Tax season is a headache for many people, and when a shortcut promises to make filing easier, it’s hard to resist. This year, one of the newest trends is using AI chatbots like ChatGPT to help prepare tax returns.

According to new McAfee research, 30% of people say they plan to use an AI tool, such as ChatGPT, to help with their taxes, with younger adults leading the trend. 

At first glance, it makes sense. AI tools can explain confusing tax rules, summarize IRS forms, and answer questions instantly. 

But there’s an important line that should never be crossed: Do not enter your personal tax information into AI chatbots. 

That includes Social Security numbers, income records, home addresses, bank details, or anything else tied to your identity. 

Here’s why: 

Typing Your Tax Info Into a Chatbot Is Like Posting It Online 

Think about it this way: when you type something into an AI chatbot, you’re sending that information over the internet to a system that processes and stores data. 

In practical terms, entering sensitive information into an AI tool is similar to typing it directly into a search engine or submitting it to an online form. 

Once it leaves your device, you lose direct control over where it travels and how it may be stored. 

Even companies with strong security protections are transparent about this risk. 

OpenAI’s privacy documentation explains that they use encryption and strict access controls to protect user data. However, they also note that no internet transmission or digital storage system can be guaranteed completely secure. 

This is true across the internet, not just for AI tools.  

Even Secure Systems Can Experience Breaches 

Security incidents can happen anywhere online, including companies with robust security programs. 

For example, in late 2025, OpenAI disclosed a security incident involving a third-party analytics provider called Mixpanel. The breach occurred within the vendor’s systems, not OpenAI’s infrastructure, but some limited user profile data associated with the platform was exposed. 

According to OpenAI’s disclosure, the data involved information such as: 

• Names associated with accounts 
• Email addresses 
• Approximate location data 
• Browser and device information 

Importantly, chat content, passwords, payment information, and government IDs were not exposed in that incident. 

But the event highlights a broader cybersecurity reality: 

Even when a company takes strong security precautions, third-party services, vendors, and other parts of the digital ecosystem can still introduce risk. 

That’s why cybersecurity experts recommend limiting what personal information you share online whenever possible. 

Why Tax Data Is Especially Dangerous to Share 

Tax information is one of the most valuable targets for cybercriminals. 

If scammers obtain the details commonly found in tax filings, they may be able to: 

• Commit tax refund fraud 
• Open financial accounts in your name 
• Conduct identity theft 
• Launch highly personalized phishing attacks 

Tax returns typically include multiple pieces of highly sensitive data, including: 

• Social Security numbers 
• Home addresses 
• Employer and income information 
• Banking details for refunds 
• Family member information 
• Entering these details into any tool outside of a secure tax platform significantly increases risk. 

Safer Ways to File Your Taxes 

Instead of relying on AI chatbots for filing, stick with trusted tax preparation options designed to securely handle sensitive data: 

• Official tax software platforms 
• Licensed tax professionals 
• IRS-approved free filing services 

These systems are specifically built with compliance, encryption, and identity verification in mind. 

AI tools can be incredibly useful for learning and research. But they are not secure tax filing platforms. 

If you wouldn’t feel comfortable posting your Social Security number publicly online, you shouldn’t paste it into a chatbot either. When it comes to taxes, the safest rule is simple: Use AI for advice, not for your personal data. 

The post Using an AI like ChatGPT to File Your Taxes? Stop and Read This First appeared first on McAfee Blog.

John C. isn’t the person you picture getting scammed. 

He’s 36. He’s tech-savvy. He’s a mechanical engineer leading a team at a national energy lab in Denver. And he told us his story for one reason: “Scammers will target anyone.” 

It began with a phone call from someone claiming to be the IRS. They said John had underpaid his taxes and needed to resolve it quickly. The caller sounded polished and convincing, so convincing that John didn’t stop to question it. 

“I thought maybe they sent back too much money [in my refund], and they needed it back,” he said. “I was just so busy and overwhelmed that I never really stopped to think about the situation.” 

A follow-up email arrived with IRS logos, clean formatting, and a big payment button. John was trying to move fast between classes as he finished up his PhD, and he wanted to correct the situation as quickly as possible. 

“I was like, let me just hurry up and do this, get it over with.” 

He clicked. He paid. But later, when he checked his statement, he saw the charge didn’t look like an IRS payment at all. In fact, it was an international charge. The whole thing was a scam. 

John said the scammer on the phone had appealed to his emotions and been incredibly convincing.  

“It was absolutely masterful,” John said. “I would give him an Oscar for it. 

And new McAfee research shows John isn’t alone, with nearly 1 in 4 (23%) US adults surveyed revealing they’ve lost money to a tax scam.  

Key findings from McAfee’s 2026 Tax Season Survey 

Here’s what our January 2026 survey of 3,008 U.S. adults found: 

The big picture: lots of worry, not enough confidence 

• 82% of Americans say they’re concerned about tax fraud this season. 
• 67% say they’re seeing the same or more tax scam messages than last year. 
• 40% say tax scam messages are more sophisticated than last year. 
• 84% are concerned about AI making tax scams more realistic. 
• Only 29% say they’re very confident they could spot a deepfake tax scam. 

How often scams are reaching people 

• 34% say they’ve been contacted by someone claiming to be the IRS or another tax authority (phone, text, or email). 
• 38% say they’ve been asked to click a link or send payment related to a “tax issue.” 
• Common asks include SSNs (15%), birth dates (11%), addresses (10%), “you owe back taxes” pressure (9%), and banking details (8%). 

Who is getting hit hardest 

• Nearly 1 in 4 Americans (23%) say they’ve fallen for a tax scam. 
• Young adults report the highest exposure: 42% of 18–24-year-olds say they’ve fallen for at least one tax scam. 
• 11% of Americans report tax-related identity theft, rising to 17% among ages 25–34. 

The money is real 

• Among people who say they’ve fallen for a tax scam, the average loss is $1,020. 
• Separately, nearly 1 in 5 Americans say they’ve lost money to a tax scam. 

Tax filing is increasingly digital (and that changes the risk) 

• 55% say they file taxes online (software or IRS Free File). 
• 75% say they receive refunds or pay taxes electronically (direct deposit, cards, apps, EFTPS, etc.). 
• 30% say they plan to use an AI tool (like ChatGPT) to help prepare taxes, especially younger adults. This is highly dangerous, even with platform security protections. For example, if an AI tool were compromised in a data breach, user messages with personal tax information (like social security numbers, home address, and more) could be made public.  

Tax Scams Now Hit Year-Round, McAfee Labs Finds 

In addition to our consumer survey findings, McAfee Labs analyzed malicious URLs, apps, texts, and emails in the months leading up to filing season. 

The major takeaway: tax scams don’t wait for April. 

Scam activity began climbing as early as November and has again continued building steadily into 2026. 

Between September 1, 2025, and February 19, 2026, McAfee Labs identified 1,468 malicious or suspicious tax-themed unique domains, an average of 43 new fake tax websites every day. 

In early November 2025 alone, the average number of new tax-themed malicious domains nearly doubled in just over a week. After a brief dip in late December, activity resumed climbing into February, a pattern we expect to intensify as the April filing deadline approaches. 

 

Fake IRS Websites Are A Major Threat 

Scammers are rapidly creating lookalike IRS domains that mimic official government URLs.  

They use small changes, extra letters, added words, subtle misspellings, to trick taxpayers into believing they’re on a legitimate IRS site. 

Examples include domains that insert additional text around “irs.gov” or add misleading subdomains designed to pass a quick glance. 

These fake portals are used to: 

• Steal login credentials 
• Harvest Social Security numbers and tax IDs 
• Capture payment details 
• Charge bogus “processing fees” 

In some cases, these sites don’t just steal, they overcharge. 

McAfee Labs observed scam services offering to file for an EIN (Employer Identification Number), something the IRS provides for free, and charging as much as $319 for it. 

Example of a scam website we found charging for an EIN. 

The official IRS website explicitly warns: you never have to pay a fee to obtain an EIN. 

Other scam sites misuse legitimate policy terms, like the “Fresh Start Initiative,” to harvest personal data and enroll victims in aggressive robocall and marketing campaigns. 

Tax scams don’t always steal outright. Sometimes they monetize confusion. 

How a Typical Tax Scam Unfolds 

Most tax scams aren’t one single message. They’re a sequence, designed to make you panic, click, and comply. 

Below is the common playbook, plus the red flags that show up repeatedly. 

*Note: Scammers may swap the details like AI voice, fake IRS videos, cloned websites, or impersonating tax software, but the pattern stays familiar. 

Step	What happens	Red flags you’ll see at this step	Red flags that are true every time	What to do instead
1) The hook	You get a call, text, or email claiming there’s a tax issue (refund problem, underpayment, verification needed).	Message arrives out of nowhere, often during busy hours; “final notice” language; spoofed caller ID.	Unexpected contact + urgency.	Don’t engage. Pause. Go directly to IRS.gov or your tax provider’s official site (type it in).
2) The authority move	They lean hard on being “the IRS” or “state tax authority,” sometimes with personal details.	They sound polished; may use AI voice cloning; may cite a “case number.” Fake or meaningless case numbers are very common.	They want you to trust the title, not verify the source.	Ask for written notice and time. Real tax issues can be verified through official channels.
3) The link	They send a link to a “secure portal” or “refund page.”	Lookalike website, subtle misspellings, weird domain, shortened link, email button that says “Pay Now.”	They’re trying to pull you off official channels.	Never click the link. Navigate to the real site yourself. If unsure, delete it.
4) The data grab	The site (or “agent”) asks for SSN, banking info, login credentials, or details from a prior return.	Requests that are broader than needed; “verify identity” prompts; form fields that feel too invasive.	They want sensitive info fast.	Stop. Don’t type anything. If you already did, assume it’s compromised and act quickly (see next section).
5) The payment push	They demand payment to “avoid penalties,” “release your refund,” or “resolve a mistake.”	Gift cards, crypto, wire transfers, payment apps; pressure to pay today; threats.	Urgency + unusual payment method.	The IRS does not demand immediate payment via text/social, and doesn’t require gift cards or crypto. Verify independently.
6) The escalation	If you hesitate, they intensify: threats, “law enforcement,” or AI video/audio that “proves” it’s real.	Deepfake IRS video, intimidating language, “you’ll be arrested,” “your license will be revoked.”	Fear is the product.	Hang up. Save evidence. Talk to a trusted person. Contact official support through verified numbers.
7) The aftermath	You realize it was a scam—often after noticing a strange charge or login activity.	Charges from odd merchants; new accounts; IRS account alerts; failed tax filing due to “duplicate return.”	Shame keeps people quiet—scammers count on that.	Report it and protect your identity right away. You’re not alone, and it’s not your fault.

Key point: A message can look “official” and still be fake. AI is making scam language smoother and scams more believable. The safest habit is simple: slow down, and verify using official sources you navigate to yourself. 

What to do if you’ve been involved in a tax scam 

First: take a breath. Scams are designed to trick you, especially when you’re overwhelmed, rushed, or just trying to fix a problem quickly. 

John said it plainly: “Don’t be embarrassed. It does happen. It’s common… they will target anyone.” 

And he’s right. The most important thing is what you do next. 

1) Stop the bleeding: cut off contact 

• Stop replying 
• Don’t click anything else 
• Don’t send more information or money 

2) Capture proof (before it disappears) 

Take screenshots and save: 

• Phone numbers, email addresses, usernames 
• The message content 
• Links (don’t click them, just copy) 
• Payment receipts and transaction IDs 

3) Lock down your accounts (especially email) 

If a scammer gets into your email, they can reset passwords for everything else. 

Do this today: 

• Change your email password first, then banking/tax accounts 
• Turn on two-factor authentication (2FA) 
• If you reused passwords anywhere, change those too 

Important: If you clicked a suspicious link, downloaded a file, or gave someone remote access to your computer, make sure you use a different, trusted device (like your phone or another computer) to change passwords. Why? If a scammer installed malware or has access to your computer, they may be able to see all of your brand-new passwords as you’re making them. 

Tip: A password manager like McAfee’s can help you create strong, unique passwords quickly, without having to memorize them all. 

4) Check for identity theft signals 

Tax scams often turn into identity theft. Watch for: 

• IRS notices about a return you didn’t file 
• Trouble e-filing because a return was already submitted 
• Alerts about a new IRS online account you didn’t create 

If you suspect tax-related identity theft: 

• Consider filing an IRS identity theft report (commonly done with IRS Form 14039, Identity Theft Affidavit). 
• Create or log into your IRS account periodically to review account activity (John now does this every few months). 

McAfee’s Identity Monitoring can help restore your sense of security and privacy online.  

5) Report it (even if you feel weird about it) 

Reporting helps you and helps stop the next person from getting hit. 

Common reporting options include: 

• FTC report: Report scams and identity theft at the FTC’s reporting site. 
• IRS phishing email: If you received a scam email posing as the IRS, you can forward it to phishing@irs.gov. 
• Your bank or card provider: If you paid, contact them immediately. Even if recovery isn’t guaranteed, speed matters. 

6) Clean up your digital footprint 

Scammers don’t just use what you give them. They also use what they can look up. 

Removing your personal details from risky data broker sites can reduce how easily scammers can target you again. Tools like Personal Data Cleanup can help you identify where your information is exposed and guide removal. 

7) Add protection for the next attempt 

Tax season scams often come in waves, especially if scammers think your info is “good.” 

Helpful layers include: 

• Web protection to warn you about risky links and lookalike sites before you enter info – get our free WebAdvisor download here 
• Scam detection that can flag suspicious messages 
• Identity monitoring to alert you if key personal info shows up in risky places 
• Run a free antivirus scan to check your device for malware or unwanted programs (especially if you clicked a link or downloaded anything) 

The key takeaway 

Tax season creates the perfect storm: time pressure, sensitive data, and a lot of official-looking communication. 

Our research shows most people are worried, and for good reason. Scammers are getting more convincing, and AI is raising the bar on what “real” looks and sounds like. 

“Tell your friends, tell your family,” John said. “Everyone I know at some point has heard this story, and it might just prevent someone from losing… thousands of dollars.” 

If you remember just three things this season, make them these: 

1. Pause before you click. 
2. Verify through official channels you navigate to yourself. 
3. If something happens, act quickly, and don’t blame yourself. 

The post Tax Scams Hit Nearly 1 in 4 Adults. Spot the Red Flags appeared first on McAfee Blog.

AI is supposed to make the internet easier. But right now, it’s also making scams easier. 

Every week, we round up the biggest scam and cybersecurity stories of the moment so you can recognize red flags, protect your accounts, and avoid the most common traps scammers are using. 

This week in scams, we’re talking AI-powered search scams, a major fintech data breach, and an unexpected ticket fraud scheme that allegedly cost the Louvre millions. 

Let’s jump in: 

Google AI Overviews Are Being Used to Scam People Out of Money 

Google Search doesn’t just show links anymore. Now, it often shows AI-generated summaries at the top of the page called AI Overviews, quick answers designed to save you time. 

But according to reporting from WIRED, scammers are finding ways to exploit these AI summaries by planting fake customer support phone numbers into search results. 

Here’s how the scam works: Someone searches for a bank, airline, or service provider, usually something like “Company name customer support number.” Then Google’s AI Overview pulls a phone number from somewhere online and displays it as if it’s legitimate. 

The problem? Sometimes that number doesn’t connect you to the company at all. 

Instead, it connects you to a scammer impersonating customer service, someone trained to sound helpful, calm, and official, while quietly steering you toward sharing payment information, account details, or verification codes. 

This isn’t just misinformation. It’s a direct path into fraud. 

Google told WIRED it’s working to strengthen anti-spam protections in AI Overviews, but also recommends users double-check customer support numbers through additional searches. 

Key red flags to watch for 

• The AI Overview provides a phone number without clearly showing where it came from 
• The “support agent” asks for payment information immediately 
• The person asks for your login credentials, bank info, or verification codes 
• The caller pressures you to act quickly (“your account will be frozen”) 
• The number doesn’t match what’s listed on the company’s official website 

How to protect yourself 

If you’re looking for a customer support number, don’t rely on an AI summary. 

• Go directly to the company’s official website and find their contact page 
• Verify the phone number through multiple sources 
• If the person on the phone asks for passwords or MFA codes, hang up immediately 
• Treat any urgency or threats (“you must act now”) as a scam signal 

The big lesson: AI can summarize the internet, but it can’t always verify the truth. 

Data Breach Watch: Fintech Firm Figure Exposes Nearly 1 Million Accounts 

If you’ve applied for a loan, worked with a fintech service, or interacted with a home equity platform recently, this one is worth paying attention to. 

According to BleepingComputer, fintech company Figure Technology Solutions was breached in a social engineering attack, with hackers reportedly stealing personal data tied to nearly 967,200 accounts. 

The exposed data reportedly included names, email addresses, phone numbers, physical addresses, and dates of birth. And that’s exactly what scammers use to build believable impersonation attempts. 

Why this matters 

Even if you’ve never heard of Figure, data breaches like this can ripple outward fast. Once scammers have your email, phone number, and date of birth, they can launch more convincing scams like: 

• Fake “account verification” calls 
• Fraudulent loan or credit applications 
• Phishing emails pretending to be financial institutions 
• Identity theft attempts using your personal details 

And because this breach was reportedly caused by social engineering, it’s also a reminder that the weakest link in security isn’t always technology, it’s human trust. 

Key red flags to watch for after a breach 

• Calls claiming your loan account needs immediate verification 
• Emails asking you to “confirm your identity” using a link 
• Messages that include personal details to sound legitimate 
• Fake financial support agents asking for payment or login credentials

What to do right now 

• Change passwords (especially if you reuse them across accounts) 
• Turn on multi-factor authentication where possible 
• Monitor your credit report for unusual activity 
• Be skeptical of unexpected financial messages, even if they seem personalized 

After breaches like this, scammers often wait weeks or months before striking, because they know people stop paying attention.  

A Scam at the Louvre Allegedly Cost $12 Million 

Not every scam story is about malware or phishing links. Some are about old-fashioned fraud, executed at a scale that feels almost unbelievable. 

According to reporting from The New York Times, French investigators uncovered a ticket fraud scheme that may have cost the Louvre in Paris nearly $12 million over a decade. 

Officials say the suspected scam involved tour guides allegedly reusing tickets multiple times, bribes paid to museum employees, and tourist groups being split up to avoid additional fees. 

Last week, police reportedly arrested nine people in the case, including two museum employees. 

Investigators also believe similar fraud may have taken place at Versailles. 

The Takeaway

This wasn’t a one-time trick. Investigators believe the network may have been running for years, allegedly bringing in multiple tour groups per day. 

It’s a reminder that scammers don’t always need to “hack” a system. 

Sometimes, they just find a weak point, then repeat it until it becomes a business model. 

The bottom line: the Louvre story is dramatic, but the lesson is familiar. Scams thrive anywhere oversight is stretched thin, systems are overwhelmed, and people assume someone else is double-checking. 

Whether it’s a museum ticket scanner or an AI-generated search result, scammers will always look for the fastest path through the cracks. 

McAfee’s Safety Tips for This Week 

This week’s scam pattern is all about one theme: trust shortcuts. 

AI summaries that feel official. Phone numbers that look real. Support agents who sound convincing. Breach data that makes phishing more believable. 

The best defense is slowing down and verifying before you act. 

Here are the smartest moves to make right now: 

Don’t trust AI Overviews (or search snippets) for customer support phone numbers. Always verify through the company’s official website. 

Treat “customer service” calls with caution, especially if they ask for payment info, passwords, or MFA codes. 

Never share verification codes, even if someone claims they’re just “confirming your identity.” 

Watch for phishing attempts after major breaches. Scammers often use stolen data to make messages feel personal and urgent. 

Be suspicious of pressure tactics like “your account will be frozen” or “you must act immediately.” 

If you think your personal data may be exposed, monitor your credit and update your passwords now, not later. 

Use tools like McAfee Web Protection to avoid dangerous links, bad downloads, malicious websites, and more. 

We’ll be back next week with another roundup of the scams making headlines, and what you can do to stay ahead of them. 

The post This Week in Scams: AI Search Traps, a Fintech Breach, and a $12M Louvre Hustle appeared first on McAfee Blog.

It usually starts with a small, uneasy moment. A notification you don’t recognize. A login code you didn’t request. A friend texting to ask why you just posted something… weird. 

If you’re staring at your phone wondering whether your TikTok account was hacked, you’re not alone, and you’re not being paranoid.  

Account takeovers often don’t look dramatic at first. They show up as subtle changes: a password that suddenly doesn’t work, a new device logged in overnight, or settings you swear you never touched. 

This guide walks you through exactly what to do if your TikTok account has been compromised: how to spot the warning signs, how to recover access if you’re locked out, and how to lock down active sessions so it doesn’t happen again.  

Signs Your TikTok Account May Be Compromised 

When someone else gets into your account, things usually start behaving in ways that don’t feel like you. Pay attention to changes like these: 

Profile or settings changes you didn’t make
Your display name, bio, password, linked email, phone number, or privacy settings look different, even though you never touched them. 

Content or activity you don’t recognize
Videos you didn’t post. Comments or DMs you didn’t send. New follows or likes that don’t match how you use the app. 

Login alerts that come out of nowhere
Notifications about a new device, verification codes you didn’t request, or emails confirming changes you didn’t initiate. 

Other warning signs include being locked out of your usual login method, missing recovery options, or friends telling you your account is sending strange messages. 

How to Regain Access to Your TikTok Account 

Speed matters here. The longer someone has access, the more they can change, or use your account to scam others. 

If you can still log in 

Secure the account immediately. 

1. Change your password: Use the “Forgot password?” option if needed and choose a strong, unique password you haven’t used anywhere else. 
2. Check your account details: Confirm the email address and phone number are yours. Remove anything you don’t recognize. 
3. Look for unfamiliar devices or sessions: You’ll deal with this more thoroughly below, but flag anything that looks off. 

If you’re locked out 

Start TikTok’s recovery process right away. 

1. On the login screen, tap “Report a problem” or visit the Help Center. 
2. Be ready to prove ownership. That usually includes: 
3. Your username 
4. A previous email or phone number linked to the account 
5. Devices you’ve used to log in before 
6. Screenshots of changes, if you have them 

TikTok uses this information to verify that the account is yours and roll back unauthorized changes. 

Secure your email and phone, too 

This step is critical and often overlooked. 

• Change the password on the email account linked to TikTok.  If someone controls your email, they can keep resetting your social accounts. 
• Confirm your phone number is correct and remove any unfamiliar contact info. 

Once you regain access, clean up anything the attacker touched, delete suspicious posts, undo profile changes, and revoke access for any apps you don’t recognize. 

Figure 1: How to remove TikTok logins from other devices. 

Lock Down Sessions and Strengthen Your TikTok Security 

Getting back in is only half the job. The next step is making sure whoever got in can’t come back. 

Turn on two-step verification 

In Settings & Privacy, enable two-factor verification (2FA) and choose your preferred method. An authenticator app offers the strongest protection, but SMS or email is still far better than nothing. 

Review active sessions and devices 

Head to Security and look for Manage devices or Active sessions. 

• Remove any devices you don’t recognize. 
• If available, use “Log out of all devices” to force everyone, including an attacker, out at once. 

Revoke third-party app access 

Check which apps or tools are connected to your TikTok account and remove anything you don’t use or trust. 

Use a strong, unique password 

• Aim for 12+ characters with a mix of letters, numbers, and symbols. 
• Never reuse passwords from other sites. 
• A reputable password manager like McAfee’s can help generate and store secure passwords. 

Keep your app and phone updated 

Updates often include security fixes. Running outdated software makes it easier for attackers to exploit known issues. 

Be cautious with links and messages 

Unexpected DMs, “copyright warnings,” fake verification notices, or links asking you to log in again are common hacker tactics. When in doubt, don’t click, open the app directly instead. 

 

Figure 2: Where in “Security & permissions” to find security updates and 2FA. 

How to Report an Impersonation Account on TikTok 

Discovering a fake account that’s using your name, photos, or videos can feel like a second violation on top of having your account hacked.  

Luckily, TikTok has a way to flag these imposters, both from inside the app and, in some regions, through an official web form. 

1. Open the impostor’s profile: Head to the account that’s pretending to be you. 
2. Tap the share icon: On mobile, this is usually the arrow at  the top of the profile. 
3. Select “Report”: Choose the option to report the account. 
4. Choose “Report account” → “Pretending to Be Someone”: That’s TikTok’s way of flagging impersonation specifically. 
5. Indicate who is being impersonated: Select Me if it’s your identity, or Celebrity/Another person if it’s someone else. Then submit.  

Figure 3: A screenshot showing where in TikTok you report fake profiles. 

If you’re in the U.S. and the fake profile is doing real damage, for example, scamming your followers or using official business assets, TikTok also offers a dedicated impersonation report form online: 

• Choose whether you’re reporting or appealing an impersonation. 
• Enter your email and country. 
• Upload valid ID or other proof that you’re who you say you are. 
• Confirm the statements and submit the form.  

For accounts outside the U.S., the public Help Center form lets you select Report a potential violation → Account violation → Impersonation and walk through similar steps.

 

Frequently Asked Questions 

Q: How do I lock down sessions on TikTok? A: Go to Settings & Privacy → Security, then open Manage devices or Active sessions. Remove unfamiliar devices, log out of all sessions if possible, change your password, and enable two-step verification.

Q: Can I recover my account if the email and phone number were changed? A: Yes. Start an account recovery request through TikTok support and provide proof of ownership, including previous contact details and device information.

Q: What if I keep getting verification codes I didn’t request? A: That’s a sign someone is trying to get in. Change your password immediately, enable two-step verification, and review active sessions. If it continues, contact TikTok support

Q: Should I warn my followers? A: If your account posted or messaged others without your permission, yes. Let people know your account was compromised so they don’t engage with scam links or requests.

 

The post Was My TikTok Hacked? How to Get Back Into Your Account and Lock Down Sessions appeared first on McAfee Blog.

As Harry Styles concert tickets go on sale for his first tour in years, cybersecurity experts warn that the same excitement driving ticket registrations and social chatter will also drive a spike in ticket scams across social media, email, and text messages. 

“When demand spikes around a major tour, ticket scams spike too,” said Abhishek Karnik, Head of Threat Research at McAfee. “We saw this during recent major ticket releases, including the Oasis reunion, when McAfee Labs identified more than 2,000 suspicious ticket listings online.” 

“Scammers take advantage of the urgency fans already feel, and the fear of missing out, inserting themselves into social posts, DMs, and text threads with offers that sound normal and believable,” Karnik added.

“Avoid interacting with unknown sellers, especially when offers are made over social media,” Karnik said. “Payments made via wire transfers, cryptocurrency, gift cards, or peer-to-peer platforms like Venmo or Zelle are often not recoverable, which is why it’s safer to buy directly from official ticketing sites or well known resale platforms.”

Where, When, and How to Get Harry Styles Tickets 

Styles announced Together, Together on January 22, marking his first tour since 2023. 

The residency-style run spans seven cities worldwide: Amsterdam, London, São Paulo, Mexico City, New York, Melbourne, and Sydney. Shows begin in May and continue through December. 

New York City is the only North American stop, making competition for tickets especially intense for U.S. fans. In fact, a record-breaking 11.5 million people have already registered for ticket information to attend the Madison Square Garden stop alone. For context, the capacity for that venue is just 19,500 people.  

According to The Hollywood Reporter, that means just 5% of people who signed up for U.S. tickets will be able to buy them when they go on sale this week.  

American Express access presale ticket sales are already live, and Ticketmaster is the primary platform handling official sales.  

The rest of the Together, Together tour tickets will be released in two stages:  

1. General on sale for NYC dates August 26 – October 9 begins on Friday, January 30.  
2. General on sale for October 10 – 31 begins Wednesday, February 4. 

That staggered release schedule matters. Multiple on-sale moments mean repeated waves of urgency, which scammers often mirror with fake “last chance” messages, counterfeit presale links, or impersonations of ticketing platforms and customer support. 

What do Harry Styles tickets cost right now 

Ticket prices range widely by seat location and package, with outlets reporting lower prices starting in the $100 range. However, premium seats climb past $1,000. According to Forbes, the average ticket price of his 2022 tour was $113. 

That context matters, because it helps fans recognize the biggest red flag in ticket fraud: a too-good-to-be-true price.  

If you are seeing “floor seats for $50” while reputable platforms are showing far higher prices for comparable sections, that is not a deal. It is a hook for a scammer. 

How ticket scams work 

Ticket scams rarely start with “Buy my fake ticket.” They start with the conditions that make people easy to rush: too much noise, too many messages, and too little time to verify what’s real. 

McAfee’s State of the Scamiverse survey of 7,500 consumers found people now receive 14 scam messages per day on average, and spend a “time tax” of 114 hours a year sorting real from fake. In that environment, criminals don’t need you to be careless. They just need you to be busy. And major ticket drops create the perfect opening: high demand, fast-moving queues, and price shock that makes a “good deal” feel like something you have to grab immediately. 

What’s changed is that scams don’t even need a link anymore. The report found more than 1 in 4 people (26%) say suspicious social messages now arrive without a URL, and 44% admit they reply to those linkless DMs anyway, often triggering the next step of the scam. That’s the blueprint behind many ticket scams today: a believable message, a quick pivot to payment, and pressure to move fast before you can verify. 

Below are among the most common ticket-scam patterns to watch for, and exactly how they play out. 

Ticket fraud 

Ticket fraud is when someone advertises tickets, takes payment, and delivers nothing, or delivers tickets that do not work at the door. This includes fake screenshots, fake confirmation emails, and counterfeit QR codes. 

How it plays out: 

• A seller claims they “cannot make the show.” 
• They ask you to pay quickly to “hold” the tickets. 
• They send a screenshot of a ticket or order email. 
• The tickets never arrive, or the QR code fails when scanned. 

Resale duplication scams 

A resale duplication scam happens when the scammer sells the same ticket to multiple buyers. Sometimes the scammer has one legitimate ticket and sells it repeatedly. Sometimes they have none and simply reuse the same screenshot. 

How it plays out: 

• You receive something that looks real. 
• Multiple people show up with the same ticket. 
• Only the first scan gets in. 

Phishing scams 

A phishing scam is a message designed to trick you into clicking a link or sharing personal information. Ticket phishing often pretends to be from Ticketmaster, a venue, a presale program, or customer support. 

How it plays out: 

• “Your tickets are on hold, confirm within 10 minutes.” 
• “Unusual activity detected. Verify your account.” 
• “Your payment failed. Update billing.” 

Modern phishing messages can look polished and grammatically clean, which is why relying on spelling errors is no longer a reliable defense. 

Cloned ticket websites 

A cloned ticket website is a fake site made to look like a legitimate seller. These sites are built to capture your payment info, personal data, or both. 

How it plays out: 

• You click an ad or link from social media. 
• The site looks legitimate, but the URL is slightly off. 
• You “buy” tickets and either receive nothing or later see fraud on your card. 

Ticket transfer and account takeover scams 

A ticket transfer scam exploits the fact that many tickets are digital and transferable. A related risk is account takeover, where scammers steal your ticketing login and transfer tickets out of your account. 

How it plays out: 

• You get a message claiming your account needs verification. 
• You enter credentials on a fake page. 
• The attacker logs in and transfers tickets away. 

Fake customer support scams 

A fake customer support scam is when scammers pose as a company’s help desk, often after you post publicly that you need help. 

How it plays out: 

• You tweet, post, or comment about ticket issues. 
• An “agent” messages you first. 
• They ask for login details, a code, or payment to “unlock” tickets. 

A true scam story: Henry’s last-minute ticket scam 

Henry A. had been trying for weeks to score a ticket to see Tyler, the Creator in Dallas. Even without a confirmed seat, he headed to the venue hoping for a miracle. And that’s when the message came in, someone nearby claimed to have extra tickets.  

The seller said he was just outside too. The price? Reasonable enough. The tone? Casual and confident. All Henry had to do was send half the money to hold the tickets.  

Minutes later, he sent the full $280.  

“I was already in line—excited, hopeful, and just trying to get in. That made me an easy target.”  

The seller began stalling. Then came a screenshot—another buyer offering a higher price. He pressured Henry to pay more. When Henry refused, the seller blocked him. 

Just like that, the tickets were gone. So was the money. And Henry and his friend never made it into the show.  

“I sent $280 and got blocked. We never made it inside.”  

What makes Henry’s experience so common is not the platform. It is the pattern: 

• A believable story 
• A “reasonable” price 
• A fast-moving negotiation 
• A sudden change in terms 
• Pressure, then disappearance 

How to spot a ticket scam fast 

Use these red flags as a reality filter: 

Red Flag	What It Looks Like in Real Life
Price mismatch	Tickets priced far below or far above comparable listings on official or verified resale platforms.
Urgency tactics	Messages pushing “last chance,” “only today,” or claiming someone else is about to buy.
Unprotected payment requests	Asking for wire transfers, cryptocurrency, gift cards, or peer-to-peer payments to strangers.
Off-platform pressure	Requests to move the transaction to text, DMs, or email instead of using an official site.
Refusal to verify tickets	Sellers unwilling to use a verified resale platform or provide proof that can be independently confirmed.
Suspicious links	Shortened URLs, unusual domains, or ticket links sent through direct messages.

Safer ways to buy tickets 

If you want the simplest rule: buy through official ticketing and verified resale platforms that offer buyer protection. Scammers can create fake accounts anywhere, but they cannot easily bypass legitimate purchase protections. 

Practical steps: 

1. Go direct: Type the official ticketing URL into your browser, do not follow random links. 
2. Use protected payment: Credit cards generally offer stronger dispute options than unprotected transfers. 
3. Avoid risky payment demands: Crypto, gift cards, and wires are common in fraud because they are hard to reverse. 
4. Secure your accounts: Use strong passwords and enable two-factor authentication where available. 
5. Pause before paying: Scammers depend on emotional momentum. 

How Scam Detector can help 

Tools like McAfee’s Scam Detector can act as a second set of eyes when messages or links are designed to rush you.  

Scam detection can help flag suspicious language patterns, risky links, and social engineering tactics before money leaves your account. 

The post Buying Harry Styles Tickets? Avoid These Common Ticket Scams appeared first on McAfee Blog.

If you recently received an unexpected email from Instagram asking you to reset your password, you are not alone. Over the past several days, thousands of users reported receiving legitimate password reset emails they did not request. 

The sudden wave of messages led to widespread confusion and concern about whether Instagram had suffered a data breach. Instagram and its parent company Meta deny that a breach occurred, stating instead that they fixed an issue that allowed an external party to trigger password reset emails for some users. 

While the exact source of the activity remains disputed, the situation highlights a broader and more important issue. Password reset emails, even when legitimate, are often the first signal users get that their information may be exposed, reused, or being targeted by attackers. 

Here is what we know so far and what this incident reveals about how password compromises really happen. 

Was Instagram Hacked? 

Instagram says no. 

In statements reported by the BBC and BleepingComputer, Meta said it resolved a problem that allowed an external party to request password reset emails on behalf of users. The company maintains there was no breach of its systems and that accounts remain secure. 

At the same time, cybersecurity researchers and firms, including Malwarebytes, have warned about a dataset circulating on hacking forums that allegedly contains information linked to more than 17 million Instagram accounts. According to reporting, that data may include usernames, email addresses, phone numbers, locations, and account IDs, but not passwords. 

Some researchers believe the dataset may be a compilation of older scraped data rather than evidence of a new breach. Others say the timing of the password reset emails and the appearance of the data raises unresolved questions. 

What matters for users is this: regardless of whether this was a new breach, old scraped data, or a technical abuse of password reset systems, attackers routinely use exposed personal information to launch phishing, account takeover attempts, and social engineering attacks. 

What Counts as a Data Breach and What Does Not 

A true data breach occurs when attackers gain unauthorized access to internal systems and steal protected data such as passwords, financial information, or private communications. 

In many cases, personal data is also exposed through: 

• API scraping of publicly accessible information 
• Older leaks that are resold or repackaged 
• Credential stuffing using passwords stolen from unrelated sites 
• Abuse of account recovery or password reset features 

That distinction matters because even when passwords are not leaked, exposed personal data can still be weaponized. Names, emails, phone numbers, and locations are often enough for scammers to craft convincing phishing messages that appear legitimate. 

Why You Might Receive a Password Reset Email You Did Not Request 

There are several common reasons this happens, and none of them require your Instagram password to be stolen. 

• Someone may be testing whether your email address is linked to an account. 
• Attackers may be attempting credential stuffing using passwords from past breaches. 
• Your information may appear in older datasets that are being reused or resold. 
• A platform bug or abuse of recovery systems may trigger reset emails at scale. 

Scammers often use these moments to send fake follow-up emails that look nearly identical to legitimate ones. That is why security experts consistently recommend going directly to the app or official website rather than clicking links in unexpected messages. 

What to Do If You Received an Instagram Password Reset Email 

If you did not request the reset:  

1. Do not click links in the email. 
2. Open the Instagram app or visit the official site directly to review security settings.  
3. Check recent login activity and remove any unfamiliar sessions. 
4. Enable two-factor authentication (2FA) if it is not already turned on. 

If you decide to change your password, make sure the new one is unique and not used anywhere else. 

Click “Review Settings” to enable 2FA in your Account Center

How to enable multi-factor authentication for Instagram 

1. Click More in the bottom left, then click Settings. 
2. Click See more in Accounts Center, then click Password and Security. 
3. Click Two-factor (2FA) authentication, then select an account. 
4. Choose the security method you want to add and follow the on-screen instructions. 

When you set up two-factor authentication on Instagram, you’ll be asked to choose one of three security methods: an authentication app, text message, or WhatsApp. 

And here’s a link to the company’s full walkthrough: https://help.instagram.com/566810106808145 

How to Manage Passwords the Right Way 

Remembering dozens of unique, strong passwords is not realistic for most people. That is why password managers exist. 

A password manager can: 

• Generate strong, unique passwords for every account 
• Store them securely so you do not need to remember them 
• Alert you if your credentials appear in known breaches 
• Reduce the risk of account takeover from reused passwords 

Using a password manager removes the pressure to reuse passwords and helps close one of the most common doors attackers walk through.  

McAfee’s password manager helps you secure your accounts by generating complex passwords, storing them and auto-filling your info for faster logins across devices. It’s secure and, best of all, you only have to remember a single password. 

FAQ: Instagram Password Reset Emails and Account Safety 

Was my Instagram password stolen? There is no evidence that passwords were leaked in this incident.

Should I reset my password anyway? If you are unsure or reuse passwords elsewhere, resetting it directly in the app is a smart precaution.

Are the emails real or phishing? Some emails were legitimate, but scammers often mimic them. Always go directly to the app or website.

Why is password reuse dangerous? Because a breach on one site can expose all accounts that share the same password.

 

The post Didn’t Request an Instagram Password Reset? Here’s What to Do appeared first on McAfee Blog.

Parents are waking up to this new online threat to their kids: ‘The Blue Whale Challenge’ which in extreme steps leads children to commit suicide. Fingers are flying fast on WhatsApp, Facebook and Twitter sharing ‘facts’ about the challenge, tips about mentoring kids, and opinions of experts that are adding to the confusion.

“What is the Blue Whale Challenge?”, “Is it a game or an app?”, “Where is it available?”,  “How can I know if my child is playing it?” These and similar questions are now circulating, understandably, as concerned parents are trying their best to get a grip on the issue.

The Facts First:

Alternate names: A Blue Whale/ A Quiet House/ A Silent House/ A Sea of Whales/ Wake Me Up at 4:20 am.

The background: The Blue Whale Challenge was developed by a Russian who is currently behind bars. The game had an app but now it has been removed. HOWEVER, if anyone has backed up data and saved the app, it may still be there on their devices. It may also be shared in unregulated groups.

The game: The game consists of a series of dares, and every time the player completes a challenge, a new one is assigned to him/her. This happens over a period of 50 days (According to some reports, this includes carving a Blue Whale on the hand). The last one is supposed to be one that is potentially life-threatening. Not only that, the participant has to livestream or share the suicide on Facebook.

The modus operandi: How does the moderator get the participants to accept and complete challenges? Simply by goading them on; shaming them or belittling them if they show hesitation. They already have the phone numbers and email addresses of the participants, so it’s easy for the moderator to contact the participants. The participants are also threatened not to keep records of any mails or messages or else their family member’s personal information would be hacked and made public.

Origin: There are contradictory reports about existence of an app and now it’s been removed from online stores. Social media and forums are recognized means which have helped proliferate the same.

What Can Parents Do?

This is not a case of malware or virus attacks. It is more related to human psychology and banks on the child’s naiveté, lack of self-esteem and acceptance to a group. Such games have existed and continue to exist and bans won’t prevent their creation. Just like there are fun challenges like the ice bucket challenge and the pink whale challenge, there are also potentially harmful ones that include taking selfies in front of running trains and other dangerous acts. Children by nature are adventurous and dares, no matter how small or big, could satisfy this need for excitement.

1. Open Conversation: Like in the real world where you guide your child, likewise your child needs guidance in the online world too which can only be given by you until they attain maturity. Have regular and informal conversation so they share without the fear of being reprimanded. Encourage questions, address their curiosity and guide them in a friendly manner rather than leaving up to them to figure things on their own Also, its recommended to impart knowledge to break free from peer pressure and not be negative online. A strong, confident child will be able to make better decisions and this is the skill as parents you can teach your children.
2. Stranger Danger: According to McAfee’s ‘Connected Family’ study in 2017, 49% of Indian parents are concerned about their child potentially interacting with a social predator or cybercriminal online. Education and open conversations within families are critical as kids are curious and give trust easily. Highlight incidents about how strangers try to earn trust falsely for their own agenda which can extend from cybercrime to physical theft when you are not home. Insist that they should avoid entering into any form of communication, sharing or confiding with strangers including calling, emailing, texting or meeting people they don’t know well in person.
3. Balance: Set daily internet time when they can surf online and do school work. Also, make the rule -Absolutely NO devices go to bed with your child. If you notice your child is online more often than usual you should investigate.
4. Monitor: Even if you are not a tech-savvy person, there is nothing like a parent’s concern to keep children on the right path. It’s suggested you use the parental control features available in reputed security software which makes it easy and simple to help keep your children safe online.
5. Do your part: Discuss with your child about how to identify such online dangers and report it if they encounter any. It’s our duty to keep the ecosystem safe for everyone as we would expect from our neighbor.

Monitoring your child’s online experience until they get a sense of judgement is something I have always advocated for, and is now more important than ever. Do your part and help make the internet a safer place for everyone.

Final Thoughts

The Blue Whale Challenge is a grim reminder that not all online threats come in the form of a virus or malicious download. Sometimes, the real danger lies in manipulation, peer pressure, and psychological coercion. As parents, you cannot control every corner of the internet, but you can teach your children effective ways to navigate it.

Your role in your child’s life is more powerful than any app or algorithm. Open conversations, emotional support, clear digital boundaries, and active involvement in your child’s online activities constitute the strongest defense. When children feel heard, valued, and confident, they are far less likely to fall prey to harmful online challenges or strangers seeking to exploit them.

Parental guidance should also be supported by practical safeguards. Just as you lock your doors at night, your child’s digital world deserves protection too. Using trusted parental control tools can help you monitor their online activity, manage screen time, filter inappropriate content, and receive alerts about potential risks without invading your child’s sense of independence.

With the McAfee+ Family Plan, you are empowered with comprehensive parental controls, identity monitoring, and multi-device protection to help you support, guide, and protect your child as they grow in a connected world.

The post Blue Whale Challenge: What Parents Need to Know! appeared first on McAfee Blog.

McAfee’s Scam Detector has been named a Winner of the 2026 BIG Innovation Awards, presented by the Business Intelligence Group, marking the third major industry award the product has earned since launching just months ago. 

The recognition underscores a growing consensus across independent judges: as scams become more sophisticated and AI-driven, consumers need protection that works automatically, explains risks clearly, and helps stop harm before it happens. 

What Is the BIG Innovation Award? 

The BIG Innovation Awards recognize products and organizations that deliver measurable innovation with real-world impact. The program focuses not only on technical advancement, but on how solutions improve everyday life for individuals and households. 

For consumer cybersecurity products like Scam Detector, that means being evaluated on: 

• Real-world relevance 
• Ease of use for non-experts 
• Societal impact 
• Demonstrated adoption and need 

The award highlights Scam Detector’s role in helping people stay safer online as scams grow more sophisticated, more personal, and increasingly powered by AI.  

Why Scam Detector Stands Out 

According to feedback from the BIG Innovation Awards judging panel, Scam Detector was recognized for: 

Strong real-world relevance: Scams are now an everyday risk, not a niche technical issue 

Clear consumer value: Protection that runs automatically in the background without requiring expert knowledge

AI used responsibly: Applying advanced models to reduce harm, not increase it

Early impact: Rapid adoption, with more than one million users in its first months 

Judges also noted the importance of Scam Detector’s educational alerts, which don’t just block threats, but explain why something is risky, helping people build confidence over time. 

Using AI to Fight AI-Driven Scams 

Scam Detector is McAfee’s AI-powered protection designed to detect scams across text, email, and video, block dangerous links, and identify deepfakes, before harm occurs. 

As scammers increasingly use generative AI to impersonate people, brands, and institutions, protection needs to operate at the same speed and scale. Scam Detector is built to do exactly that, quietly working in the background while users go about their day. 

Scam Detector is included with all core McAfee plans and is available across mobile, PC, and web. 

In Good Company: Consumer Innovation Across Industries 

McAfee was recognized alongside other consumer-facing innovators whose products directly serve individuals and households. Fellow 2026 BIG Innovation Award winners include: 

Capital One Auto – Chat Concierge: A consumer-facing service designed to help car buyers and owners navigate financing and ownership decisions. 

Starkey – Omega AI Hearing Aid: A wearable hearing aid that integrates AI assistance, health monitoring, and real-time translation. 

Phonak – Virto R Infinio: Custom-fit hearing aids designed to deliver personalized hearing solutions for individual users. 

EZVIZ – 9c Dual 4G Series Camera: A smart home security camera built for personal and household use. 

Sinomax USA: Consumer mattresses and comfort products focused on everyday home use. 

beyoutica 1905: A wellness product designed for health- and lifestyle-focused consumers. 

Wheels – Pool CheckOut: A consumer-oriented solution designed to simplify vehicle service and checkout experiences. 

Together, these winners reflect how innovation increasingly shows up in tools people rely on at home, in their cars, and on their phones. 

Scam Detector Awards and Industry Recognition 

Since launch, McAfee’s Scam Detector has earned recognition across multiple independent award programs, each highlighting a different dimension of its impact: 

2026 BIG Innovation Awards

Winner and Top 10 Innovator – Large Business, recognizing real-world consumer impact and responsible AI use. 

2025 A.I. Awards

2025 Tech Ascension Awards 

The post McAfee’s Scam Detector Earns Third Major Award Within Months of Launch appeared first on McAfee Blog.

This week in scams, the biggest threats showed up as routine security messages, viral consumer “warnings,” and AI-generated content that blended seamlessly into platforms people already trust. 

Every week, we bring you a roundup of the scams making headlines, not just to track what’s happening, but to explain how these schemes work, why they’re spreading now, and what you can do to stay ahead of them.  

Here are scams in the news this week, and safety tips from our experts at McAfee: 

Amazon One-Time Passcode Scam: How Fake Security Calls Hijack Real Accounts 

Scammers are increasingly impersonating Amazon customer support to take over accounts using real one-time passcodes (OTPs), not fake links or malware. 

Here’s how the scam works in practice. 

What is the Amazon one-time passcode scam? 

Victims receive an unsolicited phone call from someone claiming to work for Amazon. The caller says suspicious activity has been detected on the account and may reference expensive purchases, often items like smartphones, to make the threat feel credible. 

The call usually comes from a spoofed number and the scammer may already know your name or phone number, which helps lower suspicion. 

How scammers use real Amazon security codes 

While speaking to you, the scammer attempts to access your Amazon account themselves by entering your phone number or email address on the login page and selecting “forgot password” or triggering a login from a new device. 

That action causes Amazon’s real security system to send a legitimate one-time passcode to your phone or email. 

If you read that code aloud or share it, the scammer can immediately: 

• Complete the login process 
• Change your account password 
• Access saved payment methods 
• Place fraudulent orders or lock you out of the account 

The scam works precisely because the code is real—and because it arrives while the caller is convincing you it’s part of a routine security check. 

Key red flags to watch for 

• Unsolicited calls claiming to be from Amazon 
• Requests to share a one-time passcode 
• Pressure to act quickly “to secure your account” 

Important to remember: Amazon will never contact you first to ask for your password, verification codes, or security details. If you receive a one-time passcode you didn’t request, do not share it with anyone. 

AI Deepfake Scam on TikTok Uses Fake Princess to Steal Money 

A growing scam on TikTok shows how AI-generated deepfake videos are now being used not just for misinformation, but for direct financial fraud. 

This week, Spanish media and officials warned that scammers are circulating fake TikTok videos appearing to show Princess Leonor, the 20-year-old heir to Spain’s throne, offering financial assistance to users.  

According to The Guardian, the videos show an AI-generated version of Leonor promising payouts running into the thousands of dollars in exchange for a small upfront “fee.”  

Once victims send that initial payment, the scam doesn’t end. Fraudsters repeatedly demand additional fees before eventually disappearing. 

This case highlights how deepfakes are moving beyond novelty and into repeatable, high-reach fraud, where trust in familiar public figures is weaponized at scale. 

Viral Reddit “Whistleblower” Scam: When AI-Generated Posts Fool Millions 

A viral post on Reddit this week shows how AI-generated text can convincingly impersonate whistleblowers, and even mislead experienced journalists. 

The post claimed to come from an employee at a major food delivery company, alleging the firm was exploiting drivers and users through opaque AI systems. Written as a long, confessional screed, the author said he was drunk, using library Wi-Fi, and risking retaliation to expose the truth. 

The claims were believable in part because similar companies have faced real lawsuits in the past. The post rocketed to Reddit’s front page, collecting over 87,000 upvotes, and spread even further after being reposted on X, where it amassed tens of millions of impressions. 

As Platformer journalist Casey Newton later reported, the supposed whistleblower provided what appeared to be convincing evidence, including a photo of an employee badge and an 18-page internal document describing an AI-driven “desperation score” used to manage drivers. But during verification attempts, red flags emerged. The materials were ultimately traced back to an AI-generated hoax. 

Detection tools later confirmed that some of the images contained AI watermarks, but only after the post had already gone viral. 

Why AI-generated hoaxes like this are dangerous 

• They mimic real whistleblower behavior and language 
• They exploit existing public distrust of large platforms 
• They can mislead journalists, not just casual readers 
• Debunking often comes too late to stop spread 

This incident underscores a growing problem: AI-generated misinformation doesn’t need to steal money directly to cause harm. Sometimes, the damage is to trust itself — and by the time the truth surfaces, the narrative has already taken hold. 

McAfee’s Safety Tips for This Week 

As scams increasingly rely on a combination of realism and urgency, protecting yourself starts with slowing down and verifying before you act. 

If a message or video promises money or financial help: 

• Be skeptical of any offer that requires an upfront “fee,” no matter how small. 
• Remember that public figures, charities, and foundations do not distribute money through social media DMs or comment sections. 
• If an offer claims to come from a well-known individual or organization, verify it through official websites or trusted news sources. 

When content appears viral or emotionally convincing: 

• Pause before sharing or acting on posts framed as warnings, whistleblower revelations, or exposés. 
• Look for confirmation from multiple reputable outlets — not just screenshots or reposts. 
• Be cautious of long, detailed posts that feel personal or confessional but can’t be independently verified. 

When AI may be involved: 

• Assume that realistic images, videos, and documents can be generated quickly and at scale. 
• Don’t rely on appearance alone to determine authenticity, even high-quality content can be fake. 
• Treat unsolicited financial requests, account actions, or “inside information” as red flags, regardless of how credible they seem. 

If you think you’ve engaged with a scam: 

• Stop responding immediately. 
• Secure your accounts by changing passwords and enabling multi-factor authentication. 
• Monitor financial statements and account activity for unusual behavior. 

Final Takeaway 

The scams making headlines this week share a common theme: they don’t look like scams at first glance. Whether it’s an AI-generated video of a public figure or a viral post posing as a consumer warning, today’s fraud relies on familiarity, credibility, and trust. 

That’s why McAfee’s Scam Detector and Web Protection help detect scam messages, dangerous sites, and AI-generated deepfake videos, alerting you before you interact or click. 

We’ll be back next week with another roundup of the scams worth watching, the stories behind them, and the steps you can take to stay one step ahead. 

The post This Week in Scams: Explaining the Fake Amazon Code Surge appeared first on McAfee Blog.

Pets, poisoned AI search results, and a phone call that sounds like it’s coming straight from the federal government, this week’s scams don’t have much in common except one thing: they’re getting harder to spot.

In today’s edition of This Week in Scams, we’re breaking down the biggest security lapses and the tactics scammers used to exploit them, and what you can do to stay ahead of the latest threats.

Two data security lapses discovered at Petco in one week put pet parents at risk

If you’re a Petco customer, you’ll want to know about not one but two data security lapses in the past week.

First, as reported by TechCrunch on Monday, Petco followed Texas data privacy laws by filing a data breach with the attorney general’s office. In that filing, Petco reported that the affected data included names, Social Security numbers, and driver’s license numbers. Further info including account numbers, credit and debit card numbers, and dates of birth were also mentioned in the filing.

Also according to Techcrunch, the company filed similar notices in California and Massachusetts.

To date, Petco has not made a comment about the size of the breach and the number of people affected.

Different states have different policies for reporting data breaches. In some cases, that helps us put a figure to the size of the breach, as some states require companies to disclose the total number of people caught up in the breach. That’s not the case here, so the full scope of the attack remains in question, at least for right now.

As of Thursday, we know Petco reported that 329 Texans were affected along with seven Massachusetts residents, per the respective reports filed. California’s report does not contain the number of Californians affected, yet laws in that state require businesses to report breaches that affect 500 or more people, so at least 500 people were affected there.

Below you can see the form letter Petco sent to affected Californians in accordance with California’s data privacy laws:

 

In it, you can see that Petco discovered that “a setting within one of our software applications … inadvertently allowed certain files to become accessible online.” Further, Petco said that it “immediately took steps to correct the issue and to remove the files from further online access,” and that it “corrected” the setting and implemented unspecified “additional security measures.”

So while no foul play appears to have been behind the breach, it’s still no less risky and concerning for Petco’s customers. We’ll cover what you can do about that in a moment after we cover yet another data issue at Petco through its Vetco clinics.

Also within the same timeframe, yet more research and reporting from Techcrunch uncovered a second security lapse that exposed personal info online. From their article:

“TechCrunch identified a vulnerability in how Vetco’s website generates copies of PDF documents for its customers.

“Vetco’s customer portal, located at petpass.com, allows customers to log in and obtain veterinary records and other documents relating to their pet’s care. But TechCrunch found that the PDF generating page on Vetco’s website was public and not protected with a password.

“As such, it was possible for anyone on the internet to access sensitive customer files directly from Vetco’s servers by modifying the web address to input a customer’s unique identification number. Vetco customer numbers are sequential, which means one could access other customers’ data simply by changing a customer number by one or two digits.”

What to do if you think you had info stolen in the Petco breach

With the size and reach of the Petco breach still unknown, and the impact of the Vetco security lapse also unknown, we advise caution for all Petco customers. At minimum, monitor transactions and keep an eye on your credit report for any suspicious activity. And it’s always a good time to update a weak password.

For those who received a notification, we advise the following:

Check your credit, consider a security freeze, and get ID theft protection. You can get all three working for you with McAfee+ Advanced or McAfee+ Ultimate.

Monitor transactions across your accounts, also available in McAfee+ Advanced and Ultimate.

Keep an eye out for phishing attacks. Use our Scam Detector to spot any follow-on attacks.

Update your passwords. Strong and unique passwords are best. Our password manager can help you create and store them securely.

And use two-factor authentication on all your accounts. Enabling two-factor authentication provides an added layer of security.

 

What to do if your Social Security number was breached.

If you think your Social Security number was caught up in the breach, act quickly.

1. First, contact one of the three credit bureaus (Equifax, Experian, or TransUnion) and place a fraud alert on your credit report.
2. That will cover all three bureaus and make it harder for someone to open new accounts in your name. You can also quickly freeze your credit altogether with McAfee+ Ultimate.
3. Also notify the Social Security Administration (SSA) along with the Internal Revenue Service (IRS), and file a police report immediately if you believe your number is being misused.

The call center number that connects you to … scammers?

You might want to be careful when searching for customer service numbers while in AI mode. Or with an AI search engine. It could connect you to a scammer.

From The Times comes reports of scammers manipulating the AI in platforms like Google and Perplexity so that their search results return scam numbers instead of a proper customer service numbers for, say, British Airways.

How do they manipulate those results? By spamming the internet with false info that gets picked up and then amplified by AI.

“[S]cammers have started seeding fake call center numbers on the web so the AI is tricked into thinking it is genuine …

“Criminals have set up YouTube channels with videos claiming to help with customer support, which are packed with airline brand names and scam numbers designed to be scraped and reused by the AI.

“Bot-generated reviews on Yelp or video descriptions on YouTube are filled with fraudulent numbers as are airline and travel web forums.”

And with these tactics, scammers could poison the results for just about any organization, business, or brand. Not just airlines. Per The Times, “The scammers have also hijacked government sites, university domains, and even fitness sites to place scam numbers, which fools the AI into thinking they are genuine.”

This reveals a current limitation with many AI platforms. Largely they can’t distinguish when people deliberately feed them bad info, as seen in the case here.

Yet even as this attack is new, our advice remains the same: any time you want to ring up a customer service line, get the number directly from the company’s official website. Not from AI search and not by clicking a paid search result that shows up first (scammers can poison them too).

Is that a call from an FTC “agent?” If so, it’s a scam.

Are you under investigation for money laundering? Of course not. But this scam wants you to think so—and to pay up.

On Tuesday, the Federal Trade Commission (FTC) issued a consumer alert warning that people are reporting getting unexpected calls from someone saying they’re “FTC agent” John Krebs. Apparently “Agent Krebs” is telling people that they’re under investigation for money laundering—and that a deposit to a Bitcoin ATM can resolve the matter.

Of course, it’s a scam.

For starters, the FTC doesn’t have “agents.” And the idea of clearing one’s name in an investigation with a Bitcoin payment is a sure-fire sign of a scam. Lastly, any time someone asks for payment with Bitcoin or other payment methods that are near-impossible to recover (think wire transfers and gift cards), those are big red flags.

Apart from hanging up and holding on to your money, the FTC offers the following guidance, which holds true for any scam call:

• Never transfer or send money to anyone in response to an unexpected call or message, no matter who they say they are.
• Know that the FTC won’t ask for money. In fact, no government agency will ever tell you to deposit money at a cryptocurrency ATM, buy gift cards and share the numbers, or send money over a payment app like Zelle, Cash App, or Venmo.
• Don’t trust your caller ID. A call might look like it’s coming from the government or a business, but scammers often fake caller ID.

And we close things out a quick roundup …

As always, here’s a quick list of a few stories that caught our eye this week:

AI tools transform Christmas shopping as people turn to chatbots

National cybercrime network operating for 14 years dismantled in Indonesia

Why is AI becoming the go-to support for our children’s mental health?

We’ll see you next Friday with a special edition to close out 2025 … This Year in Scams.

The post This Week in Scams: Petco Breach Warning, and Watch Out for Fake Federal Calls appeared first on McAfee Blog.

It looks harmless enough.

A digital party invitation lands in your inbox or phone. You click to see the details. Then it asks you to log in or create an account before revealing the event. 

That’s where the scam begins. 

Fake e-vite phishing scams are on the rise, and they take advantage of something simple: social trust. You’re far more likely to click an invitation than a generic “account alert” or “delivery notice.” 

And that’s exactly why scammers are using them. 

In fact, here’s a screenshot of a fake phishing email I recently got this holiday season:

When you click the “open invitation” link, it immediately asks you to sign in or create an account with your personal information. That’s the step where scammers steal your private data. 

What Is a Fake E-Vite Scam? 

A fake e-vite scam is a phishing attack that pretends to be a real invitation from platforms like Paperless Post or other digital invitation services. 

The goal is to trick you into: 

• Entering your email and password 
• Creating a fake account on a malicious site 
• Clicking links that lead to credential-stealing pages 
• Downloading malware disguised as an invitation 

Once scammers have your login information, they can: 

• Take over your email 
• Reset passwords on other accounts 
• Send scams to your contacts 
• Launch identity theft attempts 

How These Fake Invitation Scams Usually Work 

Here’s the most common flow: 

1. You receive a digital invitation that looks normal 
2. The message prompts you to “view the invitation” 
3. You’re redirected to a login or signup page 
4. You enter your email, password, or personal info 
5. The invitation never appears 
6. Your credentials have now been stolen 

Because this starts with something familiar and social, many people don’t realize it’s phishing until accounts are already compromised. Plus, scammers then use your email and name to trick friends and family into trusting more fake e-vites from your account.

How to Tell If a Paperless Post Invite Is Real 

Paperless Post has publicly acknowledged these scams and shared what legitimate messages actually look like. 

Legitimate Paperless Post Emails Will Never: 

• Include .EXE attachments 
• Include .PDF attachments 
• Include any attachments other than image files 

Official Paperless Post Email Domains: 

Legitimate invitations and account messages only come from: 

• paperless@email.paperlesspost.com 
• paperlesspost@paperlesspost.com 
• paperlesspost@accounts.paperlesspost.com 

Official support emails only come from: 

• help@paperlesspost.com 
• pds@paperlesspost.com 
• security@paperlesspost.com 
• privacy@paperlesspost.com 
• agent@paperlesspost.com 
• optout@paperlesspost.com 

If the sender does not match one of these exactly, it’s a scam. 

Paperless Post also notes that verified emails may display a blue checkmark in supported inboxes to confirm authenticity.  

The Biggest Red Flags of a Fake E-Vite 

If you see any of the following, do not click: 

• You’re forced to log in to “see” who invited you 
• The sender email doesn’t match the official domains above 
• The invitation creates urgency 
• You’re asked for payment to view the event 
• The message feels generic instead of personal 
• The site address looks slightly off 

Why These Scams Are So Effective Right Now 

Modern phishing attacks don’t rely on sloppy design anymore. Many now use: 

• Polished branding 
• Clean layouts 
• Familiar platforms 
• Friendly language 
• Social pressure 

Invitation phishing is especially powerful because: 

• It triggers curiosity 
• It feels harmless 
• It mimics real social behavior 
• It doesn’t start with fear or threats 
• By the time the scam turns risky, your guard is already down. 

What To Do If You Clicked a Fake E-Vite 

If you entered any information into a suspicious invitation page: 

1. Immediately change your email password 
2. Change any other account that reused that password 
3. Enable two-factor authentication 
4. Check for unknown login activity 
5. Warn contacts if your email may have been compromised 
6. Run a security scan on your device 

The faster you act, the more damage you can prevent. 

The post Think That Party Invite Is Real? Fake E-Vite Scams Are the New Phishing Trap appeared first on McAfee Blog.

AI-powered browsers give you much more than a window to the web. They represent an entirely new way to experience the internet, with an AI “agent” working by your side.

We’re entering an age where you can delegate all kinds of tasks to a browser, and with that comes a few things you’ll want to keep in mind when using AI browsers like ChatGPT’s Atlas, Perplexity’s Comet, and others.

What are agentic AI browsers?

So, what’s the allure of this new breed of browser? The answer is that it’s highly helpful, and plenty more.

By design, these “agentic” AI browsers actively assist you with the things you do online. They can automate tasks and interpret your intentions when you make a request. Further, they can work proactively by anticipating things you might need or by offering suggestions.

In a way, an AI browser works like a personal assistant. It can summarize the pages in several open tabs, conduct research on just about any topic you ask it to, or even track down the lowest airfare to Paris in the month of May. Want it to order ink for your printer and some batteries for your remote? It can do that too. And that’s just to name a few possibilities.

As you can see, referring to the AI in these browsers as “agentic” fits. It truly works like an agent on your behalf, a capability that promises to get more powerful over time.

Is it safe to use an AI browser?

But as with any new technology, early adopters should balance excitement with awareness, especially when it comes to privacy and security. You might have seen some recent headlines that shared word of security concerns with these browsers.

The reported exploits vary, as does the harm they can potentially inflict. That ranges from stealing personal info, gaining access to Gmail and Google Drive files, installing malware, and injecting the AI’s “memory” with malicious instructions, which can follow from session to session and device to device, wherever a user logs in.

Our own research has shown that some of these attacks are now tougher to pull off than they were initially, particularly as the AI browser companies continue to put guardrails in place. If anything, this reinforces a long-standing truth about online security, it’s a cat-and-mouse game. Tech companies put protections in place, bad actors discover an exploit, companies put further protections in place, new exploits crop up, and so on. It’s much the same in the rapidly evolving space of AI browsers. The technology might be new, but the game certainly isn’t.

While these reports don’t mean AI browsers are necessarily unsafe to use, they do underscore how fast this space is evolving…and why caution is smart as the tech matures.

How To Use an AI Browser Safely

It’s still early days for AI-powered browsers and understanding the security and privacy implications of their use. With that, we strongly recommend the following to help reduce your risk:

Don’t let an AI browser do what you wouldn’t let a stranger do. Handle things like your banking, finances, and health on your own. And the same certainly goes for all the info tied to those aspects of your life.

Pay attention to confirmations. As of today, agentic browsers still require some level of confirmation from the user to perform key actions (like processing a payment, sending an email, or updating a calendar entry). Pay close attention to them, so you can prevent your browser from doing something you don’t want it to do.

Use the “logged out” mode, if possible. As of this writing, at least one AI browser, Atlas, gives you the option to use the agent in the logged-out mode.ⁱ This limits its access to sensitive data and the risk of it taking actions on your behalf with your credentials.

If possible, disable “model learning.” By turning it off, you reduce the amount of personal info stored and processed by the AI provider for AI training purposes, which can minimize security and privacy risks.

Set privacy controls to the strictest options available. Further, understand what privacy policies the AI developer has in place. For example, some AI providers have policies that allow people to review your interactions with the AI as part of its training. These policies vary from company to company, and they tend to undergo changes. Keeping regular tabs on the privacy policy of the AI browser you use makes for a privacy-smart move.

Keep yourself informed. The capabilities, features, and privacy policies of AI-powered browsers continue to evolve rapidly. Set up news alerts about the AI browser you use and see if any issues get reported and, if so, how the AI developer has responded. Do routine searches pairing the name of the AI browser with “privacy.”

How McAfee Can Help

McAfee’s award-winning protection helps you browse safer, whether you’re testing out new AI tools or just surfing the web.

McAfee offers comprehensive privacy services, including personal info scans and removal plus a secure VPN.

Plus, protections like McAfee’s Scam Detector automatically alert you to suspicious texts, emails, and videos before harm can happen—helping you manage your online presence confidently and safeguard your digital life for the long term. Likewise, Web Protection can help you steer you clear of suspicious websites that might take advantage of AI browsers.

The post How to Stay Safe on Your New AI Browser appeared first on McAfee Blog.

It’s an increasingly common surprise: a package shows up at your door with your name and your address…but you never ordered it.  

These unsolicited deliveries may seem harmless, but they’re often tied to a scheme called a brushing scam. These scams occur year-round but tend to pick up around the holidays or peak shopping seasons, when shipping volume spikes and it’s easier for suspicious packages to blend in. 

Below is everything you need to know: how brushing scams work, what they mean for your personal information, and the exact steps to take if one shows up at your doorstep. 

 Takeaways 

• A brushing scam is when a seller sends you an item you didn’t order so they can post a fake “verified purchase” review under your name. 
• These scams usually involve low-value items like cheap jewelry, seeds, or trinkets. 
• Unexpected packages can signal that your personal data was exposed in a breach or has been purchased illegally. 
• You don’t have to return the item, but you should report it, update your passwords, and check for suspicious activity. 
• These scams increase during busy shipping periods, including holidays. 

What Is a Brushing Scam? 

A brushing scam is when sellers send you unsolicited items so they can post fake reviews using your name, boosting their product’s ranking and credibility without your consent. 

How Brushing Scams Work 

A typical brushing scam looks like this: 

1. A scammer creates or uses a seller account on a marketplace like Amazon or AliExpress. 
2. They obtain your name and address, often through a breach, data leak, or illegal database. 
3. They “order” their own product but send it to you at no cost. 
4. Once shipping confirms delivery, they post a fake verified review under your identity to boost their seller rating. 
5. The product gains more visibility, which drives more sales. 

In one sentence: Your delivery confirmation becomes their proof that a real customer received the item—even though you never ordered it. 

Why It’s Called “Brushing” 

The term comes from e-commerce, where sellers would “brush up” their sales by generating fake orders and reviews. Today, brushing scams are a global issue affecting major online marketplaces. 

Common Items Sent in Brushing Scams 

• Costume jewelry 
• Small electronics or keychain gadgets 
• Random home goods 
• Seeds (often unmarked) 
• Low-cost accessories 

If the item feels random or unusually cheap, it fits the profile. 

Are Brushing Scams Dangerous? 

Personal Data Exposure

The biggest red flag is that someone had your name and address, and possibly more. Brushing scams often follow data breaches or third-party leaks. 

Account Risk

Some platforms may temporarily flag or freeze your account if someone posts fake reviews under your name. 

Misleading Products

Fake reviews inflate trust and push low-quality items higher in search results. That misleads other shoppers and props up fraudulent sellers.

Potential Safety Hazards

Some unsolicited items—cosmetics, supplements, electronics, or seeds—may be unsafe, expired, counterfeit, or banned. 

What To Do If You Receive an Unordered Package 

1. Don’t use or consume the item, especially cosmetics, food, or electronics. 
2. Check your marketplace account (Amazon, AliExpress, etc.) to confirm there’s no unauthorized order. 
3. Report the brushing scam using the platform’s built-in reporting tools. 
4. Update your passwords for your shopping account and linked email. 
5. Enable two-factor authentication (2FA) for added security. 
6. Monitor bank/credit card activity for unusual charges. 
7. If the package came via USPS, you can mark it “Return to sender” without cost. 

How to Report a Brushing Scam on Amazon 

1. Log into your Amazon account. 
2. Go to the Report Unsolicited Package section. 
3. Add your tracking number and package details. 
4. Amazon may take up to 10 days to investigate. 

Should You Return the Package? 

Generally: No.

You are not legally required to return or pay for an unsolicited package. But reporting it helps platforms investigate fraudulent sellers. 

How To Protect Yourself From Brushing Scams

Secure Your Accounts

• Update passwords and use unique credentials.
• Turn on two-factor authentication.
• Use security software like McAfee+ to protect your privacy and personal data

Report Every Unsolicited Package

This helps platforms identify abusive sellers.

Verify Reviews Before Buying

Genuine reviews mention specific details; fake ones are vague, repetitive, or overly positive.

Stick to Well-Reviewed, Long-Standing Sellers

Avoid newly created storefronts with few verified reviews.

Quick FAQ 

Why am I receiving random packages from overseas?
It’s often part of a brushing scam where sellers need a “delivered” status to post fake reviews.

Is a brushing scam identity theft?
Not exactly, but it does mean someone had access to your personal data, which increases your overall risk.

Should I throw the item away?
You can safely discard most brushing-scam items, but avoid using them and report the incident first.

Should I worry if I get seeds or soil?
Yes—never plant or dispose of unknown seeds improperly. Report them to the USDA or your state agriculture office.

Final Thoughts

Brushing scams may seem like a harmless freebie, but they’re a sign that your personal information was exposed and could potentially be misused.

Stay cautious, secure your accounts, report any unsolicited packages, and trust only reputable sellers. With simple steps, you can protect your identity, and avoid being pulled into a scammer’s fake review scheme.

The post Brushing Scams: What They Are and How to Stay Safe From Unsolicited Packages appeared first on McAfee Blog.

It usually starts with something small.

You’re scrolling TikTok or Instagram, half-paying attention, when a Black Friday ad pops up. It looks like the brand you love—same logo, same photos, same “limited-time deal” language you’ve seen in real promos. The link takes you to a site that looks identical to the real one. The checkout page works. The confirmation email looks legit.

Then the payment clears, and the merchant name on your bank statement doesn’t match the store at all.

That moment, wait, what did I just buy from?, is becoming the defining holiday-shopping scam of 2025.

This year, fake ads and cloned storefronts aren’t sketchy one-offs or typo-filled red flags. They’re polished. They’re identical. And increasingly, they’re powered by AI.

McAfee’s 2025 holiday research found that nearly half of Americans (46%) have already encountered AI-altered or AI-generated scams while shopping. And with 96% of people planning to shop online, many doing so daily, scammers know this is peak opportunity.

Here’s how fraudsters are blending into the busiest shopping season of the year, what the data shows, and how to stay one step ahead.

Why Scammers Are So Effective Right Now

A perfect storm is happening:

People are shopping more often.
Nearly half of U.S. adults expect to shop online daily or multiple times per day during the holidays.

People are rushed.
From early Black Friday “price drop” alerts to Cyber Monday countdowns, shoppers don’t slow down to verify what they’re seeing.

AI makes scam content nearly flawless.
McAfee found technology email scams surging ~85%, retail email scams rising ~50%, and fraudulent URLs climbing across the board—from counterfeit Apple support pages to fake Costco refund portals.

Holiday deals are already rolling out—and so are the scams.

McAfee’s 2025 holiday research shows major spikes in email scams (~50% increase), technology scams (~85% increase), and fake storefronts that mimic trusted retailers. AI tools are making these scams faster, more realistic, and harder to spot.

It’s not that shoppers suddenly got careless.

It’s that scammers suddenly got good.

The 2025 Scams Hitting Shoppers the Hardest

1. Fake Retail Sites & “Deal” Pages That Look Real

This is the big one, and it’s getting cleaner every year.

Scammers lift entire storefronts:

• Logos
• Product photos
• Sale graphics
• Checkout flows
• Even fake customer service pages

The only giveaway? A URL that’s juuust slightly off—“target-sale.com” instead of “target.com,” or a link ending in “.shop” or “.store” rather than a brand’s normal domain.

Once you enter your payment info, it goes directly into a database that criminals resell or use to make purchases.

How to spot and avoid this scam: Skip the ad. Type the retailer’s name into your browser yourself. If it’s a real deal, you’ll find it on their actual site.

2. TikTok, Instagram & Social Video Scams

Short-form videos are now a prime scam vehicle.

Scammers steal influencer footage, use AI voice clones, or generate deepfake “promo” videos with celebrities offering huge holiday discounts. When someone clicks the link, it leads straight to a counterfeit store.

According to McAfee:

• 46% have encountered fake influencer/celebrity endorsements
• Younger shoppers (18–34) see them most
• Many appear during holiday-sale cycles on TikTok Shop and Instagram Shopping
• US – Holiday Shopping 2025 fact…

How to spot and avoid this scam: Check the creator’s account history. Real brands don’t drop one-off promo videos from accounts you’ve never seen before. Same as our initial advice, skip the ad entirely and go directly to the official brand website rather than clicking any links.

3. Delivery & Shipping Text Scams

The classic delivery scam is back, with McAfee researchers finding dozens of examples of fake messages attempting to scam holiday shoppers.

You’ll receive a text saying a package can’t be delivered or that a small fee is needed to confirm your address.

McAfee found that 43% of people have encountered fake delivery notifications, and many victims say they entered credit card information thinking they were resolving a legitimate issue.

How to spot and avoid this scam: UPS, USPS, and FedEx will never send a clickable payment link in a text. If you’re wondering about a specific delivery, go directly to the site you ordered it from, or your original receipt in your email to find your tracking information.

4. Account Verification & Gift Card Scams

These hit during the weeks leading up to the holidays.

Messages claim:

• Your Amazon account is locked
• Your Apple ID has “suspicious activity”
• Your loyalty points are expiring
• You must verify your payment information
• You must pay a fee or gift card to resolve an issue

How to spot and avoid this scam:
No legitimate company will ever resolve account issues through gift cards or text-confirmation codes.

How AI Is Supercharging These Scams

Not long ago, scam emails had broken English and pixelated logos.

Now scammers use generative AI to:

• Clone real brand websites
• Rewrite perfect phishing emails
• Fake customer service chatbots
• Produce Hyper-real video ads
• Replicate influencer voices
• Generate thousands of unique scam texts instantly

And people are noticing.

57% of shoppers say they’re more concerned about AI scams this year than last.

Yet 38% believe they can spot scams—even though 22% have fallen for one.

Confidence ≠ protection.

What to Do if You Think You’ve Encountered a Scam

If something feels off—a message, a link, a charge on your bank statement—don’t panic. Most holiday scams rely on speed and confusion. Slowing down and taking a few simple steps can keep a bad situation from turning into real damage.

1. Stop engaging immediately

Close the tab, delete the message, and don’t click anything else.
Scammers often stack multiple pop-ups or redirects to pressure you into acting fast.

2. Don’t enter any additional information

If you started typing in a password or card number but didn’t hit “submit,” back out.
If you did enter details, move to the next steps right away.

3. Change your passwords (starting with the affected account)

Use a strong, unique password—especially for accounts tied to:

• email
• shopping apps
• banking
• cloud storage

A reused password is how one compromised login unlocks everything else. McAfee offers a password manager to help you make and store strong, unique passwords.

4. Check your bank or credit card for unexpected charges

Fraud usually starts small: $1–$5 “test” charges, odd merchant names, or tiny withdrawals.
If you see anything suspicious, contact your bank and request:

• a card replacement
• a fraud alert
• a temporary account freeze, if necessary

5. Run a security scan on your device

Some fake sites drop malware or spyware quietly in the background.
A quick scan can detect:

• malicious downloads
• browser hijackers
• unsafe extensions
• keyloggers

McAfee offers a free antivirus trial that you can use to scan your device and check for compromises.

6. Report the scam

Reporting helps stop other shoppers from being targeted.
You can report scams to:

• the retailer being impersonated
• the platform where you saw the ad (TikTok, Instagram, Facebook)
• your national fraud reporting center

7. Let technology help you clean up

McAfee can automatically detect whether the link, message, or site you interacted with is malicious—and alert you if your information may have been exposed.
Tools like:

• Scam Detector (Built into all core McAfee plans, flags scam texts, emails, and deepfakes)
• Web Protection (malicious or suspicious websites before they load)
• Identity & Financial Monitoring (Credit Monitoring can alert you to unusual account activity)

can help contain an issue before it turns into identity theft.

Need a Gift for the Practical Person in Your Life? Consider Giving Them Scam Protection

There’s always someone on your holiday list who doesn’t want more stuff, they want something useful. The friend who loves a clean inbox. The sibling who’s constantly traveling. The parent who keeps forwarding you suspicious texts asking, “Is this real?”

For them, security might actually be the most thoughtful gift you can give this year.

Online safety tools aren’t flashy, but they are the thing people reach for the moment they click the wrong link, lose a password, or get a sketchy delivery text. And with scams more believable than ever, digital protection has quietly become a new “practical essential,” like a good VPN or a reliable password manager.

Gifting McAfee means giving someone:

Scam protection that works quietly in the background
Scam Detector flags dangerous messages, deepfake-style content, and fake shopping sites before they ever interact with them.

Identity & financial monitoring
A huge help for anyone who’s been burned by fraud in the past — or is tired of checking bank statements manually.

Password security that doesn’t require them to remember anything
Perfect for the person who uses the same password everywhere (and you know exactly who I mean).

Device protection for laptops, phones, and tablets
Which is especially relevant for people shopping, traveling, or working remotely through the holiday season.

It’s practical. It’s protective. And unlike most presents, it’s something they’ll use all year.

The post How To Protect Yourself from Black Friday and Cyber Monday AI Scams  appeared first on McAfee Blog.

It’s no longer possible to deny that your life in the physical world and your digital life are one and the same. Coming to terms with this reality will help you make better decisions in many aspects of your life.

The same identity you use at work, at home, and with friends also exists in apps, inboxes, accounts, devices, and databases, whether you actively post online or prefer to stay quiet. Every purchase, login, location ping, and message leaves a trail. And that trail shapes what people, companies, and scammers can learn about you, how they can reach you, and what they might try to take.

That’s why digital security isn’t just an IT or a “tech person” problem. It’s a daily life skill. When you understand how your digital life works, what information you’re sharing, where it’s stored, and how it can be misused, you make better decisions. This guide is designed to help you build that awareness and translate it into practical habits: protecting your data, securing your accounts, and staying in control of your privacy in a world that’s always connected.

The essence of digital security

Being digitally secure doesn’t mean hiding from the internet or using complicated tools you don’t understand. It means having intentional control over your digital life to reduce risks while still being able to live, work, and communicate online safely. A digitally secure person focuses on four interconnected areas:

Personal information

Your personal data is the foundation of your digital identity. Protecting it includes limiting how much data you share, understanding where it’s stored, and reducing how easily it can be collected, sold, or stolen. At its heart, personal information falls into two critical categories that require different levels of protection:

• Personally identifiable information (PII):This represents the core data that defines you, such as your name, contact details, financial data, health information, location history, Social Security number, driver’s license number, passport information, home address, and online behavior. Financial data such as bank account numbers, credit card details, and tax identification numbers also fall into this category. Medical information, including health insurance numbers and medical records, represents some of your most sensitive PII that requires the highest level of protection.
• Sensitive personal data:While not always directly identifying you, this type of information can be used to build a comprehensive profile of your life and activities. This includes your phone number, email address, employment details, educational background, and family information. Your online activities, browsing history, location data, and social media posts also constitute sensitive personal data that can reveal patterns about your behavior, preferences, and daily routines.

Digital accounts

Account security ensures that only you can access them. Strong, unique passwords, multi-factor authentication, and secure recovery options prevent criminals from hijacking your email, banking, cloud storage, social media, and other online accounts, often the gateway to everything else in your digital life.

Privacy

Privacy control means setting boundaries and deciding who can see what about you, and under what circumstances. This includes managing social media visibility, app permissions, browser tracking, and third-party access to your data.

Digital security is an ongoing effort as threats evolve, platforms change their policies, and new technologies introduce new risks. Staying digitally secure requires periodic check-ins, learning to recognize scams and manipulation, and adjusting your habits as the digital landscape changes.

Common exposure points in daily digital life

Your personal information faces exposure risks through multiple channels during routine digital activities, often without your explicit knowledge.

• Public Wi-Fi networks: When you connect to unsecured networks in coffee shops, airports, hotels, or retail locations, your internet traffic can be intercepted by cybercriminals using the same network. This puts your login credentials, banking information, and communications at risk, even on networks that appear secure.
• Data brokers: These companies gather data, often without your explicit knowledge, from public records, social media platforms, online purchases, and other digital activities to create your profile. They then sell this information to marketers, employers, and other interested parties.
• Social media: When you overshare details about your location, vacation plans, family members, workplace, or daily routines, you provide cybercriminals with valuable information for identity theft and social engineering attacks. Regular platform policy changes can reset your previously private information or expose you to data breaches.
• Third-party applications: Mobile apps, browser extensions, and online services frequently collect more data than necessary for their stated functionality, creating additional privacy risks for you. You could be granting these apps permission to access your personal data, contacts, location, camera, and other device functions without fully understanding how your data will be used, stored, or shared.
• Web trackers: These small pieces of code embedded in websites follow your browsing behavior, monitoring which sites you visit, how long you stay, what you click on, and even where you move your mouse cursor. Advertising networks use this information to build a profile of your interests and online habits to serve you targeted ads.

Core pillars of digital security

Implementing comprehensive personal data protection requires a systematic approach that addresses the common exposure points. These practical steps provide layers of security that work together to minimize your exposure to identity theft and fraud.

Minimize data sharing across platforms

Start by conducting a thorough audit of your online accounts and subscriptions to identify where you have unnecessarily shared more data than needed. Remove or minimize details that aren’t essential for the service to function. Moving forward, provide only the minimum required information to new accounts and avoid linking them across different platforms unless necessary.

Be particularly cautious with loyalty programs, surveys, and promotional offers that ask for extensive personal information, as they may share it with third parties. Read privacy policies carefully, focusing on sections that describe data sharing, retention periods, and your rights regarding your personal information.

If possible, consider using separate email addresses for different accounts to limit cross-platform tracking and reduce the impact if one account is compromised. Create dedicated email addresses for shopping, social media, newsletters, and important accounts like banking and healthcare.

Adjust account privacy settings

Privacy protection requires regular attention to your account settings across all platforms and services you use. Social media platforms frequently update their privacy policies and settings, often defaulting to less private configurations that allow them to collect and share your data. For this reason, it is a good idea to review your privacy settings at least quarterly. Limit who can see your posts, contact information, and friend lists. Disable location tracking, facial recognition, and advertising customization features that rely on your personal data. Turn off automatic photo tagging and prevent search engines from indexing your profile.

On Google accounts, visit your Activity Controls and disable Web & App Activity, Location History, and YouTube History to stop this data from being saved. You can even opt out of ad personalization entirely if desired by adjusting Google Ad Settings. If you are more tech savvy, Google Takeout allows you to export and review what data Google has collected about you.

For Apple ID accounts, you can navigate to System Preferences on Mac or Settings on iOS devices to disable location-based Apple ads, limit app tracking, and review which apps have access to your contacts, photos, and other personal data.

Meanwhile, Amazon accounts store extensive purchase history, voice recordings from Alexa devices, and browsing behavior. Review your privacy settings to limit data sharing with third parties, delete voice recordings, and manage your advertising preferences.

Limit app permissions

Regularly audit the permissions you’ve granted to installed applications. Many apps request far more permissions to your location, contacts, camera, and microphone even though they don’t need them. Cancel these unnecessary permissions, and be particularly cautious about granting access to sensitive data.

Use strong passwords and multi-factor authentication

Create passwords that actually protect you; they should be long and complex enough that even sophisticated attacks can’t easily break them. Combine uppercase letters, lowercase letters, numbers, and special characters to make it harder for attackers to crack.

Aside from passwords, enable multi-factor authentication (MFA) on your most critical accounts: banking and financial services, email, cloud storage, social media, work, and healthcare. Use authenticator apps such as Google Authenticator, Microsoft Authenticator, or Authy rather than SMS-based authentication when possible, as text messages can be intercepted through SIM swapping attacks. When setting up MFA, ensure you save backup codes in a secure location and register multiple devices when possible to keep you from being locked out of your accounts if your primary authentication device is lost, stolen, or damaged.

Alternatively, many services now offer passkeys which use cryptographic keys stored on your device, providing stronger security than passwords while being more convenient to use. Consider adopting passkeys for accounts that support them, particularly for your most sensitive accounts.

Enable device encryption and automatic backups

Device encryption protects your personal information if your smartphone, tablet, or laptop is lost, stolen, or accessed without authorization. Modern devices typically offer built-in encryption options that are easy to enable and don’t noticeably impact performance.

You can implement automatic backup systems such as secure cloud storage services, and ensure backup data is protected. iOS users can utilize encrypted iCloud backups, while Android users should enable Google backup with encryption. Regularly test your backup systems to ensure they’re working correctly and that you can successfully restore your data when needed.

Request data deletion and opt out from data brokers

Identify major data brokers that likely have your information and look for their privacy policy or opt-out procedures, which often involves submitting a request with your personal information and waiting for confirmation that your data has been removed.

In addition, review your subscriptions and memberships to identify services you no longer use. Request account deletion rather than simply closing accounts, as many companies retain data from closed accounts. When requesting deletion, ask specifically for all personal data to be removed from their systems, including backups and archives.

Keep records of your opt-out and deletion requests, and follow up if you don’t receive confirmation within the stated timeframe. In the United States, key data broker companies include Acxiom, LexisNexis, Experian, Equifax, TransUnion, Whitepages, Spokeo, BeenVerified, and PeopleFinder. Visit each company’s website.

Use only trusted, secure networks

Connect only to trusted, secure networks to reduce the risk of your data being intercepted by attackers lurking behind unsecured or fake Wi-Fi connections. Avoid logging into sensitive accounts on public networks in coffee shops, airports, or hotels, and use encrypted connections such as HTTPS or a virtual private network to hide your IP address and block third parties from monitoring your online activities.

Rather than using a free VPN service that often collects and sells your data to generate revenue, it is better to choose a premium, reputable VPN service that doesn’t log your browsing activities and offers servers in multiple locations.

Ongoing monitoring and maintenance habits

Cyber threats evolve constantly, privacy policies change, and new services collect different types of personal information, making personal data protection an ongoing process rather than a one-time task. Here are measures to help regularly maintain your personal data protection:

• Quarterly reviews: Set up a quarterly review process to examine your privacy settings across all platforms and services. Create a calendar reminder to check your social media privacy settings, review app permissions on your devices, and audit your online accounts for unused services that should be deleted.
• Credit monitoring: Monitor your financial accounts regularly for unauthorized activity and consider using credit monitoring services to alert you to potential identity theft.
• Breach alerts: Stay informed about data breaches in the services you use by signing up for breach notification services. If a breach occurs, this will allow you to take immediate action to change passwords, monitor affected accounts, and consider additional security measures for compromised services.
• Device updates: Enable automatic security and software updates on your devices, as these updates include important privacy and security improvements that protect you from newly discovered vulnerabilities.
• Education and awareness: Stay informed about new privacy risks, learn about emerging protective technologies, and share knowledge with family members and friends who may benefit from improved personal data protection practices.

By implementing these systematic approaches and maintaining regular attention to your privacy settings and data sharing practices, you significantly reduce your risk of identity theft and fraud while maintaining greater control over your digital presence and personal information.

Final thoughts

You don’t need to dramatically overhaul your entire digital security in one day, but you can start making meaningful improvements right now. Taking action today, even small steps, builds the foundation for stronger personal data protection and peace of mind in your digital life. Choose one critical account, update its password, enable multi-factor authentication, and you’ll already be significantly more secure than you were this morning. Your future self will thank you for taking these proactive steps to protect what matters most to you.

Every step you take toward better privacy protection strengthens your overall digital security and reduces your risk of becoming a victim of scams, identity theft, or unwanted surveillance. You’ve already taken the first step by learning about digital security risks and solutions. Now it’s time to put that knowledge into action with practical steps that fit seamlessly into your digital routine.

The post What Does It Take To Be Digitally Secure? appeared first on McAfee Blog.

The holidays are just around the corner and amid the hustle and bustle, many of us will fire up our devices to go online, order gifts, plan travel, and spread cheer. But while we’re getting festive, the cybercriminals are getting ready to take advantage of the influx of your good cheer to spread scams and malware.

With online shopping expected to grow by 7.9% year-on-year in the U.S. alone in 2025, according to Mastercard, and more people than ever using social media and mobile devices to connect, the cybercriminals have a lot of opportunities to spoil our fun. Using multiple devices provides the bad guys with more ways to access your valuable “digital assets,” such as personal information and files, especially if the devices are under-protected.

In this guide, let’s look into the 12 most common cybercrimes and scams of Christmas, and what you can do to keep your money, information, and holiday spirit safe.

The psychology of holiday fraud

The festive atmosphere, continued increase in online shopping activity, and charitable spirit that define the holidays create perfect conditions for scammers to exploit your generosity and urgency.

Not surprisingly, digital criminals become more active and professional during this period, driven even more by the increasing power of artificial intelligence. A new McAfee holiday shopping report revealed that 86% of consumers surveyed receive a daily average of 11 shopping-related text or email messages that seem suspicious. This includes 3 scam texts, 5 emails, and 3 social media messages. Meanwhile, 22% admit they have been scammed during a holiday season in the past.

Their scams succeed because they exploit the psychological and behavioral patterns that are rife during the holidays. The excitement and time pressure of holiday shopping often prevail over our usual caution, while the emotional aspects of gift-giving and charitable donations can be exploited and move us to be more generous. Meanwhile, scammers understand that you’re more likely to make quick purchasing decisions when the fear of missing out on limited-time offers overtakes your judgment or when you’re rushing to find the perfect gift before it’s too late.

Overall, the frenzied seasonal themes create an environment where criminals can misuse the urgency of their fake offers and cloud our judgment, making fraudulent emails and websites appear more legitimate, while you’re already operating under the stress of holiday deadlines and budget concerns. After all, holiday promotions and charity appeals are expected during this time of year.

Now that you understand the psychology behind the scams, it’s time to become more aware of the common scams that cybercriminals run during the holiday season.

The 12 Scams of Christmas

As you head online this holiday season, stay on guard and stay aware of scammers’ attempts to steal your money and your information. Familiarize yourself with the “12 Scams of Christmas” to ensure a safe and happy holiday season:

1. Social media scams

Many of us use social media sites to connect with family, friends, and co-workers over the holidays, and the cybercriminals know that this is a good place to catch you off guard because we’re all “friends,” right? Here are some ways that criminals will use these channels to obtain shoppers gift money, identity or other personal information:

• Be careful when liking pages, clicking on fake alerts from friends’ accounts that have been hacked, taking advantage of raffles, ads, and deals that you get from “friends,” or installing suspicious “holiday deal” apps that give your private data away. These links can automatically download malware onto your computer that can steal personal information.
• Ads announcing special discounts for popular gifts are especially popular, and utilize blind, shortened links, many of which could easily be malicious. Criminals are getting savvier with authentic-looking social ads and deals that direct you to fake websites. To take advantage of the deals or contests, scammers will ask you for personal information that will enable them to obtain your credit card number, email address, phone number, or home address.

2. Malicious mobile apps

As the popularity of smartphone apps has grown, so have the chances of you downloading a malicious application that steals your information or sends premium-rate text messages without your knowledge. Apps ask for more permissions than they need, such as access to your contacts or location.

If you unwrap a new smartphone this holiday season, make sure that you only download applications from official app stores and check other users’ reviews, as well as the app’s permission policies, before downloading. Software, such as McAfee Mobile Security, can also help protect you against dangerous apps.

3. Travel scams

Many of us travel to visit family and friends over the holidays. We begin our journey online by looking for deals on airfare, hotels, and rental cars. Before you book, keep in mind that scammers are looking to hook you with phony travel webpages with too-fantastic deals—beautiful pictures and rock-bottom prices—to deceive you into handing over your financial details and money.

Even when you’re already on the road, you need to be careful. Sometimes, scammers who have gained unauthorized access to hotel Wi-Fi will release a malicious pop-up ad on your device screen, and prompt you to install software before connecting. If you agree to the installation, it downloads malware onto your machine. To thwart such an attempt, it’s important that you perform a security software update before traveling.

4. Holiday spam/phishing

You are probably already familiar with email phishing and SMiShing messages containing questionable offers and links. The scammer will mimic a legitimate organization offering cheap Rolex watches and luxury products as the “perfect gift” for that special someone, or send a message posing as your bank with a holiday promo and try to lure you into revealing information or direct you to a fake webpage. Never respond to these scams or click on an included link. Be aware that real banks won’t ask you to divulge personal information via text message. If you have any questions about your accounts, you should contact your bank directly.

5. Quishing

QR code phishing, or “quishing,” has emerged as a significant new threat during holiday shopping seasons. In this scam method, cybercriminals place malicious QR codes in holiday advertisements posted on social media or printed flyers, parking meters and payment kiosks at shopping centers, or at restaurant tables during holiday dining. They could also email attachments claiming to offer exclusive holiday deals or fake shipping labels placed over legitimate tracking QR codes.

6. The new iPad, iPhone, and other hot holiday gift scams

The kind of excitement and buzz surrounding Apple’s new iPad and iPhone is just what cybercrooks dream of when they plot their scams. They will mention must-have holiday gifts in dangerous links, phony contests, and phishing emails to grab your attention. Once they’ve caught your eye, they will again try to get you to reveal personal information or click on a dangerous link that could download malware onto your machine. Be suspicious of any deal mentioning hot holiday gift items—especially at extremely low prices—and try to verify the offer with the real retailer involved.

7. Bogus HR and bonus emails

Cybercriminals exploit employee expectations of year-end communications by creating fake emails that appear to come from your HR department. These messages often claim to contain annual bonus information, updated benefits packages, or mandatory holiday attendance announcements. These scams are particularly effective because they prey on legitimate employee concerns about compensation, benefits, and personal time off during the holiday season. The emails often feature real-looking company logos, proper formatting, and even references to company policies to increase their credibility.

8. Bogus gift cards

Gift cards are probably the perfect gift for some people on your holiday list. Given their popularity, cybercriminals can’t help but want to get in on the action by offering bogus gift cards online. Be wary of buying gift cards from third parties. It’s best to buy from the official retailer. Just imagine how embarrassing it would be to find out that the gift card you gave your mother-in-law was fraudulent!

9. Phony e-tailers

No matter what gift you’re looking for, chances are you can find it quickly and easily online, but you still want to be careful in selecting which site to shop. By promoting great deals, phony e-commerce sites will try to convince you to type in your credit card number and other personal details. After obtaining your money and information, you never receive the merchandise, and your personal information is put at risk. To prevent falling victim to bogus e-commerce stores, shop only at trusted and well-known e-commerce sites. If you’re shopping on a site for the first time, check other users’ reviews and verify that the phone number listed on the site is legitimate.

10. Fake charities

This is one of the biggest scams of every holiday season. As we open our hearts and wallets, the bad guys will send spam emails and pretend to be a real charity in the hope of getting in on the giving. Their emails will sport a stolen logo and copycat text, or come from an entirely invented charity. If you want to give, it’s always safer to visit the charity’s legitimate website, and do a little research about the charity before you donate.

11. Dangerous e-cards

E-cards are a popular way to send a quick “thank you” or holiday greeting. While most e-cards are safe, some are malicious and may contain spyware or viruses that download onto your computer once you click on the link to view the greeting. Before clicking, look for clues that the e-card is legitimate. Make sure it comes from a well-known e-card site by checking the domain name of the included link. Also check to see that the sender is someone you actually know, and that there are no misspellings or other red flags that the card is a fake.

12. Fake shipping and delivery notices

With increased package deliveries during the holiday season, fake shipping notifications have become a common attack. These messages claim to be from legitimate shipping companies such as UPS, FedEx, or DHL, informing you of package delivery attempts or shipping delays. To complete the delivery, these notices will ask you to click on malicious links or attachments that will download malware or direct you to fake websites that will steal personal information. The timing of these attacks coincides with legitimate increased shipping activity, making them harder to distinguish from authentic communications. To track your deliveries, it is best to check the shipping company’s real website or through the trusted platform from which you ordered the product.

Protect yourself from scams during the holidays and year-round

Knowing about these common scam tactics is only the first step toward protecting yourself and those you care about. The next step is for you to learn and implement practical, effective strategies to stay safe while still enjoying digital holiday shopping and giving.

• Stay suspicious: Be wary of any offer that sounds extremely unrealistic, such as 90% discounts on luxury brands, and always learn to spot telltale signs of a fake marketing promotion such as low-resolution images, high-pressure tactics, misspellings, poor grammar, or odd links.
• Practice safe surfing: Find out if a website is potentially dangerous before you click on it by using a safe search plug-in such as McAfee Web Protection, which blocks malware and phishing sites if you accidentally click on a malicious link, alerts you if you type a web address incorrectly and points you in the right direction, and scans your downloads and alerts you if there’s a known risk.
• Shop mindfully: Stick to reputable e-commerce sites and platforms, and look for a trustmark that indicates that the site has been verified as safe by a reliable third-party. Also, look for a lock symbol beside the HTTPS at the beginning of the web address to see if the site uses encryption to protect your data.
• Check before clicking: Don’t click on any links in messages from people you don’t know. If you come across a shortened URL, use a URL expander to see where the link directs to before you click.
• Be cautious of high-pressure tactics: Legitimate businesses and charities will respectfully give you time to make purchase or donation decisions. Be suspicious of organizations that pressure you to buy or give immediately. Charities specifically should be able to provide written information about their programs and financial management.
• Use strong passwords: Make sure your passwords are at least 12 characters long with randomly combined letters, numbers, and characters. Avoid reusing the same password across your important accounts, and never share your passwords with anyone.
• Monitor your financial accounts actively: During peak shopping periods, review your bank and credit card statements at least once daily for charges you don’t recognize, even small ones that scammers sometimes use to test stolen card information. Set up account alerts for all transactions, low balances, and any changes to your account information.
• Use credit instead of debit: When shopping online or in unfamiliar locations, use credit cards rather than debit cards. Credit cards typically offer better fraud protection, and fraudulent charges don’t immediately affect your bank account balance.
• Monitor your credit reports: Check your credit reports regularly for new accounts or inquiries you didn’t authorize. The FTC provides free annual credit reports through AnnualCreditReport.com, and many services now offer free ongoing credit monitoring.
• Consider temporary credit freezes: If you’re not planning to apply for new credit during the holidays, consider placing a temporary freeze on your credit reports to prevent scammers from opening new accounts in your name, and you can lift the freeze quickly when needed.
• Recognize red flags: Holiday-themed phishing attempts abound during the season, making it crucial to identify and avoid suspicious communications. Closely check email addresses and phone numbers from unexpected communications, be suspicious of urgent language, watch for poor grammar and spelling, and don’t just click any link or scan any QR code.
• Practice safe app downloads and installation: If you gift yourself with a new device this holiday season, download only well-reviewed apps developed by legitimate developers and sourced from official sources such as the Apple App Store, Google Play Store, or Microsoft Store. When installing, limit the app’s permission to only what it needs to function.
• Keep apps updated: Regularly update your apps to ensure you have the latest security patches. Enable automatic updates when possible, and review what’s being updated periodically. Remove apps you no longer use.
• Use a complete security solution: With the growing sophistication of scams coming in from all fronts of technology, you will need comprehensive protection with antivirus, antispyware, antispam, and a firewall. McAfee+ can help protect all of your devices—PCs, laptops, smartphones, and tablets—from AI-driven malware, phishing, spyware, and other common and emerging threats.
• Educate yourself and your family: Keep increasing your knowledge of the latest scams and tricks cybercriminals use so you can recognize and avoid potential attacks. You can find helpful information on the McAfee Blogs and the McAfee Guides.

Final thoughts

The holiday season brings joy and connection, but it’s also a time when scammers work hardest to exploit your festive but rushed and distracted spirit. Effective Christmas scam prevention starts with awareness. By slowing down and taking a moment to verify before you click or buy, and using layered cybersecurity protections, you can worry about one less thing and focus on what matters most this season.

Stay security-conscious without letting fear diminish your holiday enjoyment and pursue your digital holiday activities with the right knowledge and tools. We hope that the specific, actionable protections will help you identify red flags, verify legitimate offers, secure your devices and accounts, and respond effectively to suspicious activity. Stay informed by following trusted sources for the latest cybersecurity tips during the holidays, and make this season about celebrating safely with the people you care about most.

Send the link to this page to your family and friends to increase their awareness and take steps to protect themselves.

The post The Top 12 Scams Of Christmas To Watch Out For appeared first on McAfee Blog.

Thanksgiving—not before Halloween as we see things in stores and online now. It seems like the holiday season and decorations start earlier and earlier every year.

But one thing that hasn’t changed is that Black Friday is still a big shopping day. With the advent of online shopping has emerged Cyber Monday, another big sale day for online shoppers on the first Monday after Thanksgiving.

Although many of us may take advantage of these great deals that the holidays offer, we also need to be aware of the risks. Online shopping is a fun and convenient way to make purchases, locate hard-to-find items, and discover bargains, but we need to take steps to protect ourselves.

This guide looks at the methods and warning signs behind online shopping scams, shows you how to recognize fake shopping apps and websites, and shares tips for staying safe online.

Online shopping safety amid growing e-commerce concerns

Online shopping has become a cornerstone of American life. CapitalOne Shopping projects American online spending to reach $1.34 trillion in 2024 and exceed $2.5 trillion in 2030.

With such a massive sum at stake, cybercriminals are laser-focused on taking a share of it, posing financial risk to the 288 million Americans who shop online. As e-commerce grows, so does fraud. In 2024, e-commerce fraud was valued at $44.3 billion, a number seen to grow by 141% to $107 billion in 2029.

Be that as it may, there are many smart shopping habits you can apply to dramatically reduce your risk of becoming a victim of online shopping fraud and enjoy the convenience and benefits of online commerce.

Common online shopping scams

Online shopping scams are designed to look normal—at first glance—especially during busy sale seasons when we’re distracted by a million preparations, moving fast, and chasing deals. These are the very circumstances that fraudsters bank on to victimize you into taking the bait. Being aware of the common scam indicators will help you pause and think, recognize trouble early, and protect both your money and your personal information.

• Non-delivery scams: You pay for items that never arrive, often from fake storefronts or fraudulent sellers who disappear with your money. The seller might have required you to pay through a wire transfer, cryptocurrency, or gift card, methods that are indisputable and untraceable. If you check the website, it may look new and have no customer reviews or suspiciously have only perfect 5-star ratings. It may also offer prices that are significantly below market value.
• Counterfeit goods scams: You receive knock-off products instead of authentic brand-name items, particularly affecting electronics, cosmetics, and luxury goods. On closer inspection, you will notice spelling errors in brand names or product descriptions, the prices seem too good to be true for premium brands, and sellers have no proof of authenticity or authorized dealer status.
• Bait-and-switch scams: Attractive deals lure you in, but you’re pressured to buy different, more expensive items or receive products that don’t match what was advertised. This type of scam is usually characterized by items that are always “out of stock,” but offer readily available, more expensive alternatives. The seller also applies high-pressure sales tactics or limited-time offers that prevent you from comparison shopping, while the product descriptions are vague or don’t match the images shown.
• Refund and overpayment scams: In this scheme, scammers will pose as buyers who “accidentally” overpay you for items you’re selling, then request you to refund the difference before their original payment bounces. They will also use payment methods that can be reversed such as checks or money orders, then ask for a refund and suggest sending shipping companies to collect items before the payment clears.
• Website and marketplace impersonations: Fake websites designed to look like legitimate popular brands can steal your payment information and personal data. Watch out for websites that have slightly misspelled URLs or don’t use secure HTTPS encryption as marked by the padlock icon in your browser, as well as missing or incomplete contact information, privacy policies, or terms of service.
• Product return fraud: Scammers exploit return policies by selling you used, damaged, or counterfeit items while making returns and refunds difficult or impossible through fake or non-existent customer service. Their return policies are overly complicated, buried in fine print, or require original packaging that wasn’t provided. They will disappear from marketplaces immediately after the return period expires.

A guide to knowing if a shopping website is legit

Safe online shopping starts with recognizing the hallmarks of legitimate retailers. Before you enter any payment details, take a moment to verify that the website you’re shopping on is genuine. Scam stores can look polished and convincing, but they often leave behind subtle clues. Here are quick ways to check their authenticity:

1. Verify the website URL: By typing the URL directly into your browser rather than clicking links from emails or ads, you will avoid typosquatting scams—fake websites with URLs that look almost identical to real retailers, except for slight misspellings. Look for clear return and shipping policies. Read the fine print to understand your rights if something goes wrong.
2. Confirm physical address and customer service: Real businesses provide multiple ways to contact them, including a physical address, phone number, and email.
3. Evaluate pricing for realism: The prices are too good to be true, especially for high-demand or hard-to-find items. Many legitimate retailers now offer price-matching policies, allowing you to get market-average or competitive prices.
4. Check for verified customer reviews: Look for reviews on independent platforms like Google, Yelp, or Trustpilot rather than relying solely on testimonials on the retailer’s website. Cross-reference feedback across multiple platforms.
5. Ensure secure payment options: Look for HTTPS in the URL and avoid sites that only accept wire transfers, gift cards, peer-to-peer payment apps, or cryptocurrency. For online purchases, check that the seller offers secure payment options with dispute protection, such as digital wallets and/or credit cards.
6. Research domain age and registration: Use WHOIS lookup tools to check when the domain was registered. Fraudulent sites are usually newly created domains designed to disappear quickly after collecting payments. In addition, established retailers and official brand websites have invested heavily in solid security infrastructure and payment processing, customer protection programs, fraud prevention systems, and long-standing relationships with credit card companies that smaller or unknown sellers often lack.
7. Check the Better Business Bureau: Search for the seller’s company on the Better Business Bureau to see their rating, complaint history, and accreditation status, and help you identify potential risks before making a purchase.
8. Pay attention to browser safety warnings: Modern browsers like Chrome, Firefox, and Safari will warn you about potentially dangerous or untrustworthy sites. Google’s Safe Browsing technology blocks millions of unsafe sites daily, so don’t ignore these warnings when they appear. Some comprehensive security tools also include web protection that alert you against dangerous links and downloads, malicious websites, and more.
9. Verify secure checkout processes: Legitimate sites use SSL (Secure Sockets Layer) encryption during checkout, which you can confirm by looking for “https://” and a lock icon in your browser’s address bar.

11 Tips for safe holiday shopping online

• Be extra vigilant: Cybercriminals send millions of fake shopping emails that contain suspicious links, with the aim of exploiting your anxiety over catching that amazing deal or deliveries. For example, you might receive an unexpected “Amazon Prime renewal” email or a text from UPS, FedEx, or other carriers when you didn’t purchase anything online. These phishing emails and texts contain malicious links designed to steal your personal information or install malware on your devices. Don’t click the link. Verify delivery notifications through your account or the carrier’s official website or app, then delete the scam email or text immediately.
• Stick with trusted sellers: When shopping on marketplaces, stick with your trusted online retailers and sellers with high ratings, extensive review histories, and “fulfilled by” programs where the main platform handles shipping and returns. Download retailer apps directly from official app stores rather than third-party sources, as these include enhanced security features and exclusive customer protections.
• Check the site’s web address: Always type retailer URLs directly into your browser’s address bar or use your bookmarks. Once you arrive at a site, make sure it is the correct URL such as www.amazon.com and not www.amazan.com. Purchase directly from official brand websites or authorized retailers, and verify seller credentials through the brand’s official dealer locator when shopping on marketplaces.
• Check that the site is secure: Some people cannot tell if a site is secure. Some things to look for on a secure site include:
  • A web address that starts with HTTPS instead of HTTP, indicating that encryption is used to protect your information.
  • A lock symbol beside the URL, proper SSL certificates, and several contact methods.
  • A security seal, such as the McAfee SECURE trustmark, indicating that the site has been scanned and verified as secure by a trusted third party. This security seal indicates that the site will help protect you from identity theft, credit card fraud, spam, and other malicious threats.
• Pay with a credit card or digital wallet: Credit cards offer better protection against fraud than debit cards. You won’t be liable for fraudulent purchases, while cyberthieves won’t be able to drain your bank account if they get your account log-in credentials. Better yet, use a virtual credit card number or a digital wallet such as Apple Pay or Google Pay to prevent your actual card details from being stored on merchant sites. Also, avoid storing your credit card information on new or questionable sites to reduce your exposure if those sites experience security breaches.
• Take note of shipping and return policies: Always review shipping timelines, return windows, and refund policies before completing your purchase. Not reading the fine print can leave you stuck with unwanted purchases or unexpected fees.
• Validate social media sellers: Shopping directly through social media platforms or unknown sellers bypasses traditional consumer safeguards. Before you buy from a social media seller, verify their legitimacy, check for customer reviews outside the platform, and use payment methods that offer dispute resolution.
• Keep communications on-platform: Never move conversations or payments outside the marketplace platform. Scammers often try to lure buyers to external communication channels or direct payment methods to circumvent buyer protections. Legitimate sellers understand that platform policies protect both parties and will keep all interactions within the official channels.
• Do not use a public computer or Wi-Fi when shopping online: Strangers may be able to access your browsing history and even your login information on shared devices or over unsecured public Wi-Fi. To protect yourself, do all of your online shopping from your home computer or your personal mobile device.
• Make sure you have a clean computer or mobile device: Make sure you have up-to-date security software on all your devices to safeguard your privacy, protect against identity theft, and defend against viruses and online threats.
• Keep a paper trail: Take a screenshot of product listings and advertisements before purchasing. Keep a copy of your order number and receipt, and note which credit card you used. When you receive your credit card statement, review it to make sure that the charge on your card is correct, with no extra fees.

The FTC also recommends these additional tips so you can enjoy all the advantages that online shopping has to offer and prevent risking your personal information.

Immediate steps to take if you ordered from a fake online store

1. Contact your credit card issuer immediately: Call the customer service number on the back of your card once you realize you’ve been scammed. Request a chargeback and explain that you received counterfeit goods, nothing at all, or that the merchant was fraudulent. You usually have 60 days from your statement date to dispute charges, but acting quickly improves your chances of a successful resolution.
2. Freeze or replace your payment card: Contact your bank or card issuer to freeze your current card and request a new account to prevent more unauthorized charges. If you used a debit card, this step is especially critical since debit card fraud protections are more limited than credit cards.
3. Change your passwords and enable two-factor authentication: If you created an account on the fake website, change your password immediately on your real account and any linked accounts such as email, banking, and social media. Enable two-factor authentication and think about using a password manager to generate and store unique passwords for each account.
4. Report the fraudulent seller to the platform or hosting service: Protect other consumers by reporting the fake store. If the site appeared in search results or social media ads, report it to those platforms. You can also report fraudulent websites to their hosting companies to take down fraudulent sites once notified.
5. File reports with federal and state authorities: Report the scam to the Federal Trade Commission (FTC) and the Internet Crime Complaint Center (IC3) to help authorities track scam trends and assist in investigations. Additionally, contact your state’s attorney general office, as many have consumer protection divisions that handle online fraud.
6. Save and organize all evidence: Document everything related to your purchase in both digital and printed formats: screenshots of the website, confirmation emails, receipts, payment records, and any communication with the seller. Save copies of your credit card or bank statements showing the charge. These documents are essential for your chargeback dispute and law enforcement investigations.
7. Monitor your credit report and identity closely: Keep a close eye on your bank and credit card statements, as well as credit reports from all three major bureaus—Experian, Equifax, and TransUnion—for suspicious activity, and place a fraud alert or credit freeze on your accounts if you’re concerned about identity theft.
8. Follow up on your chargeback and dispute process: Stay in regular contact with your credit card company about your dispute and provide additional documents promptly if requested. Be patient and persistent as the investigation process could take up to 90 days.

Final thoughts

Online shopping should feel exciting, not a dangerous undertaking you have to brace for, especially during the season of giving. It can be, with a few simple steps—checking the URL, looking for HTTPS, verifying the seller, paying with a credit card or virtual number, and trusting your gut when something feels suspicious. These small habits will keep your money and your identity where they belong: with you.

For increased safety while shopping online, seek out the help of a trusted security solution such as McAfee+ that will alert you of risky links and compromised websites to prevent identity theft or malware infection.

If this guide helps you, pass it along to someone you care about. Scams don’t just target individuals—they cascade into families and friend groups. The more we normalize safe shopping habits and increase our vigilance, the harder it is for fraudsters to win. If you ever feel unsure mid-purchase, take a breath and double-check. A few extra seconds now can save you a lot of stress later. Stay safe, and happy shopping!

The post Helpful Tips for Safe Online Shopping appeared first on McAfee Blog.

Even as passkeys and biometric sign-ins become more common, nearly every service still relies on a password somewhere in the process—email, banking, social media, health portals, streaming, work accounts, and device logins.

Most people, however, don’t realize the many ways we make our accounts vulnerable due to weak passwords, enabling hackers to easily crack them. In truth, password security isn’t complicated once you understand what attackers do and what habits stop them.

In this guide, we will look into the common mistakes we make in creating passwords and offer tips on how you can improve your password security. With a few practical changes, you can make your accounts dramatically harder to compromise.

Password security basics

Modern password strength comes down to three truths. First, length matters more than complexity. Every extra character multiplies the number of guesses an attacker must make. Second, unpredictability matters because attack tools prioritize the most expected human choices first. Third, usability matters because rules that are painful to follow lead to workarounds like reuse, tiny variations, or storing written passwords in unsafe ways. Strong password security is a system you can sustain, not a heroic one-time effort.

Protection that strong passwords provide

Strong passwords serve as digital barriers that are more difficult for attackers to compromise. Mathematically, password strength works in your favor when you choose well. A password containing 12 characters with a mix of uppercase letters, lowercase letters, numbers, and symbols creates over 95 trillion possible combinations. Even with advanced computing power, testing all these combinations requires substantial time and resources that most attackers prefer to invest in easier targets.

This protection multiplies when you use a unique password for each account. Instead of one compromised password providing access to multiple services, attackers must overcome several independent security challenges, dramatically reducing your overall risk profile.

Benefits of good password habits

Developing strong password security habits offers benefits beyond protecting your accounts. These habits contribute to your overall digital security posture and create positive momentum for other security improvements, such as:

• Reduced attack success: Strong, unique passwords make you a less attractive target for cybercriminals who prefer easier opportunities.
• Faster recovery: When security incidents do occur, good password practices limit the scope of damage and accelerate recovery.
• Peace of mind: Knowing your accounts are well-protected reduces anxiety about potential security threats.
• Professional credibility: Good security habits demonstrate responsibility and competence in professional settings.
• Family protection: Your security practices often protect family members who share devices or accounts.

The impact of weak passwords

On the other hand, weak passwords are not just a mild inconvenience. They enable account takeovers and identity theft, and can become the master key to your other accounts. Here’s a closer look at the consequences:

Your digital identity becomes someone else’s

Account takeover happens when cybercriminals gain unauthorized access to your online accounts using compromised credentials. They could impersonate you across your entire digital presence, from email to social media. For instance, they can send malicious messages to your contacts, make unauthorized purchases, and change your account recovery information to lock you out permanently.

The effects of an account takeover can persist for years. You may discover that attackers used your accounts to create new accounts in your name, resulting in damaged relationships and credit scores, contaminated medical records, employment difficulties, and legal complications with law enforcement.

The immediate and hidden costs of financial loss

Financial losses from password-related breaches aren’t limited to money stolen from your accounts. Additional costs often include:

• Bank penalty fees from overdrawn accounts
• Needing to hire credit monitoring services to prevent future fraud
• Legal fees for professional help resolving complex cases
• Lost income from time spent dealing with fraud resolution
• Higher insurance premiums due to damaged credit

The stress and time required to resolve these issues also affect your overall well-being and productivity.

Your personal life becomes public

Your passwords also guard your personal communications, private photos, confidential documents, and intimate details about your life. When these barriers fail, you could find your personal photos and messages shared without consent, confidential business information in competitors’ hands. The psychological, emotional, and professional impact of violated trust can persist long after the immediate crisis passes.

15 tips for better password security: Small steps, big impact

You can dramatically improve your password security with relatively small changes. No need to invest in expensive or highly technical tools to substantially improve your security. Here are some simple tips for better password security:

1) Long passwords are better than short, “complex” passwords

If you take away only one insight from this article, let it be this: password length is your biggest advantage. A long password creates a search effort that brute force tools will take a long time to finish. Instead of trying to remember short strings packed with symbols, use passphrases made of several unrelated words. Something like “candle-river-planet-tiger-47” is both easy to recall and extremely hard to crack. For most accounts, 12–16 characters is a solid minimum; for critical accounts, longer is even better.

2) Never reuse passwords

Password reuse is the reason credential stuffing works. When one site is breached, attackers immediately test those leaked credentials on other services. If you reuse those credentials, you have effectively given the keys to your kingdom. Unique passwords can block that entry. Even if a shopping site leaks your password, your email and banking stay protected because their passwords are different.

3) Don’t use your personal information

Attackers always try the obvious human choices first: names, birthdays, pets, favorite teams, cities, schools, and anything else that could be pulled from social media or public records. Even combinations that feel “creative,” such as a pet name plus a year, tend to be predictable to cracking tools. Your password should be unrelated to your life.

4) Avoid patterns and common substitutions

In the past, security experts encouraged people to replace letters with symbols such as turning “password” into “P@ssw0rd” and calling it secure. That advice no longer holds today, as attack tools catch these patterns instantly. The same goes for keyboard walks (qwerty, asdfgh), obvious sequences (123456), and small variations like “MyPassword1” and “MyPassword2.” If your password pattern makes sense to a human, a modern cracking tool will decipher it in seconds.

5) Use a randomness method you trust

Humans think they’re random, but they aren’t. We pick symbols and words that look good together, follow habits, and reuse mental templates. Two reliable ways to break that habit are using Diceware—an online dice-rolling tool that selects words from a list—and password generators, which create randomness better than your human brain. In addition, the variety of characters in your password impacts its strength. Using only lowercase letters gives you 26 possible characters per position, while combining uppercase, lowercase, numbers, and symbols expands this to over 90 possibilities.

6) Match password strength to account importance

Not every account needs the same level of complexity, but every account needs to be better than weak. For email, banking, and work systems, use longer passphrases or manager-generated passwords of 20 characters or more. For daily convenience accounts such as shopping or social media, a slightly shorter but still unique passphrase is fine. For low-stakes logins you rarely use, still keep at least a 12-character unique password. This keeps your accounts secure without being mentally exhausting.

7) Turn on multi-factor authentication where possible

Multi-factor authentication (MFA) adds a second checkpoint in your security, stopping most account takeovers even if your password leaks. Authenticator apps are stronger than SMS codes, which can be intercepted in SIM-swap attacks. Hardware or physical security keys are even stronger. Start with your email and financial accounts, then expand to everything that offers MFA.

8) Learn to spot phishing scams to prevent stolen passwords

A perfect password is useless if you type it into the wrong place. Phishing attacks work by imitating legitimate login pages or sending urgent messages that push you to click. Build the habit of checking URLs in unsolicited emails or texts, being wary of pressure tactics, and taking a moment to question the message. When in doubt, open a fresh tab and navigate to the service directly.

9) Avoid signing in on shared devices

You may not know it, but shared computers may carry keyloggers, unsafe browser extensions, or saved sessions from other users. If you have no choice but to sign in using a shared device, don’t allow the browser to save your log-in details, log out fully afterward, and change the password later from your own device.

10) Be careful with public Wi-Fi

On public networks in places like such as cafes or airports, cybercriminals could be prowling for their next victim. Attackers sometimes create fake hotspots with familiar names to trick people into connecting. Even on real public Wi-Fi, traffic can be intercepted. The safest choice is to avoid logging into sensitive accounts on public networks. If you must use public Wi-Fi, protect yourself by using a reputable virtual private network and verify the site uses HTTPS.

11) Ensure your devices, apps, and security tools are updated

Many password thefts happen as a result of compromised devices and software. Outdated operating systems and browsers can contain security vulnerabilities known to hackers, leading to malware invasion, session hijacking, or credential harvesting. The best recourse is to set up automatic updates for your OS, browser, and antivirus tool to remove a huge chunk of risk with no additional effort from you.

12) Use a reputable password manager

Password managers solve two hard problems at once: creating strong unique passwords and remembering them. They store credentials in an encrypted vault protected by a master password, generate high-entropy passwords automatically, and often autofill only on legitimate sites (which also helps against phishing). In practice, password managers are what make “unique passwords everywhere” feasible.

13) Protect your password manager like it’s your digital vault

Among all others, your master password that opens your password manager is the one credential you must memorize. Make it long, passphrase-style, and make sure you have never reused it anywhere else. Then add MFA to the manager itself. This makes it extremely difficult for someone to get into your vault even if they somehow learn your master password.

14) Audit and update passwords when there’s a reason

The old “change every 90 days no matter what” guideline could backfire, leading to password-creation fatigue and encouraging people to make only tiny predictable tweaks. A smarter approach is to update only when something changes in your risk: a breach, a suspicious login alert, or a health warning from your password manager. For critical accounts, doing a yearly review is a reasonable rhythm.

15) Reduce your attack surface by cleaning up old accounts

Unused accounts are easy to forget and easy to compromise. Delete services you don’t use anymore, and review which third-party apps are connected to your Google, Apple, Microsoft, or social logins. Each unnecessary connection is another doorway you don’t need open.

Practical implementation strategies for passphrases

As mentioned in the tips above, passphrases have become the better, more secure alternative to traditional passwords. A passphrase is essentially a long password made up of multiple words, forming a phrase or sentence that’s meaningful to you but not easily guessed by others.

Attackers use sophisticated programs that can guess billions of predictable password combinations per second using common passwords, dictionary words, and patterns. But when you string together four random words, you create over 1.7 trillion possible combinations, even though the vocabulary base contains only 2,000 common words.

Your brain, meanwhile, is great at remembering stories and images. When you think “Coffee Bicycle Mountain 47,” you might imagine riding your bike up a mountain with your morning coffee, stopping at mile marker 47. That mental image sticks with you in ways that “K7#mQ9$x” never could.

The approach blending unpredictability and the human ability to remember stories offers the ideal combination of security and usability.

To help you create more effective passphrases, here are a few principles you can follow:

• Use unrelated words: Choose words that don’t naturally go together. “Sunset beach volleyball Thursday” is more predictable than “elephant tumbler stapler running” because the first phrase contains related concepts.
• Add personal meaning: While the words shouldn’t be personally identifiable, you can create a mental story or image that helps you remember them. This personal connection makes the passphrase memorable without making it guessable.
• Avoid quotes and common phrases: Don’t use song lyrics, movie quotes, or famous sayings. These appear in dictionaries and can be vulnerable to specialized attacks.
• The sentence method: Create a memorable sentence and use the first letter of each word, plus some numbers or punctuation. “I graduated from college in 2010 with a 3.8 GPA!” becomes “IgfCi2010wa3.8GPA!” This method naturally creates long, unique passwords.
• The story method: Create a memorable short story using random elements and turn it into a passphrase. “The purple elephant drove a motorcycle to the library on Tuesday” becomes “PurpleElephantMotorcycleLibraryTuesday” or can be used as-is with spaces.
• The combination method: Combine a strong base passphrase with site-specific elements. For example, if your base is “CoffeeShopRainbowUnicorn,” you might add “Amazon” for your Amazon account: “CoffeeShopRainbowUnicornAmazon.”
• Use mixed case: For maximum security, the mixed-case approach capitalizes on random letters within words: “coFfee biCycLe mouNtain 47.” This dramatically increases entropy while remaining typeable.
• Add symbols: When used sparingly, this technique adds complexity. You can separate the words or substitute some letters with random symbols. But make sure you will remember them.
• Use words from other languages: Multi-language passphrases offer a layer of security, assuming you’re comfortable with multiple languages. “Coffee Bicicleta Mountain Vier” combines English, Spanish, and German words, creating combinations that appear in no standard dictionary.
• Personalize it: For the security-conscious, consider adding random elements that hold personal meaning, as long as this information isn’t publicly available. It could be the coordinates of a special place or a funny inside story within your family.

Password managers: Your password vault

Password managers are encrypted digital vaults that store all your login credentials behind a single master password. They are your personal security assistant that never forgets, never sleeps, and constantly works to keep your accounts protected with unique, complex passwords.

Modern password managers create passwords that are truly random, combining uppercase and lowercase letters, numbers, and special characters in patterns that are virtually impossible for cybercriminals to guess or crack through brute force attacks. These passwords typically range from 12 to 64 characters long, exceeding what most people could realistically remember or type consistently.

Encryption scrambles your passwords

The encrypted format scrambles your passwords using advanced cryptographic algorithms before being saved. This means that even if someone gained access to your password manager’s servers, your actual passwords would appear as meaningless strings of random characters without the encryption key. Only you possess this key through your master password.

The auto-fill functionality also offers convenience, recognizing the login page of your account and instantly filling in your username and password with a single click or keystroke. This seamless process happens across operating systems, browsers, and devices—your computer, smartphone, and tablet—keeping your credentials synchronized and accessible wherever you need them.

Choose a reputable password manager

Selecting the right password manager requires careful consideration of several factors that directly impact your security and user experience.

The reputation and track record of the company offering the password manager should be your first consideration. Look for companies that have been operating in the security space for several years and have a transparent approach to security practices.

Reputable companies regularly undergo independent security audits by third-party cybersecurity firms to examine the password manager’s code, encryption methods, and overall security architecture. Companies that publish these audit results demonstrate transparency and commitment to security.

Also consider password managers that use AES-256 encryption, currently the gold standard for data protection used by government agencies and financial institutions worldwide. Additionally, ensure the password manager employs zero-knowledge architecture, meaning the company cannot access your passwords even if they wanted to.

Intuitive user interface, reliable auto-fill functionality, responsive customer support, and ease of use should be checked as well. A password manager that is confusing to navigate or constantly malfunctions will likely be abandoned, defeating the purpose of improved password security.

Choose a solution that offers other features aside from the basic password storage. Modern password managers often include secure note storage for sensitive information such as Social Security numbers, passport details, password sharing capabilities for family accounts, and dark web monitoring that alerts you if your credentials appear in data breaches.

Final thoughts

Strong password security doesn’t have to be complicated. Small changes you make today can dramatically improve your digital security. By creating unique, lengthy passwords or passphrases for each account and enabling multi-factor authentication on your most important services, you’re taking control of your online safety.

Consider adopting a reputable password manager to simplify the process while maximizing your protection. It’s one of the smartest investments you can make for your digital security.

The post 15 Vital Tips To Better Password Security appeared first on McAfee Blog.

Social media platforms connect you to thousands of people worldwide. But while these platforms offer incredible opportunities for bonding, learning, and entertainment, they also present personal security challenges. Navigating them safely requires being aware of risks and proactively protecting your accounts.

The three most common risks you’ll encounter are privacy exposure, account takeover, and scams. Privacy exposure occurs when your personal information becomes visible to unintended audiences, potentially leading to identity theft, stalking, or professional damage. You have control over your social media security. By implementing safe social media practices, you can dramatically reduce your risk exposure.

This guide rounds up 15 practical, everyday tips to help you secure your accounts and use them more safely. It covers smart posting habits, safer clicking and app-permission choices, stronger privacy settings, and core security basics like using updated browsers, reliable protection tools, and identity-theft safeguards—so you can enjoy social media without making yourself an easy target.

Before we dive in, we want to remind you first that our strongest recommendation amid anything and everything unsolicited, unusual, or suspicious on social media is this: verify, verify, verify through separate communication channels such as phone, email, and official websites.

15 top tips to stay safer on social media

1. Realize that you can become a victim at any time.

Not a day goes by when we don’t hear about a new hack. With 450,000 new pieces of malware released to the internet every day, security never sleeps. For your increased awareness, here’s a short list of the most common social media scams:

• Giveaway and lottery scams: Fake contests promising expensive prizes like iPhones, gift cards, or cash in exchange for personal information or payment of “processing fees” before you can claim your prize.
• Impersonation scams: Criminals create fake profiles mimicking friends, family members, celebrities, or trusted organizations to build false relationships and extract money or information from you. One warning sign is that the direct message, link, or post will originate from accounts with limited posting history or generic profile photos.
• Romance scams: Fraudsters develop fake romantic relationships on social platforms over time, eventually requesting money for emergencies, travel, or other fabricated situations. Never send money to someone you’ve only met online and use reverse image searches to verify profile photos aren’t stolen.
• Fake job offers: Scammers will post attractive employment opportunities, promising unrealistic salaries for minimal work. During your “onboarding,” the fake HR person will require upfront payments for equipment, training, or background checks, or use job interviews to harvest personal information such as Social Security numbers.
• Cryptocurrency and investment scams: Fraudulent investment schemes promise guaranteed returns through cryptocurrency trading, forex, or other financial opportunities, often using fake testimonials and urgent time pressure. The fraudsters will promise guaranteed high returns, pressure you to invest quickly, and ask you to recruit friends and family into the “opportunity.”
• Charity and disaster relief scams: Fake charitable organizations exploit current events, natural disasters, or humanitarian crises to solicit donations that never reach legitimate causes. They will pressure you for immediate donations, offer vague descriptions about how funds will be used, and request cash, gift cards, or cryptocurrency payments.
• Shopping and marketplace spoofing: Phony online stores or marketplace sellers advertise products at suspiciously low prices, then collect payment but will never deliver the goods. If they do, it will likely be counterfeit. Be on guard for prices that are way below market value, poorly presented websites or badly written advertisements, pressure tactics, and limited payment options.

2. Think before you post.

Social media is quite engaging, with all the funny status updates, photos, and comments. However, all these bits of information can reveal more about you than you intended to disclose. The examples below might be extreme, but they are real-world scenarios that continue to happen to real people daily on social media:

• Social engineering attacks: When you post details about your daily routine, workplace, or family members, scammers can use this information to build trust and manipulate you into revealing more sensitive information. Limit sharing specific details about your schedule and locations.
• Employment and reputation damage: Potential employers increasingly review social media profiles during hiring processes, and controversial opinions, inappropriate content, or unprofessional behavior can eliminate your chances of being hired for job opportunities or damage your professional reputation. Similarly, personal relationships may be strained when private information is shared publicly or when posts reveal information that others expected to remain confidential.
• Financial scams and fraud: Sharing details about expensive purchases, vacations, or financial situations makes you a target for scammers who craft personalized fraud attempts. Apply safe social media practices by avoiding posts about money, luxury items, or financial struggles that could attract unwanted attention from fraudsters.

3. Nothing good comes from filling out a “25 Most Amazing Things About You” survey.

Oversharing on social media creates significant risks that extend beyond embarrassment or regret. Identity thieves actively monitor social platforms for personal information they can use to answer security questions, predict passwords, or impersonate you in social engineering attacks.

Avoid publicly answering questionnaires with details like your middle name, as this is the type of information financial institutions—and identity thieves—may use to verify your identity.

• Password reset clues: Sharing your birth date, hometown, or pet’s name gives cybercriminals the answers to common security questions used in password resets. Do your best to keep personal details private and use unique, unguessable answers for security questions that only you would know.
• Identity theft: Oversharing personal information such as your full name, address, phone number, and family details gives identity thieves the building blocks to impersonate you or open accounts in your name. In addition, these details frequently serve as backup authentication methods for your email or bank accounts. You wouldn’t want identity thieves to know them, then. Protect your accounts by tightening privacy settings and limiting the information in your profile and posts.
• Doxxing: This publication of your private information without consent is another malicious consequence of oversharing. Your seemingly harmless social media posts can be combined with other public records to reveal your home address, workplace information, and family details, which can then be used to harass, intimidate, or endanger you and your loved ones as part of a scam or revenge scheme.
• Data collection: The scope of data collection and its potential for misuse continues to evolve. Anything you share on social media becomes data for hundreds of third-party companies for advertising and analytics purposes that you may not realize. This widespread distribution of your personal information increases the odds that your data will be involved in a breach or used in nefarious ways.

4. Think twice about applications that request permission to access your data.

Third-party apps with excessive permissions can access your personal data, post to social media at any time on your behalf, or serve as entry points for attackers, regardless of whether you’re using the application. To limit app access and reduce your attack surface significantly, review all apps and services connected to your social media accounts. Revoke permissions to applications you no longer use or don’t remember authorizing.

5. Don’t click on short links that don’t clearly show the link location.

Shortened links can be exploited in social media phishing attacks as they hide the final destination URL, making it difficult for you to determine where it actually leads. These tactics mimic legitimate communications from trusted sources and come in the form of direct messages, comments, sponsored posts, and fake verification alerts, all in an effort to steal your personal information, login credentials, or financial details. Often, these attacks appear as urgent messages claiming your account will be suspended or fake prize notifications.

When you identify phishing attempts, immediately report and block the suspicious accounts using the platform’s built-in reporting features. This will protect not only you but other users on the platform.

If the link is posted by a product seller or service provider, it is a good idea to:

1. Verify the link independently: Don’t click suspicious links or download files from unknown sources. Instead, navigate to official websites directly by typing the URL yourself or using trusted search engines.
2. Verify the profile before engaging: Look for verified checkmarks, consistent posting history spanning several months or years, and mutual connections. As scammers often use stolen photos, check if the photo appears elsewhere online by doing a reverse image search.
3. Use only trusted payment methods: Stick to secure payment platforms with buyer protection such as PayPal, credit cards, or official app payment systems. Never send money through wire transfers, gift cards, cryptocurrency, or peer-to-peer payment apps to strangers, as these transactions are irreversible and untraceable.
4. Research sellers and causes thoroughly: Before making any purchase or donation, search for the business name online, check reviews on multiple sites, and verify charity registration numbers through official databases. Look up the organization’s official website and ensure that the business has verifiable contact information, a physical address, and good reviews.
5. Keep conversations on the platform: Legitimate sellers and organizations rarely need to move discussions to private messaging apps, email, or phone calls immediately. When scammers push you off-platform, they’re avoiding security measures and community reporting systems.

6. Beware of posts with subjects along the lines of, “LOL! Look at the video I found of you!”

You might think the video or link relates directly to you. But when you click it, you get a message saying that you need to upgrade your video player in order to see the clip. When you attempt to download the “upgrade,” the malicious page will instead install malware that tracks and steals your data. As mentioned, don’t click suspicious links or download files from unknown sources before verifying independently. Visit the official websites by directly typing the URL yourself or using trusted search engines.

This also brings us to the related topic of being tagged on other people’s content. If you don’t want certain content to be associated with you, adjust the settings that enable you to review posts and photos before they appear on your profile. This allows you to maintain control over your digital presence and prevents embarrassing or inappropriate content associations.

7. Be suspicious of anything that sounds unusual or feels odd.

If one of your friends posts, “We’re stuck in Cambodia and need money,” keep your radar up as it’s most likely a scam. It is possible that a scammer has taken over your friend’s account, and is using it to impersonate them, spread malicious content, or extract sensitive information from their contacts, including you. Don’t engage with this post or the fraudster, otherwise the next account takeover could be yours.

In this kind of scam, some critical areas of your life are affected:

• Financially, successful attacks can result in unauthorized purchases, drained bank accounts, or damaged credit scores through identity theft.
• Your reputation faces threats from impersonation, where attackers post harmful content under your name, or from oversharing personal information that employers, colleagues, or family members might frown upon.
• In terms of misusing your identity, criminals could further exploit your social media profile by collecting data from your posts to conduct other fraudulent activities, from opening accounts in your name to bypassing security questions on other services.

When you encounter suspicious activity, always use official support pages rather than responding to questionable messages. Major social media platforms provide dedicated help centers and verified contact methods.

• Configure message and comment filtering: Set up keyword filters to automatically block suspicious messages and enable message request filtering from unknown users. This helps you verify suspicious messages on social media before they reach your main inbox.
• Watch for urgency and pressure tactics: Scammers create false urgency through “limited time offers” or “emergency situations” to prevent you from thinking clearly. Legitimate opportunities and genuine emergencies allow time for verification.

8. Understand your privacy settings.

Select the most secure options and check periodically for changes that can open up your profile to the public. Depending on your preference and the privacy level you are comfortable with, you can choose from these options:

• Public profiles make your content searchable and accessible to anyone, including potential employers, strangers, and data collectors. This setting maximizes your visibility and networking potential but also increases your exposure to unwanted contact and data harvesting.
• Friends-only profiles limit your content to approved connections, balancing your social interaction and privacy protection. This setting, however, doesn’t prevent your approved friends from reposting your content or protect you from data collection.
• Private profiles provide the highest level of content protection, requiring approval for anyone to see your posts. While this setting offers maximum control over your audience, it can limit legitimate networking opportunities and may not protect you from all forms of data collection.

We suggest that you review your privacy settings every three months, as platforms frequently update their policies and default settings. While you are at it, take the opportunity to audit your friend lists and remove inactive or suspicious accounts.

9. Reconsider broadcasting your location.

Posting real-time locations or check-ins can alert potential stalkers to your whereabouts and routine patterns, while geo-tagged photos can reveal where you live, study, work, shop, or work out. Location sharing creates patterns that criminals can exploit for security threats such as stalking, harassment, and other physical crimes.

To avoid informing scammers of your whereabouts, turn off location tagging in your social media apps and avoid posting about your routine. You might also consider disabling “last seen” or “active now” indicators that show when you’re online. This prevents others from monitoring your social media activity patterns and reduces unwanted contact attempts, significantly improving your personal and family safety while maintaining your ability to share experiences.

10. Use an updated browser, social media app, and devices.

Older browsers tend to have more security flaws and often don’t recognize newer scam patterns, while updated versions are crucial for security by patching vulnerabilities. Updates add or improve privacy controls such as tracking prevention, cookie partitioning, third-party cookie blocking, stronger HTTPS enforcement, transparent permission prompts. They also support newer HTML/CSS/JavaScript features, video and audio codecs, payment and login standards, and accessibility features.

In terms of performance, new browser versions offer faster performance, better memory management, and more efficient rendering, so you get fewer freezes, less fan noise, and longer battery life and better extension compatibility.

11. Choose unique logins and passwords for each of the websites you use.

Consider using password managers, which can create and store secure passwords for you. Never reuse passwords across platforms. This practice ensures that if one account is compromised, your other accounts remain secure. Password managers also help you monitor for breached credentials and update passwords regularly.

In addition, implement multi-factor authentication (MFA)on every social media account using authenticator apps. This single step can protect social media accounts from 99% of automated attacks. MFA enforcement should be non-negotiable for both personal and business accounts, as it adds critical security that makes account takeovers exponentially more difficult.

12. Check the domain to be sure that you’re logging into a legitimate website.

Scammers build fake login pages that look identical to real ones. The only obvious difference is usually the domain. They want you to type your username/password into their site, so they can steal it. So if you’re visiting a Facebook page, make sure you look for the https://www.facebook.com address.

The rule is to read the domain from right to left because the real domain is usually the last two meaningful segments before the slash. For instance, https://security.facebook.com—read from right to left—is legitimate because the main domain is facebook.com, and “security” is just a subdomain.

Watch out for scam patterns such as:

• Look-alike domains such as faceboook.com (extra “o”), facebook-login.com, fb-support.com.
• Subdomain tricks that hide the real domain such as https://facebook.com.login-security-check.ru.

13. Be cautious of anything that requires an additional login.

Within the social media platform, scammers often insert a “second” sign-in step to capture your credentials. A common trick is sending you to a page that looks like a normal email, business, or bank website but then suddenly asks you to log in again “to continue,” “to verify your identity,” or “because your session expired.” That extra login prompt is frequently a fake overlay or a malicious look-alike page designed to steal passwords.

Clicking a shared document link, viewing a receipt, or checking a delivery status usually shouldn’t require you to re-enter your email and password—especially if you’re already signed in elsewhere. Another example is a fake security notification claiming your account has been compromised, directing you to another page or website that requires a new login. Attackers usually rely on urgency, panic, and habit; you might be so used to logging in all the time, that you could do it automatically without noticing the context is wrong.

A safer habit is to stop and reset the flow. If something unexpectedly asks for another login, don’t use the embedded prompt. Instead, open a new tab, type the site’s official address yourself, check account status, and log in there if needed. If the request was legitimate, it will still work once you’re signed in through the official site; if it was a trap, you’ve just avoided handing over your credentials.

14. Make sure your security suite is up to date.

Your suite should include an antivirus, anti-spyware, anti-spam, a firewall, and a website safety advisor. Keeping your security suite up to date is essential as threats evolve daily, and outdated protection can miss new malware, phishing kits, ransomware variants, and scam techniques. Updates also patch security weaknesses in the software itself, improve detection technologies, and add protections for newer attack methods.

The McAfee Social Privacy Manager extends “security updates” beyond your device and into your social media footprint by scanning your privacy settings across supported platforms, flagging exposures, and recommending safer configurations. Because social platforms frequently change their settings and defaults, Social Privacy Manager also needs to stay updated to recognize and apply the right privacy protections.

15. Invest in identity theft protection.

Regardless of how careful you may be or any security systems you put in place, there is always a chance that you can be compromised in some way. It’s nice to have identity theft protection watching your back.

McAfee+ combines every day device security with identity monitoring in one suite. Depending on the plan, McAfee+ can watch for your personal info on the dark web and breach databases, monitor financial and credit activity, and send real-time alerts for anomalies. The Advanced and Ultimate plans add wider support such as credit monitoring and tracking for bank or investment accounts, as well as tools that reduce your exposure such as Personal Data Cleanup that removes your info from data broker sites. It doesn’t just warn you after a breach; it helps shrink the chances your data gets misused in the first place.

Final thoughts

Social media brings incredible opportunities, but privacy exposure, scams, and account takeovers remain real challenges that can impact your finances, reputation, and personal security. The tips outlined above give you practical ways to recognize the risks and protect your social media accounts. By raising your level of awareness and applying safe social media practices, you are building a stronger defense against evolving threats.

Make security a family affair by sharing these safe social media practices with everyone in your household—especially children and teens who use social media—so they can enjoy a safer experience.

The post 15 Critical Tips to Stay Safe on Social Media appeared first on McAfee Blog.

Mac users often say, “I don’t have to worry about viruses. I have a Mac!” But that sense of safety is outdated. Macs face real threats today, including scareware and fake antivirus pop‑ups designed specifically for macOS. One of the most infamous examples is the Mac Defender family, which appeared around 2011 under names like “Mac Defender,” “Mac Security,” and “Mac Protector,” luring users with fake security alerts and then installing malicious software.

These scams have long targeted Windows PCs and later expanded to Macs, using similar tactics: bogus scan results, alarming pop-ups, and fake security sites that push users to download “protection” software or pay to remove nonexistent threats. Once installed, these programs can bombard you with persistent warnings, redirect you to unwanted or explicit sites, and may even try to capture your credit card details or other sensitive information under the guise of an urgent upgrade.

In this blog, we’ll take a closer look at how you become a target for these fake antivirus pop‑up ads, how to remove them from your Mac, and practical steps you can take to block them going forward.

What is fake antivirus software?

Fake antivirus software is malicious software that tricks you into believing your Mac is infected with viruses or security threats when, in fact, it isn’t. These deceptive programs, also known as rogue antivirus or scareware, masquerade as legitimate security tools to manipulate you into taking actions that benefit cybercriminals.

On your Mac, fake antivirus pop-up ads typically appear as urgent browser warnings or system alerts claiming to have detected multiple threats on your computer. These fraudulent notifications often use official-looking logos, technical language, and alarming messages like “Your Mac is infected with 5 viruses” or “Immediate action required” to create a sense of urgency and panic.

These scams manipulate you by:

• Requesting payment: They’ll prompt you to purchase their “premium” software to remove the fake threats, often charging $50-200 for worthless programs.
• Providing fake phone numbers: The pop-up ads will display fake support numbers you can call for “immediate technical assistance.”
• Requesting personal information: Once you call the number, the scammer on the other end of the line will request your credit card details, personal information, or remote access to your computer.
• Encouraging malicious downloads: The ads will trick you into downloading actual malware disguised as security software.

Tactics scammers use to infect your device with fake antivirus pop-up ads

Fake antivirus popups are almost always the result of a sneaky delivery method designed to catch you off guard. Scammers rely on ads, compromised websites, misleading downloads, and social engineering tricks to get their scareware onto your Mac without you realizing what’s happening. Let’s take a look at the common ways these scams spread so you can avoid them.

• Deceptive online advertisements: Fake antivirus software often appears through misleading ads that claim your Mac is infected or at risk. These ads can appear on legitimate websites and use urgent language, such as “Your Mac has 3 viruses!” to create a sense of panic.
• Malvertising campaigns: Cybercriminals purchase legitimate advertising space and inject malicious code that automatically redirects you to fake antivirus download pages. This can happen even on reputable websites you trust.
• Drive-by downloads: Simply visiting a compromised website can trigger automatic downloads of fake antivirus software without your knowledge. Your Mac may store these files in your Downloads folder, where they wait for you to accidentally open them.
• Bundled software installers: Fake antivirus programs often hide in free applications from unofficial sources. During installation, you might unknowingly agree to install additional “security” software that’s actually malicious.
• Pirated applications and media: Illegal downloads of software, movies, or music frequently contain fake antivirus programs as hidden payloads. These files install malware alongside the content you wanted.
• Typosquatted domains: Scammers register URLs that are slightly altered or are misspellings of legitimate websites, such as Apple-support.com. These typosquatted links are sent via phishing emails that claim to have detected a virus on your Mac. If you click on the fake link, you could be infected with malware that displays alarming security warnings and promotes fake antivirus downloads.
• Fake technical support pages: Scammers create convincing replicas of Apple Support or legitimate security company websites that promote fake antivirus solutions. These pages often include official-looking logos and professional language to appear trustworthy.
• Browser notification abuse: Some websites request permission to send you notifications, then later spam you with fake virus alerts. Clicking on these notifications could download fake antivirus software that mimics macOS system alerts.
• Malicious configuration profiles: Fake antivirus installers may request permission to download configuration profiles onto your device, granting them deep access to your Mac’s settings and network traffic. Once installed, these profiles will redirect your browser traffic through malicious servers and display fake security warnings.

Elements of a fake virus alert

Fake virus alerts use a mix of visual tricks and psychological pressure to push you into clicking, calling, or paying before you have time to think. This section breaks down the common elements scammers use in these alerts so you can recognize a fake warning instantly and ignore it.

• Blaring alarm and full-screen browser takeover: If your browser suddenly goes full-screen with flashing red warnings and audio alarms, you’re looking at a scam designed to panic you into taking immediate action. Real Mac security notifications never lock your entire screen or play loud, startling sounds. Legitimate macOS alerts appear as small, quiet dialogs in the upper-right corner of your screen.
• Urgent countdown timers: The high-pressure countdown clocks claiming your Mac will be “permanently damaged” in minutes are artificial psychological tactics that scammers use to pressure and prevent you from thinking clearly. Apple’s real security notifications give you time to review and respond thoughtfully
• Spelling and grammar mistakes: Fake alerts often contain telltale errors such as “Your computer has been infected” or “Immediate action required.” Apple invests heavily in polished, professional communications to produce macOS security dialogs with error-free language that reflects the company’s attention to detail.
• Requests for gift cards or cryptocurrency payments: Any request for unconventional payment methods is an immediate indicator of a scam. Apple will never ask you to purchase iTunes gift cards, Amazon cards, or Bitcoin to “clean” your Mac. Authentic Apple security software uses traditional payment methods through official app stores or verified websites.
• Suspicious phone numbers for “tech support”: Scammers use phone numbers that connect you directly with fraudsters who will remotely access your Mac or extract personal information. Legitimate macOS alerts don’t include phone numbers to call for immediate help. Apple provides support through official channels, which are clearly marked on their website.
• Generic or mismatched company logos: Fake alerts often use distorted Apple logos, outdated designs, or generic “security shield” graphics instead of authentic branding. Real macOS notifications maintain consistent visual elements that match your system’s appearance and Apple’s official style guidelines.
• Misleading URLs: Scam pages often use suspicious addresses such as “apple-security-center.net” or “mac-virus-removal.com.” Authentic security alerts from macOS appear in System Settings or from apps you’ve knowingly installed from the official Apple App Store.
• Persistent pop-up ads that won’t close: Fake virus warnings often spawn multiple windows, reappear after being closed, or make it difficult to exit. Authentic macOS security features respect your control and don’t bombard you with alerts.
• Warnings that bypass System Settings: Fake alerts typically appear only as web pages or unauthorized pop-ups that don’t connect to your actual system security settings. Genuine Mac security notifications integrate with your system properly, appearing through official macOS notification systems or System Settings under Privacy & Security.
• Claims “hundreds of viruses found” without scanning: Fake alerts instantly claim to have found dozens or hundreds of viruses without performing a legitimate scan. Real security scans, however, take time to complete and provide specific, verifiable results about actual threats.

Examples of fake antivirus software and pop-ups

• Mac “Defender” variants: This notorious family of fake antivirus programs includes variants such as Mac Security, Mac Protector, and Mac Guard, appearing through deceptive search results or malicious websites. They display fake system scans that allegedly found threats on your Mac to trick you into paying $50-$99 for a useless antivirus tool. Once you enter payment information, cybercriminals will access your financial data and may continue charging your card for bogus services.
• Generic “antivirus” popups: These fake alerts have generic names such as Antivirus 10, Mac Antivirus Pro, or Advanced Mac Cleaner. These ads pop up while you browse, often accompanied by loud alarms and urgent countdown timers, claiming your Mac is infected and demanding immediate action. The scam journey involves clicking the alert, downloading malicious software disguised as security tools, and potentially compromising both your system and personal information.

Verify that an antivirus alert is fake

If you’re not sure whether an antivirus warning is real or just scareware, a quick verification is the safest next step. There are steps you can take and settings on your macOS you can check without putting your Mac at further risk.

1. Disconnect from the internet immediately: When you suspect a fake antivirus alert, the first step is to break the connection between your Mac and the internet to stop malicious processes from communicating with remote servers or downloading additional threats.
2. Check the URL and certificate details: If the alert appeared in your web browser, examine the web address carefully. Legitimate security warnings from Apple or trusted vendors will come from official domains, not URLs with misspellings or random characters.
3. Verify the app’s developer signature and source: To verify that the developer signatures are from recognized companies, open Finder, navigate to Applications, and locate the security software. Right-click the application and select “Get Info” to view the developer information. In macOS Ventura, Sonoma, and Sequoia, you can also go to Apple Menu > About This Mac > More Info > System Report > Applications to view information about the software.
4. Review configuration profiles and login items: Navigate to Apple Menu > System Settings or System Preferences > Privacy & Security to find and remove any configuration profiles you didn’t install. Next, check Login Items & Extensions or Users & Groups > Login Items for suspicious applications set to launch automatically.
5. Inspect LaunchAgents and LaunchDaemons folders: Fake antivirus software often installs persistent components in these system folders. Go to Finder > Go to Folder > ~/Library/LaunchAgents, /Library/LaunchAgents, and /Library/LaunchDaemons. Fake antivirus files typically have .plist extensions.
6. Check browser extensions and notification permissions: Fake antivirus alerts often originate from malicious browser extensions or abusive notification permissions. Review your extensions and remove those you didn’t install or revoke permissions that might be generating fake security alerts.
7. Run legitimate security scans from trusted sources: Use reputable security tools downloaded only from the Apple App Store or directly from the websites of legitimate vendors to scan your system. Apple’s built-in XProtect and Malware Removal Tool (MRT) run automatically, but you can also use the system’s First Aid feature in Disk Utility to check for file system issues.

Your action plan when a fake virus warning pops up

The moment a fake virus warning pops up, scammers are hoping you’ll react fast, click a button, call a number, or download their “fix.” However, the safest approach is the opposite: take a moment to think, don’t interact with the alert, close the browser, and clear any files it may have tried to leave behind. Here’s exactly what to do right away to stay safe.

1. Stay calm and don’t interact with the alert: Resist the urge to click anywhere on the fake virus warning pop-up window, including any “X” buttons, “OK” buttons, or phone numbers. These elements are designed to trick you into downloading malware or connecting with scammers. Avoid touching your mouse or trackpad while the alert is displayed.
2. Force-quit your browser immediately. Press Command + Option + Esc to open the Force Quit Applications window, select your browser (Safari, Chrome, Firefox, or Edge), and click “Force Quit.” If the pop-up has taken over your entire screen, try pressing Command+Q to quit the browser directly. This breaks the connection to the malicious website without triggering any hidden downloads.
3. Clear your browser’s site data and disable notifications. When you restart your browser, immediately go to Preferences/Settings and clear your browsing data, cookies, and cache. Then navigate to the Notifications section and remove permissions for suspicious websites to block the fake antivirus from returning.
4. Check and remove any malicious configuration profiles. Go to System Settings > Privacy & Security > Profiles or System Preferences > Profiles, and look for profiles you didn’t install, especially those with generic names or suspicious publishers. Select unknown profiles and click the minus (-) button to remove them.
5. Restart your Mac to clear temporary threats: A simple reboot helps clear any temporary malicious processes that might be running in memory. After restarting, check your desktop and Downloads folder, move unfamiliar files to the Trash, and empty it completely.
6. Update your macOS and browser to the latest versions: Go to System Settings > General > Software Update and install macOS updates. Update your browsers as well to protect against the latest fake antivirus tactics and browser exploits.
7. Run a full security scan with trusted software: Use reputable security software to scan your entire system for lingering threats. Focus on applications that have been specifically designed for Mac and have current threat definitions.
8. Monitor and validate financial statements: If you provided payment information to what you now suspect was fake antivirus software, immediately check your bank and credit card statements for unauthorized charges. Report these fraudulent charges to your financial institutions and place fraud alerts on your accounts over the next few weeks.
9. Report the scam to protect others: Report the fake antivirus website to the Federal Trade Commission and to Google’s Safe Browsing if you encountered it through search results. You can also report it to your browser manufacturer. Your report helps security teams identify and block these threats more quickly, thereby protecting other Mac users from falling victim to the same scam.

Final thoughts

Your Mac experience should be enjoyable and secure. With the right awareness and tools, it absolutely can be, especially when you know what to look for and follow the right practices. By recognizing the warning signs of fake antivirus pop-ups, downloading software only from trusted sources, keeping your macOS and applications updated, and following the prevention tips outlined above, you can avoid falling victim to these fake antivirus scams.

Remember that legitimate security alerts from Apple come through System Preferences and official macOS notifications, not through alarming browser pop-ups demanding immediate payment or phone calls. Use reputable security tools from a trusted vendor, such as McAfee, that provides real-time protection and regular updates about emerging threats.

Share these tips with your family and friends, especially those who might be less tech-savvy and more vulnerable to these deceptive tactics. The more people understand how fake antivirus schemes operate, the safer our entire digital community is.

The post Stop Fake Antivirus Popups on Your Mac appeared first on McAfee Blog.