
How to Secure Tax Documents Before Sending to Your Accountant

19 March 2026 at 13:15

Filing your taxes may not feel risky. You download a W-2. Upload a PDF. Email a document. Move on. 

But tax season is one of the most active times of year for scammers, and the moment you start collecting and sharing tax documents is often when people are most exposed. 

W-2s, 1099s, prior-year returns, and identity documents contain nearly everything criminals need to commit tax fraud or identity theft. And increasingly, scammers don’t need to break into systems to get them. They rely on rushed filers, familiar workflows, and convincing messages that blend into tax season noise. 

The good news: securing your tax documents doesn’t require expensive tools or technical expertise. With a few deliberate steps, you can dramatically reduce your risk before anything leaves your device. 

Why Scammers Want Your Tax Documents

Tax documents are valuable because they’re complete. A single W-2 includes your full name, Social Security number, employer information, and income data. Combined with other files, like a prior return or ID scan, that’s enough to: 

  • File a fraudulent tax return 
  • Open new credit accounts 
  • Access financial services 
  • Sell your identity on criminal marketplaces 

That’s why tax-related phishing and document theft spike every filing season. Many scams don’t look like scams at all. They look like routine requests, delivery notices, or “quick questions” from someone you already trust. 

How to Safely Handle and Share Tax Documents 

Tax forms contain some of the most sensitive personal information you have. Taking a few precautions when storing and sharing them can reduce the risk of identity theft and tax fraud. 

Store Your Tax Documents Securely 

Before sending anything to an accountant or tax service, make sure your files are organized and stored safely. 

Use a single secure folder
Create one folder, on your device or in a trusted private cloud service account, specifically for tax documents. Avoid scattering files across downloads, email attachments, and screenshots. 

Rename files clearly
Use descriptive names such as “2025_W2_EmployerName.pdf” so you can easily identify documents without opening multiple files or re-downloading forms. 

Avoid public Wi-Fi
If you’re downloading tax documents, do it on a secure home network whenever possible. Public Wi-Fi can increase the risk of interception. If you must connect in public, using a trusted VPN adds another layer of protection. 

Watch for Tax-Season Phishing Scams 

Many tax scams don’t target software; they target people. 

Common examples include: 

  • Emails pretending to be from the IRS asking you to “verify” information 
  • Messages that appear to come from your employer requesting a copy of your W-2 
  • Fake tax portals asking you to re-upload documents 
  • Urgent messages claiming there is a problem with your return 

These scams often arrive when you’re already expecting tax-related communication, which makes them easier to trust. 

Important: The IRS does not initiate contact by email, text message, or social media to request personal or financial information. 

Use Secure Ways to Share Tax Documents 

Email attachments are convenient, but they can also expose sensitive information. 

Safer options include: 

  • A secure client portal provided by your accountant or tax preparer 
  • Encrypted file-sharing services 
  • Password-protected documents sent through a secure channel 

If you must email a document, avoid sending the password in the same message. 

Verify Requests Before Sending Documents 

Even if a request looks legitimate, pause before sharing sensitive files. 

Ask yourself: 

  • Did I expect this request? 
  • Is the sender using their normal contact method? 
  • Does the message create urgency or pressure? 

If something seems unusual, verify the request through a separate channel, such as calling the person directly or starting a new email thread. 

Secure the Devices You Use to File 

Protecting tax documents also means protecting the device where they’re stored. 

Before filing your taxes: 

  • Install the latest software updates on your computer and phone 
  • Enable automatic updates when possible 
  • Use security tools that can flag malicious links, fake websites, and suspicious messages, like McAfee’s WebAdvisor (free download here)

Tax scams increasingly arrive through text messages and social media, not just email, so protection needs to cover the places scammers actually reach you. 

File Early and Watch for Warning Signs 

Filing early reduces the opportunity for scammers to file a fraudulent tax return in your name. 

After filing: 

  • Watch for IRS notices you didn’t expect 
  • Monitor financial accounts for unfamiliar activity 
  • Be cautious of follow-up messages claiming problems with your return 

If something feels off, investigate before responding. 

Step-by-Step: How to Encrypt Tax Documents Before Sending Them 

Step | What to Do | Why It Matters
1. Put all tax files into one folder | Gather your W-2s, 1099s, receipts, PDFs, and spreadsheets in one folder. | Keeps you organized and prevents accidentally leaving something unprotected.
2. Convert photos into PDFs (if needed) | If documents are photos, save them as a PDF using your phone scanner app or printer settings. | PDFs are easier to encrypt and share securely than image files.
3. Combine files into one ZIP folder | On your computer, select all files → right click → Compress / Zip. | Creates a single package you can protect with a password.
4. Add a password to the ZIP file | Choose the “Encrypt” or “Password Protect” option when creating the ZIP file. | Password protection helps prevent unauthorized access if the file is intercepted.
5. Use a strong password | Use at least 12 characters with a mix of letters, numbers, and symbols. | Weak passwords can be cracked quickly.
6. Rename the file to something generic | Use a name like “Documents_2025.zip” instead of “Taxes_W2_SSN.zip.” | Avoids exposing sensitive info in the file name itself.
7. Send the encrypted file through a secure method | Upload via your tax preparer’s secure portal or share through a secure cloud link. | Email attachments can be risky if the wrong person gains access.
8. Send the password separately | Text or call the password; don’t include it in the same email as the file. | If someone intercepts the email, they won’t have both pieces.
9. Confirm the recipient received it securely | Ask them to confirm download and access. | Prevents re-sending sensitive documents multiple times.
10. Delete extra copies once filing is done | Remove unneeded copies from desktop, downloads folder, and email attachments. | Reduces the chance of future exposure if your device is compromised.

What to Do If You Think Your Tax Information Was Exposed 

If you believe your tax documents were shared with the wrong party or compromised: 

  1. Stop further communication immediately 
  2. Contact your accountant or tax service 
  3. Notify the IRS if sensitive information was exposed 
  4. Monitor credit and financial accounts closely 
  5. Run a security scan on your device, check out our free trial 

Acting quickly can limit damage and help prevent long-term fallout. 

Final Thoughts

Securing your tax documents doesn’t require perfection, just intention. 

By slowing down, using safer sharing methods, and staying alert to tax-season scams, you can protect yourself before problems start. In a season where everyone feels rushed, a few extra minutes can save months of cleanup later. 

McAfee helps protect your identity, devices, and personal information so tax season doesn’t become scam season. 

Frequently Asked Questions 

Q: Is it safe to email tax documents to my accountant? 

A: Email is not the safest option. Secure portals or encrypted file-sharing tools are preferred for sensitive documents like W-2s and tax returns. 

Q: How do W-2 phishing scams work? 

A: Scammers impersonate employers or tax authorities to trick people into sending W-2s or personal information, often using urgent or official-looking messages. 

Q: Can scammers file taxes using my W-2? 

A: Yes. With enough personal information, criminals can file fraudulent returns or commit identity theft. 

Q: How can I tell if a tax message is fake? 

A: Be cautious of unsolicited requests, urgent language, unfamiliar links, or requests for documents outside normal filing workflows. 

Q: What’s the safest way to share tax documents online? 

A: Use secure portals, encrypted file-sharing, and verified communication channels. Avoid public Wi-Fi and unprotected email attachments. 


The post How to Secure Tax Documents Before Sending to Your Accountant appeared first on McAfee Blog.

New Research: Hackers Are Using AI-Written Code to Spread Malware

18 March 2026 at 21:48

McAfee Labs has uncovered a widespread malware campaign hiding inside fake downloads for things like game mods, AI tools, drivers, and trading utilities. 

In January 2026, researchers observed 443 malicious ZIP files impersonating software people might actively search for online. Across those files, McAfee identified 48 malicious WinUpdateHelper.dll variants used to infect devices. The campaign was spread through a mix of file-hosting and content delivery services, including Discord, SourceForge, FOSSHub, and mydofiles[.]com. 

What makes this campaign especially notable is that some parts of it appear to have been built with help from large language models (LLMs). McAfee researchers found signs that certain scripts likely used AI-generated code, which may have helped the attackers create and scale the campaign faster. 

That does not mean AI created the whole operation on its own. But it does suggest AI may be helping cybercriminals lower the effort needed to build malware and launch attacks. 

Want the full research? Dive in here. 

We break down the top takeaways below. 

What McAfee Found 

Finding | What it means
443 malicious ZIP files | Attackers created many different fake downloads to reach more victims
48 malicious DLL variants | The campaign used multiple versions of the malware, not just one file
1,700+ file names observed | The same threat was repackaged under many different names to look convincing
17 distinct kill chains | Researchers found multiple attack flows, but they followed a similar overall pattern
Hosted on familiar platforms | The malware was distributed through services users may recognize, including Discord and SourceForge
AI-assisted code suspected | Some scripts contained explanatory comments and patterns that strongly suggest LLM assistance
Cryptomining and additional malware observed | Infected devices could be used to mine cryptocurrency or receive more malicious payloads

What Is “AI-Written Malware”? 

In this case, “AI-written malware” does not mean an AI system independently invented and launched the attack. 

Instead, McAfee Labs found evidence that the attackers very likely used AI tools to help generate some of the code used in the campaign, especially in certain PowerShell scripts. 

Put simply: 

Term | Plain-English meaning
Large language model (LLM) | An AI system that can generate text and code based on prompts
AI-assisted malware | Malware where attackers appear to have used AI tools to help write or structure parts of the code
Vibe coding | A style of coding where someone describes what they want and an AI does much of the writing

This matters because it can make malware development faster, easier, and more scalable for attackers. 

Figure 1: Attack Vector

How The Fake Download Attack Works 

The attack begins when someone searches for software online and downloads what looks like the tool they wanted. 

That tool might appear to be a game mod, AI voice changer, emulator, trading utility, VPN, or driver. But behind the scenes, the ZIP archive includes malicious components that start the infection. 

Step | What happens
1. A user downloads a fake file | The ZIP archive is disguised as something useful or desirable, such as a mod menu, AI tool, or driver
2. The file appears normal at first | In some cases, the package includes a legitimate executable so it feels more convincing
3. A malicious DLL is loaded | A hidden malicious file, often WinUpdateHelper.dll, starts the real attack
4. The user is distracted | The malware may display a fake “missing dependency” message and redirect the user to install unrelated software
5. A PowerShell script is pulled from a remote server | While the user is distracted, the malware contacts a command-and-control server and runs additional code
6. More malware is installed | Depending on the sample, the device may receive coin miners, infostealers, or remote access tools
7. The infected device is abused for profit | In many cases, attackers use the victim’s system resources to mine cryptocurrency in the background

What Kinds of Files Were Used as Bait 

McAfee found that the attackers cast a very wide net. The malicious ZIP files impersonated many types of software, including: 

Bait category | Examples
Gaming tools | game mods, cheats, executors, Roblox-related tools
AI-themed tools | AI image generators, AI voice changers, AI-branded downloads
System utilities | graphics drivers, USB drivers, emulators, VPNs
Trading or finance tools | stock-market utilities and related downloads
Fake security or malware tools | fake stealers, decryptors, and other risky-looking utilities

That broad range is part of what made the campaign effective. It was designed to catch people already looking for shortcuts, unofficial tools, or hard-to-find software. 

Why McAfee Researchers Believe AI Was Used 

One of the strongest clues came from the comments inside some of the attack scripts. 

McAfee researchers found explanatory comments that looked more like AI-generated instructions than the kind of shorthand attackers usually leave for themselves. In one example, a comment referred to downloading a file from “your GitHub URL,” which suggests the code may have come from a generated template and was not fully cleaned up before use. 

These details do not prove every part of the campaign was AI-made. But they do support McAfee’s assessment that certain components were likely generated with help from large language models. 

What Happens on an Infected Device 

In many cases, the malware was used to turn victims’ computers into quiet crypto-mining machines. 

McAfee observed mining activity involving several cryptocurrencies, including: 

  • Ravencoin 
  • Zephyr 
  • Monero 
  • Bitcoin Gold 
  • Ergo 
  • Clore 

Some samples also downloaded additional payloads such as SalatStealer or Mesh Agent. 

For victims, that can mean: 

Possible effect | What it may look like
Slower performance | apps lag, games stutter, system feels unusually sluggish
High CPU or GPU usage | fans run constantly, laptop gets hot, battery drains faster
Background malware activity | unknown processes, suspicious downloads, unexpected behavior
Potential data theft | if an infostealer or remote access tool is installed

McAfee was also able to trace several Bitcoin wallets tied to the campaign. At the time of the report, those wallets held about $4,536 in Bitcoin, while total funds received were approximately $11,497.70. Researchers note the real total could be higher because some of the currencies involved are harder to trace. 

Who Was Targeted Most 

This campaign was observed most heavily in: 

  • United States 
  • United Kingdom 
  • India 
  • Brazil 
  • France 
  • Canada 
  • Australia 

That does not mean users elsewhere were unaffected. These were simply the countries where researchers saw the highest prevalence. 

Figure 2: Geographical Prevalence 

Red Flags To Watch For 

Even though the campaign used advanced techniques, the warning signs for users were often familiar. 

Red flag | Why it matters
You found the file through a random link | Unofficial forums, Discord links, and file-hosting pages are common malware delivery paths
The download is a ZIP for something sketchy or unofficial | Cheats, cracks, mod tools, and unofficial utilities carry higher risk
You get a “missing dependency” message | Attackers may use this to push a second download while the real infection happens in the background
The file name looks right, but the source feels wrong | Familiar names can be faked easily
Your PC suddenly slows down or overheats | Hidden cryptominers often abuse system resources
You notice new, unrelated software installed | The campaign sometimes used unwanted software installs as a distraction

How To Stay Safe From Malware Hidden in Fake Downloads 

This campaign is a reminder that not every convincing file is a safe one. A few habits can reduce your risk significantly. 

Safety step | Why it helps
Download software only from official sources | This lowers the chance of accidentally installing a trojanized file
Avoid cheats, cracks, and unofficial mods | These categories are common bait for malware campaigns
Be skeptical of dependency prompts | Unexpected requests to install helper files or missing components can be part of the attack
Keep your security software updated | Current protection can help detect known threats and suspicious behavior
Pay attention to system performance | A suddenly hot, loud, or slow PC may be a sign something is running in the background
Review what you download before opening it | Even a familiar file name does not guarantee a file is legitimate

McAfee helps protect against malware threats like these with multiple layers of security, including malware detection and safer browsing protections designed to help stop risky downloads before they can do damage. 

What To Do If You Think You Opened One of These Files 

If you think you downloaded and ran a suspicious file like one described in this campaign: 

Action | Why it matters
Disconnect from the internet | This can help interrupt communication with attacker-controlled servers
Run a full security scan | A trusted scan can help identify malicious files and behavior
Delete suspicious downloads | Remove the file and avoid reopening it
Check for unfamiliar software or startup items | The infection may have installed additional components
Change important passwords from a clean device | This is especially important if data-stealing malware may have been involved
Monitor accounts for unusual activity | Keep an eye on email, banking, and other sensitive accounts

If your computer continues acting strangely after a scan, it may be worth getting professional help. 

What This Means for the Future of Malware 

This campaign highlights how cybercrime is evolving. 

The core risk is not just fake downloads. It is the fact that attackers are using AI tools to help generate code, create variations, and speed up parts of the malware development process. 

That can make campaigns like this easier to scale and harder to ignore. 

For everyday users, the takeaway is simple: if a file seems unofficial, rushed, or too good to be true, pause before opening it. A fake download may look like a shortcut, but it can quietly turn your device into a target.  

Frequently Asked Questions 

Q: What is AI-written malware?

A: AI-written malware generally refers to malicious code, or parts of a malware campaign, that appear to have been created with help from AI coding tools or large language models. 

Q: Did AI create this entire malware campaign? 

A: McAfee Labs did not say that. The research suggests that certain components, especially some scripts, were likely generated with help from large language models. 

Q: What was this malware disguised as? 

A: The malicious files impersonated game mods, AI tools, drivers, trading utilities, VPNs, emulators, and other software downloads. 

Q: What can happen if you open one of these fake files? 

A: Depending on the sample, the malware may install coin miners, steal data, establish persistence, or download additional malicious tools. 

Q: Can malware really use my computer to mine cryptocurrency? 

A: Yes. McAfee observed samples in this campaign that used victims’ CPU and GPU resources to mine cryptocurrency in the background. 

Q: What is the safest way to avoid this kind of malware? 

A: Download software only from official or trusted sources, avoid unofficial tools and cheats, be cautious of fake dependency prompts, and keep your security protection up to date. 

Want to learn more? Dive into the full research here. 

The post New Research: Hackers Are Using AI-Written Code to Spread Malware appeared first on McAfee Blog.

AI Wrote This Malware: Dissecting the Insides of a Vibe-Coded Malware Campaign

18 March 2026 at 18:21

Authored by Aayush Tyagi  

Background 

The term ‘vibe coding’, first coined in February 2025 by OpenAI researchers, has exploded across digital platforms. Hundreds of articles and YouTube videos discuss the dangers of vibe coding and warn the internet about the rise of “vibe coders”, while others label it a fundamental shift in software development and the future of coding.  

Vibe coding is an approach where the AI does the heavy lifting rather than the user. Instead of manually writing code or implementing algorithms, users describe their intent through a text-based prompt, and the LLM responds with fully functional code and an explanation. Unsurprisingly, the internet is now flooded with guides on the best LLMs and prompts to generate “perfect” code. 

Given the ease of generating fully functional code, McAfee Labs has also seen a rise in vibe-coded malware. In these campaigns, certain components of the kill chain contain AI-generated code, significantly reducing the effort and knowledge required to execute new malware campaigns. This shift not only makes malware campaigns more scalable but also lowers the barrier to entry for new malware authors. 

Executive summary 

In January 2026, McAfee Labs observed 443 malicious zip files impersonating a wide range of software, including AI image generators and voice-changing tools, stock-market trading utilities, game mods and modding tools, game hacks, graphics card and USB drivers, ransomware decryptors, VPNs, emulators, and even infostealer, cookie-stealer, and backdoor malware, to infect users.  

Across the 440+ zip files, we observed 48 unique malicious WinUpdateHelper.dll variants, responsible for the infections. McAfee has been detecting variants of this threat since December 2024, although the vibe coding observed in certain components appears to be a recent addition. These files are distributed through various legitimate content delivery network (CDN) services and file-hosting websites, such as Discord, SourceForge, FOSSHub, and MediaFire, to name a few. Another website that was actively delivering this malware was mydofiles[.]com. 

Here, the attackers implement volume-driven malware distribution techniques to infect as many users as possible.  

Figure 1: Attack Vector

This attack begins when users surf the internet looking for tools and software that promise to simplify their tasks. Instead, they encounter trojanized zip files.  

We discovered over 100 URLs actively spreading this malware, of which approximately 61 were hosted on Discord, 17 on SourceForge, and 15 on mydofiles[.]com. 

On running the executable, it loads a malicious WinUpdateHelper.dll file, which redirects the user to file-hosting websites under the pretext that they are missing crucial dependencies, and tricks them into installing unrelated software as a distraction. Meanwhile, the DLL has already requested and executed a malicious PowerShell script from a command-and-control (C2) server.  

This script infects the user’s system and either downloads mining software that abuses the system’s resources, or downloads additional payloads such as SalatStealer or Mesh Agent, depending on which WinUpdateHelper.dll sample infected the user.  

In this PowerShell script, the presence of explanatory comments and structured sections strongly indicates that LLMs were used to generate the code. 

Read more about this in the Using AI to generate malware? section below.  

So far, we’ve observed the mining of Ravencoin, Zephyr, Monero, Bitcoin Gold, Ergo, and Clore cryptocurrencies.    

Due to the presence of hardcoded Bitcoin wallet credentials within these malware samples, we were able to trace on-chain transactions and identify wallets containing over $4,500 USD that are part of this campaign.  

Since most of the mining activity targets privacy-focused cryptocurrencies such as Zephyr, Ravencoin and Monero, the real financial impact is likely to be nearly double the amount identified through Bitcoin tracing alone.  

Geographical Prevalence 

Figure 2: Geographical Prevalence  

This malware campaign has specifically targeted users in the following countries, ranked by prevalence: the United States, followed by the United Kingdom, India, Brazil, France, Canada, and Australia. 

Bottom Line

The availability of LLMs capable of generating code instantly, combined with the widespread accessibility of technical knowledge, has created a low-effort, high-reward environment, making malware deployment increasingly accessible. 

At McAfee Labs, we work hard so that you don’t need to worry, but it always helps to be informed and educated about the latest threats entering the threat landscape. 
We will continue monitoring these campaigns to ensure our customers remain informed and protected across platforms. 

Technical Analysis  

Impersonated Applications

Here we see malware distribution at a large scale, and by analyzing the filenames of these ZIP archives, we can infer which users are being targeted. These are some of the names we’ve witnessed in the wild. 

Figure 3: Malware Impersonating gaming software

The attackers are actively impersonating video game cheats and game mods for popular titles, and well-known script executors for Roblox, such as Delta Executor and Solara as seen above.  

Figure 4: Malware Impersonating tools, malware and drivers 

Names such as Panther-Stealer and Zerotrace-Stealer indicate that even users looking for malware on the internet are not safe, reinforcing the notion that there is truly no honor among thieves. 

The campaign also leverages drivers and AI-themed tools as part of its lure portfolio, among other tools. Interestingly, we see the name ‘DeepSeek.zip’, where attackers are exploiting the name of a prominent LLM, DeepSeek. McAfee encountered these types of attacks in early 2025 and covered them extensively.  

Read the previous blog here: Look Before You Leap: Imposter DeepSeek Software Seek Gullible Users  

Stage 1 Payload – Misleading Installation  

Once the user downloads the ZIP archive from Discord or any other website, they get the following set of files.

Figure 5: Files within the zip archive. 

Here, the executable named ‘gta-5-online-mod-menu.exe’ (Highlighted in Blue) is a legitimate and clean file. Whereas the file named ‘WinUpdateHelper.dll’ (Highlighted in Red) is malicious.  

Figure 6: Command Prompt misinforming the user 

On executing ‘gta-5-online-mod-menu.exe’, the malicious DLL is loaded. The user is informed that they are missing dependencies, and they’re redirected to the following URL via the default browser.  

hxxps://igk[.]filexspace.com/getfile/XKQLPSK?title=DependencyCore&tracker=gta-5-online-mod-menu 

Here, within the URL, a tracker variable is used to identify which malware has infected the user. In this instance, it was ‘gta-5-online-mod-menu’.  

Figure 7: Website prompting users to download dependencycore.zip 

Dependencycore.zip is a setup file. On execution, it installs unrelated third-party software on the victim’s system. 

Figure 8: Files dropped by Dependencycore.zip in temp folder 

In this instance, iTop Easy Desktop was installed. 

This unwanted installation is meant to divert the user’s attention, since WinUpdateHelper.dll has already connected to the C2 server and infected the system.   

Stage 1 Payload – Malicious Functionality  

Once the redirection code is executed, the malware executes the malicious code.  

Figure 9: Malicious code within WinUpdateHelper.dll 

In the above code snippet, which is present in the WinUpdateHelper.dll, we can see that a new service has been created under the name “Microsoft Console Host” to make it appear to be benign (Highlighted in Red). The parameters passed to this service ensure that it executes at system boot. This is done to maintain persistence in the system.

The service executes a PowerShell command that dynamically generates the C2 domain from the current UNIX timestamp, using the following subexpression: 

$([Math]::Floor([DateTimeOffset]::UtcNow.ToUnixTimeSeconds() / 5000000) * 5000000).xyz 

It floors the timestamp to a multiple of 5,000,000 seconds and appends .xyz, so the domain name changes once every 5,000,000 seconds, or roughly every 58 days. 

The latest C2 domain we’ve discovered that is up and running is 
1770000000[.]xyz/script?id=fA9zQk2L0M&tag=WinUpdateHelper

During our analysis we observed the following domain 
1765000000[.]xyz/script?id=fA9zQk2L0M&tag=WinUpdateHelper, which is present in the following images.  

Here, id=fA9zQk2L0M is randomly generated to uniquely identify the user, and tag=WinUpdateHelper identifies the malware campaign.  

The malware connects to the above-mentioned C2 server to download a PowerShell script and execute it in memory. This fileless execution ensures improved evasion against signature-based detections. 
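Because the C2 domain is a pure function of time, a defender can precompute the domains to block or to hunt for in DNS logs. The following is an added example, not code from the McAfee Labs report: it reimplements the PowerShell expression quoted above in Python and runs it over a few constructed DNS log lines (the log format, one line of "timestamp client qname", is an assumption).

```python
"""Replicate the time-based C2 domain generation described in the report so a
defender can precompute the domains for blocklists and DNS hunting.
Added example; the DNS line format below is constructed for illustration."""
from datetime import datetime, timezone

PERIOD_SECONDS = 5_000_000  # constant taken from the PowerShell subexpression
TLD = "xyz"


def dga_domain(unix_seconds: int) -> str:
    """Floor the timestamp to a multiple of 5,000,000 and append .xyz,
    exactly as [Math]::Floor(ts / 5000000) * 5000000 does in the script."""
    if unix_seconds < 0:
        raise ValueError("timestamp must be non-negative")
    bucket = (unix_seconds // PERIOD_SECONDS) * PERIOD_SECONDS
    return f"{bucket}.{TLD}"


def dga_window(unix_seconds: int, before: int = 1, after: int = 1) -> list[str]:
    """Domains for the current period plus `before` previous and `after`
    upcoming periods, so a blocklist stays valid across the ~58-day rollover."""
    base = (unix_seconds // PERIOD_SECONDS) * PERIOD_SECONDS
    starts = range(base - before * PERIOD_SECONDS,
                   base + (after + 1) * PERIOD_SECONDS,
                   PERIOD_SECONDS)
    return [f"{s}.{TLD}" for s in starts if s >= 0]


def next_rollover(unix_seconds: int) -> datetime:
    """UTC time at which the C2 domain next changes."""
    base = (unix_seconds // PERIOD_SECONDS) * PERIOD_SECONDS
    return datetime.fromtimestamp(base + PERIOD_SECONDS, tz=timezone.utc)


def find_dga_queries(dns_lines: list[str], unix_seconds: int) -> list[str]:
    """Return queried names from DNS log lines that fall on a DGA domain in
    the +/-1 period window. Assumed line format: '<ts> <client> <qname>'."""
    watch = set(dga_window(unix_seconds))
    hits = []
    for line in dns_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; skip rather than crash a hunt
        qname = parts[2].rstrip(".").lower()
        labels = qname.split(".")
        # match the registered domain even if a subdomain was queried
        if len(labels) >= 2 and ".".join(labels[-2:]) in watch:
            hits.append(qname)
    return hits


SAMPLE_DNS = [  # constructed sample lines, not taken from the report
    "1766000000 10.0.0.12 1765000000.xyz.",
    "1766000100 10.0.0.12 update.microsoft.com.",
    "1766000200 10.0.0.33 1760000000.xyz.",
    "1766000300 10.0.0.33 cdn.example.net.",
]

if __name__ == "__main__":
    now = 1766000000  # a January 2026 timestamp, matching the report's window
    print("current C2 domain:", dga_domain(now))
    print("rolls over at:", next_rollover(now).isoformat())
    print("suspicious queries:", find_dga_queries(SAMPLE_DNS, now))
```

With a January 2026 timestamp the function yields 1765000000.xyz, the domain the report observed, and 1770000000.xyz as the next one, matching the "latest" domain quoted above.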

Stage 2 Payload – PowerShell Script  

Figure 10: PowerShell downloaded from the C2 server 

It is funny to note that the first comment of this script says “# I am forever sorry”, which indicates that the attackers do carry some guilt regarding their actions, but not enough to stop the campaign. We found similar comments, such as “# sorry lol”, across multiple PowerShell scripts we discovered.  

The first set of commands (highlighted in green) is used to delete Windows services and scheduled tasks. This is done to remove older or conflicting persistence mechanisms and to avoid duplicate miners running on the same system. 

The second set of commands (highlighted in red) consists of registry modifications that add “C:\ProgramData” to the Windows Defender exclusion paths, meaning the ProgramData folder will no longer be scanned by Windows Defender. This exclusion allows the malware to drop additional payloads to disk without the risk of them being detected and removed.  

The third set of commands (highlighted in blue) does exactly that: it downloads the next-stage payload from the URL “hxxps://1765000000[.]xyz/download/xbhgjahddaa” and stores it at the path “C:\ProgramData\fontdrvhost.exe”.

Again, the name ‘fontdrvhost.exe’ imitates a legitimate Windows binary to mask its true intent. After the download, the file is decoded using a simple arithmetic decryption routine, which provides protection against static signature detection and network detection. 

The payload is an XMRig miner sample. In the next command, the miner is initialized and executed. Here, we see the miner connecting to “solo-zeph.2miners.com:4444” and starting CPU-based Zephyr coin mining using the following wallet address: ‘ZEPHsCY4zbcHGgz2U8PvkEjkWjopuPurPNv8nnSFnM5MN8hBas8kBN4hoNKmc7uMRfUQh4Fc9AHyGxL6NFARnc217m2vYgbKxf’. 

Figure 11: PowerShell downloaded from the C2 server continued  

In the second half of the script, we see another miner being set up and executed using the same technique (highlighted in red). This time the file is stored as “RuntimeBroker.exe” in the ProgramData folder. The miner connects to “solo-rvn.2miners.com:7070” to mine Ravencoin, and it uses the system’s GPU instead of the CPU for mining (highlighted in blue).  

This is the wallet address used for mining in this instance ‘bc1q9a59scnfwkdlm6wlcu5w76zm2uesjrqdy4fr8r’.  

Hence, we see a dual coin-mining deployment infrastructure utilizing both CPU and GPU resources to optimize mining efficiency. 
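A defender-side detection for the sequence just walked through, as an added example that is not McAfee's code: it runs three checks (persistence cleanup, a Defender exclusion on a broad path, and a system-binary name executing outside the system directories) over constructed telemetry lines in a key=value format assumed here for illustration, not any real product's schema.

```python
import re

# Binary names the campaign borrows from Windows (named in the write-up);
# on a clean host these only run from the system directories below.
MASQUERADE_NAMES = {"fontdrvhost.exe", "runtimebroker.exe", "cvtres.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Exclusions this broad blind Defender to everything dropped underneath.
BROAD_EXCLUSIONS = {"c:", "c:\\programdata", "c:\\users", "c:\\windows"}
EXCLUSION_KEY = "\\windows defender\\exclusions\\paths"

# Commands that tear down services or scheduled tasks, as the script does
# before installing its own persistence.
PERSISTENCE_CLEANUP = re.compile(
    r"(schtasks(\.exe)?\s+/delete|sc(\.exe)?\s+delete|"
    r"unregister-scheduledtask|remove-service)", re.IGNORECASE)

TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one constructed key=value telemetry line into a dict."""
    return {k: v.strip('"') for k, v in TOKEN.findall(line)}


def norm_path(p):
    return p.lower().rstrip("\\")


def check_event(ev):
    """Return a list of (rule, detail) findings for a single event."""
    findings = []
    kind = ev.get("type")
    if kind == "registry_set" and EXCLUSION_KEY in ev.get("key", "").lower():
        # Defender stores each excluded path as a value name under the key.
        excluded = norm_path(ev.get("value", ""))
        if excluded in BROAD_EXCLUSIONS:
            findings.append(("defender_broad_exclusion", excluded))
    elif kind == "process_start":
        image = ev.get("image", "")
        cmd = ev.get("cmdline", "")
        name = image.lower().rsplit("\\", 1)[-1]
        if name in MASQUERADE_NAMES and not image.lower().startswith(SYSTEM_DIRS):
            findings.append(("system_binary_name_outside_system_dir", image))
        low = cmd.lower()
        if "add-mppreference" in low and "-exclusionpath" in low:
            findings.append(("defender_exclusion_via_powershell", cmd))
        if PERSISTENCE_CLEANUP.search(cmd):
            findings.append(("persistence_cleanup", cmd))
    return findings


def scan(lines):
    """Run every rule over the lines and return all findings in order."""
    out = []
    for line in lines:
        if line.strip():
            out.extend(check_event(parse_event(line)))
    return out


# Constructed sample telemetry mirroring the order of operations in the script.
SAMPLE_LOG = [
    r'type=process_start host=ws01 image="C:\Windows\System32\schtasks.exe" cmdline="schtasks /delete /tn OldMiner /f"',
    r'type=registry_set host=ws01 key="HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" value="C:\ProgramData" data=0',
    r'type=process_start host=ws01 image="C:\ProgramData\fontdrvhost.exe" cmdline="fontdrvhost.exe"',
    r'type=process_start host=ws01 image="C:\Windows\System32\fontdrvhost.exe" cmdline="fontdrvhost.exe"',
    r'type=process_start host=ws01 image="C:\ProgramData\RuntimeBroker.exe" cmdline="RuntimeBroker.exe"',
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_LOG):
        print(f"{rule}: {detail}")
```

The fourth sample line, the genuine fontdrvhost.exe under System32, produces no finding, which is the distinction the masquerade rule relies on.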

Bitcoin? Interesting…  

What is interesting here is that the attackers have used a Bitcoin wallet address for mining Ravencoin, which indicates they are using multi-coin pools for mining. The attackers use the victims’ machines to mine Ravencoin and automatically convert the mining rewards to Bitcoin before the payout.  

This is done for several reasons: Bitcoin offers higher liquidity and broader acceptance, but most importantly, Ravencoin is computationally easier and economically viable to mine on a victim’s system. Bitcoin requires specialized ASIC hardware for profitable mining, and attempting to mine Bitcoin directly on infected systems would generate negligible returns. We’ve seen the same behaviour in multiple samples. 

This is a smoking gun. Unlike Zephyr coin or Monero, Bitcoin’s blockchain is fully traceable. Every Satoshi, the smallest unit of Bitcoin, can be traced across the blockchain from the moment it was mined to its current holder. From there, it becomes easy to determine how much cryptocurrency the threat actor is receiving. More on this later.  

Anti-Analysis Techniques 

The attackers have meticulously designed the campaign and have implemented various anti-analysis techniques to thwart researchers.  

The PowerShell script we’ve seen above is responsible for downloading and initializing the coin miner samples. It is only served to PowerShell. If we try to access the server via curl, we get the following response.  

Figure 12: 301 Response from the server 

This indicates that the server is actively checking the User-Agent of incoming requests and deploys the payload only when the request originates from PowerShell. 

Similarly, the URLs embedded within the PowerShell script that download the next payload are unique to each victim and remain active for 60 seconds. After that, they return a 404 Not Found error, so a researcher replaying a captured script after the fact gets nothing.  

Figure 13: URLs within the PowerShell 

These techniques are meant to confuse and disorient researchers, making the analysis difficult.  

Using AI to generate malware?  

While working on this malware campaign, we came across over 440 unique zip files. These same zip files were distributed with over 1700 different names, targeting various software. 

Across these 440 zip files, we noticed 48 unique variants of WinUpdateHelper.dll. These 48 files can be clustered into 17 distinct kill chains, each featuring its own C2 infrastructure, misleading installation setups, second-stage PowerShell scripts and final payloads, yet the cryptocurrency wallet credentials remain similar. 

In the above technical analysis, we’ve only covered one kill chain. Yet, across these 17 kill chains, we’ve noticed the flow remains the same.  

Figure 14: PowerShell Script with LLM-Generated Comments 

Across multiple second stage payloads, we encounter multiple comments such as the following, embedded within the code:

# === Create and execute run.bat in C:\ProgramData ===

:: This batch file:

:: – Creates the hidden folder C:\ProgramData\cvtres if it doesn't exist (using CMD attrib for hidden + system)

:: – Downloads cvtres.exe from your GitHub URL

:: – Saves it to C:\ProgramData\cvtres\cvtres.exe

:: – Executes it immediately

:: – Runs completely hidden/minimized (no window visible)

The presence of such explanatory-style comments indicates that large language models were likely used during the development of these scripts. The comment “Downloads cvtres.exe from your GitHub URL” is particularly telling: ‘your GitHub URL’ refers to the threat actor’s own GitHub repository hosting the malware, which points to vibe coding, with the model’s placeholder wording left in place.  

Tracking Bitcoin Across the Blockchain 

During analysis of this malware campaign, we came across a few instances where the final payload was infostealer malware. In most cases it was a coin miner sample. 
In these cases, we encountered wallet credentials and mining pool URLs for several alternative cryptocurrencies, such as Ravencoin, Zephyr and Monero, which aren’t traceable.  

Fortunately, we came across 7 bitcoin wallets that are part of this malware campaign and are actively receiving mined cryptocurrency. 

bc1q9a59scnfwkdlm6wlcu5w76zm2uesjrqdy4fr8r     bc1q7cpwxjatrtpa29u85tayvggs67f6fxwyggm8kd 

bc1qyy0cv8snz7zqummg0yucdfzpxv2a5syu7xzsdq    bc1qxhp6mn0h7k9r89w8amalqjn38t4j5yaa7t89rp 

bc1qxnkkpnuhydckmpx8fmkp73e38dfed93uhfh68l    bc1qrtztxnqnjk9q4d5hupnla245c7620ncj3tzp7h 

bc1q97yd574m9znar99fa0u799rvm55tnjzkw9l33w 

As of writing this blog, these wallets contain Bitcoin valued at approximately $4,536.20 USD. 

Figure 15: Wallet Snapshot displaying the total value  

These wallets have seen regular withdrawals, with total funds received amounting to approximately $11,497.7 USD. 

McAfee Coverage

McAfee has extensive coverage for this Coinminer Malware Campaign. We’re proactively covering new samples observed in the wild. 

Trojan:Win/Phishing.AP 

Trojan:Script/Coinminer.AT 

Trojan:Win/Dropper.AT 

Indicators of Compromise


The post AI Wrote This Malware: Dissecting the Insides of a Vibe-Coded Malware Campaign appeared first on McAfee Blog.

1 in 3 Has Experienced a Betting Scam. What March Madness Fans Should Know

17 March 2026 at 12:55

Whether you’re a hardcore basketball fan or the office colleague who gets roped into filling out a bracket every year, March Madness is the season for brackets, office pools, and last-minute picks. 

More than half of Americans (57%) plan to watch the NCAA basketball tournament, and 55% say they participate in some kind of betting or bracket activity during March Madness, from office pools to licensed sportsbook wagers.  

But where there’s excitement and money, scammers aren’t far behind. 

New research from McAfee finds that 1 in 3 Americans (32%) say they’ve experienced a betting or gambling scam, and 24% say they’ve lost money to one, with victims losing an average of $547. 

Big events like March Madness create the perfect storm: massive attention, constant betting promotions, and fans searching online for predictions, tips, and an edge. 

Scammers know it, and they’re exploiting the moment. 

This example shows an incredibly realistic, but fake, FanDuel site created by scammers to impersonate the real thing.

Why March Madness is Prime Time for Betting Scams 

Sports betting promotions are everywhere during major events like March Madness. 

According to McAfee research, 82% of Americans say they’ve seen sports betting promotions or offers in the past year, often on social media, streaming broadcasts, and sports websites. 

That flood of promotions makes it easier for scams to blend in with legitimate content. 

Many scams start the same way legitimate offers do, through messages, ads, or links promising bonuses or tips. But once someone clicks or responds, the situation can escalate quickly. 

For example: 

  • 42% of Americans say they’ve been asked to click a link sent via email tied to a betting offer 
  • Others report links sent through social media messages or text messages directing them to betting sites, apps, or private betting groups 

In many cases, victims are then asked to send money to unlock winnings, activate accounts, or access premium betting picks. 

The payout rarely exists. 

The Most Common Betting Scams Fans Encounter 

Betting scams come in several forms, but many follow familiar patterns. 

Here are some of the most common tactics reported in McAfee’s research: 

Guaranteed Win Scam 
Definition: A betting scam where someone promises a “guaranteed win,” “sure bet,” or “can’t lose” outcome in exchange for money, clicks, or sign-ups. According to McAfee’s findings, about 1 in 6 Americans say they’ve received these kinds of messages, which are designed to lure fans looking for an edge. 
How it works: Scammers send private messages, emails, or social posts claiming they have insider knowledge or a lock on a game. The goal is usually to get the victim to pay for picks, join a private group, or click a malicious link. 
Red flags: Claims that a bet is guaranteed, pressure to act fast, requests for payment to access picks, and promises that sound risk-free. 

Fake Free Bet Promotion Scam 
Definition: A scam that pretends to offer bonus bets, deposit matches, or free credits through a fake sportsbook promotion. 
How it works: The victim sees what looks like a real sportsbook offer, often through social media, email, or text. Clicking may lead to a fake site that steals login details, payment information, or deposits. 
Red flags: Unfamiliar brand names, unofficial links, urgent sign-up language, and promotions that seem unusually generous. 

Winnings Release Fee Scam 
Definition: A scam where a victim is told they have winnings waiting, but must first pay a fee, deposit, or processing charge to collect them. 
How it works: The scammer claims the user has won money, then invents a reason payment is required before the funds can be released. Once the fee is sent, the payout never arrives. 
Red flags: Requests to pay before receiving winnings, vague “processing” or “verification” fees, and pressure to send money immediately. 

Fake Betting App or Website Scam 
Definition: A scam involving a fraudulent app or website designed to look like a real sportsbook or betting platform. 
How it works: Victims are directed to a fake platform where they may create an account, enter personal information, or deposit money. The site may appear legitimate, but withdrawals are blocked or impossible. 
Red flags: Slightly misspelled URLs, strange app download paths, poor website quality, and platforms that make deposits easy but withdrawals difficult. 

Sportsbook Impersonation Scam 
Definition: A scam in which someone pretends to represent a legitimate betting platform or sportsbook support team. 
How it works: The scammer contacts the victim claiming there is an issue with an account, a bonus, or winnings. They then ask for login credentials, payment details, or personal information. 
Red flags: Requests for passwords, bank details, or identity information; unexpected outreach; and messages pushing you to resolve an “account issue” through a link. 

Fake Insider Tip Scam 
Definition: A scam that uses claims of insider information, fixed games, or special access to make a betting offer sound exclusive and trustworthy. 
How it works: Scammers position themselves as experts, insiders, or connected sources who can help the victim beat the odds. The real goal is usually payment, account access, or enrollment in a scam betting channel. 
Red flags: Claims of fixed outcomes, “insider” knowledge, exclusive access, and offers that rely on secrecy or urgency. 

Celebrity or Influencer Endorsement Scam 
Definition: A betting scam that uses fake or misleading celebrity, athlete, or influencer endorsements to make an offer seem legitimate. 
How it works: Scammers create ads, videos, or posts that appear to feature a public figure recommending a betting platform, app, or tip service. In some cases, AI-generated content makes these endorsements look more convincing. 
Red flags: Endorsements that seem off-brand, videos or graphics that look unnatural, unfamiliar accounts, and promotions tied to fake urgency or suspicious links. 

Private Betting Group Scam 
Definition: A scam that tries to move betting conversations into private channels like WhatsApp, Telegram, or Signal. 
How it works: After initial contact on social media or another public platform, the scammer encourages the victim to join a private group for “exclusive picks,” “VIP bets,” or “premium insights.” These groups are often used to pressure victims into sending money or clicking malicious links. 
Red flags: Pressure to move off-platform quickly, promises of VIP access, requests for payment to join, and little proof that the group is legitimate. 

Who Is Most Likely to Encounter Betting Scams 

McAfee’s research found that Americans under 45 are significantly more likely to encounter betting scams, with 44% saying they’ve experienced one compared with 19% of those over 45. 

Men also report higher exposure, with 40% saying they’ve experienced a betting scam, compared with 25% of women.  

Men and younger adults are also more likely to participate in brackets, fantasy sports, or sportsbook betting, the same spaces where scams often appear. 

Example of a scam March Madness betting opportunity that uses real logos and imagery

AI Is Making Betting Scams Harder to Spot 

Artificial intelligence is beginning to change how scams look and sound. 

About 1 in 5 Americans say they’ve encountered betting scams that appeared more realistic because of AI, and 27% believe they’ve seen AI-generated betting content such as fake promotions, images, or videos.  

Among those who encountered AI-driven scams: 

  • 58% reported AI-generated images or graphics in betting ads 
  • 57% saw AI-written messages that sounded natural or personalized 
  • 45% encountered fake celebrity or influencer endorsements 
  • 36% interacted with chatbots posing as betting experts or support agents  

As these tools improve, scam messages are becoming smoother, more convincing, and harder to distinguish from legitimate promotions. 

Safety checks and what to do: 

  • Be skeptical of “guaranteed wins”: No bet is risk-free. Ignore messages promising sure bets, insider picks, or guaranteed outcomes. 
  • Use only licensed sportsbooks: Stick to official betting apps and well-known sportsbooks. Avoid unfamiliar websites or apps. 
  • Don’t click betting links from unknown messages: If you receive a betting offer via email, text, or social media, go directly to the official site instead of clicking the link. 
  • Never pay fees to unlock winnings: If someone says you must send money to claim winnings or activate a betting account, it’s almost certainly a scam. 
  • Be cautious of private betting groups: Invitations to “VIP betting groups” on apps like Telegram or WhatsApp are often used to promote scam picks or collect payments. 
  • Protect your accounts: Use strong passwords and turn on two-factor authentication wherever possible. Try our free strong password generator. 
  • Use scam detection tools: Tools like McAfee’s Scam Detector can flag suspicious links, websites, and messages before you engage. 

March Madness is meant to be fun: filling out brackets, debating picks with friends, and cheering for the next big upset. Betting can be part of that excitement, but it’s worth remembering that scammers are watching the tournament too. 

A simple rule of thumb can go a long way: if a betting offer promises guaranteed wins, asks for money upfront, or pushes you to act quickly, take a step back and verify it first.  

The safest plays are the ones where you slow down, stick to trusted platforms, and keep your personal information protected. 

This image shows another scam site built around sports betting. It’s important to remember these sports betting scams extend beyond basketball and the U.S. 

If You or Someone You Know Needs Help 

Sports betting can be fun, but for some people it can become difficult to manage. If you or someone you know is struggling with gambling, help is available through the National Problem Gambling Helpline (1-800-MY-RESET), operated by the National Council on Problem Gambling. 

The post 1 in 3 Has Experienced a Betting Scam. What March Madness Fans Should Know appeared first on McAfee Blog.
