Fake 'Sign in with Apple' OAuth Consent Phishing Scam
Fraudsters create lookalike 'Sign in with Apple' pages embedded in fake app flows or phishing sites to harvest Apple IDs and passwords, bypassing Apple's privacy relay and accessing the victim's wider Apple ecosystem.
Part of: Social Login & OAuth Phishing
Last reviewed: 8 June 2026
Apple's 'Sign in with Apple' feature allows users to log in to third-party apps using their Apple ID, with the option to hide their real email address behind a relay address. When used correctly, this is a privacy-respecting authentication method. The consent screen always appears on apple.com or as a native system prompt on an Apple device.
Scammers build fake app pages and phishing sites that display a counterfeit 'Sign in with Apple' button linking to a near-identical replica of the Apple sign-in page on a non-Apple domain. Users who believe they are using a privacy-safe authentication method may be less on guard when prompted for their Apple ID and password.
Because many Apple users have Face ID or Touch ID auto-fill enabled, they may not notice that the page asking for their password is not on apple.com.
How this scam works on the Apple brand
A victim encounters a free productivity app advertised on social media that offers to back up contacts to iCloud. When they tap 'Sign in with Apple' in the app's onboarding flow, they are redirected to a page at apple-auth.appname.io rather than appleid.apple.com. The page is an identical replica of Apple's sign-in UI.
After entering the Apple ID and password, the victim may also be prompted for the two-factor authentication code that Apple sends to their trusted device. The attacker, who is conducting a real-time relay attack, submits these credentials to the real Apple sign-in page and obtains a session token before the victim notices anything is wrong.
Some variants use a malicious Safari extension or browser redirect to intercept the Apple OAuth flow and insert the fake page mid-transaction.
Common red flags
- The 'Sign in with Apple' page is hosted anywhere other than appleid.apple.com. The hostname must be exactly appleid.apple.com; any other domain is fraudulent.
- On an iPhone or Mac, you see a webpage form asking you to type your password. Genuine 'Sign in with Apple' uses a system-level Face ID or Touch ID prompt instead.
- You are asked to enter your two-factor code on a web page immediately after entering your password.
- The app requesting Sign in with Apple is not listed in the App Store but claims to integrate with Apple services.
- After completing the sign-in, you are asked for additional information like credit card details or social security number.
- Your Apple ID shows a new login from an unfamiliar location in the Security section of appleid.apple.com.
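The hostname check from the first red flag can be automated when triaging reported links. The following is an added example, not part of the original page: `classifySignInUrl` and its reason labels are hypothetical names, and every sample URL other than the page's own apple-auth.appname.io is constructed.

```javascript
// Added example, not from the original page. Sample URLs are constructed.
const EXPECTED_HOST = "appleid.apple.com"; // hostname named in the red flags above

// Hypothetical helper: judge a sign-in link by its parsed hostname only.
function classifySignInUrl(raw) {
  let url;
  try {
    url = new URL(raw); // WHATWG parser, the same rules a browser applies
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  if (url.protocol !== "https:") return { ok: false, reason: "not-https" };
  // Text before '@' is userinfo, not the host, however trustworthy it looks.
  if (url.username || url.password) return { ok: false, reason: "userinfo-in-url" };

  // hostname is already lowercased and IDNA-encoded; drop a trailing root dot.
  const host = url.hostname.replace(/\.$/, "");
  if (host === EXPECTED_HOST) return { ok: true, reason: "exact-match" };

  // Non-ASCII labels surface as xn-- after parsing; flag them for review.
  const labels = host.split(".");
  if (labels.some((l) => l.startsWith("xn--"))) return { ok: false, reason: "punycode-label" };
  // The trusted name used as a subdomain prefix of another domain.
  if (host.startsWith(EXPECTED_HOST + ".")) return { ok: false, reason: "trusted-name-as-prefix" };
  if (host.includes("apple")) return { ok: false, reason: "brand-in-foreign-domain" };
  return { ok: false, reason: "foreign-domain" };
}

// Constructed samples, apart from the page's apple-auth.appname.io host.
const samples = [
  "https://appleid.apple.com/auth/authorize",
  "https://apple-auth.appname.io/login",
  "https://appleid.apple.com.signin.example/",
  "https://appleid.apple.com@apple-auth.appname.io/",
  "http://appleid.apple.com/",
];
for (const s of samples) console.log(classifySignInUrl(s).reason.padEnd(24), s);
```

Only the exact-match result is treated as genuine; every other reason is a label for the analyst, not a verdict about a specific site.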
How to protect yourself
- On Apple devices, Sign in with Apple should trigger a native Face ID or Touch ID system sheet — if you see a web form asking for your password, stop immediately.
- Regularly review apps connected to your Apple ID at appleid.apple.com > Sign in with Apple to revoke any you do not recognise.
- Enable two-factor authentication on your Apple ID and review trusted devices regularly.
- If you entered credentials on a suspect page, change your Apple ID password at appleid.apple.com immediately and check for unrecognised devices.
- Use Sign in with Apple only for apps with reputable App Store listings from known developers.
How to report it
- Report the phishing site to Apple at [email protected].
- Report the app to the Apple App Store using the 'Report a Problem' link.
- File a report with the FTC at ReportFraud.ftc.gov.
- Report the URL to the Anti-Phishing Working Group at [email protected].
Frequently asked questions
Is 'Sign in with Apple' more secure than a username and password?
On a genuine Apple device, Sign in with Apple uses Face ID or Touch ID and does not expose your real email address, making it more privacy-preserving. However, on a fake phishing page that mimics the Apple login form, the security benefit is nullified.
Can I check which apps are using Sign in with Apple on my account?
Yes. Visit appleid.apple.com, sign in, and under the Security section find 'Sign in with Apple.' You can review and revoke app access from there.
Does Apple ever ask for my Apple ID password in a webpage form during Sign in with Apple?
On an Apple device, Sign in with Apple uses a native system prompt authenticated by Face ID, Touch ID, or passcode — not a webpage text field. If a website is asking you to type your Apple ID password into a form, it is not the genuine Apple flow.