verify payment credentials, update billing information, or sign in to restore access.

Key facts:

(1) Zimperium 2024 Mobile Threat Intelligence Report: digital wallet phishing grew 340% year-over-year, driven by the massive expansion of contactless payment adoption post-pandemic. Apple Pay has 500M+ users globally and Google Pay 150M+, creating an enormous attack surface for fraudulent "account issue" notifications.

(2) The credibility of these attacks comes from the high frequency of legitimate payment-declined and billing-update emails: Apple, Google, and Samsung all routinely email users about failed payments, expired cards, and required verifications. Attackers study the exact template design, subject line wording, and CTA language of real Apple Pay / Google Pay emails to craft convincing fakes.

(3) The credential impact extends far beyond the wallet itself: a spoofed "Apple Pay: verify your Apple ID" page captures Apple ID credentials, giving attackers access to iCloud (photos, documents, backups, Find My device), iMessage, App Store, and any stored password in iCloud Keychain. That makes this a full account takeover vehicle disguised as a payment issue. Similarly, a fake "Google Pay" page capturing Google credentials grants access to Gmail, Google Drive, Google Photos, and all Google-connected services.

(4) Card data harvested through fake "update your payment method" portals is immediately sold on dark web card markets at $20–$80 per card with CVV, or used for card-present fraud before the victim realizes the compromise.

Warning signs: sender domain not apple.com, google.com, or samsung.com; email asks for card details directly rather than linking to account settings; generic greeting without last-four-digits of the card or last transaction amount; link to non-Apple/non-Google domain; urgency about permanent wallet suspension.
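
The warning signs above, written as a small checker. This is an added illustration, not Gorganizer's code; the phrase lists, sign names and both sample messages are constructed assumptions, and it handles single-part plain-text mail only.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

BRAND_DOMAINS = ("apple.com", "google.com", "samsung.com")  # domains named on the page
BRAND_RE = re.compile(r"apple pay|google pay|samsung pay|apple wallet", re.I)
# The phrase lists below are assumptions chosen for this example.
CARD_RE = re.compile(r"card number|cvv|security code|expir(y|ation) date", re.I)
URGENCY_RE = re.compile(r"permanent(ly)?\s+(suspen|clos|disabl)", re.I)
PERSONAL_RE = re.compile(r"ending in \d{4}|\$\s?\d+\.\d{2}", re.I)  # last four or an amount
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def on_brand(host):
    """Match on a label boundary so apple.com.evil.example does not pass."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

def wallet_phish_signs(raw):
    """Return the warning signs found in a single-part plain-text email."""
    msg = message_from_string(raw)
    sender, body = msg.get("From", ""), msg.get_payload()
    text = msg.get("Subject", "") + "\n" + body
    if not BRAND_RE.search(sender + "\n" + text):
        return []  # not a wallet-themed message, nothing to evaluate
    # The From header is spoofable; it is checked only because the page lists it.
    checks = {
        "sender_domain": not on_brand(parseaddr(sender)[1].rpartition("@")[2]),
        "asks_card_details": bool(CARD_RE.search(body)),
        "generic_greeting": not PERSONAL_RE.search(body),
        "off_brand_link": any(not on_brand(urlparse(u).hostname) for u in URL_RE.findall(body)),
        "urgency": bool(URGENCY_RE.search(text)),
    }
    return [name for name, hit in checks.items() if hit]

# Constructed sample messages (not real mail).
PHISH = """\
From: Apple Pay <billing@apple-pay-support.example>
Subject: Your Apple Pay wallet will be permanently suspended

Dear customer, your payment method has expired. Enter your card number and
CVV at https://apple.com.wallet-verify.example/restore to restore access.
"""
LEGIT = """\
From: Apple <no_reply@email.apple.com>
Subject: Apple Pay: payment declined

Your card ending in 4242 was declined for $12.99; see https://support.apple.com/apple-pay
"""
```

The constructed phishing sample trips all five signs, including a link whose hostname merely begins with apple.com; the constructed legitimate sample trips none.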

False-positive guard

Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.

About the scoring engine

Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.

Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.
