John C. isn’t the person you picture getting scammed.
He’s 36. He’s tech-savvy. He’s a mechanical engineer leading a team at a national energy lab in Denver. And he told us his story for one reason: “Scammers will target anyone.”
It began with a phone call from someone claiming to be the IRS. They said John had underpaid his taxes and needed to resolve it quickly. The caller sounded polished and convincing, so convincing that John didn’t stop to question it.
“I thought maybe they sent back too much money [in my refund], and they needed it back,” he said. “I was just so busy and overwhelmed that I never really stopped to think about the situation.”
A follow-up email arrived with IRS logos, clean formatting, and a big payment button. John was trying to move fast between classes as he finished up his PhD, and he wanted to correct the situation as quickly as possible.
“I was like, let me just hurry up and do this, get it over with.”
He clicked. He paid. But later, when he checked his statement, he saw the charge didn’t look like an IRS payment at all. In fact, it was an international charge. The whole thing was a scam.
John said the scammer on the phone had appealed to his emotions and been incredibly convincing.
“It was absolutely masterful,” John said. “I would give him an Oscar for it.
And new McAfee research shows John isn’t alone, with nearly 1 in 4 (23%) US adults surveyed revealing they’ve lost money to a tax scam.
Here’s what our January 2026 survey of 3,008 U.S. adults found:
In addition to our consumer survey findings, McAfee Labs analyzed malicious URLs, apps, texts, and emails in the months leading up to filing season.
The major takeaway: tax scams don’t wait for April.
Scam activity began climbing as early as November and has again continued building steadily into 2026.
Between September 1, 2025, and February 19, 2026, McAfee Labs identified 1,468 malicious or suspicious tax-themed unique domains, an average of 43 new fake tax websites every day.
In early November 2025 alone, the average number of new tax-themed malicious domains nearly doubled in just over a week. After a brief dip in late December, activity resumed climbing into February, a pattern we expect to intensify as the April filing deadline approaches.
Scammers are rapidly creating lookalike IRS domains that mimic official government URLs.
They use small changes, extra letters, added words, subtle misspellings, to trick taxpayers into believing they’re on a legitimate IRS site.
Examples include domains that insert additional text around “irs.gov” or add misleading subdomains designed to pass a quick glance.
These fake portals are used to:
In some cases, these sites don’t just steal, they overcharge.
McAfee Labs observed scam services offering to file for an EIN (Employer Identification Number), something the IRS provides for free, and charging as much as $319 for it.
Example of a scam website we found charging for an EIN.
The official IRS website explicitly warns: you never have to pay a fee to obtain an EIN.
Other scam sites misuse legitimate policy terms, like the “Fresh Start Initiative,” to harvest personal data and enroll victims in aggressive robocall and marketing campaigns.
Tax scams don’t always steal outright. Sometimes they monetize confusion.
Most tax scams aren’t one single message. They’re a sequence, designed to make you panic, click, and comply.
Below is the common playbook, plus the red flags that show up repeatedly.
*Note: Scammers may swap the details like AI voice, fake IRS videos, cloned websites, or impersonating tax software, but the pattern stays familiar.
| Step | What happens | Red flags you’ll see at this step | Red flags that are true every time | What to do instead |
| 1) The hook | You get a call, text, or email claiming there’s a tax issue (refund problem, underpayment, verification needed). | Message arrives out of nowhere, often during busy hours; “final notice” language; spoofed caller ID. | Unexpected contact + urgency. | Don’t engage. Pause. Go directly to IRS.gov or your tax provider’s official site (type it in). |
| 2) The authority move | They lean hard on being “the IRS” or “state tax authority,” sometimes with personal details. | They sound polished; may use AI voice cloning; may cite a “case number.” Fake or meaningless case numbers are very common. | They want you to trust the title, not verify the source. | Ask for written notice and time. Real tax issues can be verified through official channels. |
| 3) The link | They send a link to a “secure portal” or “refund page.” | Lookalike website, subtle misspellings, weird domain, shortened link, email button that says “Pay Now.” | They’re trying to pull you off official channels. | Never click the link. Navigate to the real site yourself. If unsure, delete it. |
| 4) The data grab | The site (or “agent”) asks for SSN, banking info, login credentials, or details from a prior return. | Requests that are broader than needed; “verify identity” prompts; form fields that feel too invasive. | They want sensitive info fast. | Stop. Don’t type anything. If you already did, assume it’s compromised and act quickly (see next section). |
| 5) The payment push | They demand payment to “avoid penalties,” “release your refund,” or “resolve a mistake.” | Gift cards, crypto, wire transfers, payment apps; pressure to pay today; threats. | Urgency + unusual payment method. | The IRS does not demand immediate payment via text/social, and doesn’t require gift cards or crypto. Verify independently. |
| 6) The escalation | If you hesitate, they intensify: threats, “law enforcement,” or AI video/audio that “proves” it’s real. | Deepfake IRS video, intimidating language, “you’ll be arrested,” “your license will be revoked.” | Fear is the product. | Hang up. Save evidence. Talk to a trusted person. Contact official support through verified numbers. |
| 7) The aftermath | You realize it was a scam—often after noticing a strange charge or login activity. | Charges from odd merchants; new accounts; IRS account alerts; failed tax filing due to “duplicate return.” | Shame keeps people quiet—scammers count on that. | Report it and protect your identity right away. You’re not alone, and it’s not your fault. |
Key point: A message can look “official” and still be fake. AI is making scam language smoother and scams more believable. The safest habit is simple: slow down, and verify using official sources you navigate to yourself.
First: take a breath. Scams are designed to trick you, especially when you’re overwhelmed, rushed, or just trying to fix a problem quickly.
John said it plainly: “Don’t be embarrassed. It does happen. It’s common… they will target anyone.”
And he’s right. The most important thing is what you do next.
Take screenshots and save:
If a scammer gets into your email, they can reset passwords for everything else.
Do this today:
Important: If you clicked a suspicious link, downloaded a file, or gave someone remote access to your computer, make sure you use a different, trusted device (like your phone or another computer) to change passwords. Why? If a scammer installed malware or has access to your computer, they may be able to see all of your brand-new passwords as you’re making them.
Tip: A password manager like McAfee’s can help you create strong, unique passwords quickly, without having to memorize them all.
Tax scams often turn into identity theft. Watch for:
If you suspect tax-related identity theft:
McAfee’s Identity Monitoring can help restore your sense of security and privacy online.
Reporting helps you and helps stop the next person from getting hit.
Common reporting options include:
Scammers don’t just use what you give them. They also use what they can look up.
Removing your personal details from risky data broker sites can reduce how easily scammers can target you again. Tools like Personal Data Cleanup can help you identify where your information is exposed and guide removal.
Tax season scams often come in waves, especially if scammers think your info is “good.”
Helpful layers include:
Tax season creates the perfect storm: time pressure, sensitive data, and a lot of official-looking communication.
Our research shows most people are worried, and for good reason. Scammers are getting more convincing, and AI is raising the bar on what “real” looks and sounds like.
“Tell your friends, tell your family,” John said. “Everyone I know at some point has heard this story, and it might just prevent someone from losing… thousands of dollars.”
If you remember just three things this season, make them these:
The post Tax Scams Hit Nearly 1 in 4 Adults. Spot the Red Flags appeared first on McAfee Blog.
This week in scams, we’re looking at three very different stories with the same underlying theme: trust is being exploited at scale.
A massive government contractor data breach has quietly grown to affect more than 25 million people. Meanwhile, a viral AI-generated image of Mary-Kate and Ashley Olsen posing in a fake luxury campaign is spreading across social media, fooling some users and alarming others.
And in a new threat report, OpenAI detailed how its own tools are being misused for dating scams, impersonation, and influence operations.
Let’s break it down.
The fallout from a ransomware attack on Conduent, one of the largest government contractors in the U.S., continues to expand.
According to reporting from TechCrunch, updated state-level breach notifications now indicate that more than 25 million people across the U.S. have had personal data exposed.
Conduent provides services tied to state benefit programs, including food assistance, unemployment systems, and other government payment processing operations. The company has said its services reach over 100 million people.
Data reportedly exposed in the breach includes:
TechCrunch noted that the majority of affected individuals appear to be in Oregon and Texas, based on state breach disclosures. Other states have also reported an impact.
The attack has been described as one of the largest government-contractor-related data breaches in recent memory.
Why this matters: When companies that process government benefits are hit, the exposed data often includes highly sensitive identity information. Social Security numbers combined with medical or insurance details can significantly increase the risk of identity theft and fraud.
If you believe your data may have been exposed:
Breaches like this often lead to secondary scams months later. The breach itself is only phase one. Phishing campaigns usually follow.
A supposed luxury campaign featuring Mary-Kate and Ashley Olsen began circulating widely on X and Facebook this week, racking up millions of views.
The images show the twins styled in what appears to be a high-end fashion shoot, drawing numerous comments over their styling. But social media users quickly pointed out visual irregularities and inconsistencies commonly associated with AI-generated imagery.
A screenshot of one of the AI images making thr rounds across social media.
While this doesn’t fall into our typical “scam” roundup, the normalization of AI-generated visuals that look close enough to real to confuse people are a growing issue that can lead to real confusion and distrust.
We have entered a phase where:
Today it’s a fashion ad. Tomorrow it could be a fake political endorsement, financial announcement, or emergency alert.
The takeaway: If you see a surprising campaign or announcement, verify it through official brand websites or verified accounts before assuming it’s real.
In a newly released threat report, OpenAI outlined several ways its tools have been abused by bad actors.
According to Reuters’ reporting:
A cluster of accounts used ChatGPT to run a dating scam targeting Indonesian men, allegedly defrauding hundreds of victims per month.
Some accounts used the tool to generate promotional copy and ads for a fake dating platform that pressured users into completing costly “tasks.”
Other accounts posed as law firms, impersonating real attorneys and U.S. law enforcement to target fraud victims.
OpenAI also banned accounts linked to activity believed to be part of influence operations, including efforts targeting Japanese political figures.
OpenAI stated that the activity was detected and accounts were removed.
Why this matters: AI tools themselves are not inherently scams. But they dramatically lower the cost and increase the scale of fraud operations. Writing persuasive emails, generating fake legal letters, building scam ads… these now require fewer technical skills than ever before.
The technology doesn’t create the criminal intent. It just accelerates it.
From ransomware breaches to AI-generated impersonations, the pattern is clear: scammers are scaling trust manipulation with technology.
Stay skeptical. Verify before you click. And we’ll be back next week with another breakdown of what’s making headlines, and what it actually means for your security.
Taylor Swift Tops List of Most Deepfaked Celebs
What to Do If You’re Caught Up in a Data Breach
Everything You Need to Know to Keep Your Passwords Secure
The post This Week in Scams: Conduent Data Breach and AI Olsen Twins appeared first on McAfee Blog.
X (formerly Twitter) hacks tend to hit fast.
One minute you’re scrolling like normal. The next, your account is posting crypto promotions, sending spam DMs, or following hundreds of random accounts you’ve never heard of. Sometimes you don’t even notice until a friend asks why you’re suddenly “giving away” gift cards.
If you use X for work, your personal brand, or your business, a takeover can do real damage quickly. And in many cases, the hacker isn’t just trying to cause chaos, they’re trying to use your account to scam your followers while you still look trustworthy.
This guide walks you through exactly what to do if your X account has been hacked: how to spot the warning signs, how to regain access, and what to change immediately so it doesn’t happen again.
If you’re still locked out after trying these steps, X also offers an official support form for hacked or compromised accounts.
X account takeovers don’t always start with a full lockout. Often, the first signs are strange activity you didn’t authorize.
Watch for these red flags:
Unexpected posts: Tweets you didn’t write, especially spam, crypto links, or promotions.
Unusual DMs: Messages sent from your account that you don’t remember sending.
Account behavior changes: Random follows, unfollows, blocks, or profile changes you didn’t approve.
Security notifications: Alerts from X that your account may be compromised.
Account info changed: Notifications that your email, phone number, or password was updated without your permission.
Password suddenly stops working: You’re prompted to reset your password even though you didn’t request it.
If any of these are happening, assume your account is compromised and start recovery steps immediately.
If your X account was hacked, assume your login details may have been stolen.
That means simply getting back into your account isn’t enough, you also need to update the passwords and settings attackers could still use.
Here’s what to change right away:
If you suspect the hack started through malware or phishing, it’s also smart to update passwords for other sensitive accounts tied to your identity, like banking apps, payment apps, or your Apple/Google account.
Using a password manager like McAfee’s can help you create strong, unique passwords for every account, and store them securely in one place.
X offers different recovery options depending on whether you can still log in.
| Step | What to Do | Why It Matters |
| 1. Change your password immediately (if you can still log in) | Go into your X account settings and update your password to something strong and unique. | This is the fastest way to cut off unauthorized access. |
| 2. Reset your password if you’re locked out | Use the “Forgot password” option on the login screen to start account recovery. | This can help you regain access even if the hacker changed your password. |
| 3. Secure your email account | Change your email password and enable 2FA. Make sure only you can access it. | If your email is compromised, the hacker can keep resetting your X account. |
| 4. Reverse suspicious email changes if possible | If you receive an email about an account email change, check for an option to undo it. | This may allow you to regain control before the hacker fully locks you out. |
| 5. Revoke third-party app access | While logged in, review connected apps and remove anything you don’t recognize. | Some takeovers happen through malicious apps, not direct password guessing. |
| 6. Revoke mobile app sessions if needed | If suspicious activity continues, revoke access for X mobile apps from your settings so they’re forced to re-authenticate. | X notes that password changes may not automatically log out mobile sessions. |
| 7. Update your password anywhere it’s saved | If you use trusted apps or services that store your X password, update it there too. | Repeated failed login attempts can temporarily lock your account. |
| 8. Turn on 2FA | Enable two-factor authentication as soon as you regain control. | This adds a strong layer of protection even if your password gets stolen again. |
| 9. Contact X support if you still can’t regain access | Submit X’s hacked/compromised account request form. Include your username and the last date you had access. | If self-recovery fails, support may be able to help restore access. |
If you’re still unable to log in after attempting recovery, visit X’s official hacked account support form for next steps.
Watch for Phishing “X Support” Scams
One of the most common ways X accounts get hacked is through phishing.
Scammers impersonate:
They try to pressure you into clicking a link and logging in on a fake page designed to steal your password.
If you receive a suspicious email or DM, don’t click.
Instead, open X directly in the app or browser and check your account settings from there.
A hacked X account can spread scams quickly, especially if the attacker uses your account to message followers directly.
The most important steps are:
McAfee offers a free antivirus scan that can help you detect malware or suspicious programs that may have compromised your account in the first place.
And if you’re still locked out or something doesn’t look right, use X’s official support request form to report the account as hacked or compromised.
| Q: How do I know if my X account was hacked? A: Common signs include posts or DMs you didn’t send, unusual follows/unfollows, account changes you didn’t authorize, security alerts from X, or a password that suddenly stops working. |
| Q: If I change my password, will the hacker be logged out? A: Changing your password is critical, but some mobile sessions may remain active. X recommends revoking app access in your settings if suspicious activity continues. |
| Q: What should I do if my email address was changed? A: Check your inbox for an email from X about the change. In some cases, you may be able to reverse it using the security link. If you can’t, start account recovery immediately and submit a support request if needed. |
| Q: Should I remove third-party apps after a hack? A: Yes. X notes that malicious or untrusted third-party apps can compromise your account. Remove anything you don’t recognize or no longer use. |
| Q: What if I still can’t log in after resetting my password? A: Submit a hacked account support request through X’s official form. Be sure to include your username and the last date you had access. |
| Q: What’s the biggest mistake people make after their X account gets hacked? A: Only changing their password. If the attacker still has access through connected apps, a compromised email account, or saved sessions, they can regain control quickly. |
The post X (Twitter) Account Hacked: What to Do Right Now appeared first on McAfee Blog.
Instagram hacks don’t always start with a dramatic “you’ve been locked out” moment.
More often, it starts with something small: your followers asking why you just sent them a weird link. Your account suddenly following hundreds of random profiles. A post you didn’t write showing up in your feed. Or an email from Instagram saying your login details were changed.
By the time you realize what’s happening, scammers may already be using your account to impersonate you, message your followers, or promote fake giveaways and crypto scams through your profile.
This guide walks you through exactly what to do if your Instagram account has been hacked: how to spot the warning signs, how to regain access, and what to change immediately so it doesn’t happen again.
And if you’re still having trouble at any stage, be sure to visit Instagram’s official recovery tools for additional support.
Instagram account takeovers don’t always look obvious at first. In many cases, the first signs are subtle changes you didn’t make.
Watch for these red flags:
Password or email changes you didn’t request: You may receive an email saying your account information was updated.
Suspicious login alerts: Notifications about a login attempt, new device, or verification code you didn’t request.
Posts, Stories, or Reels you didn’t publish: Scammers often post crypto promotions, fake giveaways, or sketchy links.
DMs you didn’t send: A common tactic is using your account to message your followers with phishing links.
Your account starts following random accounts: Hackers may use compromised accounts to inflate scam pages or bot networks.
Your profile info has been edited: Name, bio, profile photo, or website links changed without your permission.
If any of these are happening, assume your account is compromised and start recovery steps immediately.
If your Instagram account was hacked, assume your login details may have been stolen.
That means simply getting back into your account isn’t enough, you also need to update the passwords and settings attackers could still use.
Here’s what to change right away:
If you suspect the hack started through malware or a phishing link, it’s also smart to update passwords for other sensitive accounts tied to your identity, like banking apps, payment apps, or your Apple/Google account.
Using a password manager like McAfee’s can help you create strong, unique passwords for every account, and store them securely in one place.
Instagram provides several recovery options depending on what information you still have access to (email, phone number, username, or trusted device).
| Step | What to Do | Why It Matters |
| 1. Visit Instagram’s hacked account recovery page | Use Instagram’s official hacked account recovery flow in your browser or app. | This is often the fastest way to secure your account and start recovery. |
| 2. Check your email for security messages from Instagram | Look for messages about password changes or email changes. If Instagram gives you a link to undo the change, use it immediately. | If a hacker changed your email address, this may be your quickest chance to reverse it. |
| 3. Request a login link | Use “Forgot password?” to request a login link sent to your email or phone number. | This can restore access even if your password was changed. |
| 4. Request a security code or additional support | If login links aren’t working, follow Instagram’s prompts to request further help. Use an email address only you can access. | If the attacker changed your contact info, you may need additional verification steps. |
| 5. Complete identity verification if prompted | Instagram may ask you to verify your identity, including submitting a video selfie if your account contains photos of you. | This helps Instagram confirm you’re the real account owner. |
| 6. Change your password immediately after regaining access | Reset your password to something strong and unique. | This cuts off access and helps prevent repeat takeovers. |
| 7. Remove suspicious linked accounts and apps | Check Accounts Center and remove anything unfamiliar. Revoke access for any third-party apps you don’t trust. | Hackers may leave behind access routes to get back in later. |
| 8. Turn on 2FA and login alerts | Enable two-factor authentication and set alerts for new logins. | This makes it much harder for attackers to regain access. |
If you’re still unable to recover your account, visit Instagram’s official support and recovery tools for additional help.
One of the most common ways Instagram accounts get hacked is through phishing.
Scammers impersonate:
Their goal is to pressure you into clicking a link and entering your password on a fake login page.
If you receive a suspicious email or DM, don’t click.
Instead, open Instagram directly in the app and check your security settings from there.
If you think you entered your login info into a suspicious link, change your password immediately and secure your account right away.
A hacked Instagram account is stressful for a reason: it doesn’t just affect your profile. It affects your followers, your reputation, and your private messages.
The most important steps are:
McAfee offers a free antivirus scan that can help you detect malware or suspicious programs that may have compromised your account in the first place.
And if you’re still locked out or something doesn’t look right, follow Instagram’s official recovery guidance and contact Instagram support directly.
| Q: How do I know if my Instagram account was hacked? A: Common signs include password or email changes you didn’t request, suspicious login alerts, DMs you didn’t send, posts you didn’t publish, or unexpected changes to your profile details. |
| Q: What if my Instagram email address was changed? A: Check your inbox for an email from Instagram about the change. In some cases, Instagram may provide a security link that lets you reverse it. If you can’t undo the change, start the hacked account recovery process as soon as possible. |
| Q: What if I can’t log in at all? A: Use Instagram’s official hacked account recovery tools. Depending on your situation, Instagram may offer login links, security codes, or identity verification options to help you regain access. |
| Q: Should I remove third-party apps after a hack? A: Yes. Some account takeovers happen because an unsafe app was given access. Remove anything you don’t recognize or no longer use. |
| Q: What’s the biggest mistake people make after getting hacked? A: Only changing their Instagram password. If the attacker still has access through your email account, linked accounts, or suspicious third-party apps, they can regain control quickly. |
| Q: Can Instagram ask me to verify my identity? A: Yes. In some cases, Instagram may ask you to confirm ownership through verification steps. This can include submitting additional information or completing a video selfie process. |
The post My Instagram Has Been Hacked – What Do I Do Now? appeared first on McAfee Blog.
Login