If you have ever checked your child’s grades online, submitted a college paper through a school portal, downloaded homework assignments, or received messages from a teacher through a classroom app, there is a good chance you have used Canvas, a nationwide learning management system that was just in a massive data breach.
This is exactly the moment McAfee+ Advanced was built for. With our built-in Scam Detector to flag risky links, QR codes, and deepfakes; Identity Monitoring that alerts you when your data appears where it shouldn’t; and Personal Data Cleanup that removes your information from the dark web and data brokers, McAfee+ Advanced is an all-in-one solution for protection after a data breach.
Now let’s get into what you need to know about this breach:
Who Is Behind the Canvas Breach?
The ransomware group ShinyHunters is claiming responsibility for the attack. The group alleges it stole roughly 275 million records tied to nearly 9,000 schools and educational institutions worldwide.
How Did the Canvas Cyberattack Happen?
Instructure, the company behind Canvas, confirmed a cyber incident affecting its cloud-hosted environment. The attackers later posted claims about the breach on their leak site, where ransomware groups pressure organizations into paying by threatening to release stolen data publicly.
What Information Was Stolen in the Canvas Breach?
The stolen data reportedly includes:
Student names
Teacher and staff names
Email addresses
Student IDs
Course and enrollment information
School-related records
ShinyHunters claims the breach exposed roughly 275 million records and more than 231 million unique email addresses.
How Could the Canvas Data Breach Impact Families and Students?
Even if financial information was not exposed, this kind of data can still be extremely valuable to scammers. Criminals can use real school names, real classes, teacher names, and student information to create highly convincing phishing emails, fake school alerts, scholarship scams, tuition scams, or password reset messages.
A scam message referencing your child’s actual school or assignment is much harder to spot as fake.
This is what a Canvas message might look like when forwarded to your email inbox. Hackers claim to have millions of these types of messages.
This is a real message from Canvas from a community college professor after yours truly took an anthropology class for fun during the pandemic. It’s full of links to apply for programs and reach out to professors. It has exact details about courses I’ve taken.
While this correspondence is real, it’s exactly the type of messaging that scammers could fake and replicate, replacing real links with fake “paid” opportunities to pursue degrees.
Now think of the millions of messages and specific scenarios scammers have access to, to create dubious and convincing scams. That’s why protecting yourself after a breach is key.
What To Do Right Now
Here are some actions you can take immediately to protect yourself after this breach:
Change your or your child’s Canvas password immediately, and update any other accounts where they reuse that password
Turn on multi-factor authentication (2FA) on parent and student accounts wherever the school permits it — Instructure’s own post-incident guidance specifically called out enforcing MFA as a recommended precaution
Ask your school what identity protection is being offered if sensitive data was involved
Consider placing a credit freeze on your or your child’s file to block new accounts from being opened in their name
Avoid clicking links in any messages that reference the breach; go directly to the official site instead
And that, my friends, is issue number one in this week’s This Week in Scams. Let’s get into what else is on our radar in cybersecurity and scam news.
Fake Amazon Recall Texts Are Targeting Shoppers
Your phone buzzes. It’s a text from an unknown number, but the message looks official.
“Dear Amazon Customer, we are writing to inform you that an item from your March 2026 order has been identified for recall.” There’s an order number. A link at the top of the message. A note about quality standards and a refund waiting for you.
It looks real. It has the Amazon logo, the branded formatting, even a reference to the “Amazon Customer Safety Team.” The only thing it doesn’t have? Any connection to Amazon at all.
A photo of a scam recall text I received this week. Luckily Scam Detector flags the link as risky if you try to click.
This is a fake Amazon recall scam, and it is making the rounds right now. The goal is to get you to click that link, which takes you to a site designed to harvest your login credentials, payment information, or both.
If you get a text like this, do not click the link. Go directly to amazon.com in your browser, log in, and check your orders and messages from there. Amazon does not initiate recall or refund processes through unsolicited texts with outside links.
What Is a Fake Amazon Recall Scam And How Does It Work?
A fake Amazon recall scam is a text message or email in which criminals impersonate Amazon to convince you that one of your recent orders has been flagged for a product recall. The message directs you to an external link leading to a phishing site designed to steal your Amazon credentials, credit card details, or personal information.
Red Flags To Watch For
The text comes from an unknown number, not a short code or verified sender
The link goes to a domain that is not amazon.com
The message asks you to complete a refund through an external link
Small typos or awkward phrasing appear in what looks like official communication
The greeting says “Dear Amazon Customer” rather than your actual name
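
The machine-checkable red flags above can be applied to a text like the one quoted earlier. This is an added example, not McAfee's or Amazon's code: the function names, the 5-to-6-digit short-code heuristic, and the `.example` link in the sample are assumptions made for illustration. It also shows why "contains amazon.com" is not a safe test for a link.

```python
import re
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "amazon.com"  # the only domain the article tells readers to trust

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
GENERIC_GREETING_RE = re.compile(r"\bdear\s+amazon\s+customer\b", re.IGNORECASE)
REFUND_RE = re.compile(r"\b(refund|recall)\b", re.IGNORECASE)
# Assumption: a short code is a 5- or 6-digit sender, as used by U.S. carriers.
SHORT_CODE_RE = re.compile(r"\d{5,6}")


def host_of(url):
    """Return the lowercase hostname of a URL, or '' if it cannot be parsed."""
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:
        return ""
    return host.rstrip(".").lower()


def is_official_host(host, official=OFFICIAL_DOMAIN):
    """True only for the official domain itself or a genuine subdomain of it.

    A substring test would accept 'amazon.com.refund-center.example' and
    'notamazon.com'; comparing on a label boundary rejects both.
    """
    return host == official or host.endswith("." + official)


def red_flags(sender, body):
    """Return the article's red flags that apply to one message."""
    flags = []
    if not SHORT_CODE_RE.fullmatch(sender.strip()):
        flags.append("sender is not a short code")

    # Strip sentence punctuation that the URL pattern may have swallowed.
    urls = [u.rstrip(".,;:!?)") for u in URL_RE.findall(body)]
    outside = [h for h in map(host_of, urls) if not is_official_host(h)]
    if outside:
        flags.append("link outside amazon.com: " + ", ".join(outside))
        if REFUND_RE.search(body):
            flags.append("refund or recall handled through an external link")

    if GENERIC_GREETING_RE.search(body):
        flags.append("generic greeting instead of your name")
    return flags


# Constructed sample: the wording quoted in the article plus a made-up link
# and a made-up sender number.
SAMPLE_SENDER = "+1 (555) 010-0199"
SAMPLE_BODY = (
    "Dear Amazon Customer, we are writing to inform you that an item from your "
    "March 2026 order has been identified for recall. Claim your refund: "
    "https://amazon.com.refund-center.example/recall?id=1"
)

if __name__ == "__main__":
    for flag in red_flags(SAMPLE_SENDER, SAMPLE_BODY):
        print("RED FLAG:", flag)
```

Typos and awkward phrasing, the remaining red flag in the list, are left to human judgment here.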
What To Do If You Get One
Do not click the link
Go to amazon.com directly and check your orders and account notifications
Where McAfee Steps In (So You Don’t Have to Guess)
Scams today are layered. A fake email leads to stolen credentials. A breach leads to targeted phishing. And those follow-ups are getting harder to spot.
With McAfee+ Advanced, multiple layers work together so you’re not left figuring it out after the damage is done:
Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast
According to McAfee’s 2026 State of the Scamiverse report, Americans now spend 114 hours a year trying to figure out what’s real and what’s fake online. That’s nearly three full workweeks lost to second-guessing messages, alerts, and links.
And when scams do succeed, they move quickly. The typical scam unfolds in about 38 minutes, leaving little room for hesitation.
That creates a gap: People want to check before they act, but the tools haven’t always met them in that moment.
ChatGPT + McAfee is designed to close that gap, bringing scam detection directly to a platform people are already using to ask questions and make decisions.
And it’s available to anyone. You don’t have to be a McAfee subscriber.
This isn’t just detection. It’s guidance in the exact moment you’re deciding what to do.
Instead of guessing, you can paste a message or drop in a screenshot and get a clear explanation of what’s risky, and what to do next, powered by McAfee’s threat intelligence.
What You Can Do with ChatGPT + McAfee
With this integration, checking something suspicious becomes as simple as asking a question.
Paste a message. Drop in a link. Upload a screenshot.
McAfee analyzes it and explains what’s going on clearly and in context.
Here’s how it works:
| Feature | What it does | How it protects you |
| --- | --- | --- |
| Link safety check | Paste a suspicious URL and get a reputational analysis based on McAfee threat intelligence | Scam links are often designed to look legitimate. A quick check helps avoid phishing and malware |
| Message analysis | Submit texts, emails, or social messages for evaluation | Many scams now rely on urgency and tone. Analysis helps surface subtle red flags |
| Screenshot uploads | Upload screenshots of messages, emails, or posts for review | Scams don’t always come as clean text. This makes it easier to check what you’re actually seeing |
| Clear explanations | Get a breakdown of why something is flagged as risky or safe | Not just a warning—an explanation that helps you recognize patterns next time |
| Guided next steps | Receive recommendations on what to do next | Helps prevent escalation, especially in moments of uncertainty |
It’s a quick, accessible way to get answers in the moment. But it’s just one part of a broader system designed to protect you more comprehensively.
Behind the scenes, ChatGPT + McAfee is powered by the same intelligence that fuels McAfee’s broader scam protection ecosystem.
When you submit something for review:
Links are checked against known threat signals
Messages are analyzed for scam patterns and language cues
Results are translated into clear, human-readable explanations
The goal isn’t just to flag risk. It’s to help you understand it.
A New Way to Stay Ahead of Scams
Scams aren’t slowing down. If anything, they’re becoming more convincing, more personalized, and harder to detect.
That’s where ChatGPT + McAfee comes in. But this is only one part of a much bigger system designed to protect you before, during, and after a scam attempt.
Graduating should feel like a fresh start, a time when the whole world is at your fingertips.
Unfortunately, scammers often see graduates and think “student loans.” Or more specifically “student loan scams.”
As student loan payments resume or repayment plans shift, scammers move in fast, posing as loan servicers, promising forgiveness, or offering to “simplify” your loans for a fee.
The tricky part? These messages often look real.
That’s where tools like McAfee’s Scam Detector come in. It flags suspicious emails, texts, links, and even deepfake-style messages, helping you spot what’s real before you click, respond, or pay.
Here’s how to spot these scams and stay safe with McAfee:
What Is a Student Loan Consolidation Scam?
Student loan consolidation itself is a legitimate option. It allows you to combine multiple federal loans into one, often to simplify payments.
Scammers exploit that confusion.
Instead of helping, they pose as government partners or “relief experts” and charge you for services you can do yourself…for free.
According to Federal Student Aid, you never have to pay for help managing or consolidating your federal student loans.
That’s the baseline truth most scams try to blur.
How These Scams Actually Work
| Step | What Happens | Red Flags | What Scammers Want |
| --- | --- | --- | --- |
| 1. The Outreach | You get an email, text, or call about “loan consolidation” or “forgiveness” | Urgent tone, unfamiliar sender, “final notice” language | Your attention and quick reaction |
| 2. The Hook | They claim you qualify for a special program or limited-time offer | “Act now,” “guaranteed forgiveness,” or “new law” claims | Your trust |
| 3. The Ask | They request payment or personal info | Upfront fees, requests for FSA ID or bank info | Money + account access |
| 4. The Control | They may ask for authorization to manage your loans | Power of attorney forms, account takeover steps | Full control of your loan account |
Luckily, McAfee+ Advanced users have access to Scam Detector, which alerts them to the suspicious emails, messages, links, and deepfakes that scammers often employ in these student loan fraud scenarios.
The Most Common Lies to Watch For
Scammers tend to recycle the same scripts. Federal Student Aid warns about messages like:
“Act immediately to qualify for student loan forgiveness before the program is discontinued.”
“You’re eligible for total loan discharge. Call now.”
“Your loans are flagged for forgiveness pending verification.”
These messages are designed to create urgency, not clarity.
And importantly, they are not coming from the U.S. Department of Education or its partners.
Image Courtesy of STUDENTAID.GOV.
Where McAfee’s Scam Detector Comes In
This is exactly the kind of gray-area messaging that trips people up.
Federal Student Aid also recommends reviewing your account activity and confirming no unauthorized changes were made.
The Bottom Line
Student loan consolidation scams don’t look like scams anymore.
They look like helpful emails. Official notices. Last chances.
That’s why protection today isn’t just about knowing the rules, it’s about having backup when something feels off.
With McAfee, you’re not left guessing. You can spot suspicious messages, understand the risks, and move forward with confidence, without handing your time, money, or identity to someone who doesn’t deserve it.
Because starting your post-grad life shouldn’t come with a scam attached.
You’re scrolling through Facebook or TikTok and see it.
A flash sale from a brand you recognize. A limited-time investment opportunity. A job posting that promises quick money.
The ad has comments. The account looks polished. Maybe someone you follow even liked it.
So you click.
From there, things move fast. You’re pushed to act quickly, enter your information, or send payment before the “deal” disappears. And just like that, the money is gone or your account is compromised.
This isn’t an edge case anymore. According to new FTC data, nearly 30% of people who reported losing money to a scam in 2025 said it started on social media, with total losses hitting $2.1 billion.
That’s why McAfee+ Advanced includes comprehensive protection designed to help you spot and stop scams at every step, including McAfee’s Scam Detector, which flags suspicious links and messages and explains why they may be risky, along with identity and privacy tools that help protect your information if a scam slips through.
How Social Media Ad Scams Work
A social media ad scam is when scammers use paid ads, fake profiles, or hijacked accounts on platforms like Facebook, Instagram, or TikTok to promote fake products, services, or investment opportunities in order to steal money or personal information.
| Step | What happens | What to do | How McAfee helps |
| --- | --- | --- | --- |
| 1 | You see an ad, post, or DM promoting a deal, job, or investment | Don’t engage immediately, even if it looks legitimate | Scam Detector flags suspicious links and messages before you interact |
| 2 | The ad links to a website or moves you into DMs | Avoid clicking unfamiliar links or continuing off-platform | Safe Browsing helps block risky or newly created websites |
| 3 | You’re pressured to act quickly or “secure your spot” | Slow down and verify the company independently | Scam Detector explains urgency tactics and why they’re risky |
| 4 | You’re asked to pay, share login info, or download something | Never send money or credentials based on a social media interaction | Identity Monitoring helps protect your personal data if exposed |
| 5 | The product never arrives, the investment disappears, or your account is compromised | Report the scam and secure your accounts immediately | Personal Data Cleanup and monitoring help reduce ongoing exposure |
Red Flags To Watch For
Deals that feel unusually cheap or urgent
Ads linking to unfamiliar or slightly misspelled websites
Requests to move conversations off-platform quickly
Payment requests via apps, crypto, or wire transfer
Accounts with limited history or inconsistent engagement
And that is the first part of This Week in Scams! This Friday we’re taking a different format to talk about this new FTC data and all that it reveals.
Let’s keep digging in:
FTC Report: Social Media Scams Are Now The Most Costly Fraud Channel
New data from the FTC shows just how dominant social media has become in the scam landscape.
Social media scams drove $2.1 billion in reported losses in 2025
Losses have increased eightfold since 2020
Investment scams alone accounted for $1.1 billion of those losses
Where Scams Are Happening And What’s Changing
| Category | What to know |
| --- | --- |
| Most common scams | Shopping scams lead, with over 40% of victims reporting purchases from social media ads that never arrived |
| Most costly scams | Investment scams drive the biggest losses, often starting with ads or group chats showing fake success |
| What’s changing | Scammers are using platform tools like ads, targeting, and profile data to reach people more precisely than ever |
A new scam making the rounds takes a familiar delivery trick and upgrades it with hyper‑realistic messaging and a QR code that looks safe to scan.
But don’t be fooled.
It’s the same delivery scam playbook scammers have relied on for years, just repackaged with better design and more convincing details.
You get a message with a notice that looks something like this, a real message received by our team and tested against McAfee’s Scam Detector.
This is an example of the scam message we received, impersonating the USPS.
That added layer of realism is what makes this version more dangerous. But it doesn’t hold up under scrutiny. McAfee’s Scam Detector flagged both the suspicious language and the QR code in this message before any interaction.
If you receive something like this, pause. Do not scan the code.
You can also protect yourself with McAfee’s Scam Detector, which flags suspicious links and messages, including delivery scams and QR‑based attacks, and explains why they may be risky.
What is the USPS QR Code Scam and How Does it Work?
The USPS QR code scam is a phishing attempt where scammers impersonate postal services and use QR codes instead of clickable links to direct victims to malicious websites.
Once scanned, the QR code can lead to a fake USPS page that asks for payment, login credentials, or personal information.
How the scam works
| Step | What happens | The red flags | What to do | How McAfee helps |
| --- | --- | --- | --- | --- |
| 1 | You receive a text about a delivery issue or missed package | Requests for small “redelivery” or “processing” fees are not normal | Exit immediately and do not submit anything | Scam Detector explains why the page is risky, and Identity Monitoring supports you if your info gets out. |
What To Do If You Get This Message
Do not scan the QR code
Go directly to the official USPS website to check tracking
Delete the message
Report it as spam
Monitor your accounts if you interacted with it
And that, my friends, is scam number one in this week’s This Week in Scams.
Let’s get into what else is on our radar.
A Major Health Data Breach Exposes 500,000 Records
A massive health data incident is raising new concerns about how sensitive information is handled and shared.
According to reporting from the Associated Press, data tied to 500,000 participants in a major U.K. health research project was found listed for sale online. The dataset included biological and health-related information, though it did not contain direct identifiers like names or contact details.
Access to the data had been granted to research institutions, but that access has since been revoked. Authorities say no purchases were made, and the listing has been removed.
Still, the situation highlights a growing reality: once data is accessed or shared, control over it becomes harder to guarantee.
What This Breach Says About Data Privacy
Scams are no longer isolated events. They are layered.
A data breach does not just stay a breach. It becomes fuel for future scams. Exposed information can be used to make phishing messages more convincing, personalize attacks, and build trust with targets.
That is why detection alone is not enough anymore. Protection has to account for both incoming threats and what happens when data is already out there.
How McAfee Protects You In A World of Scams and Data Breaches
McAfee+ Advanced gives you multiple layers working together so you are not left figuring it out after the damage is done:
Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast
Personal Data Cleanup helps remove your information from data broker sites, making you harder to target in the first place
Scam Detector flags suspicious texts, emails, links, and even deepfake videos before you engage
Safe Browsing helps block risky sites if you do click
For many families around the world, the digital spaces where children learn and play have also become venues for relentless harassment. According to a 2025 survey of nearly 3,500 U.S. teens by the Cyberbullying Research Center, about 58% have been cyberbullied at least once, a significant jump from 34% in 2016.
Experts warn that this issue is now a constant crisis and is impacting the well-being of children and teens.
In this guide, we will clarify exactly what counts as cyberbullying. We will explore how new platforms and artificial intelligence are reshaping the landscape. Most importantly, we will provide you with practical steps to protect your family. Together, we can take actionable steps to keep our digital lives safe and positive.
What Is Cyberbullying?
Cyberbullying is not a vague term for online drama. It has specific characteristics that separate it from a simple disagreement between friends. Similar to bullying, cyberbullying has standard elements of unwanted aggressive behavior, an observed or perceived power imbalance, and behavior that is repeated or likely to be repeated.
Common cyberbullying behaviors include name-calling, severe insults, rumor spreading, direct threats, impersonation through fake accounts, intentional exclusion from group chats, non-consensual sharing of private photos, and doxxing (publishing someone’s private information, like their home address or phone number, without consent). We also frequently see pile-on attacks, where dozens or hundreds of users flood a person’s comments section with hate statements.
The Cyberbullying Research Center notes that in recent national surveys, about 26.5% of U.S. students reported being cyberbullied in the last 30 days, underscoring the ongoing nature of online harassment as a daily reality for many.
Why Cyberbullying is Different (and More Harmful)
While the core intent to harm is the same as traditional bullying, cyberbullying operates differently:
Platform: Bullying takes place in the physical world, while cyberbullying occurs in digital spaces such as text messages, direct messages, social media platforms, group chats, online gaming environments, email, and photo-sharing applications.
Anonymity: Another major difference is anonymity. Cyberbullies often hide behind fake profiles or anonymous accounts, making it difficult to know who is launching the attacks.
Constancy: A significant difference with cyberbullying is the constant nature of the internet. Online harassment can follow teens home and continue late into the night via phones and apps.
Audience and permanence: A hurtful comment made in a school hallway is heard by a few people and eventually fades, while a similar post online can spread to thousands of people in minutes. It can be screen-captured and may resurface years later. Once it is out there, it is incredibly difficult to remove.
Despite these differences, there is a strong overlap in how bullying and cyberbullying impact individuals. Many youths who are bullied online are also bullied at school, and experience anxiety or depression.
Types and Examples of Cyberbullying
Cyberbullying takes many forms, from classic harassment tactics to emerging AI-powered threats. The most frequently reported forms of cyberbullying include being excluded from group chats, mean or hurtful comments posted online, public embarrassment or humiliation, and rumors spread online, according to the Cyberbullying Research Center’s 2025 survey. Understanding these methods helps you recognize and stop them.
Common Cyberbullying Methods
Harassment: Sending repeated offensive messages through texts, direct messages, or comments, or intentionally leaving someone out of group chats and online activities where they can see what they’re missing.
Flaming: An online fight conducted through angry, vulgar exchanges via emails, messages, social media, or chat rooms. Unlike harassment, flaming is often a heated back-and-forth exchange rather than one-sided attacks.
Impersonation and Fake Accounts: Creating fake profiles or hacking into someone’s account to post damaging content as if the victim wrote it themselves, destroying reputations quickly.
Outing and Doxing: Sharing private photos, messages, or personal information (like addresses or phone numbers) publicly without consent to embarrass, humiliate, or intimidate.
Cyberstalking: Persistent online monitoring accompanied by threatening messages that make someone fear for their safety, which is a federal crime. Examples include tracking someone’s location through social media check-ins, obsessively monitoring their online activity, or sending relentless, threatening messages.
Where Cyberbullying Occurs Most
To protect our kids, we need to know where the risks are highest. Recent analyses find that cyberbullying mainly happens on social media platforms, including YouTube, TikTok, and Facebook, as well as in messaging apps and online games, where teens commonly interact.
If you are a parent, take an inventory of the apps your child uses most frequently and ask them to show you how the messaging and commenting features work. Familiarizing yourself with these digital environments will help them navigate these platforms safely.
Emerging AI-Driven Threats
Artificial intelligence (AI) has fundamentally changed the internet, and has, unfortunately, introduced alarming new tactics:
Deepfake Images and Videos: AI-generated content can be misused to create highly realistic images or videos called deepfakes. Entirely fake videos can be created showing a student doing or saying something they never did, which complicates evidence gathering. These are then shared in group chats or posted publicly to spread false narratives and destroy reputations.
Voice Cloning: Students are using AI to mimic classmates’ voices, generating audio that makes someone sound like they said something offensive or embarrassing, with no easy way to prove it wasn’t real. About 11% of U.S. high schoolers have experienced this.
AI-Generated Harassment: AI chatbots are being used to generate spam, threats, and hate speech at scale, flooding a victim’s inbox or comment sections across platforms.
Body-Shaming with AI Filters: AI-altered images and filters are being weaponized to body-shame and humiliate targets, often shared widely before victims can respond.
AI Can Also Be a Safety Tool
However, platforms have also begun using AI as a safety tool to detect hate speech, harassment, and predatory behavior in real time. Newer safety reports show that AI-driven comment filtering and think-before-you-post nudges successfully reduce toxic comments and repeat harassment on major platforms.
How Common Is Cyberbullying Today?
The statistics show that cyberbullying is a widespread issue requiring immediate attention. In a 2024 study, the World Health Organization revealed that 15% of surveyed adolescents have experienced cyberbullying.
In the U.S., the Centers for Disease Control and Prevention (CDC) Youth Risk Behavior Survey reports that 16% of high school students were electronically bullied in the previous 12 months, about 38.3% of whom were girls compared to 29.9% of boys.
Another study showed that about 53.9% of teens aged 13 to 17 reported being cyberbullied. These statistics demonstrate that cyberbullying is a mainstream experience, making digital safety education relevant to almost every family.
The Most Affected Groups
Aside from gender, identity plays a key role in who is targeted for cyberbullying. Gender minorities reported much higher rates of harassment at 47.1% compared with their heterosexual peers at 30%, as did students with developmental disabilities.
How Cyberbullying Affects Mental Health
There is evidence that online harassment causes profound psychological harm. A CDC report links frequent social media use with higher rates of both in-person and cyberbullying, as well as constant sadness, hopelessness, and suicidal thinking among teens.
This is supported by the 2025 announcement from mental health experts highlighting the connection between cyberbullying and increased anxiety, depression, and trauma-like symptoms. Even though incidents seem minor, parents and teens must acknowledge that emotional reactions to cyberbullying are valid and serious. Early support and intervention can significantly reduce long-term harm.
Platform Safety Updates for Teens
Social media companies are facing intense pressure to protect younger users, leading to significant updates. In 2025, Meta tightened default messaging and commenting settings for teens, automatically assigning the strictest safety options to teen accounts to filter inappropriate interactions from unknown users.
In addition, the company’s Instagram and Facebook platforms now provide more information about users contacting teens, showing details such as the age of the account and providing a way to block and report abusive users.
Help your child utilize these settings by ensuring their accounts are set to private to restrict direct messages from strangers. Enable each platform’s built-in AI comment filtering to hide offensive words automatically.
Signs Your Child May Be Cyberbullied
As a parent, one of your most powerful tools is simply paying attention. Cyberbullying often leaves visible traces in your child’s behavior, emotions, and device habits, if you know what to look for. The good news is that early recognition means early intervention, and that can make all the difference.
Behavioral Changes to Watch For
Sudden withdrawal from social activities or friends
Reluctance to go to school or participate in usual activities
Anxiety or nervousness when using devices or checking messages
Changes in sleep patterns or appetite
Emotional Warning Signs
Increased sadness, anxiety, or irritability, especially after being online
Low self-esteem or negative self-talk (“nobody likes me,” “I’m stupid”)
Reluctance to discuss online activities or what’s happening at school
Device and Online Behavior
Extreme changes in screen time, either excessive checking or complete avoidance
Suddenly deleting social media accounts without explanation
Being secretive about online activity or quickly hiding screens
Receiving unusual volumes of messages or calls, especially at odd hours
If you notice several of these signs together, it’s time for a conversation. The key is approaching with empathy and making it clear they won’t be punished for opening up.
How to Prevent Cyberbullying: Guidance for Families
Knowing the impact of cyberbullying is only half the battle. The most important step is being proactive to protect your family. Here is how you can build a resilient defense against online harassment and empower your children.
Build Open Communication and Digital Citizenship Skills
The foundation of digital safety is trust. Encourage regular, judgment-free check-ins on your child’s online activities. Ask them what they are doing, seeing, and feeling related to the ongoing online issues. Assure them you will not confiscate their phone when they report a problem.
In addition, teach your kids to recognize cyberbullying and to support their peers who are being targeted. Underscore the importance of not joining in on the comment pile-ons, and let them know that it is perfectly acceptable to block, mute, or simply leave harmful digital spaces. Research suggests that strong parent-teen communication can buffer some negative effects of social media use and encourage teens to ask for help sooner.
Enable Safety Settings
Every major platform has tools designed to stop harassment. Teach your child to use keyword filters to automatically hide comments that contain specific insults, slurs, and other forms of hate speech. Help them set their accounts to private to restrict direct messages from strangers, and enable each platform’s built-in AI comment-filtering features.
How to Report Cyberbullying
Alongside safety features, teach them to block and report harassers on the platform. You can end cyberbullying quickly if you know how to use platforms’ tools effectively.
1. Document Everything First
Before blocking, deleting, or reporting anything, save evidence. Create a digital safety plan and agree with your family that if anyone receives a threatening or highly abusive message, they should document the incident with screenshots before blocking, deleting, or responding to it. These screenshots will serve as important pieces of evidence if the school or platforms need to take action.
2. Use Platform Reporting Tools
Most importantly, teach your child to block and report harassers on the platform. Here’s how on major platforms:
Instagram, Facebook, and Threads:
Tap the three dots on the post or message
Select “Report” and choose the violation type (bullying or harassment)
Follow prompts to block the account
Use “Restrict” to limit interactions without full blocking
TikTok:
Long-press the comment or video
Select “Report” and choose “Bullying and harassment”
Block the account from their profile page
Snapchat:
Press and hold on the message or username
Tap “Report” and select the issue
Block the user to prevent further contact
YouTube:
Click the three dots next to the comment or video
Select “Report” and choose “Cyberbullying or harassment”
Gaming Platforms (Xbox, PlayStation, Discord, and Roblox):
Use in-game or platform reporting options, typically found in user profiles or chat menus
Many platforms now offer real-time abuse detection that automatically flags harassment
Text Messages:
Block the number through your phone settings
Report spam to your carrier (forward to 7726/SPAM for most U.S. carriers)
Save screenshots before blocking
3. Escalate for More Help
Sometimes, platform tools are not enough. You need to know when to escalate the situation to the appropriate authorities. Follow the steps below when you see signs of ongoing harassment, physical threats, identity-based or other forms of hate, the sharing of private images, as well as changes in your child’s mood, sleep patterns, or school attendance.
Save all evidence, including screenshots, URLs, usernames, and timestamps.
Contact school officials, such as a counselor or principal, and provide them with specific documentation.
Seek professional mental health support to address your child’s distress.
Contact local law enforcement immediately if there are threats of physical harm or illegal content involved.
How Technology Can Help Prevent Cyberbullying
While technology is the medium for cyberbullying, it is also a tool for prevention and protection. Using the right software can give parents peace of mind and help teens navigate the web.
Device-Level Protection and Parental Controls
Cyberbullying is frequently accompanied by other digital threats, such as sending malicious links, stealing passwords, or tricking victims into downloading scam apps. This is where robust security software becomes essential to help block phishing links and compromised websites.
Additionally, parental control tools allow you to manage screen time, filter inappropriate web content, and monitor or limit certain types of app usage for age-appropriate scenarios. These tools help protect younger children from platforms they are not emotionally ready to handle.
Digital Well-Being Tools that Signal Distress
Modern security solutions offer digital well-being tools that track app usage and highlight sudden changes in behavior, such as late-night device use, massive spikes in messaging, or the sudden downloading of new, unfamiliar apps. These changes can be early warning signs of distress or harassment.
It is crucial to use these tools transparently by introducing them to your teens as conversation starters rather than secret surveillance. Saying that you noticed they were on their phone very late last night and asking if everything is okay builds trust. Spying breaks it.
Legal Grounds to Deal with Cyberbullying
Cyberbullying is not just a behavioral issue. It intersects heavily with school policies, community safety, and the law. Understanding this context will help your family deal with severe harassment.
Laws and School Responsibilities
Globally, many countries are adopting frameworks to protect digital citizens against cyberbullying. In the United States, all 50 states have anti-bullying laws, most of which now explicitly include electronic or cyberbullying in their definitions and guidance. These include laws and district policies that allow schools to address online behavior that creates a hostile environment or substantially disrupts a student’s learning. This means that even if the harassment happens on a weekend via a smartphone, the school has the authority and the responsibility to intervene if it impacts the victim’s ability to feel safe in the classroom.
Cyberbullying as a Crime
Certain cruel online behaviors may cross the line into criminal activity and be considered crimes. For instance, credible threats of violence, stalking, extortion, hate-motivated harassment, and the non-consensual sharing of intimate images may violate criminal laws.
If a situation escalates to this level, it is time for legal and law enforcement intervention. When this happens, families should document all evidence and consider contacting law enforcement or civil rights agencies.
Look up your local school district’s specific cyberbullying policies and legal obligations, and find out who to contact. This will save you valuable time if you need to report an incident.
Final Thoughts
Cyberbullying is intentional, repeated online harm, and a serious issue that leverages the constant nature of the internet to follow young children, teens, and certain groups into their homes and bedrooms.
While social media platforms, school policies, and laws are steadily improving, families still hold the most powerful tools. You can significantly reduce the harm to your children caused by online harassment by initiating open and non-judgmental conversations, utilizing built-in device protections and app privacy settings, partnering with your local schools, and seeking mental health support when needed.
Talk with your kids this week about their online experiences. Sit down together and review the safety and privacy settings on their favorite apps. Finally, consider using a trusted security partner such as McAfee+ as part of a broader, proactive digital safety plan.
A McAfee+ family plan helps protect your household’s devices from the malware and malicious links that often accompany harassment or sextortion attempts and sets healthy boundaries around apps, web content, and screen time. Furthermore, it provides educational resources on digital citizenship and safe social media use beyond basic antivirus software.
When you work with trusted tools, you can help keep the internet a place of connection and creativity.
Your data might be safe today. But that doesn’t mean it’s safe forever.
A growing number of sophisticated actors are collecting encrypted data now, with the goal of decrypting it later, when more powerful technology becomes available.
This strategy is known as Harvest Now, Decrypt Later (HNDL). And it’s not a future problem. It’s already happening, according to research from our McAfee VPN team.
For everyday people, that means private messages, financial records, and sensitive documents could be exposed years from now if protections don’t evolve today.
That’s why security teams, including McAfee’s VPN engineers, are already working on ways to strengthen encryption for both today and what comes next.
What “Harvest Now, Decrypt Later” Means
At its core, HNDL is simple: Attackers collect encrypted data now, store it, and wait until they have the tools to unlock it later.
Even though today’s encryption is incredibly strong, the strategy doesn’t rely on breaking it today. It relies on patience.
A Simple Way to Think About It
You put valuable belongings and documents in a safe at home that’s locked and secured. This works at preventing crimes of opportunity. But let’s say there’s a thief who steals the entire safe, knowing they have tools they can use later to access what’s inside. They wait, and once the tools are available, they break into your safe and access everything inside.
That’s one way to think of HNDL. The safe is the encryption. Quantum computing is the tool they can use later.
But in real life, you’d probably notice if your safe is gone. In the case of HNDL, if you’re not monitoring your data, you may not even notice encrypted information has been stolen to be decrypted.
Key Terms Explained
| Term | What it means |
| --- | --- |
| Encryption | Scrambling data so others can’t read it |
| Quantum computing | A new type of computing that can break some encryption |
| HNDL | A strategy to collect encrypted data now and decrypt it later |
Why This Matters Right Now
This isn’t about whether your data is valuable today. It’s about whether it might be valuable later.
Data with a long shelf life is especially at risk, including:
Financial records
Medical information
Private messages
Legal or identity documents
Even something that feels low-stakes today could become sensitive in the future.
And because the collection phase is already happening, the risk isn’t hypothetical. It’s already in motion.
How This Affects VPNs (and what doesn’t change)
VPNs remain one of the most effective ways to protect your data today. That hasn’t changed.
But HNDL introduces a new layer of complexity.
What’s still strong: The encryption that protects your data in transit remains highly resilient.
Where the risk is: The “handshake” process (how a secure connection is established) is more vulnerable to future quantum attacks.
In simple terms: Your data is well protected today, but parts of how that protection is set up may need to evolve for the future.
What Quantum Computing Changes
Traditional computers process information in a linear way.
Quantum computers work differently. They can solve certain types of problems much faster, including the kinds of mathematical challenges that protect today’s encryption.
That’s why attackers are willing to wait.
Once quantum computing reaches a certain level, it could unlock data that was previously considered secure.
What McAfee’s VPN Team is Working On
McAfee’s VPN team is already preparing for this shift.
Evaluating quantum-safe encryption approaches
Exploring hybrid models that protect both now and long-term
Building toward a more resilient VPN experience
This work builds on a broader privacy-by-design approach, where systems are designed to minimize risk from the start, not react after the fact.
Because with HNDL, waiting isn’t an option.
What You Can Do Now
You don’t need to wait for quantum computing to take steps today.
Use a trusted VPN to encrypt your connection
Be mindful of long-term sensitive data you share online
Avoid unsecured public Wi-Fi when possible
Keep your apps and devices updated
These steps help protect your data now while the industry builds toward future-ready security.
How McAfee Helps Protect You
McAfee+ Advanced gives you multiple layers working together so you are not left figuring it out after the damage is done:
Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast
Personal Data Cleanup helps remove your information from data broker sites, making you harder to target in the first place
Scam Detector flags suspicious texts, emails, links, and even deepfake videos before you engage
Safe Browsing helps block risky sites if you do click
Secure VPN keeps your data private, especially on public Wi-Fi
Frequently Asked Questions (FAQs)
Q: Is my data safe right now?
A: In most cases, yes—today’s encryption is extremely strong and is designed to protect your data from current threats. If you’re using trusted security tools like a VPN, safe browsing protections, and device security, your data is actively protected while it’s in transit and in use. However, no system is risk-free. Data exposed through phishing, weak passwords, breaches, or unsecured networks may still be vulnerable. And with “Harvest Now, Decrypt Later,” even properly encrypted data could be collected today and targeted for decryption in the future.
Q: What is quantum-safe encryption?
A: Quantum-safe (or post-quantum) encryption refers to new types of cryptography designed to remain secure even against future quantum computers. Today’s encryption relies on math problems that are extremely difficult for classical computers to solve, but quantum computers could eventually solve some of them much faster. Quantum-safe approaches use different mathematical foundations that are believed to resist those capabilities. In practice, many companies are moving toward hybrid encryption, combining today’s proven methods with newer quantum-resistant techniques to protect data both now and long-term.
Q: Should I still use a VPN?
A: Yes. A VPN remains one of the most effective ways to protect your data today, especially on public or unsecured networks. It encrypts your internet traffic and helps prevent interception by hackers, internet providers, or other third parties. While VPN protocols are evolving to address future quantum risks, they still provide strong, essential protection against today’s threats.
Q: When will this become a real threat?
A: The risk unfolds in two phases. The collection phase is already happening today, where sophisticated actors gather encrypted data and store it. The decryption phase depends on when quantum computing advances far enough to break certain types of encryption, which could take years but is actively progressing. This means data with a long lifespan, such as financial records, personal communications, and sensitive documents, is most at risk because it only needs to remain valuable until those capabilities exist.
You open your inbox and see it: Your cloud storage is full.
There’s a warning about photos being deleted, your account being suspended, or a renewal failing. There’s a button to “fix it now.” Or a warning to “act today.”
It looks routine. Maybe even urgent enough to click.
That’s exactly the point.
An example of a cloud storage scam detected by McAfee.
Cloud storage scams are making headlines again, building on patterns we flagged earlier this year in our State of the Scamiverse research.
These emails have circulated steadily since 2025, often impersonating trusted brands like Apple, Microsoft, and Google. Many are timed to moments when people are already thinking about storage, backups, or subscriptions.
The safest move is simple: pause and don’t click. If there’s a real issue, go directly to your account through the official app or website.
You can also protect yourself with McAfee’s Scam Detector, which flags suspicious links and messages, including cloud storage scams, and explains why they may be risky.
What Is A Cloud Storage Scam And How Does It Work?
Cloud storage scams are phishing attacks designed to trick you into believing there’s an issue with your account so you’ll click a malicious link.
They often look like this, and include 3 key red flags:
Messages that create urgency like “act now or lose your data”
Generic greetings instead of your name
Links that don’t match the official domain
How the scam works (step-by-step)
| Step | What happens | What to do | How McAfee helps |
| --- | --- | --- | --- |
| 1. You receive a message | Email or text claims your storage is full or your account has an issue | Don’t click links directly from the message | Scam Detector flags suspicious messages before you interact |
| 2. Urgency is introduced | Warning that files or photos will be deleted if you don’t act | | |
Investment-related fraud topped the charts, with over $8.5 billion lost to investment cybercrime in 2025. And that’s just losses that were reported. Not everyone reports when they were scammed. (Image Courtesy FBI)
This is where layered protection matters. It’s not just about catching one bad link. It’s about recognizing patterns across messages, platforms, and moments when something feels slightly off.
How McAfee Protects You From Scams and Cyber Threats
McAfee+ Advanced gives you multiple layers working together so you are not left figuring it out after the damage is done:
Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast
Personal Data Cleanup helps remove your information from data broker sites, making you harder to target in the first place
Scam Detector flags suspicious texts, emails, links, and even deepfake videos before you engage
Safe Browsing helps block risky sites if you do click
Wearable health devices are designed to give you more control over your body and your data.
But in 2026, the bigger risk isn’t someone spying on your smartwatch or smart ring in real time. It’s what happens if the data connected to that device gets exposed.
Health data, login credentials, and behavioral patterns tied to wearables can become valuable signals for cybercriminals. And once that data is out, it can fuel everything from identity theft to highly targeted scams.
Here’s what’s actually at risk, and how to protect yourself.
What Is Wearable Health Data (and Why It Matters)
Wearable health data refers to the personal information collected and stored by devices like fitness trackers, smartwatches, and connected medical monitors.
This can include:
Heart rate and activity levels
Sleep patterns
Location data
Medical metrics (like glucose levels)
Account credentials tied to apps and dashboards
On its own, this data may seem harmless. But combined, it creates a highly detailed profile of your habits, routines, and health status.
The Real Risk in 2026 Isn’t the Device. It’s the Data.
Early conversations around wearable security focused on device hacking or surveillance.
Today, the bigger concern is data exposure.
If wearable platforms, apps, or connected services are breached, your data could be:
Sold on the dark web
Used to impersonate you
Leveraged in targeted phishing or health-related scams
And because this data is personal and specific, scams built from it can feel far more convincing than generic spam.
How Exposed Wearable Data Can Lead to Scams
When cybercriminals gain access to personal data, they don’t just sit on it. They use it.
Here’s how that plays out:
| Scenario | What It Looks Like | Why It Works |
| --- | --- | --- |
| Health-related phishing | “Your insurance claim was denied” or “Update your health profile” | Feels relevant and urgent |
| Account takeover attempts | Password reset emails tied to known apps | Uses real account signals |
| Personalized scams | Messages referencing routines, devices, or conditions | Builds trust quickly |
| Fake alerts or services | “Device security issue detected” | Mimics real product behavior |
This is where the risk shifts from data privacy → real-world financial and identity impact.
2) Use layered protection, not just device settings: A VPN and security software help protect data in transit and block threats before they reach you.
3) Strengthen your login credentials: Use strong, unique passwords and enable two-factor authentication wherever possible.
4) Limit what you share: Review app permissions and only connect devices to services you trust.
5) Verify every message or alert: If you receive a message tied to your device or health data, double-check the source before clicking.
6) Monitor your accounts regularly: Small signs of unusual activity can be early indicators of larger issues.
How McAfee Helps Protect Your Data Beyond the Device
Protecting your wearable doesn’t stop at the device itself. It extends to what happens if your data is exposed or targeted.
Identity Monitoring
McAfee helps track your personal information across known breach sources and alerts you if your data appears where it shouldn’t.
This gives you early warning if wearable-related accounts or associated data are compromised.
Scam Detector
If your data is exposed, scammers often follow.
McAfee’s Scam Detector helps identify suspicious messages, links, and communications before you engage, and explains why something was flagged, so you can make informed decisions quickly.
Together, these tools help protect not just your device, but the chain reaction that can follow a data breach.
Emails claiming to be from Social Security are making the rounds right now.
They look official. They sound official. And they’re designed to get you to click before you think twice.
The Social Security Administration’s Office of Inspector General is warning about a spike in messages that claim your Social Security statement is ready to download. The goal is simple. Get you to click a link or open an attachment.
From there, things can go sideways fast.
Before interacting with anything like this, it’s worth pausing and running it through a tool like McAfee’s Scam Detector. This is exactly the kind of message it’s built to flag. Something that looks legitimate, but feels just slightly off.
How The Scam Works
The email mimics official government communication, using logos, formatting, and language that feels familiar. It might say your statement is ready, your account needs attention, or you need to review a document.
Once you click:
You may be sent to a fake website designed to capture your personal information
You may download malware without realizing it
Or you may be prompted to enter sensitive financial details
Either way, the goal is the same: get access to your identity.
The Red Flags In These Emails
Messages claiming your Social Security statement is ready to download
Links or attachments labeled as official documents
Urgency pushing you to act quickly
Sender addresses that do not end in “.gov”
The biggest tell: Social Security does not send emails like this asking you to download statements or provide sensitive information.
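The red flags above, along with the three cloud storage red flags listed earlier on this page (urgency, generic greetings, links that don't match the official domain), can be checked mechanically. The following is an added example, not McAfee's Scam Detector and not code from the original article; the function names, phrase lists, sample messages, and the provider "cloudbox.example" are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: short illustrative phrase lists, not an exhaustive vocabulary.
URGENCY_PHRASES = ("act now", "act today", "immediately", "will be deleted",
                   "will be suspended", "lose your data", "final notice")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member",
                     "dear account holder")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)

# Constructed sample: sender and link both *contain* "ssa.gov" without being
# under .gov (.example is a reserved TLD, so nothing here resolves).
SSA_SAMPLE = """\
From: Social Security Administration <statements@ssa.gov.notice-center.example>
To: reader@example.org
Subject: Your Social Security statement is ready to download

Dear Customer,

Your statement is ready. Act now to review it before access expires:
https://ssa.gov@statements-portal.example/download
"""

# Constructed sample: a routine notice from a made-up provider.
CLOUD_SAMPLE = """\
From: Cloudbox Billing <billing@mail.cloudbox.example>
To: reader@example.org
Subject: Your monthly storage summary

Hi Jordan,

Your storage summary for this month is available:
https://account.cloudbox.example/storage
"""


def host_in_domain(host, domain):
    """True only if host is the domain itself or a subdomain of it.

    Matching on a label boundary (".gov", not "gov") is what rejects
    lookalikes such as "ssa-gov.example" or "ssa.gov.notice-center.example".
    """
    host = (host or "").lower().rstrip(".")
    domain = domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


def text_body(msg):
    """Concatenate every text/* part of the message, decoded to str."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            parts.append(payload.decode(charset, "replace"))
    return "\n".join(parts)


def link_hosts(text):
    """Return the real host of each URL; anything before '@' is userinfo."""
    hosts = []
    for url in URL_RE.findall(text):
        try:
            host = urlsplit(url).hostname
        except ValueError:  # malformed netloc: treat as an unknown host
            host = None
        hosts.append(host or "")
    return hosts


def red_flags(raw_email, official_domain):
    """List which of the page's red flags a raw RFC 822 message trips."""
    msg = message_from_string(raw_email)
    body = text_body(msg)
    text = (msg.get("Subject", "") + "\n" + body).lower()
    flags = []
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not host_in_domain(sender_host, official_domain):
        flags.append("sender_domain")
    if any(not host_in_domain(h, official_domain) for h in link_hosts(body)):
        flags.append("link_domain")
    if any(phrase in text for phrase in URGENCY_PHRASES):
        flags.append("urgency")
    if any(greeting in text for greeting in GENERIC_GREETINGS):
        flags.append("generic_greeting")
    return flags


if __name__ == "__main__":
    print("SSA sample:  ", red_flags(SSA_SAMPLE, "gov"))
    print("Cloud sample:", red_flags(CLOUD_SAMPLE, "cloudbox.example"))
```

The From header is set by the sender, so an empty result is not proof that a message is legitimate; these checks only catch the mismatches listed above.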
What To Do If You Get One
Do not click links or download attachments
Delete the email immediately
Access your account by going directly to the official SSA website
Report the message to the SSA Office of Inspector General
If you already clicked:
Stop communication immediately
Contact your financial institutions
Monitor your accounts closely
Report the incident to the FTC or the FBI’s IC3
And that, my friends, is scam number one in this week’s This Week in Scams.
Let’s get into what else is on our radar.
A Healthcare Data Breach That Could Lead to Follow-Up Scams
Healthcare data breaches don’t always make headlines the same way big tech breaches do, but they can be just as serious.
According to reporting from Fox News, CareCloud, a company that supports electronic health records for tens of thousands of providers, recently confirmed a security incident involving unauthorized access to one of its systems.
The access lasted several hours. And while it’s still unclear whether any data was taken, that uncertainty is exactly what makes situations like this risky.
Because even if you’ve never heard of the company, your doctor might use it.
Why This Matters
Healthcare data is incredibly valuable. It can include:
Names and Social Security numbers
Insurance details
Medical history
Billing information
Unlike a credit card, you can’t just cancel your medical history.
And when that kind of data is exposed or even potentially exposed, scammers often follow up with messages that feel highly specific and personal.
What To Watch For Next
After incidents like this, scammers often move quickly:
Emails or texts pretending to be your provider
Messages about billing issues or medical records
Requests to “verify” your information
Links to log in or update your account
These scams work because they’re timed perfectly and feel relevant.
This is another moment where Scam Detector can help flag suspicious links or messages before you engage, even when they reference real healthcare providers.
How To Protect Yourself
Review medical bills and insurance statements for unfamiliar activity
Enable two-factor authentication on patient portals
Use strong, unique passwords
Avoid clicking links in unexpected healthcare-related messages
Consider identity monitoring to catch misuse early
Where McAfee Steps In (So You Don’t Have to Guess)
Scams today are layered.
A fake email leads to stolen credentials. A breach leads to targeted phishing. And those follow-ups are getting harder to spot.
McAfee+ Advanced gives you multiple layers working together so you are not left figuring it out after the damage is done:
Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast
Personal Data Cleanup helps remove your information from data broker sites, making you harder to target in the first place
Scam Detector flags suspicious texts, emails, links, and even deepfake videos before you engage
Safe Browsing helps block risky sites if you do click
We’re excited to share that McAfee’s Scam Detector has been named a finalist in the 2026 Webby Awards.
Recognized in the AI Experiences & Applications – Consumer Application category and named a Webby Honoree for Best Use of AI & Machine Learning, Scam Detector is being acknowledged for its effectiveness as an AI-driven consumer tool.
This recognition of Scam Detector validates a key research finding. According to McAfee’s 2026 State of the Scamiverse report, Americans now spend 114 hours a year trying to decide what’s real and what’s fake online.
Scam Detector was built with this era of uncertainty in mind, designed to help people cut through confusion and identify scams as they appear. The Webby recognition reinforces to us that McAfee’s Scam Detector is doing exactly that.
What Are the Webby Awards?
The Webby Awards are presented by the International Academy of Digital Arts & Sciences and recognize excellence across the internet, including apps, software, AI, and digital experiences.
Each year, thousands of entries are evaluated, with finalists representing the top work in their category globally.
In addition to judged awards, the Webby Awards include a People’s Voice Award, which is decided by public vote.
How McAfee’s Scam Detector Uses AI to Stop Scams
Scam Detector is designed to help people identify scams where they’re most likely to happen, always ready to help you spot what’s real and what’s not when you least expect it.
It uses AI to analyze and flag suspicious:
Text messages and emails
Links and websites
QR codes
Social media messages
AI-generated and deepfake content
Beyond detection, Scam Detector explains why something was flagged as risky. That transparency helps show how decisions are made, so people can quickly understand the risk and feel more confident trusting what’s flagged.
As scams become more personalized and harder to detect, this combination of automatic detection and clear guidance is critical to preventing financial loss and identity theft.
Vote for McAfee’s Scam Detector
Scam Detector is eligible for the Webby People’s Voice Award, which is decided by public vote.
Voting is open through Thursday, April 16 at 11:59 pm PDT.
Winners will be announced on April 21, 2026.
And a big thank you to the McAfee teams who brought Scam Detector to life and who continuously improve how Scam Detector identifies new threats and adapts to the evolving world of AI-driven scams.
A tax system breach in Oklahoma is putting highly sensitive personal information at risk. And unfortunately, this is exactly the kind of situation scammers love to exploit.
Hackers reportedly accessed W-2 and 1099 files through Oklahoma’s online tax portal, according to state officials, exposing the kind of information that can open the door to tax fraud, identity theft, and highly targeted phishing attempts.
Before the follow-up scams start rolling in, this is the kind of moment where layered protection matters. McAfee+ Advanced includes identity monitoring and data cleanup that can help alert you if your personal information starts circulating where it shouldn’t, and Scam Detector can flag suspicious messages if scammers try to use this breach as a hook.
What Happened in Oklahoma
According to a statement by the Oklahoma Tax Commission and reported by KOCO News 5, a local ABC affiliate, suspicious activity inside the state’s Oklahoma Taxpayer Access Point system was identified in December 2025. The agency says impacted individuals have been notified directly by mail, and complimentary credit monitoring and fraud assistance are being offered.
When W-2s, 1099s, Social Security numbers, and tax-related records are exposed, scammers can use that information to:
File fraudulent tax returns
Try to open new accounts
Build phishing emails or texts that feel unusually real
Either way, the goal is the same: use real information to make the next scam more believable.
Red Flags of a Scam After a Breach Like This
The breach itself is real. But what often follows is a second wave of scams pretending to help.
Watch For:
Emails or texts about your “tax account” that create urgency
Messages asking you to verify personal information
Fake alerts about refunds, filings, or suspicious activity
Links telling you to log in and “secure” your account
That’s where people can get hit twice: once by the breach, and again by the scam that follows it.
What To Do If You’re Impacted
First, don’t panic. Then:
Take advantage of any free credit monitoring or fraud assistance being offered
Monitor your bank accounts, tax records, and credit reports closely
Consider placing a fraud alert or credit freeze if needed
Be extra careful with any message referencing taxes, refunds, or account access
Go directly to official sites instead of clicking links in emails or texts
And that, my friends, is scam number one in this week’s This Week in Scams.
Let’s get into what else is on our radar.
The FBI Impersonation Scam Showing Up Across the U.S.
Scammers pretending to be federal agents are making the rounds across the country, and this one is built to make people panic fast.
Field offices, including Chicago and Houston, are warning the public about fraudsters posing as FBI agents in calls, texts, and emails. In some cases, the scammers claim you’re connected to an investigation. In others, they say you’re a victim of fraud and need to act immediately to protect yourself.
Sometimes they do not stop there. They may also pretend to be bank employees working alongside the FBI, all to make the story feel more convincing and get access to your money or personal information.
The FBI has shared images of these suspects pretending to be agents. If you are contacted by these officials, report it to the FBI.
Why This Scam Works
This scam plays on the same pressure tactics we’ve seen over and over again: authority, urgency, and confusion.
If someone claims to be a federal agent, many people freeze up and assume they need to cooperate immediately. That’s exactly what scammers are counting on.
The FBI has been clear about this: federal law enforcement will not ask you for money or sensitive personal information over the phone, by text, or by email.
The Red Flags in This Message
Unsolicited outreach from someone claiming to be federal law enforcement
Pressure to act immediately
Requests for money, gift cards, prepaid cards, or personal information
Instructions to keep the conversation secret
Stories involving a bank “working with” the FBI
If it feels dramatic, high-pressure, and just a little off, trust that instinct.
What To Do if You Get One Of These Messages
Do not respond
Do not send money or share personal information
Contact the agency directly using publicly listed contact information
Save the message for your records
Report it to the FBI: 1-800-CALL-FBI (225-5324), or online at tips.fbi.gov.
This is also exactly the kind of message McAfee’s Scam Detector is built to flag before you get pulled in.
How McAfee Helps You Stay Ahead of Scams and Breaches
McAfee+ Advanced gives you multiple layers working together so you are not left figuring it out after the damage is done:
Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast
Personal Data Cleanup helps remove your information from data broker sites, making you harder to target in the first place
Scam Detector flags suspicious texts, emails, links, and even deepfake videos before you engage
Safe Browsing helps block risky sites if you do click
Secure VPN keeps your data private, especially on public Wi-Fi
This kind of layered protection is critical in cases like ghost student scams, where the first sign of fraud often comes after financial damage has already happened.
Safety tips to carry into next week
Be extra cautious after any real breach makes headlines
Do not trust unsolicited messages just because they reference real institutions
Never send money to someone claiming to be law enforcement
Go directly to official websites instead of clicking links
Use tools that flag suspicious messages in real time so you do not have to guess
The reality is, scams are getting better at looking official.
You should not have to be an expert to spot them. That’s why McAfee is here to help. We’re Safer Together.
We’ll be back next week with more scams making headlines.
Rob J., 31, an internal auditor in California, thought he was doing everything right this tax season. He filed his return as usual, even early, and expected a state refund just short of $400.
Instead, he got a letter saying the state had taken it.
The notice from the California Franchise Tax Board said his refund had been intercepted to pay a debt owed to a local community college.
There was just one problem: Rob had never attended that school.
“How could the state be taking my tax refund to pay a debt to a community college I’ve never attended?” he told us at McAfee. “I immediately knew something was wrong.”
“I started researching and came across the term ‘ghost student,’ and that’s when it clicked. Someone had used my identity to enroll in a college like they were me.”
How McAfee+ Advanced Helps Protect You from Identity Theft
Scams like this do not start with a suspicious text or email. They start with your data being exposed somewhere you cannot see.
That is why protection has to go beyond one moment and cover the full lifecycle of identity theft.
McAfee+ Advanced gives you multiple layers working together so you are not left figuring it out after the damage is done:
Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast
Personal Data Cleanup helps remove your information from data broker sites, making you harder to target in the first place
Scam Detector flags suspicious texts, emails, links, and even deepfake videos before you engage
Safe Browsing helps block risky sites if you do click
Secure VPN keeps your data private, especially on public Wi-Fi
This kind of layered protection is critical in cases like ghost student scams, where the first sign of fraud often comes after financial damage has already happened.
What Is a Ghost Student Scam?
A ghost student scam is a form of identity theft where someone uses your stolen personal information, often your Social Security number, to enroll in a college or university under your name.
The scammer is not trying to attend school. They are trying to use your identity to access financial aid, create accounts, or generate funds tied to a real person.
In many cases, the victim has no idea anything happened until the consequences show up later, such as a tax refund being taken, a debt appearing, or a loan being opened in their name.
That is exactly what happened to Rob.
“I started researching and came across the term ‘ghost student,’ and that’s when it clicked,” he said. “Someone had used my identity to enroll in a college like they were me.”
How Ghost Student Scams Happen
These scams typically follow a predictable pattern, even if the victim does not see it happening in real time:
| Stage | What happens | Why it matters |
| --- | --- | --- |
| Data exposure | Your personal information is leaked in a data breach or collected from data broker sites | Scammers get the core details they need to impersonate you |
| Identity misuse | Your information is used to apply to colleges or financial aid programs | The scam is tied to your real identity, not a fake one |
| Enrollment activity | Fake students may enroll just long enough to access funds or create accounts | This helps scammers avoid early detection |
| Financial impact | Debts, balances, or aid obligations are created in your name | You become financially responsible on paper |
| Discovery | You find out later through a notice, refund interception, or account alert | By this point, damage has already been done |
In Rob’s case, the starting point was a data breach the year before. His Social Security number had been exposed, but he had not frozen his credit.
Someone used that information to enroll at Pasadena City College. When the balance went unpaid, the state redirected his tax refund to cover it.
“Despite Being the Victim, I’m Trying to Prove My Identity”
Once Rob realized what happened, he moved quickly. He froze his credit, set up identity monitoring, filed a police report, and began working with the college to prove he was not the student.
He says the process has been slow and frustrating.
“I’ve spent hours on the phone trying to fix this… I’m exhausted,” he said. “Despite being the victim I am the one dealing with the consequences and trying to prove my identity to the same institution that let a fake me register.”
When he contacted campus police, he learned something else: “this has been happening to other people too.”
Why Ghost Student Scams Are Increasing
Ghost student scams are part of a broader shift in how identity theft works.
Instead of quick-hit fraud like a stolen credit card, scammers are using real identities to create more complex, longer-term opportunities for financial gain.
In higher education, that can include:
Enrolling fake students using stolen identities
Accessing financial aid
Holding seats in classes long enough to collect funds
This trend has already affected thousands of suspected cases across education systems and continues to grow as scammers scale their tactics.
What to Do If Your Identity Is Used in a Ghost Student Scam
If something like this happens, speed matters:
Freeze your credit with all three bureaus
Check your FAFSA and student loan records
Contact the school and dispute the enrollment
File a police report
Set up identity monitoring and alerts
Remove your personal information from data broker sites
These steps help contain the damage, but they are reactive. The goal is to catch exposure earlier. McAfee+ Advanced can help you with freezing your credit, ongoing identity monitoring, and data removal from the dark web.
How Rob’s Story Ends: ‘I’m Waiting for the Other Shoe to Drop’
Rob has confirmed there are no federal loans in his name, but the situation is not fully resolved.
“I still feel like I’m waiting for the other shoe to drop,” he said.
That uncertainty is part of what makes identity theft so difficult. You are often reacting to something that started months or even years earlier. Rob said he currently has an outstanding police report and is in the process of getting his refund reclaimed.
How to Stay Ahead of Identity Theft Like This
Ghost student scams work because they operate quietly, using real data in systems most people are not actively watching. That is where ongoing protection matters.
Alerting you early when your personal data appears on the dark web or in risky environments
Reducing your exposure by removing your data from broker sites that scammers rely on
Blocking scam entry points across texts, emails, links, and deepfakes
Protecting your devices and connections so attackers have fewer ways in
Because the goal is not just to respond to identity theft, it’s to catch the signals early enough that someone cannot become a “student” in your name in the first place.
This category recognizes work that doesn’t just perform, it matters: campaigns that raise awareness, inspire action, and make a real-world impact.
That’s exactly what “Keep It Real” set out to do.
Because behind every scam statistic is a person who thought they were making the right call. And too often, what follows isn’t just financial loss. It’s embarrassment, silence, and stigma.
We wanted to change that.
The campaign launched alongside McAfee Scam Detector to address a growing reality: scams powered by AI are becoming harder to recognize and easier to fall for.
“Keep It Real” paired real survivor stories with AI-driven protection to show how scams actually happen and how people can stop them in the moment.
The goal was simple:
Normalize the experience
Remove shame around being scammed
Help more people recognize scams faster
Because when people feel safe talking about scams, they’re more likely to spot them and stop them.
What Are the Shorty Awards?
The Shorty Awards honor the best work in social media, digital campaigns, and online storytelling across brands, creators, and organizations.
Now in their 18th year, the awards recognize campaigns that combine creativity, impact, and real-world relevance. Finalists are selected alongside leading global brands and judged on both industry evaluation and public voting.
How McAfee’s Scam Detector Fits In
McAfee’s Scam Detector is designed to help people identify scams across everyday digital moments.
It uses AI to fight AI by flagging suspicious:
Text messages and emails
QR codes and links
Social media messages
AI-generated and deepfake content
By combining automatic detection with clear guidance, Scam Detector helps people better understand what they’re seeing and decide what to trust.
Real Stories Behind the Campaign
A core part of “Keep It Real” was giving space to people who experienced scams to share what happened, in their own words.
These stories helped show that scams can happen to anyone and played a key role in breaking the stigma around being targeted.
This recognition reflects the work across McAfee teams who built and brought this campaign to life, including product, engineering, research, creative, and communications.
It also reflects the individuals who chose to share their real scam stories to help others recognize scams, stay safer, and end the shame and stigma around being scammed.
Support the Campaign
The Shorty Awards include a public voting component.
McAfee’s mobile research team has uncovered a large-scale Android malware campaign we’re tracking as Operation NoVoice.
The campaign was distributed through more than 50 apps previously available on Google Play, disguised as everyday tools like cleaners, games, and photo utilities. Together, the apps were downloaded more than 2.3 million times, though it’s unclear how many devices may have been impacted.
If the attack succeeds, the malware can gain deep control of a device, allowing attackers to inject malicious code into apps as they are opened and access sensitive data.
However, the most serious impact depends on the device.
On older or unpatched Android devices, the malware can install a highly persistent form of infection that may survive a standard factory reset. Newer Android devices with up-to-date security protections are not vulnerable to the root exploit observed in this campaign, though they may still be exposed to other types of malicious activity from these apps.
In other words, on vulnerable devices, the malware can behave like a kind of digital “zombie,” continuing to operate in the background even after a reset.
Operation NoVoice is what security experts call a rootkit malware attack.
A rootkit is a type of malware designed to gain deep, privileged control of a device while hiding its presence from the user and the operating system’s normal security tools.
Breaking the term down:
“Root” refers to the highest level of access on a system (administrator-level control).
“Kit” refers to a collection of tools used by an attacker to maintain that control.
Put simply, a rootkit allows attackers to operate underneath the normal apps and security protections on a phone, giving them powerful control while staying difficult to detect.
In the case of Operation NoVoice, the attack unfolds in several steps.
1) A normal-looking app starts the attack
The campaign began with apps that appeared harmless on the Google Play Store. These apps advertised themselves as tools like phone cleaners, puzzle games, or gallery utilities.
When a user downloaded and opened one of these apps, it appeared to work normally. There were no obvious signs to the user that anything was wrong.
2) The malware quietly checks the device
Behind the scenes, the app contacts a remote server controlled by the attackers.
The server collects information about the device, things like its hardware, operating system version, and security patch level. Based on that information, the attackers send back custom exploit code designed for that specific device.
3) The attack gains deep system access
If the exploit succeeds, the malware gains root-level access to the device.
At that point, the attackers can install additional malicious components and modify parts of the Android operating system itself.
4) Every app on the phone can be affected
Once the rootkit is installed, it modifies a core Android system library that every app relies on.
This allows attacker-controlled code to run inside any app the user opens.
That means the attackers could potentially access data from messaging apps, financial apps, or social media apps without the user noticing.
5) The malware can remain even after a reset
Operation NoVoice also includes persistence mechanisms designed to keep the malware active.
In some cases, the infection could survive a standard factory reset, because the malicious components modify parts of the system software that resets typically do not replace.
Fully removing the infection may require reinstalling the device’s firmware, something most users cannot easily do themselves.
*To be clear, these apps have been removed from Google Play and are no longer available for download.
Why The Name “Operation NoVoice”
The name Operation NoVoice comes from a hidden component inside the malware itself.
Researchers discovered a resource labeled “novioce” embedded in one of the attack’s later stages. The file contains a silent audio track that plays at zero volume.
This may seem strange, but it serves a purpose.
By continuously playing silent audio in the background, the malware can keep a foreground service running without drawing attention. This allows the malicious code to remain active while appearing harmless to the operating system.
The researchers believe the name “novioce” is likely a misspelling of “no voice,” referring to the silent audio trick used to keep the malware running.
How To Stay Safe from Malware Disguised as Apps
Operation NoVoice highlights an important reality: even apps that appear legitimate can sometimes hide malicious behavior.
Fortunately, there are several steps users can take to reduce their risk.
Be cautious with unfamiliar apps
Even if an app appears on the Google Play Store, it’s still important to review:
the developer’s name
the number of downloads
recent user reviews (check for negative reviews)
Apps with very few reviews, vague descriptions, or suspicious developer accounts can sometimes be part of malware campaigns. And exercise even greater caution with apps promoted through advertisements or that create a sense of urgency.
Keep your phone updated
Many attacks rely on exploiting known vulnerabilities in older versions of Android.
Installing system updates and security patches helps reduce the chance that these exploits will work.
Remove apps you don’t recognize
If you notice apps on your device that you don’t remember installing, review them carefully and remove anything suspicious.
Keeping your phone’s app list clean reduces the potential attack surface.
Use mobile security protection
Mobile security software can help detect suspicious behavior and block known malware.
What Operation NoVoice Tells Us About the Future of Mobile Threats
Operation NoVoice highlights how mobile malware is evolving. Instead of obvious malicious apps, attackers are increasingly hiding their operations inside ordinary-looking tools distributed through legitimate app stores.
What makes this campaign particularly concerning isn’t just the number of downloads or the technical complexity. It’s the way the malware combines several advanced techniques (device-specific exploits, modular plugins, and deep system persistence) into a single attack chain.
That approach allows attackers to quietly turn an everyday app download into long-term control of a device.
That’s why keeping devices updated, reviewing apps carefully, and using mobile security protection are becoming increasingly important. As Operation NoVoice shows, today’s malware isn’t just trying to get onto devices; it’s trying to stay there.
McAfee’s mobile research team identified and investigated an Android rootkit campaign tracked as Operation NoVoice. The malware described in this blog relies on vulnerabilities for which Android made patches available from 2016 to 2021. All Android devices with a security patch level of 2021-05-01 or higher are not susceptible to the exploits that we were able to obtain from the command-and-control server. However, patched devices that downloaded these apps could have been exposed to unknown potential payloads outside of what we discovered. The attack begins with apps, previously available on Google Play, that appear to be simple tools such as cleaners, games, or gallery utilities. When a user downloaded and opened one of these apps, it appeared to behave as advertised, giving no obvious signs of malicious activity.
In the background, however, the app contacts a remote server, profiles the device, and downloads root exploits tailored to that device’s specific hardware and software. If the exploits succeed, the malware gains full control of the device. From that moment onward, every app that the user opens is injected with attacker‑controlled code.
This allows the operators to access any app data and exfiltrate it to their servers. One of the targeted apps is WhatsApp. We recovered a payload designed to execute when WhatsApp launches, gather all necessary data to clone the session, and send it to the attacker’s infrastructure.
On older, unsupported devices (Android 7 and lower) that no longer receive Android security updates as of September 2021, this rootkit is highly persistent; a standard factory reset will not remove it, and only reflashing the device with a clean firmware will fully restore the device.
In total, we identified more than 50 of these malicious apps on Google Play, with at least 2.3 million downloads.
McAfee identified the malicious apps, conducted the technical analysis, and reported its findings to Google through responsible disclosure channels. Following McAfee’s report, Google removed the identified apps from Google Play and banned the associated developer accounts. McAfee is a member of the App Defense Alliance, which supports collaboration across the mobile ecosystem to improve user protection. McAfee Mobile Security detects this malware as a High-Risk Threat. For more information, and to get fully protected, visit McAfee Mobile Security.
Background And Key Findings
Android malware has been moving toward modular frameworks that update themselves remotely and adapt to each device. Campaigns like Triada and Keenadu have shown that replacing system libraries gives attackers persistence to survive factory resets. BADBOX has shown that backdoors pre-installed through the supply chain can reach millions of devices. Recent research has confirmed links between several of these families, suggesting shared tooling rather than isolated efforts.
NoVoice fits both trends but does not rely on supply chain access. It reaches devices through Google Play and achieves the same level of persistence through exploitation. McAfee’s investigation revealed the following key findings:
All carrier apps were distributed through Google Play. No sideloading required, no user interaction beyond opening the app.
C2 infrastructure remains active at the time of publication.
The C2 server profiles each device and delivers root exploits matched to its hardware and software version.
The rootkit overwrites a core system library, causing every app on the device to run attacker code at launch.
The infection survives factory reset and can only be removed by reflashing the firmware.
The chain is fully plugin-based. Operators can push any payload to any app on the device at runtime.
The only task we recovered clones WhatsApp sessions, but the framework is designed to accept any objective.
Naming
The name comes from R.raw.novioce, a silent audio resource embedded in one of the later-stage payloads. It plays at zero volume to keep a foreground service alive, abusing Android’s media playback exemption. We believe it is a deliberate misspelling of “no voice.”
Distribution Method
All carrier apps were distributed through Google Play and request no unusual permissions. Their manifests include the same SDKs any legitimate app would (Firebase, Google Analytics, Facebook SDK, AndroidX). The malicious components are registered under a tampered com.facebook.utils, blending in with the real Facebook SDK classes the apps already include.
Figure 1: One of the carrier apps on Google Play
The initial payload is embedded in the app’s asset directory as a polyglot image. This means the file displays and renders a normal image, but a deeper inspection reveals that the encrypted malicious payload is appended after the PNG IEND marker. Since that marker signals to image viewers that the image data ends there, the appended payload remains hidden during normal viewing.
Geographical Prevalence
The geographical prevalence map shows the highest infection rates in Nigeria, Ethiopia, Algeria, India, and Kenya, regions where budget devices and older Android versions that no longer receive security updates are common.
Figure 2: Affected users around the world
Malware Analysis
The following breakdown walks through each stage of the chain in order, from the moment a user opens the app to the moment stolen data leaves the device. No single file contains the full chain. Each stage decrypts and loads the next; most are delivered from the server at runtime.
Figure 3. The NoVoice rootkit payloads
Stage 1: The Delivery
The moment the app opens, code injected into the legitimate Facebook SDK initialization path runs automatically. No user interaction is needed. It first checks whether the device has already been processed and, in most samples, whether it is running Android 12L or below. A subset of the carrier apps skips the version check entirely. If either check fails, it stops and logs a message disguised as a Facebook SDK error: “FacebookSdk: Failed in initStore.”
If the device was already processed, the code cleans up files assumed to be left behind by previous runs, including paths that do not belong to any standard Android component. None of these are visible to the user.
If the checks pass, the app reads a polyglot image from its own assets directory, extracts the encrypted payload (enc.apk) hidden after the image data, decrypts it to produce h.apk, and loads it into memory. It then deletes all intermediate files and temporary directories.
Figure 4: Normal-looking image with malicious payload
Figure 5: The malicious payload begins after the IEND marker, starting with the magic value CAFEBABE
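The polyglot layout described under Distribution Method and in Stage 1 can be checked for statically. The following Python is an added example, not code from McAfee's analysis: it walks the PNG chunk list to find the true end of each image inside an APK and reports any bytes appended after IEND. The function names and the sample APK built inline are constructed for illustration; the only value taken from the report is the CAFEBABE magic.

```python
import io
import struct
import zipfile
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
REPORTED_MAGIC = bytes.fromhex("CAFEBABE")  # payload magic named in the Figure 5 caption


def split_png(data: bytes):
    """Walk the PNG chunk list and return (image_bytes, trailing_bytes).

    Chunks are followed by their length fields instead of searching for
    b"IEND", because that byte string can also occur inside chunk data.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while True:
        if pos + 12 > len(data):
            raise ValueError("truncated before IEND")
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        end = pos + 12 + length  # length + type + body + CRC
        if end > len(data):
            raise ValueError("chunk overruns file")
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if crc != zlib.crc32(ctype + body) & 0xFFFFFFFF:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        pos = end
        if ctype == b"IEND":
            return data[:pos], data[pos:]


def scan_apk(apk) -> list:
    """Return one finding per PNG entry that is malformed or has data after IEND.

    `apk` is a path or file-like object (an APK is a ZIP archive).
    """
    findings = []
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            blob = zf.read(info)
            if not blob.startswith(PNG_SIGNATURE):
                continue  # decide by content, not by file extension
            try:
                _, trailer = split_png(blob)
            except ValueError as exc:
                findings.append({"entry": info.filename, "issue": str(exc)})
                continue
            if trailer:
                findings.append({
                    "entry": info.filename,
                    "issue": "data after IEND",
                    "trailer_len": len(trailer),
                    "trailer_magic": trailer[:4].hex(),
                    "matches_reported_magic": trailer.startswith(REPORTED_MAGIC),
                })
    return findings


def png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialize one PNG chunk with a correct CRC (used for the sample only)."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_sample_png() -> bytes:
    """Constructed 1x1 grayscale PNG; its tEXt chunk contains 'IEND' on purpose."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return (PNG_SIGNATURE
            + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"tEXt", b"Comment\x00IEND")
            + png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
            + png_chunk(b"IEND", b""))


def make_sample_apk() -> bytes:
    """Constructed archive: one clean PNG, one PNG with a stand-in trailer."""
    clean = make_sample_png()
    polyglot = clean + REPORTED_MAGIC + b"\x00" * 32  # placeholder, not a real payload
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/clean.png", clean)
        zf.writestr("assets/banner.png", polyglot)
        zf.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_apk(io.BytesIO(make_sample_apk())):
        print(finding)
```

Trailing data alone is not proof of malice, since some tools append metadata after IEND, so treat a hit as a reason to inspect the trailer and the code that reads the asset.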
Stage 2: The Gatekeeper
The decrypted payload (h.apk) loads a native library (libkwc.so) that controls the rest of this stage. It first verifies it is running inside the intended carrier app by checking the package name and signing certificate against hardcoded values. It also checks whether the app is running in a debug environment.
libkwc.so contains two encrypted embedded payloads. The first (sec.jar) is a gate designed to detect analysis environments. It runs 15 checks, including emulator detection, root indicators, debuggers, VPN and proxy connections, Xposed hooks, and GPS geofencing. If any check fails, the chain stops silently. The geofence compares the device’s location against bounding boxes for Beijing and Shenzhen hardcoded in the native library and excludes devices confirmed to be inside them. If the app does not have location permission, it cannot determine the device’s position and defaults to letting the chain continue. Two brands get special treatment: on Gionee devices, all checks except the geofence are skipped; on Meizu devices, the chain follows a separate code path entirely. Gionee devices have a documented history of shipping with pre-installed malware through supply chain compromise.
Only if all checks in sec.jar pass does libkwc.so decrypt and load the second payload (hex.jar), which begins contacting the C2 server. If the gate fails, it deletes the working directory and stops.
Figure 6: 15 validation checks before proceeding to the next stage
Stage 3: The Plugin
Once the gate passes, hex.jar sets up a plugin framework built on an internal codebase the authors refer to as “kuwo” in their package names. It checks in with a C2 server every 60 seconds. Updates are delivered the same way as the initial payload: as image files with encrypted data hidden after the image content. The server returns download URLs in a response field named warningIcon, disguising plugin downloads as icon fetches. A log-deletion routine runs alongside the framework to remove forensic traces from the device.
The first plugin delivered (rt) acts as an orchestrator. It manages sub-plugins and handles C2 communication. It checks in with the server, sending over 30 device identifiers including hardware model, kernel version, installed packages, and whether the device has already been rooted. The campaign’s name comes from this plugin: it embeds a silent audio resource named R.raw.novioce.
The checkin tells the server two things: who this device is and whether it has already been rooted. If it has not, rt_plugin downloads security.jar, moving the chain into root exploitation.
Figure 7: MediaPlayer initialized to load the embedded NoVoice audio
Stage 4: The Exploit
security.jar first checks whether the device is already rooted. If it has been, it stops. For unrooted devices, it sends the device’s chipset, kernel version, security patch date, and other identifiers to the C2. The server responds with a list of exploit binaries matched to that specific device.
Before running any exploit, the rootkit installer (CsKaitno.d) is decrypted from an embedded resource and written to disk. The rootkit is already in place before any exploit runs.
The exploits are downloaded one at a time from the C2’s CDN, each encrypted and verified before execution. We recovered 22 exploits in total. Our deep analysis of one revealed a three-stage kernel attack: an IPv6 use-after-free for kernel read, a Mali GPU driver vulnerability for kernel read/write, and finally credential patching and SELinux disablement.
The expected end result is the same across all exploits: a root shell with SELinux disabled. From that shell, the exploit loads CsKaitno.d. This is where exploitation ends and persistence begins.
Figure 8: SELinux enforcement disabled as part of the exploit chain
Stage 5: The Rootkit
CsKaitno.d carries four encrypted payloads: library hooks for ARM32 and ARM64 (asbymol and bdlomsd), a bytecode patcher (jkpatch), and a persistence daemon (watch_dog). It first removes files associated with possible competing rootkits, then decrypts and writes its own payloads to disk.
The installer backs up the original libandroid_runtime.so and replaces it with a hook binary matched to the device’s architecture. It also replaces libmedia_jni.so. The replacements are not copies of the original libraries. They are wrappers that intercept the system’s own functions. When any hooked function runs, it redirects to attacker code.
Figure 9: Rootkit copying and preparing modified system libraries before remounting the filesystem as writable
After replacing the libraries, jkpatch modifies pre-compiled framework bytecode on disk. This is a second layer of persistence: even if someone restores the original library, the framework’s own compiled code still contains the injected redirections.
Stage 6: The Watchdog
To survive reboots, the installer replaces the system crash handler with a rootkit launcher, installs recovery scripts, and stores a fallback copy of the exploitation stage on the system partition. If any component is removed, the rootkit can reinstall itself.
It then deploys a watchdog daemon (watch_dog) that checks the installation every 60 seconds. If anything is missing, it reinstalls it. If that fails repeatedly, it forces a reboot, bringing the device back up with the rootkit intact.
After cleaning up all staging files, the installer marks the device as compromised. On the next boot, the system’s process launcher (zygote) loads the replaced library, and every app it starts inherits the attacker’s code.
Figure 10: Watchdog payload decrypted, written to disk, permissioned, and launched with a 60‑second restart interval
Stage 7: The Injection
On the next boot, every app on the device loads the replaced system library. The injected code decides what to do based on which app it is running inside. Two payloads activate depending on the app. The malware authors named them BufferA and BufferB in their own code. Both are embedded as fragments inside the replaced libandroid_runtime.so from Stage 5, assembled in memory at runtime, and deleted from disk immediately after loading, leaving no files behind. BufferA runs inside the system’s package installer and can silently install or uninstall apps. BufferB runs inside any app with internet access.
BufferB is the campaign’s primary post-exploitation tool. It operates two independent C2 channels with separate encryption keys and beacon intervals. Both channels send device fingerprints to the C2 and receive task instructions in return.
If all primary domains fail and three or more days pass without contact, a fallback routine activates between 1 and 4 AM, reaching out to api[.]googlserves[.]com for a fresh domain list. Because BufferB runs inside any app with internet access, it can be active in dozens of apps simultaneously on a single device.
Figure 11: Injection logic selecting BufferA for the package installer and BufferB for all other apps
Stage 8: The Theft
The only task payload we recovered is PtfLibc, delivered to BufferB from Alibaba Cloud OSS. Its target is WhatsApp.
PtfLibc copies WhatsApp’s encryption database, extracts the device’s Signal protocol identity keys and registration ID, and pulls the most recent signed prekey. It also reads 12 keys from WhatsApp’s local storage, including the phone number, push name, country code, and Google Drive backup account. For the client keypair, it tries multiple decryption methods depending on how the device stores the key.
It sends the stolen data to api[.]googlserves[.]com through multiple layers of encryption and deletes the temporary database copy when done.
With these keys and session data, an attacker can clone the victim’s WhatsApp session onto another device.
Figure 12: Code accessing and copying WhatsApp’s encrypted Signal protocol databases for exfiltration
Infrastructure
The campaign spreads its C2 communication across multiple domains, each serving a different function.
fcm[.]androidlogs[.]com handles initial device enrollment. Once the plugin framework activates, stat[.]upload-logs[.]com takes over as the primary C2 for plugin delivery, device checkin, exploit distribution, and result reporting. config[.]updatesdk[.]com serves as its fallback. Exploit binaries are hosted separately on download[.]androidlogs[.]com, with an S3-accelerated endpoint (logserves[.]s3-accelerate[.]amazonaws[.]com) as the primary CDN. This endpoint returned 403 errors during our analysis.
Task payloads for BufferB are hosted on Alibaba Cloud OSS (prod-log-oss-01[.]oss-ap-southeast-1[.]aliyuncs[.]com). PtfLibc beacons to api[.]googlserves[.]com, a domain designed to look like Google service traffic at a glance.
The domain separation is deliberate. Taking down one domain does not affect the others. The C2 can update BufferB’s domain lists at runtime, and a fallback routine fetches fresh domains from hardcoded backup endpoints if all configured domains go silent for three or more days.
Recommendations
Because the rootkit writes to the system partition, a factory reset does not remove it. A reset wipes user data but leaves system files intact. Compromised devices require a full firmware reflash to return to a clean state. Blocking the C2 domains and beacon patterns listed in this report at the network level can disrupt the chain at multiple stages.
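One way to act on the domain indicators above is to hunt for them in resolver logs. The following is an added example, not code from the original report: it refangs the hosts named in this report and matches them on label boundaries, so shared parents such as amazonaws.com or aliyuncs.com never match. The log format, client IPs, dates, and the reading of "between 1 and 4 AM" as device-local hours 01:00 to 03:59 are assumptions.

```python
import re
from datetime import datetime

# C2 hosts as defanged in this report, mapped to the role the report gives each.
DEFANGED_IOCS = {
    "fcm[.]androidlogs[.]com": "initial device enrollment",
    "stat[.]upload-logs[.]com": "primary C2",
    "config[.]updatesdk[.]com": "fallback C2",
    "download[.]androidlogs[.]com": "exploit binary hosting",
    "logserves[.]s3-accelerate[.]amazonaws[.]com": "exploit CDN",
    "prod-log-oss-01[.]oss-ap-southeast-1[.]aliyuncs[.]com": "BufferB task payloads",
    "api[.]googlserves[.]com": "PtfLibc exfiltration and fallback domain list",
}


def refang(host):
    """Turn a defanged host (a[.]b[.]c) back into a matchable lowercase name."""
    return host.replace("[.]", ".").lower()


IOCS = {refang(h): role for h, role in DEFANGED_IOCS.items()}
FALLBACK_HOST = "api.googlserves.com"

# Assumed log layout: <ISO timestamp> <client IP> <query type> <query name>
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def match_ioc(qname):
    """Return the IoC that qname equals or is a subdomain of, else None."""
    name = qname.rstrip(".").lower()
    for ioc in IOCS:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def scan(lines):
    """Return one finding per log line that queries a listed C2 host."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts, client, _qtype, qname = m.groups()
        ioc = match_ioc(qname)
        if ioc is None:
            continue
        try:
            hour = datetime.fromisoformat(ts).hour
        except ValueError:
            continue
        findings.append({
            "time": ts,
            "client": client,
            "ioc": ioc,
            "role": IOCS[ioc],
            # Night-time lookups of the fallback host fit the routine described above.
            "fallback_window": ioc == FALLBACK_HOST and 1 <= hour < 4,
        })
    return findings


def hosts_by_client(findings):
    """Group matched IoCs per client; several stages on one client raise confidence."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["client"], set()).add(f["ioc"])
    return {client: sorted(iocs) for client, iocs in grouped.items()}


# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
2026-01-15T09:02:11 10.0.8.21 A fcm.androidlogs.com.
2026-01-15T09:02:40 10.0.8.21 A stat.upload-logs.com
2026-01-15T09:05:03 10.0.8.34 A logs.s3-accelerate.amazonaws.com
2026-01-15T09:07:19 10.0.8.34 AAAA api.googleservices.example
2026-01-19T02:31:55 10.0.8.21 A API.GooglServes.com.
2026-01-19T13:10:02 10.0.8.47 A prod-log-oss-01.oss-ap-southeast-1.aliyuncs.com
malformed entry
""".splitlines()

if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for finding in results:
        print(finding)
    print(hosts_by_client(results))
```
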
Attribution
Several indicators link NoVoice to the Android.Triada family. The property NoVoice sets to mark a device as compromised (os.config.ppgl.status) is a known indicator of compromise for Android.Triada.231, a variant that uses the same property to track installation state. Both NoVoice and Triada.231 persist by replacing libandroid_runtime.so and hooking system functions so that every app runs attacker code at launch. Whether NoVoice is a direct evolution of Triada.231, a fork of its codebase, or a separate group reusing proven techniques, the shared approach suggests access to a common toolchain.
Conclusion
What makes NoVoice dangerous is not any single technique. It is the engineering effort behind the full chain: a self-healing pipeline that goes from a Play Store install to code execution inside every app on the device, survives factory reset, and monitors its own installation. The operators built a delivery system, an infrastructure.
We recovered one task. The framework is designed to accept any number of them, for any app, at any time. The C2 infrastructure remains active. We do not know what other objectives have been deployed before, during, or after our analysis. The WhatsApp session theft we observed may be the least of it.
The rootkit’s persistence model, overwriting a system library inherited by every process, patching pre-compiled framework bytecode, and monitoring its own installation with a watchdog, makes remediation difficult.
This research underscores McAfee’s ongoing role in identifying advanced mobile threats and working with platform partners to protect users before large‑scale harm occurs.
A text that looks like it came straight from a courthouse is making the rounds across the U.S. And yes, I got it too.
First things first, that’s a scam. And to be clear: DON’T SCAN THAT QR CODE.
It’s the same playbook as last year’s toll road scams, just dressed up with a little more authority and a lot more pressure.
Before doing anything, our team ran it through McAfee’s Scam Detector. It immediately flagged the message as suspicious, and that’s exactly the kind of moment this tool is built for. When something feels just real enough to second guess, it gives you a clear signal before you click, scan, or spiral.
A screenshot showing Scam Detector in action.
How the scam works
The text claims you’ve missed a payment, violated a law, or have some kind of outstanding “case.” It then pushes you to scan a QR code or click a link to resolve it quickly.
From there, one of two things usually happens:
You’re taken to a fake payment page designed to steal your money, or
You’re prompted to download something that gives scammers access to your device or data
Either way, the goal is the same: get you to act fast before you have time to question it.
Here’s the scam text I got in California. You’ll notice it looks exactly like the others across the country.
The red flags in this message
Urgent, threatening language about fines, penalties, or legal action
Vague accusations with no real details about what you supposedly did
Official-looking formatting like case numbers, clerk signatures, and judge names
Copy-paste consistency across states: McAfee employees in New York and California received nearly identical messages with the same names
There are reports of this scam popping up nationwide, but the rule is simple: law enforcement does not text you to demand payment or resolve legal issues.
What to do if you scanned the QR code
First, don’t panic. Then:
Do not pay anything or enter personal information
Do not delete apps you were told to install (this can make it harder to detect what happened)
Run a device scan using a trusted security tool like McAfee’s free antivirus
Keep an eye on your financial accounts and logins for unusual activity
And that, my friends, is scam number one in this week’s This Week in Scams (new format, we’re experimenting a little).
Let’s get into what else is on our radar.
What to Know About an Alleged Crunchyroll Breach
Anime streaming platform Crunchyroll is investigating claims of a data breach involving customer support ticket data, potentially impacting millions of users.
According to TechCrunch, access appears to involve a third-party vendor system, a reminder that even strong security setups still rely on people and partners, which can introduce risk in everyday moments.
Even if you’ve never entered your credit card into a support form, these tickets can still include:
Email addresses
Usernames
Screenshots or account details
Conversations that reveal habits, subscriptions, or personal context
That’s more than enough for scammers to build highly believable follow-ups.
Why this matters right now
When breaches like this surface, scammers don’t wait. They use the moment to send emails and messages that feel timely, relevant, and legitimate.
For example, scammers might send messages pretending to be Crunchyroll and suggesting you “click this link to secure your account” after the breach. In reality, that “security check” exposes your information.
This is where tools like Scam Detector come back into play, flagging suspicious links and messages even when they reference real companies or real events.
What to do if you have a Crunchyroll account
Change your password, especially if you’ve reused it elsewhere
Turn on two-factor authentication
Be cautious of emails referencing the breach or asking you to “secure your account”
Avoid clicking links and go directly to the official site instead
How McAfee Helps You Stay Ahead of Scams and Breaches
McAfee+ Advanced gives you multiple layers working together so you’re not left figuring it out in the moment:
Scam Detector flags suspicious texts, emails, links, and even deepfake videos before you engage
Safe Browsing helps block risky sites if you do click or scan
Device Security helps detect and remove malicious apps or downloads
Identity Monitoring alerts you if your personal info shows up where it shouldn’t, so you can act fast
Personal Data Cleanup helps remove your information from data broker sites, making you a harder target in the first place
Secure VPN keeps your data private, especially on public Wi-Fi
Plus our instant QR code scam checks will flag suspicious QR codes before you scan them.
Safety tips to carry into next week
Slow down when a message creates urgency. That’s the hook
Don’t scan QR codes or click links from unexpected texts
Go directly to official websites instead of using links sent to you
Use tools that flag scams in real time so you don’t have to guess
The reality is, these scams are designed to look normal. You shouldn’t have to be an expert to spot them. That’s why McAfee’s here to help.
We’ll be back next week with more scams making headlines.
Tax season is prime time for scammers. And in 2026, the scams are more convincing, more targeted, and increasingly powered by AI.
In this guide, we break down this year’s biggest tax scams from the IRS Dirty Dozen and show how tools like McAfee’s Scam Detector help flag malicious links, scan suspicious QR codes, and analyze risky messages across text, email, and social media to help you stay ahead of fraud.
67% are seeing the same or more scam messages than last year
40% say scams are more sophisticated
Only 29% feel very confident they can spot a deepfake scam
Nearly 1 in 4 Americans say they’ve lost money to a tax scam
Tax scams are not just increasing. They are getting harder to recognize in the moment.
What is the IRS Dirty Dozen?
The IRS Dirty Dozen is the agency’s annual list of the most common and dangerous tax scams targeting individuals and businesses.
The 2026 list highlights a clear shift toward:
AI-driven impersonation
QR code and link-based phishing
Social media misinformation
Refund and credit manipulation schemes
These scams are designed to create urgency, confusion, and quick decisions. That combination is what makes them effective.
The IRS Dirty Dozen for 2026 and how to spot each scam
Below is a full breakdown of all 12 scams identified by the IRS, along with what to look for and how protection tools can help.
| # | Scam Type | How It Works | Red Flags | How McAfee Helps |
|---|---|---|---|---|
| 1 | IRS impersonation (email, text, DM) | Messages claim to be from the IRS asking you to verify info or claim a refund | Urgent tone, links, QR codes, unexpected outreach | Scam Detector flags suspicious messages and links across text, email, and social. Safe browsing blocks fake IRS sites if you click |
| 2 | AI voice scams and robocalls | AI-generated calls mimic IRS agents or officials | Threats, payment pressure, spoofed caller ID | Scam Detector helps validate follow-up messages or links tied to the call. Identity monitoring helps detect if your info is being used in impersonation attempts |
| 3 | Fake charities | Scammers pose as charities to collect donations or data | Emotional appeals, vague organization details | Scam Detector flags suspicious donation links. Safe browsing blocks fraudulent charity sites. Personal Data Cleanup reduces exposure to targeting lists |
| 4 | Social media tax misinformation | Viral posts push fake deductions or “tax hacks” | Promises of large refunds or loopholes | Scam Detector’s screenshot analysis lets you check social posts and DMs before acting, helping identify misleading or risky claims |
| 5 | IRS account takeover scams | Criminals use stolen data to access IRS accounts | Alerts about account changes you didn’t initiate | Identity monitoring and alerts notify you if your data is exposed. Device security helps prevent malware used to steal credentials |
| 6 | Abusive capital gains schemes (Form 2439) | Fake or inflated claims tied to investment credits | Complicated filings tied to unfamiliar organizations | Scam Detector flags suspicious messages and links. Safe browsing blocks fraudulent filing sites tied to these schemes |
| 7 | Fake self-employment tax credit | Misleading claims about eligibility for large credits | “You qualify” messaging without verification | Safe browsing blocks scam sites attempting to capture personal or tax info |
| 8 | Ghost tax preparers | Preparers refuse to sign returns or provide credentials | No PTIN, vague business identity | Scam Detector helps assess suspicious messages or outreach. Identity monitoring adds protection if your data is shared with a bad actor |
| 9 | Non-cash donation schemes | Inflated valuations used to reduce tax liability | Unrealistic deductions, aggressive promoters | Scam Detector flags suspicious offers and links. Safe browsing blocks sites attempting to collect sensitive financial data |
| 10 | Overstated withholding scams | False income or withholding reported to inflate refunds | Encouragement to “boost” refund numbers | Scam Detector flags misleading content. Device security helps protect against malware tied to fake filing tools |
| | | Companies overpromise tax debt relief and charge high fees | High-pressure sales tactics, guaranteed outcomes | Scam Detector flags suspicious outreach. Personal Data Cleanup reduces targeting. Identity monitoring helps catch misuse of your data |
How McAfee helps protect you from tax scams
Tax scams rarely rely on just one tactic. A message leads to a link. A link leads to a fake site. A fake site leads to stolen data or payment.
That is why protection needs to work across the full chain, not just one moment.
McAfee goes beyond traditional antivirus by combining multiple layers of digital protection into one app, helping you stay safer before, during, and after a scam attempt.
Here is how each layer helps:
Scam Detector helps flag suspicious messages, links, and AI-driven scams across text, email, and social media. It can also scan QR codes and analyze screenshots of messages that feel off.
Safe browsing tools help block risky websites, including fake IRS portals and lookalike domains designed to steal personal and financial information.
Secure VPN helps keep your connection private, especially on public Wi-Fi where sensitive activity like filing taxes or accessing financial accounts can be exposed.
Identity monitoring and alerts notify you if your personal information, like your Social Security number or email, appears in places it should not, helping you act quickly if identity theft is attempted.
Personal Data Cleanup helps reduce your exposure by removing your information from high-risk data broker sites that scammers use to target you.
Device and account security helps protect the devices and accounts you rely on every day, adding another layer of defense against malware, phishing, and unauthorized access.
Together, these protections help you do more than react to scams. They help you spot them earlier, avoid risky situations, and recover faster if something goes wrong.
Today marks the start of spring in the Northern Hemisphere, and with warmer weather setting in, summer trips and vacation planning are starting to take shape.
But before you respond to that message about your hotel booking or payment confirmation, it’s worth asking: is it actually legit?
This week in scams, we’re breaking down a travel phishing scheme making the rounds through realistic booking messages, as well as new McAfee research on betting scams and AI-driven malware.
Scammers Who Know Your Exact Travel Reservation Details
A new phishing campaign targeting travelers is exploiting hotel booking platforms like Booking.com, and it’s convincing enough to fool even cautious users.
According to reporting from ITBrew and Cybernews, attackers are running a multi-stage scam:
How The Booking Scam Works
| Scam Stage | How It Works | What You’ll Notice | How to Protect Yourself | Where McAfee Helps |
|---|---|---|---|---|
| Stage 1: Hotel account gets compromised | Attackers phish or hack hotel staff to access booking platforms and guest reservation data. | You won’t see this part — it happens behind the scenes. | Use strong, unique passwords and enable multi-factor authentication on your own accounts to reduce risk of similar breaches. | Identity Monitoring can alert you if your personal information appears in suspicious places or data leaks. |
| Stage 2: You receive a realistic message | Scammers use stolen booking data to send messages via WhatsApp, email, or even booking platforms. | The message includes your real name, hotel, and travel dates, making it feel legitimate. | Be cautious of unexpected outreach, even if the details are correct. Don’t assume accuracy means authenticity. | Scam detection tools can help flag suspicious messages and identify potential phishing attempts. |
| Stage 3: Urgency is introduced | The message claims there’s an issue with your reservation and pushes you to act quickly. | Phrases like “confirm within 12 hours” or “risk cancellation” create pressure. | Pause before acting. Legitimate companies rarely require urgent payment changes without prior notice. | Scam detection can help identify high-risk messages designed to pressure you into quick decisions. |
| Stage 4: You’re sent to a fake payment page | A link leads to a convincing lookalike site designed to steal your payment details. | The page looks real but may have subtle URL differences or unusual formatting. | Always navigate directly to the official website or app instead of clicking links in messages. | Safe Browsing tools can help block risky or known malicious websites before you enter sensitive information. |
March Madness Brackets, Bets, and Bad Actors
March Madness brings brackets, bets, and a flood of bad actors.
New McAfee research found that 1 in 3 Americans (32%) say they’ve experienced a betting or gambling scam, and nearly a quarter (24%) say they’ve lost money to one. On average, victims reported losing $547.
That’s not surprising when you look at the environment around the tournament. More than half of Americans are watching, more than half are participating in some form of betting, and 82% say they’ve seen betting promotions in the past year.
Some of the most common setups this season include:
“Guaranteed win” or “can’t lose” betting tips that require payment upfront
Fake sportsbook promotions offering bonus bets or free credits
Messages claiming you have winnings, but need to pay a fee to unlock them
Impersonation scams posing as sportsbook support or betting platforms
Invitations to private “VIP betting groups” on WhatsApp or Telegram
The takeaway: If a betting offer promises guaranteed results, demands the use of bizarre apps and sites, asks for money upfront, or pushes you to act quickly, it’s not an edge. It’s a scam.
“AI-Written” Malware Is Hiding in Everyday Downloads
Not all scams start with a message. Some start with a search.
443 malicious ZIP files disguised as legitimate software
1,700+ file names used to make those downloads look credible
48 variants of a malicious DLL file used to infect devices
These weren’t hosted on obscure corners of the internet either. The files were distributed through platforms people recognize, including Discord, SourceForge, and file-sharing sites.
Here’s how the attack typically works:
You search for a tool.
You download what looks like the right file.
It opens normally at first.
Then, behind the scenes, malware loads quietly and begins pulling in additional code. In some cases, victims are shown fake error messages while the real infection happens in the background.
From there, attackers can:
Turn your device into a cryptocurrency mining machine
Install additional malware like infostealers or remote access tools
Slow down your system while running hidden processes
What makes this campaign stand out is that some of the code appears to have been generated with help from AI tools.
That doesn’t mean AI is running the attack on its own. But it does suggest attackers are using AI to:
Generate code faster
Create more variations of malware
Scale campaigns more efficiently
In other words, the barrier to building malware is getting lower.
The takeaway: If a download is unofficial, hard to find, or feels like a shortcut, it’s worth slowing down. The file may look right, but that doesn’t mean it’s safe.
How McAfee+ Advanced Works in These Scam Moments
Whether it’s a message about your booking, a betting offer that looks legitimate, or a download that appears to be exactly what you were searching for, these scams all rely on the same thing: they blend into everyday moments.
That’s where having backup like McAfee+ Advanced comes in. It includes:
McAfee’s Scam Detector, which helps flag suspicious links in texts and messages like the ones used in these booking and betting scams, so you can spot something risky before you engage
Web protection and real-time device security, helping protect against risky links, malicious sites, and evolving threats if you do click, including fake betting platforms or malware hidden in downloads
Personal Data Cleanup, which helps remove your information from sites that sell it, making it harder for scammers to access the personal details that make messages and scams feel legitimate
Secure VPN, which helps keep your personal info safe and private anywhere you use public Wi-Fi, like hotels, airports, and cafés while traveling
Identity Monitoring and alerts, with 24/7 scans of the dark web to help ensure your personal and financial information isn’t being exposed or reused
Credit and transaction monitoring, so you can get alerts about suspicious financial activity if your information is ever compromised
Identity restoration support and up to $2 million in identity theft coverage, giving you access to US-based experts and added peace of mind if something does go wrong
Stay skeptical, verify before you click, and we’ll see you next week with more.
Filing your taxes may not feel risky. You download a W-2. Upload a PDF. Email a document. Move on.
But tax season is one of the most active times of year for scammers, and the moment you start collecting and sharing tax documents is often when people are most exposed.
W-2s, 1099s, prior-year returns, and identity documents contain nearly everything criminals need to commit tax fraud or identity theft. And increasingly, scammers don’t need to break into systems to get them. They rely on rushed filers, familiar workflows, and convincing messages that blend into tax season noise.
The good news: securing your tax documents doesn’t require expensive tools or technical expertise. With a few deliberate steps, you can dramatically reduce your risk before anything leaves your device.
Why Scammers Want Your Tax Documents
Tax documents are valuable because they’re complete. A single W-2 includes your full name, Social Security number, employer information, and income data. Combined with other files, like a prior return or ID scan, that’s enough to:
File a fraudulent tax return
Open new credit accounts
Access financial services
Sell your identity on criminal marketplaces
That’s why tax-related phishing and document theft spike every filing season. Many scams don’t look like scams at all. They look like routine requests, delivery notices, or “quick questions” from someone you already trust.
How to Safely Handle and Share Tax Documents
Tax forms contain some of the most sensitive personal information you have. Taking a few precautions when storing and sharing them can reduce the risk of identity theft and tax fraud.
Store Your Tax Documents Securely
Before sending anything to an accountant or tax service, make sure your files are organized and stored safely.
Use a single secure folder Create one folder, on your device or in a trusted private cloud service account, specifically for tax documents. Avoid scattering files across downloads, email attachments, and screenshots.
Rename files clearly Use descriptive names such as “2025_W2_EmployerName.pdf” so you can easily identify documents without opening multiple files or re-downloading forms.
Avoid public Wi-Fi If you’re downloading tax documents, do it on a secure home network whenever possible. Public Wi-Fi can increase the risk of interception. If you must connect in public, using a trusted VPN adds another layer of protection.
Watch for Tax-Season Phishing Scams
Many tax scams don’t target software; they target people.
Common examples include:
Emails pretending to be from the IRS asking you to “verify” information
Messages that appear to come from your employer requesting a copy of your W-2
Fake tax portals asking you to re-upload documents
Urgent messages claiming there is a problem with your return
These scams often arrive when you’re already expecting tax-related communication, which makes them easier to trust.
Important: The IRS does not initiate contact by email, text message, or social media to request personal or financial information.
Use Secure Ways to Share Tax Documents
Email attachments are convenient, but they can also expose sensitive information.
Safer options include:
A secure client portal provided by your accountant or tax preparer
Encrypted file-sharing services
Password-protected documents sent through a secure channel
If you must email a document, avoid sending the password in the same message.
Verify Requests Before Sending Documents
Even if a request looks legitimate, pause before sharing sensitive files.
Ask yourself:
Did I expect this request?
Is the sender using their normal contact method?
Does the message create urgency or pressure?
If something seems unusual, verify the request through a separate channel, such as calling the person directly or starting a new email thread.
Secure the Devices You Use to File
Protecting tax documents also means protecting the device where they’re stored.
Before filing your taxes:
Install the latest software updates on your computer and phone
Tax scams increasingly arrive through text messages and social media, not just email, so protection needs to cover the places scammers actually reach you.
File Early and Watch for Warning Signs
Filing early reduces the opportunity for scammers to file a fraudulent tax return in your name.
After filing:
Watch for IRS notices you didn’t expect
Monitor financial accounts for unfamiliar activity
Be cautious of follow-up messages claiming problems with your return
If something feels off, investigate before responding.
Step-by-Step: How to Encrypt Tax Documents Before Sending Them
| Step | What to Do | Why It Matters |
|---|---|---|
| 1. Put all tax files into one folder | Gather your W-2s, 1099s, receipts, PDFs, and spreadsheets in one folder. | Keeps you organized and prevents accidentally leaving something unprotected. |
| 2. Convert photos into PDFs (if needed) | If documents are photos, save them as a PDF using your phone scanner app or printer settings. | PDFs are easier to encrypt and share securely than image files. |
| 3. Combine files into one ZIP folder | On your computer, select all files → right click → Compress / Zip. | Creates a single package you can protect with a password. |
| 4. Add a password to the ZIP file | Choose the “Encrypt” or “Password Protect” option when creating the ZIP file. | Password protection helps prevent unauthorized access if the file is intercepted. |
| 5. Use a strong password | Use at least 12 characters with a mix of letters, numbers, and symbols. | Weak passwords can be cracked quickly. |
| 6. Rename the file to something generic | Use a name like “Documents_2025.zip” instead of “Taxes_W2_SSN.zip.” | Avoids exposing sensitive info in the file name itself. |
| 7. Send the encrypted file through a secure method | Upload via your tax preparer’s secure portal or share through a secure cloud link. | Email attachments can be risky if the wrong person gains access. |
| 8. Send the password separately | Text or call the password—don’t include it in the same email as the file. | If someone intercepts the email, they won’t have both pieces. |
Acting quickly can limit damage and help prevent long-term fallout.
Final Thoughts
Securing your tax documents doesn’t require perfection, just intention.
By slowing down, using safer sharing methods, and staying alert to tax-season scams, you can protect yourself before problems start. In a season where everyone feels rushed, a few extra minutes can save months of cleanup later.
McAfee helps protect your identity, devices, and personal information so tax season doesn’t become scam season.
Frequently Asked Questions
Q: Is it safe to email tax documents to my accountant?
A: Email is not the safest option. Secure portals or encrypted file-sharing tools are preferred for sensitive documents like W-2s and tax returns.
Q: How do W-2 phishing scams work?
A: Scammers impersonate employers or tax authorities to trick people into sending W-2s or personal information, often using urgent or official-looking messag
Q: Can scammers file taxes using my W-2?
A: Yes. With enough personal information, criminals can file fraudulent returns or commit identity theft.
Q: How can I tell if a tax message is fake?
A: Be cautious of unsolicited requests, urgent language, unfamiliar links, or requests for documents outside normal filing workflows.
Q: What’s the safest way to share tax documents online?
A: Use secure portals, encrypted file-sharing, and verified communication channels. Avoid public Wi-Fi and unprotected email attachments.