McAfee Labs has recently uncovered a large scale CountLoader campaign that uses multiple layers of obfuscation and staged payload delivery to evade detection and maintain persistence in infected systems. The infection process relies on several layers of loaders, including PowerShell scripts, obfuscated JavaScript executed through mshta.exe, and in memory shellcode injection, each stage decrypting and launching the next. The attackers employ a custom encrypted communication protocol to interact with their C2 servers. By registering a backup domain used by the malware, we were able to sinkhole the traffic and observe thousands of infected machines connecting to the C2 infrastructure. Final payload deployed in this campaign is a cryptocurrency clipper, which monitors clipboard activity and replaces copied wallet addresses with attacker controlled ones to redirect cryptocurrency transactions.
Sinkholing
Sinkholing is a defensive technique in which researchers take control of malicious domains or infrastructure used by malware. Instead of allowing infected systems to communicate with attacker controlled C2 servers, the traffic is redirected to a researcher controlled server. This approach enables researchers to monitor infected hosts, collect telemetry, measure the scale and spread of a campaign.
Key Findings
McAfee researchers identified a large-scale CountLoader campaign using multi-stage payload delivery and heavy obfuscation techniques.
Researchers successfully sinkholed malware communication using a backup C2 domain, enabling visibility into the campaign’s infrastructure and infected hosts.
The sinkhole received approximately 5,000 connections per minute from infected systems.
Telemetry collected during the investigation revealed around 86,000 unique infected machines.
The malware also spreads through USB drives, with approximately 9,000 infections attributed to removable media.
The final payload deployed in this campaign is cryptocurrency clipper malware that hijacks clipboard data to redirect cryptocurrency transactions.
C2 Sinkholing and Geographical Prevalence
As the malware contacts the C2 servers in the reverse order and only hell1-kitty[.]cc was used by attackers, we were able to register hell10-kitty[.]cc and were able to gain insights into the campaign.
Figure 1: Sinkholing malware communication
On average, around 5,000 infected clients contacted our server every minute.
In total, we observed approximately 86,000 unique infections.
Telemetry collected revealed that this CountLoader campaign has a broad global footprint. The highest number of infections were observed in India, followed by Indonesia, the United States, and several countries across Southeast Asia.
Figure 2: Global distribution of CountLoader infections.
Conclusion
CountLoader is a multistage malware loader that uses obfuscated JavaScript and trusted Windows utilities to deliver additional payloads. It ensures persistence via scheduled tasks and uses multiple fallback C2 domains to maintain reliability. Malware employs in-memory execution and security bypass techniques to evade detection.
In recent campaigns, it has been observed deploying cryptocurrency clipper malware to silently hijack transactions.
McAfee Researchers identified a flaw in its communication mechanism and were able to exploit it to gain insights into the campaign.
Technical Analysis
The following diagram illustrates the complete infection chain used in this CountLoader campaign, from the initial execution to the deployment of the final payload.
Figure 3: Infection Chain
The infection begins when an EXE file is executed. This file launches a PowerShell command, which downloads and executes an obfuscated JavaScript loader known as CountLoader. The loader is executed using mshta.exe, a legitimate Windows utility often abused by malware to run scripts.
Once executed, it performs several tasks:
Establishes persistence by creating a scheduled task that runs every 30 minutes.
Contacts multiple C2 servers, trying them in reverse order until a connection is successful.
Attempts to spread via USB drives by replacing files with malicious LNK shortcuts that execute the malware when opened.
Wait for the C2 server to issue commands to download and execute payloads.
The payload execution chain consists of several stages:
Launcher: A secondary JavaScript component creates another scheduled task that runs every 60 minutes, ensuring long term persistence.
PowerShell Packer: The launcher executes an obfuscated PowerShell script that acts as a packer. This script decrypts and launches the next stage.
Injector: The next PowerShell stage disables security mechanisms such as AMSI and injects shellcode into a legitimate process.
Shellcode Execution: The injected shellcode unpacks the final payload directly in memory.
Final Payload: The final payload is executed under the process systeminfo.exe. In this campaign, the deployed payload was identified as a cryptocurrency clipper malware, which monitors clipboard activity and replaces copied cryptocurrency wallet addresses with attacker controlled addresses.
Stage 1–Exe
The infection chain begins with the execution of a malicious EXE file, it immediatelyruns aPowerShellone-liner as shown in the below image.
Stage 2 – PowerShell
The PowerShell script fetched from the URL decodes a Base64-encoded string and executes the resulting content. It also employs an unusual obfuscation technique, where the variable names are crafted to resemble the highlighted pattern, making the script harder to read and analyze.
Multiple such variables are used to create a complete base64 string which is then decoded and executed through Invoke-Expression.
Stage 3 – CountLoader
The file is a HTA file with JavaScript that uses string obfuscation technique to evade detection.
It starts by hiding the mshta window to ensure that the malicious activity runs silently in the background without alerting the user.
The script then attempts to delete its own file in case it was executed locally. If the script determines that it is not being executed from a URL, it terminates immediately.
Then the script tries to contact C2 servers, iterating through the list in reverse order.
Figure 4: C2 communication protocol.
A handshake process is performed to verify connectivity with the server. The client sends an encrypted “checkStatus” message, and the server responds with an encrypted “success” message if the connection is valid
All communications between the client and the server are encrypted, with slightly different encryption schemes used for each direction:
Client to Server: text → (key+(base64encode(utf16le(xor(text, key)))))
Server to Client: text → (key+(base64encode(xor(text, key))))
The key is a randomly generated six digit number created for each message.
If the handshake is successful, the corresponding domain is selected as the active C2 server, which is used for all subsequent communications.
To maintain persistence on the infected system, the malware creates a scheduled task if one does not already exist.
The scheduled task command line is slightly different if it detects CrowdStrike or Reason AV installed on the system, likely as an attempt to evade detection from these AVs.
After establishing persistence, the malware gets a JWT token from the C2 server, which is used to authenticate further requests.
The get_jwt_token function sends system information about the infected host to the server.
This includes details related to cryptocurrency usage, such as installed wallets and browser extensions, allowing the attackers to determine whether the victim is likely involved with cryptocurrency.
Finally, the malware gets commands from the C2 server, which is then executed on the compromised system.
Each command contains a taskType value that determines the action to be performed on the infected system.
The table below shows the command codes and their actions.
Code
Command
1
execute exe file
2
execute python file
3
execute dll file
4
uninstall itself
5
send domain info to C2
6
execute msi file
9
spread by infecting usb files
10
execute HTA file
11
execute powershell file
We observed two commands from the above list being sent to the malwareas highlighted below:
Spreading via USB drives (taskType – 9)
When instructed by the C2 server to spread via USB drives, the malware replaces certain file types on all connected external drives with LNK shortcut files. These shortcuts are crafted so that when a user opens them, the malware executes while simultaneously opening the original file to avoid suspicion.
Targeted file types are exe , pdf , doc and docx.
The build ID of the malware is appended with “_usb”.
Deploying payload using powershell (taskType – 11)
The CountLoader is capable of running many types of executable files, In this campaign, it deploys a separate execution chain that ultimately leads to a clipper malware.
CountLoader launches the next stage using the following command line:
Payload Launcher
The Payload Launcher is very similar to CountLoader in terms of both functionality and obfuscation techniques.
However, unlike CountLoader, which retrieves tasks from the C2 server, the launcher contains hard-coded task information.
For persistence, it creates a scheduled task which executes “mshata.exe {domain}/{name}“ every 60 minutes.
In the task configuration:
“url” specifies the url of the payload.
“taskType” is set to 11, indicating that the payload should be executed as a PowerShell script.
Powershell Packer
The PowerShell script executed by the launcher acts as a simple packer. It is obfuscated using the same obfuscation technique mentioned earlier. Its primary function is to decrypt and execute another PowerShell script.
Injector
The next stage is another PowerShell script responsible for injecting shellcode into a running process.
After disabling AMSI, the script executes code that performs shellcode injection,
And injects in one of theselegitimateprocesses:
Shellcode
The injected shellcode unpacks and loads the final payload directly into memory,
Final Payload
The payload observed in this campaign is a clipper malware. This type of malware changes cryptocurrency address in clipboard to that of attacker’s when user copies any address.
It starts by fetching the C2 server address, which it gets by a technique called EtherHiding, where the C2 server address is fetched from Ethereum blockchain.
Once the C2 server address is obtained, the malware begins reporting system activity to the server.
It then continuously monitors the clipboard contents.
McAfee Coverage
McAfee provides extensive coverage against CountLoader:
Graduation season should be about launching your career, not dodging scams.
But for many new grads, the job search now comes with a hidden risk: fake recruiters, fraudulent job offers, and convincing messages designed to steal money, personal information, or both.
The threat is larger than many people realize. According to McAfee’s 2026 State of the Scamiverse report, 76% of Americans have encountered a scam, and the average person receives 14 scam messages every day through text, email, and social media. Americans now spend an estimated 114 hours each year trying to figure out what is real online and what is not.
Young adults are among the most heavily targeted groups. Nearly 3 in 10 people ages 18 to 24 (28%) report receiving conversational scams that begin with casual outreach such as “Hey, how are you?” or a “wrong number” text. Those same tactics increasingly appear in fake recruiter messages, LinkedIn outreach, and texts promoting remote job opportunities.
Today’s job scams can look highly professional. Scammers build polished LinkedIn profiles, clone legitimate company websites, and even use AI-generated interviews to appear credible. Many scams unfold quickly, with nearly half completed in less than an hour, creating pressure to act before candidates have time to verify what is real.
That’s where tools like McAfee’s Scam Detector come in—flagging suspicious emails, texts, links, and messages before you engage, so you can tell what’s real before you click.
Here’s how to avoid job scams and stay safe with McAfee:
How Job Scams Actually Work
Step
What Happens
Red Flags
What Scammers Want
1. The Outreach
You’re contacted via email, text, or social media about a job
Then came the shift. He was told he needed to deposit money to continue working and kept paying more to “unlock” earnings that never came.
This type of advance fee scam is increasingly common in job fraud, and it works because it builds trust first.
What the Data Says
Recent graduates are entering the workforce at a time when scams are more sophisticated, more personalized, and harder to spot than ever before. McAfee’s 2026 State of the Scamiverse report highlights why younger job seekers should be especially cautious.
Young Adults Face Higher Risk
Younger adults report the highest rates of repeat scam victimization. McAfee’s research found that scam victims under 35 are more likely than older adults to be targeted again, suggesting that early-career professionals may be especially vulnerable as they navigate job searches, salaries, and onboarding for the first time.
Scam Messages Are Constant
Americans receive 14 scam messages per day on average.
76% of Americans say they have encountered an online scam.
People spend 114 hours per year, nearly three full workweeks, trying to determine what is real and what is fake online.
Professional Platforms Are Not Immune
7% of respondents reported encountering scams on LinkedIn.
44% have replied to suspicious messages that contained no link at all.
Many modern scams begin with a simple message such as “I came across your profile” or “We’d like to discuss an opportunity,” rather than an obviously suspicious URL.
Job Scams Move Fast
The average scam unfolds in just 38 minutes.
Scammers often create urgency by claiming a role is limited, an offer will expire quickly, or onboarding must begin immediately.
AI Makes Fake Recruiters More Convincing
35% of Americans are not confident they can spot deepfake scams.
McAfee predicts job scams will become increasingly personalized as scammers use AI to create tailored outreach, onboarding documents, and contracts that closely match a candidate’s background.
Job Scams Are a Growing Financial Threat
FTC-reported job scam losses rose nearly 40% year over year, increasing from $543 million in 2024 to $752 million in 2025.
For new graduates eager to land their first job, the lesson is simple: if an opportunity seems rushed, asks for money, or feels too good to be true, take a step back and verify before you respond.
Where McAfee Comes In
Job scams don’t just happen in one moment. They unfold in stages—first a message, then a conversation, then a request for information or money.
That’s why protection needs to work the same way: across the entire experience. McAfee’s comprehensive protection helps you stay ahead of job scams at every step:
McAfee+ Advancedgives you multiple layers working together so you are not left figuring it out after the damage is done:
Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast
Personal Data Cleanup helps remove your information from data broker sites, making you harder to target in the first place
Scam Detector flags suspicious texts, emails, links, and even deepfake videos before you engage
Safe Browsing helps block risky sites if you do click
Secure VPN keeps your data private, especially on public Wi-Fi
The Biggest Red Flags to Watch For
These patterns show up again and again in job scams:
Red Flag
What It Looks Like
Why It’s a Problem
What to Do Instead
Requests for Sensitive Information Too Early
Asked for your Social Security number, banking info, or ID details early in the process
Scammers use this to steal your identity or access your accounts
Only share sensitive info after accepting a verified job—and through secure onboarding systems
You’re Asked to Pay to Work
Fees for training, equipment, onboarding, or background checks
Legitimate employers don’t charge candidates to get hired
Walk away immediately—this is one of the clearest signs of a scam
The Job Sounds Too Good to Be True
High pay, low hours, minimal experience required, vague responsibilities
Designed to hook attention and lower your guard
Research typical salaries and ask detailed questions about the role
The Hiring Process Moves Too Fast
Immediate job offers or rushed decisions without interviews
Real hiring processes involve multiple steps and evaluations
Be cautious of offers that skip standard hiring steps
No Real Interaction
Communication only via email or chat, refusal to do video or phone calls
Scammers avoid real-time interaction to stay anonymous
Request a video call or verify the recruiter through official company channels
How to Protect Yourself
You don’t need to overcomplicate it. Stick to a few grounded habits:
Verify the company independently: Search the company, check official sites, confirm recruiter identities
Keep communication on trusted platforms: Be cautious with offers coming from unexpected channels
Never pay upfront for a job: That’s a dealbreaker
Pause before sharing personal information: Especially early in the process
Use tools that flag risks automatically: Scam Detector helps catch what looks legitimate, but isn’t
What to Do If You Think It’s a Scam
If something feels off:
Stop communication immediately
Do not send money or personal information
Report the scam to the FTC
Monitor your accounts for suspicious activity
If you’ve already shared sensitive information, act quickly to secure your accounts.
With McAfee’s comprehensive protection, you’re not left to figure it out on your own.
From blocking risky links to monitoring your identity and helping you respond quickly, it’s designed to help you stay one step ahead, and recover faster if needed. Because job searching is stressful enough without scammers, and you deserve to land your next job with confidence.
If you have ever checked your child’s grades online, submitted a college paper through a school portal, downloaded homework assignments, or received messages from a teacher through a classroom app, there is a good chance you have used Canvas, a nationwide learning management system that was just in a massive data breach.
This is exactly the moment McAfee+ Advanced was built for. With our built-in Scam Detector to flag risky links, QR codes, and deepfakes; Identity Monitoring that alerts you when your data appears where it shouldn’t; and Personal Data Cleanup that removes your information from the dark web and data brokers, McAfee+ Advanced is an all-in-one solution for protection after a data breach.
Now let’s get into what you need to know about this breach:
Who Is Behind the Canvas Breach?
The ransomware group ShinyHunters is claiming responsibility for the attack. The group alleges it stole roughly 275 million records tied to nearly 9,000 schools and educational institutions worldwide.
How Did the Canvas Cyberattack Happen?
Instructure, the company behind Canvas, confirmed a cyber incident affecting its cloud-hosted environment. The attackers later posted claims about the breach on their leak site, where ransomware groups pressure organizations into paying by threatening to release stolen data publicly.
What Information Was Stolen in the Canvas Breach?
The stolen data reportedly includes:
Student names
Teacher and staff names
Email addresses
Student IDs
Course and enrollment information
School-related records
ShinyHunters claims the breach exposed roughly 275 million records and more than 231 million unique email addresses.
How Could the Canvas Data Breach Impact Families and Students?
Even if financial information was not exposed, this kind of data can still be extremely valuable to scammers. Criminals can use real school names, real classes, teacher names, and student information to create highly convincing phishing emails, fake school alerts, scholarship scams, tuition scams, or password reset messages.
A scam message referencing your child’s actual school or assignment is much harder to spot as fake.
This is what a Canvas message might look like when forwarded to your email inbox. Hackers claim to have millions of these types of messages.
This is a real message from Canvas from a community college professor after yours truly took an anthropology class for fun during the pandemic. It’s full of links to apply for programs and reach out to professors. It has exact details about courses I’ve taken.
While this correspondence is real, it’s exactly the type of messaging that scammers could fake and replicate, replacing real links with fake “paid” opportunities to pursue degrees.
Now think of the millions of messages and specific scenarios scammers have access to, to create dubious and convincing scams. That’s why protecting yourself after a breach is key.
What To Do Right Now
Here are some actions you can take immediately ot protect yourself after this breach:
Change you or your child’s Canvas password immediately, and update any other accounts where they reuse that password
Turn on multi-factor authentication(2FA) on parent and student accounts wherever the school permits it — Instructure’s own post-incident guidance specifically called out enforcing MFA as a recommended precaution
Ask your school what identity protection is being offered if sensitive data was involved
Consider placing a credit freeze on your or your child’s file to block new accounts from being opened in their name
Avoid clicking links in any messages that reference the breach, go directly to the official site instead
And that, my friends, is issue number one in this week’s This Week in Scams. Let’s get into what else is on our radar in cybersecurity and scam news.
Fake Amazon Recall Texts Are Targeting Shoppers
Your phone buzzes. It’s a text from an unknown number, but the message looks official.
“Dear Amazon Customer, we are writing to inform you that an item from your March 2026 order has been identified for recall.” There’s an order number. A link at the top of the message. A note about quality standards and a refund waiting for you.
It looks real. It has the Amazon logo, the branded formatting, even a reference to the “Amazon Customer Safety Team.” The only thing it doesn’t have? Any connection to Amazon at all.
A photo of a scam recall text I received this week. Luckily Scam Detector flags the link as risky if you try to click.
This is a fake Amazon recall scam, and it is making the rounds right now. The goal is to get you to click that link, which takes you to a site designed to harvest your login credentials, payment information, or both.
If you get a text like this, do not click the link. Go directly to amazon.com in your browser, log in, and check your orders and messages from there. Amazon does not initiate recall or refund processes through unsolicited texts with outside links.
What Is a Fake Amazon Recall Scam And How Does It Work?
A fake Amazon recall scam is a text message or email in which criminals impersonate Amazon to convince you that one of your recent orders has been flagged for a product recall. The message directs you to an external link leading to a phishing site designed to steal your Amazon credentials, credit card details, or personal information.
Red Flags To Watch For
The text comes from an unknown number, not a short code or verified sender
The link goes to a domain that is not amazon.com
The message asks you to complete a refund through an external link
Small typos or awkward phrasing appear in what looks like official communication
The greeting says “Dear Amazon Customer” rather than your actual name
What To Do If You Get One
Do not click the link
Go to amazon.com directly and check your orders and account notifications
Where McAfee Steps In (So You Don’t Have to Guess)
Scams today are layered. A fake email leads to stolen credentials. A breach leads to targeted phishing. And those follow-ups are getting harder to spot.
With McAfee+ Advanced, multiple layers work together so you’re not left figuring it out after the damage is done:
Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast
According to McAfee’s 2026 State of the Scamiverse report, Americans now spend 114 hours a year trying to figure out what’s real and what’s fake online. That’s nearly three full workweeks lost to second-guessing messages, alerts, and links.
And when scams do succeed, they move quickly. The typical scam unfolds in about 38 minutes, leaving little room for hesitation.
That creates a gap: People want to check before they act, but the tools haven’t always met them in that moment.
ChatGPT + McAfee is designed to close that gap, bringing scam detection directly to a platform people are already using to ask questions and make decisions.
And it’s available to anyone. You don’t have to be a McAfee subscriber.
This isn’t just detection. It’s guidance in the exact moment you’re deciding what to do.
Instead of guessing, you can paste a message or drop in a screenshot and get a clear explanation of what’s risky, and what to do next, powered by McAfee’s threat intelligence.
What You Can Do with ChatGPT + McAfee
With this integration, checking something suspicious becomes as simple as asking a question.
Paste a message. Drop in a link. Upload a screenshot.
McAfee analyzes it and explains what’s going on clearly and in context.
Here’s how it works:
Feature
What it does
How it protects you
Link safety check
Paste a suspicious URL and get a reputational analysis based on McAfee threat intelligence
Scam links are often designed to look legitimate. A quick check helps avoid phishing and malware
Message analysis
Submit texts, emails, or social messages for evaluation
Many scams now rely on urgency and tone. Analysis helps surface subtle red flags
Screenshot uploads
Upload screenshots of messages, emails, or posts for review
Scams don’t always come as clean text. This makes it easier to check what you’re actually seeing
Clear explanations
Get a breakdown of why something is flagged as risky or safe
Not just a warning—an explanation that helps you recognize patterns next time
Guided next steps
Receive recommendations on what to do next
Helps prevent escalation, especially in moments of uncertainty
It’s a quick, accessible way to get answers in the moment. But it’s just one part of a broader system designed to protect you more comprehensively.
Behind the scenes, ChatGPT + McAfee is powered by the same intelligence that fuels McAfee’s broader scam protection ecosystem.
When you submit something for review:
Links are checked against known threat signals
Messages are analyzed for scam patterns and language cues
Results are translated into clear, human-readable explanations
The goal isn’t just to flag risk. It’s to help you understand it.
A New Way to Stay Ahead of Scams
Scams aren’t slowing down. If anything, they’re becoming more convincing, more personalized, and harder to detect.
That’s where ChatGPT + McAfee comes in. But this is only one part of a much bigger system designed to protect you before, during, and after a scam attempt.
With McAfee+ Advanced, multiple layers work together so you’re not left figuring it out after the damage is done:
Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast
Graduating should feel like a fresh start, a time when the whole world is at your fingertips.
Unfortunately, scammers often see graduates and think “student loans.” Or more specifically “student loan scams.”
As student loan payments resume or repayment plans shift, scammers move in fast; posing as loan servicers, promising forgiveness, or offering to “simplify” your loans for a fee.
The tricky part? These messages often look real.
That’s where tools like McAfee’s Scam Detector come in. It flags suspicious emails, texts, links, and even deepfake-style messages, helping you spot what’s real before you click, respond, or pay.
Here’s how to spot these scams and stay safe with McAfee:
What Is a Student Loan Consolidation Scam?
Student loan consolidation itself is a legitimate option. It allows you to combine multiple federal loans into one, often to simplify payments.
Scammers exploit that confusion.
Instead of helping, they pose as government partners or “relief experts” and charge you for services you can do yourself…for free.
According to Federal Student Aid, you never have to pay for help managing or consolidating your federal student loans.
That’s the baseline truth most scams try to blur.
How These Scams Actually Work
Step
What Happens
Red Flags
What Scammers Want
1. The Outreach
You get an email, text, or call about “loan consolidation” or “forgiveness”
Urgent tone, unfamiliar sender, “final notice” language
Your attention and quick reaction
2. The Hook
They claim you qualify for a special program or limited-time offer
“Act now,” “guaranteed forgiveness,” or “new law” claims
Your trust
3. The Ask
They request payment or personal info
Upfront fees, requests for FSA ID or bank info
Money + account access
4. The Control
They may ask for authorization to manage your loans
Power of attorney forms, account takeover steps
Full control of your loan account
Luckily, for McAfee+ Advanced users, they have access to Scam Detector which alerts users to suspicious emails, messages, links, and deepfakes that are often employed by scammers in these student loan fraud scenarios.
The Most Common Lies to Watch For
Scammers tend to recycle the same scripts. Federal Student Aid warns about messages like:
“Act immediately to qualify for student loan forgiveness before the program is discontinued.”
“You’re eligible for total loan discharge. Call now.”
“Your loans are flagged for forgiveness pending verification.”
These messages are designed to create urgency, not clarity.
And importantly, they are notcoming from the U.S. Department of Education or its partners.
Image Courtesy of STUDENTAID.GOV.
Where McAfee’s Scam Detector Comes In
This is exactly the kind of gray-area messaging that trips people up.
Federal Student Aid also recommends reviewing your account activity and confirming no unauthorized changes were made.
The Bottom Line
Student loan consolidation scams don’t look like scams anymore.
They look like helpful emails. Official notices. Last chances.
That’s why protection today isn’t just about knowing the rules, it’s about having backup when something feels off.
With McAfee, you’re not left guessing. You can spot suspicious messages, understand the risks, and move forward with confidence, without handing your time, money, or identity to someone who doesn’t deserve it.
Because starting your post-grad life shouldn’t come with a scam attached.
A new scam making the rounds takes a familiar delivery trick and upgrades it with hyper‑realistic messaging and a QR code that looks safe to scan.
But don’t be fooled.
It’s the same delivery scam playbook scammers have relied on for years, just repackaged with better design and more convincing details.
You get a message with a notice that looks something like this, a real message received by our team and tested against McAfee’s Scam Detector.
This is an example of the scam message we received, impersonating the USPS.
That added layer of realism is what makes this version more dangerous. But it doesn’t hold up under scrutiny. McAfee’s Scam Detector flagged both the suspicious language and the QR code in this message before any interaction.
If you receive something like this, pause. Do not scan the code.
You can also protect yourself with McAfee’s Scam Detector, which flags suspicious links and messages, including delivery scams and QR‑based attacks, and explains why they may be risky.
What is the USPS QR Code Scam and How Does it Work?
The USPS QR code scam is a phishing attempt where scammers impersonate postal services and use QR codes instead of clickable links to direct victims to malicious websites.
Once scanned, the QR code can lead to a fake USPS page that asks for payment, login credentials, or personal information.
How the scam works
Step
What happens
The red flags
What to do
How McAfee helps
1
You receive a text about a delivery issue or missed package
Requests for small “redelivery” or “processing” fees are not normal
Exit immediately and do not submit anything
Scam Detector explains why the page is risky, and Identity Monitoring supports you when if your info gets out.
What To Do If You Get This Message
Do not scan the QR code
Go directly to the official USPS website to check tracking
Delete the message
Report it as spam
Monitor your accounts if you interacted with it
And that, my friends, is scam number one in this week’s This Week in Scams.
Let’s get into what else is on our radar.
A Major Health Data Breach Exposes 500,000 Records
A massive health data incident is raising new concerns about how sensitive information is handled and shared.
According to reporting from the Associated Press, data tied to 500,000 participants in a major U.K. health research project was found listed for sale online. The dataset included biological and health-related information, though it did not contain direct identifiers like names or contact details.
Access to the data had been granted to research institutions, but that access has since been revoked. Authorities say no purchases were made, and the listing has been removed.
Still, the situation highlights a growing reality: once data is accessed or shared, control over it becomes harder to guarantee.
What This Breach Says About Data Privacy
Scams are no longer isolated events. They are layered.
A data breach does not just stay a breach. It becomes fuel for future scams. Exposed information can be used to make phishing messages more convincing, personalize attacks, and build trust with targets.
That is why detection alone is not enough anymore. Protection has to account for both incoming threats and what happens when data is already out there.
How McAfee Protects You In A World of Scams and Data Breaches
McAfee+ Advanced gives you multiple layers working together so you are not left figuring it out after the damage is done:
Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast
Personal Data Cleanup helps remove your information from data broker sites, making you harder to target in the first place
Scam Detector flags suspicious texts, emails, links, and even deepfake videos before you engage
Safe Browsing helps block risky sites if you do click
Your data might be safe today. But that doesn’t mean it’s safe forever.
A growing number of sophisticated actors are collecting encrypted data now, with the goal of decrypting it later, when more powerful technology becomes available.
This strategy is known as Harvest Now, Decrypt Later (HNDL). And it’s not a future problem. It’s already happening, according to research from our McAfee VPN team.
For everyday people, that means private messages, financial records, and sensitive documents could be exposed years from now if protections don’t evolve today.
That’s why security teams, including McAfee’s VPN engineers, are already working on ways to strengthen encryption for both today and what comes next.
What “Harvest Now, Decrypt Later” Means
At its core, HNDL is simple: Attackers collect encrypted data now, store it, and wait until they have the tools to unlock it later.
Even though today’s encryption is incredibly strong, the strategy doesn’t rely on breaking it today. It relies on patience.
A Simple Way to Think About It
You put valuable belongings and documents in a safe at home that’s locked and secured. This works at preventing crimes of opportunity. But let’s say there’s a thief who steals the entire safe, knowing they have tools they can use later to access what’s inside. They wait, and once the tools are available, they break into your safe and access everything inside.
That’s one way to think of HNDL. The safe is the encryption. The quantum computing is the tool they can use later.
But in real life, you’d probably notice if your safe is gone. In the case of HNDL, if you’re not monitoring your data, you may not even notice encrypted information has been stolen to be decrypted.
Key Terms Explained
Term
What it means
Encryption
Scrambling data so others can’t read it
Quantum computing
A new type of computing that can break some encryption
HNDL
A strategy to collect encrypted data now and decrypt it later
Why This Matters Right Now
This isn’t about whether your data is valuable today. It’s about whether it might be valuable later.
Data with a long shelf life is especially at risk, including:
Financial records
Medical information
Private messages
Legal or identity documents
Even something that feels low-stakes today could become sensitive in the future.
And because the collection phase is already happening, the risk isn’t hypothetical. It’s already in motion.
How This Affects VPNs (and what doesn’t change)
VPNs remain one of the most effective ways to protect your data today. That hasn’t changed.
But HNDL introduces a new layer of complexity.
What’s still strong: The encryption that protects your data in transit remains highly resilient.
Where the risk is: The “handshake” process (how a secure connection is established) is more vulnerable to future quantum attacks.
In simple terms: Your data is well protected today, but parts of how that protection is set up may need to evolve for the future.
What Quantum Computing Changes
Traditional computers process information in a linear way.
Quantum computers work differently. They can solve certain types of problems much faster, including the kinds of mathematical challenges that protect today’s encryption.
That’s why attackers are willing to wait.
Once quantum computing reaches a certain level, it could unlock data that was previously considered secure.
What McAfee’s VPN Team is Working On
McAfee’s VPN team is already preparing for this shift.
Evaluating quantum-safe encryption approaches
Exploring hybrid models that protect both now and long-term
Building toward a more resilient VPN experience
This work builds on a broader privacy-by-design approach, where systems are designed to minimize risk from the start, not react after the fact.
Because with HNDL, waiting isn’t an option.
What You Can Do Now
You don’t need to wait for quantum computing to take steps today.
Use a trusted VPN to encrypt your connection
Be mindful of long-term sensitive data you share online
Avoid unsecured public Wi-Fi when possible
Keep your apps and devices updated
These steps help protect your data now while the industry builds toward future-ready security.
How McAfee Helps Protect You
McAfee+ Advanced gives you multiple layers working together so you are not left figuring it out after the damage is done:
Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast
Personal Data Cleanup helps remove your information from data broker sites, making you harder to target in the first place
Scam Detector flags suspicious texts, emails, links, and even deepfake videos before you engage
Safe Browsing helps block risky sites if you do click
Secure VPN keeps your data private, especially on public Wi-Fi
Frequently Asked Questions (FAQs)
FAQ
Q: Is my data safe right now?
A: In most cases, yes—today’s encryption is extremely strong and is designed to protect your data from current threats. If you’re using trusted security tools like a VPN, safe browsing protections, and device security, your data is actively protected while it’s in transit and in use. However, no system is risk-free. Data exposed through phishing, weak passwords, breaches, or unsecured networks may still be vulnerable. And with “Harvest Now, Decrypt Later,” even properly encrypted data could be collected today and targeted for decryption in the future.
Q: What is quantum-safe encryption?
A: Quantum-safe (or post-quantum) encryption refers to new types of cryptography designed to remain secure even against future quantum computers. Today’s encryption relies on math problems that are extremely difficult for classical computers to solve, but quantum computers could eventually solve some of them much faster. Quantum-safe approaches use different mathematical foundations that are believed to resist those capabilities. In practice, many companies are moving toward hybrid encryption, combining today’s proven methods with newer quantum-resistant techniques to protect data both now and long-term.
Q: Should I still use a VPN?
A: Yes. A VPN remains one of the most effective ways to protect your data today, especially on public or unsecured networks. It encrypts your internet traffic and helps prevent interception by hackers, internet providers, or other third parties. While VPN protocols are evolving to address future quantum risks, they still provide strong, essential protection against today’s threats.
Q: When will this become a real threat?
A: The risk unfolds in two phases. The collection phase is already happening today, where sophisticated actors gather encrypted data and store it. The decryption phase depends on when quantum computing advances far enough to break certain types of encryption, which could take years but is actively progressing. This means data with a long lifespan, such as financial records, personal communications, and sensitive documents, is most at risk because it only needs to remain valuable until those capabilities exist.
You open your inbox and see it: Your cloud storage is full.
There’s a warning about photos being deleted, your account being suspended, or a renewal failing. There’s a button to “fix it now.” Or a warning to “act today.”
It looks routine. Maybe even urgent enough to click.
That’s exactly the point.
An example of a cloud storage scam detected by McAfee.
Cloud storage scams are making headlines again, building on patterns we flagged earlier this year in our State of the Scamiverse research.
These emails have circulated steadily since 2025, often impersonating trusted brands like Apple, Microsoft, and Google. Many are timed to moments when people are already thinking about storage, backups, or subscriptions.
The safest move is simple: pause and don’t click. If there’s a real issue, go directly to your account through the official app or website.
You can also protect yourself with McAfee’s Scam Detector, which flags suspicious links and messages, including cloud storage scams, and explains why they may be risky.
What Is A Cloud Storage Scam And How Does It Work?
Cloud storage scams are phishing attacks designed to trick you into believing there’s an issue with your account so you’ll click a malicious link.
They often look like this, and include 3 key red flags:
Messages that create urgency like “act now or lose your data”
Generic greetings instead of your name
Links that don’t match the official domain
How the scam works (step-by-step)
Step
What happens
What to do
How McAfee helps
1. You receive a message
Email or text claims your storage is full or your account has an issue
Don’t click links directly from the message
Scam Detector flags suspicious messages before you interact
2. Urgency is introduced
Warning that files or photos will be deleted if you don’t act
Investment-related fraud topped the charts, with over $8.5 billion lost to investment cybercrime in 2025. And that’s just losses that were reported. Not everyone reports when they were scammed. (Image Courtesy FBI)
This is where layered protection matters. It’s not just about catching one bad link. It’s about recognizing patterns across messages, platforms, and moments when something feels slightly off.
How McAfee Protects You From Scams and Cyber Threats
McAfee+ Advanced gives you multiple layers working together so you are not left figuring it out after the damage is done:
Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast
Personal Data Cleanup helps remove your information from data broker sites, making you harder to target in the first place
Scam Detector flags suspicious texts, emails, links, and even deepfake videos before you engage
Safe Browsing helps block risky sites if you do click
Emails claiming to be from Social Security are making the rounds right now.
They look official. They sound official. And they’re designed to get you to click before you think twice.
The Social Security Administration’s Office of Inspector General is warning about a spike in messages that claim your Social Security statement is ready to download. The goal is simple. Get you to click a link or open an attachment.
From there, things can go sideways fast.
Before interacting with anything like this, it’s worth pausing and running it through a tool like McAfee’s Scam Detector. This is exactly the kind of message it’s built to flag. Something that looks legitimate, but feels just slightly off.
How The Scam Works
The email mimics official government communication, using logos, formatting, and language that feels familiar. It might say your statement is ready, your account needs attention, or you need to review a document.
Once you click:
You may be sent to a fake website designed to capture your personal information
You may download malware without realizing it
Or you may be prompted to enter sensitive financial details
Either way, the goal is the same: get access to your identity.
The Red Flags In These Emails
Messages claiming your social security statement is ready to download
Links or attachments labeled as official documents
Urgency pushing you to act quickly
Sender addresses that do not end in “.Gov”
The biggest tell: Social Security does not send emails like this asking you to download statements or provide sensitive information.
What To Do If You Get One
Do not click links or download attachments
Delete the email immediately
Access your account by going directly to the official SSA website
Report the message to the SSA Office of Inspector General
If you already clicked:
Stop communication immediately
Contact your financial institutions
Monitor your accounts closely
Report the incident to the FTC or the FBI’s IC3
And that, my friends, is scam number one in this week’s This Week in Scams.
Let’s get into what else is on our radar.
A Healthcare Data Breach That Could Lead to Follow-Up Scams
Healthcare data breaches don’t always make headlines the same way big tech breaches do, but they can be just as serious.
According to reporting from Fox News, CareCloud, a company that supports electronic health records for tens of thousands of providers, recently confirmed a security incident involving unauthorized access to one of its systems.
The access lasted several hours. And while it’s still unclear whether any data was taken, that uncertainty is exactly what makes situations like this risky.
Because even if you’ve never heard of the company, your doctor might use it.
Why This Matters
Healthcare data is incredibly valuable. It can include:
Names and social security numbers
Insurance details
Medical history
Billing information
Unlike a credit card, you can’t just cancel your medical history.
And when that kind of data is exposed or even potentially exposed, scammers often follow up with messages that feel highly specific and personal.
What To Watch For Next
After incidents like this, scammers often move quickly:
Emails or texts pretending to be your provider
Messages about billing issues or medical records
Requests to “verify” your information
Links to log in or update your account
These scams work because they’re timed perfectly and feel relevant.
This is another moment where Scam Detector can help flag suspicious links or messages before you engage, even when they reference real healthcare providers.
How To Protect Yourself
Review medical bills and insurance statements for unfamiliar activity
Enable two-factor authentication on patient portals
Use strong, unique passwords
Avoid clicking links in unexpected healthcare-related messages
Consider identity monitoring to catch misuse early
Where McAfee Steps In (So You Don’t Have to Guess)
Scams today are layered.
A fake email leads to stolen credentials. A breach leads to targeted phishing. And those follow-ups are getting harder to spot.
McAfee+ Advancedgives you multiple layers working together so you are not left figuring it out after the damage is done:
Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast
Personal Data Cleanup helps remove your information from data broker sites, making you harder to target in the first place
Scam Detector flags suspicious texts, emails, links, and even deepfake videos before you engage
Safe Browsing helps block risky sites if you do click
We’re excited to share that McAfee’s Scam Detector has been named a finalist in the 2026 Webby Awards.
Recognized in the AI Experiences & Applications – Consumer Application category and named a Webby Honoree for Best Use of AI & Machine Learning, Scam Detector is being acknowledged for its effectiveness as an AI-driven consumer tool.
This recognition of Scam Detector validates something key in research findings. According to McAfee’s 2026 State of the Scamiverse report, Americans now spend 114 hours a year trying to decide what’s real and what’s fake online.
Scam Detector was built with this era of uncertainty in mind, designed to help people cut through confusion and identify scams as they appear. The Webby recognition reinforces to us that McAfee’s Scam Detector is doing exactly that.
What Are the Webby Awards?
The Webby Awards are presented by the International Academy of Digital Arts & Sciences and recognize excellence across the internet, including apps, software, AI, and digital experiences.
Each year, thousands of entries are evaluated, with finalists representing the top work in their category globally.
In addition to judged awards, the Webby Awards include a People’s Voice Award, which is decided by public vote.
How McAfee’s Scam Detector Uses AI to Stop Scams
Scam Detector is designed to help people identify scams where they’re most likely to happen, always ready to help you spot what’s real and what’s not when you least expect it.
It uses AI to analyze and flag suspicious:
Text messages and emails
Links and websites
QR codes
Social media messages
AI-generated and deepfake content
Beyond detection, Scam Detector explains why something was flagged as risky. That transparency helps show how decisions are made, so people can quickly understand the risk and feel more confident trusting what’s flagged.
As scams become more personalized and harder to detect, this combination of automatic detection and clear guidance is critical to preventing financial loss and identity theft.
Vote for McAfee’s Scam Detector
Scam Detector is eligible for the Webby People’s Voice Award, which is decided by public vote.
Voting is open through Thursday, April 16 at 11:59 pm PDT.
Winners will be announced on April 21, 2026.
And a big thank you to the McAfee teams who brought Scam Detector to life and who continuously improve how Scam Detector identifies new threats and adapts to the evolving world of AI-driven scams.
A tax system breach in Oklahoma is putting highly sensitive personal information at risk. And unfortunately, this is exactly the kind of situation scammers love to exploit.
Hackers reportedly accessed W-2 and 1099 files through Oklahoma’s online tax portal, according to state officials, exposing the kind of information that can open the door to tax fraud, identity theft, and highly targeted phishing attempts.
Before the follow-up scams start rolling in, this is the kind of moment where layered protection matters. McAfee+ Advanced includes identity monitoring and data cleansup that can help alert you if your personal information starts circulating where it shouldn’t, and Scam Detector can flag suspicious messages if scammers try to use this breach as a hook.
What Happened in Oklahoma
According to a statement by the Oklahoma Tax Commission and reported by KOCO News 5, a local ABC affiliate, suspicious activity inside the state’s Oklahoma Taxpayer Access Point system was identified in December 2025. The agency says impacted individuals have been notified directly by mail, and complimentary credit monitoring and fraud assistance are being offered.
When W-2s, 1099s, Social Security numbers, and tax-related records are exposed, scammers can use that information to:
File fraudulent tax returns
Try to open new accounts
Build phishing emails or texts that feel unusually real
Either way, the goal is the same: use real information to make the next scam more believable.
Red Flags of a Scam After a Breach Like This
The breach itself is real. But what often follows is a second wave of scams pretending to help.
Watch For:
Emails or texts about your “tax account” that create urgency
Messages asking you to verify personal information
Fake alerts about refunds, filings, or suspicious activity
Links telling you to log in and “secure” your account
That’s where people can get hit twice: once by the breach, and again by the scam that follows it.
What To Do If You’re Impacted
First, don’t panic. Then:
Take advantage of any free credit monitoring or fraud assistance being offered
Monitor your bank accounts, tax records, and credit reports closely
Consider placing a fraud alert or credit freeze if needed
Be extra careful with any message referencing taxes, refunds, or account access
Go directly to official sites instead of clicking links in emails or texts
And that, my friends, is scam number one in this week’s This Week in Scams.
Let’s get into what else is on our radar.
The FBI Impersonation Scam Showing Up Across the U.S.
Scammers pretending to be federal agents are making the rounds across the country, and this one is built to make people panic fast.
Field offices, including Chicago and Houston, are warning the public about fraudsters posing as FBI agents in calls, texts, and emails. In some cases, the scammers claim you’re connected to an investigation. In others, they say you’re a victim of fraud and need to act immediately to protect yourself.
Sometimes they do not stop there. They may also pretend to be bank employees working alongside the FBI, all to make the story feel more convincing and get access to your money or personal information.
The FBI has shared images of these suspects pretending to be agents. If you are contacted by these officials, report it to the FBI.
Why This Scam Works
This scam plays on the same pressure tactics we’ve seen over and over again: authority, urgency, and confusion.
If someone claims to be a federal agent, many people freeze up and assume they need to cooperate immediately. That’s exactly what scammers are counting on.
The FBI has been clear about this: federal law enforcement will not ask you for money or sensitive personal information over the phone, by text, or by email.
The Red Flags in This Message
Unsolicited outreach from someone claiming to be federal law enforcement
Pressure to act immediately
Requests for money, gift cards, prepaid cards, or personal information
Instructions to keep the conversation secret
Stories involving a bank “working with” the FBI
If it feels dramatic, high-pressure, and just a little off, trust that instinct.
What To Do if You Get One Of These Messages
Do not respond
Do not send money or share personal information
Contact the agency directly using publicly listed contact information
Save the message for your records
Report it to the FBI: 1-800-CALL-FBI (225-5324), or online at tips.fbi.gov.
This is also exactly the kind of message McAfee’s Scam Detector is built to flag before you get pulled in.
How McAfee Helps You Stay Ahead of Scams and Breaches
McAfee+ Advancedgives you multiple layers working together so you are not left figuring it out after the damage is done:
Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast
Personal Data Cleanup helps remove your information from data broker sites, making you harder to target in the first place
Scam Detector flags suspicious texts, emails, links, and even deepfake videos before you engage
Safe Browsing helps block risky sites if you do click
Secure VPN keeps your data private, especially on public Wi-Fi
This kind of layered protection is critical in cases like ghost student scams, where the first sign of fraud often comes after financial damage has already happened.
Safety tips to carry into next week
Be extra cautious after any real breach makes headlines
Do not trust unsolicited messages just because they reference real institutions
Never send money to someone claiming to be law enforcement
Go directly to official websites instead of clicking links
Use tools that flag suspicious messages in real time so you do not have to guess
The reality is, scams are getting better at looking official.
You should not have to be an expert to spot them. That’s why McAfee is here to help. We’re Safer Together.
We’ll be back next week with more scams making headlines.
Rob J., 31, an internal auditor in California, thought he was doing everything right this tax season. He filed his return as usual, even early, and expected a state refund just short of $400.
Instead, he got a letter saying the state had taken it.
The notice from the California Franchise Tax Board said his refund had been intercepted to pay a debt owed to a local community college.
There was just one problem: Rob had never attended that school.
“How could the state be taking my tax refund to pay a debt to a community college I’ve never attended?” he told us at McAfee. “I immediately knew something was wrong.”
“I started researching and came across the term ‘ghost student,’ and that’s when it clicked. Someone had used my identity to enroll in a college like they were me.”
How McAfee+ Advanced Helps Protect You from Identity Theft
Scams like this do not start with a suspicious text or email. They start with your data being exposed somewhere you cannot see.
That is why protection has to go beyond one moment and cover the full lifecycle of identity theft.
McAfee+ Advancedgives you multiple layers working together so you are not left figuring it out after the damage is done:
Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast
Personal Data Cleanup helps remove your information from data broker sites, making you harder to target in the first place
Scam Detector flags suspicious texts, emails, links, and even deepfake videos before you engage
Safe Browsing helps block risky sites if you do click
Secure VPN keeps your data private, especially on public Wi-Fi
This kind of layered protection is critical in cases like ghost student scams, where the first sign of fraud often comes after financial damage has already happened.
What Is a Ghost Student Scam?
A ghost student scam is a form of identity theft where someone uses your stolen personal information, often your Social Security number, to enroll in a college or university under your name.
The scammer is not trying to attend school. They are trying to use your identity to access financial aid, create accounts, or generate funds tied to a real person.
In many cases, the victim has no idea anything happened until the consequences show up later, such as a tax refund being taken, a debt appearing, or a loan being opened in their name.
That is exactly what happened to Rob.
“I started researching and came across the term ‘ghost student,’ and that’s when it clicked,” he said. “Someone had used my identity to enroll in a college like they were me.”
How Ghost Student Scams Happen
These scams typically follow a predictable pattern, even if the victim does not see it happening in real time:
Stage
What happens
Why it matters
Data exposure
Your personal information is leaked in a data breach or collected from data broker sites
Scammers get the core details they need to impersonate you
Identity misuse
Your information is used to apply to colleges or financial aid programs
The scam is tied to your real identity, not a fake one
Enrollment activity
Fake students may enroll just long enough to access funds or create accounts
This helps scammers avoid early detection
Financial impact
Debts, balances, or aid obligations are created in your name
You become financially responsible on paper
Discovery
You find out later through a notice, refund interception, or account alert
By this point, damage has already been done
In Rob’s case, the starting point was a data breach the year before. His Social Security number had been exposed, but he had not frozen his credit.
Someone used that information to enroll at Pasadena City College. When the balance went unpaid, the state redirected his tax refund to cover it.
“Despite Being the Victim, I’m Trying to Prove My Identity”
Once Rob realized what happened, he moved quickly. He froze his credit, set up identity monitoring, filed a police report, and began working with the college to prove he was not the student.
He says the process has been slow and frustrating.
“I’ve spent hours on the phone trying to fix this… I’m exhausted,” he said. “Despite being the victim I am the one dealing with the consequences and trying to prove my identity to the same institution that let a fake me register.”
When he contacted campus police, he learned something else: “this has been happening to other people too.”
Why Ghost Student Scams Are Increasing
Ghost student scams are part of a broader shift in how identity theft works.
Instead of quick-hit fraud like a stolen credit card, scammers are using real identities to create more complex, longer-term opportunities for financial gain.
In higher education, that can include:
Enrolling fake students using stolen identities
Accessing financial aid
Holding seats in classes long enough to collect funds
This trend has already affected thousands of suspected cases across education systems and continues to grow as scammers scale their tactics
What to Do If Your Identity Is Used in a Ghost Student Scam
If something like this happens, speed matters:
Freeze your credit with all three bureaus
Check your FAFSA and student loan records
Contact the school and dispute the enrollment
File a police report
Set up identity monitoring and alerts
Remove your personal information from data broker sites
These steps help contain the damage, but they are reactive. The goal is to catch exposure earlier. McAfee+ Advanced can help you with freezing your credit, ongoing identity monitoring, and data removal from the dark web.
How Rob’s Story Ends: ‘I’m Waiting for the Other Shoe to Drop’
Rob has confirmed there are no federal loans in his name, but the situation is not fully resolved.
“I still feel like I’m waiting for the other shoe to drop,” he said.
That uncertainty is part of what makes identity theft so difficult. You are often reacting to something that started months or even years earlier. Rob said he currently has an outstanding police report and is in the process of getting his refund reclaimed.
How to Stay Ahead of Identity Theft Like This
Ghost student scams work because they operate quietly, using real data in systems most people are not actively watching. That is where ongoing protection matters.
Alerting you early when your personal data appears on the dark web or in risky environments
Reducing your exposure by removing your data from broker sites that scammers rely on
Blocking scam entry points across texts, emails, links, and deepfakes
Protecting your devices and connections so attackers have fewer ways in
Because the goal is not just to respond to identity theft, it’s to catch the signals early enough that someone cannot become a “student” in your name in the first place.
A text that looks like it came straight from a courthouse is making the rounds across the U.S. And yes, I got it too.
First things first, that’s a scam. And to be clear: DON’T SCAN THAT QR CODE.
It’s the same playbook as last year’s toll road scams, just dressed up with a little more authority and a lot more pressure.
Before doing anything, our team ran it through McAfee’s Scam Detector. It immediately flagged the message as suspicious, and that’s exactly the kind of moment this tool is built for. When something feels just real enough to second guess, it gives you a clear signal before you click, scan, or spiral.
A screenshot showing Scam Detector in action.
How the scam works
The text claims you’ve missed a payment, violated a law, or have some kind of outstanding “case.” It then pushes you to scan a QR code or click a link to resolve it quickly.
From there, one of two things usually happens:
You’re taken to a fake payment page designed to steal your money, or
You’re prompted to download something that gives scammers access to your device or data
Either way, the goal is the same: get you to act fast before you have time to question it.
Here’s the scam text I got in California. You’ll notice it looks exactly like the others across the country.
The red flags in this message
Urgent, threatening language about fines, penalties, or legal action
Vague accusations with no real details about what you supposedly did
Official-looking formatting like case numbers, clerk signatures, and judge names
Copy-paste consistency across states: McAfee employees in New York and California received nearly identical messages with the same names
There are reports of this scam popping up nationwide, but the rule is simple: law enforcement does not text you to demand payment or resolve legal issues.
What to do if you scanned the QR code
First, don’t panic. Then:
Do not pay anything or enter personal information
Do not delete apps you were told to install (this can make it harder to detect what happened)
Run a device scan using a trusted security tool like McAfee’s free antivirus
Keep an eye on your financial accounts and logins for unusual activity
And that, my friends, is scam number one in this week’s This Week in Scams (new format, we’re experimenting a little).
Let’s get into what else is on our radar.
What to Know About an Alleged Crunchyroll Breach
Anime streaming platform Crunchyroll is investigating claims of a data breach involving customer support ticket data, potentially impacting millions of users.
According to TechCrunch, access appears to involve a third-party vendor system, a reminder that even strong security setups still rely on people and partners, which can introduce risk in everyday moments.
Even if you’ve never entered your credit card into a support form, these tickets can still include:
Email addresses
Usernames
Screenshots or account details
Conversations that reveal habits, subscriptions, or personal context
That’s more than enough for scammers to build highly believable follow-ups.
Why this matters right now
When breaches like this surface, scammers don’t wait. They use the moment to send emails and messages that feel timely, relevant, and legitimate.
For example, scammers might send messages pretending to be Crunchyroll and suggesting you “click this link to secure your account” after the breach. In reality, that “security check” exposes your information.
This is where tools like Scam Detector come back into play, flagging suspicious links and messages even when they reference real companies or real events.
What to do if you have a Crunchyroll account
Change your password, especially if you’ve reused it elsewhere
Turn on two-factor authentication
Be cautious of emails referencing the breach or asking you to “secure your account”
Avoid clicking links and go directly to the official site instead
How McAfee Helps You Stay Ahead of Scams and Breaches
McAfee+ Advanced gives you multiple layers working together so you’re not left figuring it out in the moment:
Scam Detector flags suspicious texts, emails, links, and even deepfake videos before you engage
Safe Browsing helps block risky sites if you do click or scan
Device Security helps detect and remove malicious apps or downloads
Identity Monitoring alerts you if your personal info shows up where it shouldn’t, so you can act fast
Personal Data Cleanup helps remove your information from data broker sites, making you a harder target in the first place
Secure VPN keeps your data private, especially on public Wi-Fi
Plus our instant QR code scam checks will flag suspicious QR codes before you scan them.
Safety tips to carry into next week
Slow down when a message creates urgency. That’s the hook
Don’t scan QR codes or click links from unexpected texts
Go directly to official websites instead of using links sent to you
Use tools that flag scams in real time so you don’t have to guess
The reality is, these scams are designed to look normal. You shouldn’t have to be an expert to spot them. That’s why McAfee’s here to help.
We’ll be back next week with more scams making headlines.
Tax season is prime time for scammers. And in 2026, the scams are more convincing, more targeted, and increasingly powered by AI.
In this guide, we break down this year’s biggest tax scams from the IRS Dirty Dozen and show how tools like McAfee’s Scam Detector help flag malicious links, scan suspicious QR codes, and analyze risky messages across text, email, and social media to help you stay ahead of fraud.
67% are seeing the same or more scam messages than last year
40% say scams are more sophisticated
Only 29% feel very confident they can spot a deepfake scam
Nearly 1 in 4 Americans say they’ve lost money to a tax scam
Tax scams are not just increasing. They are getting harder to recognize in the moment.
What is the IRS Dirty Dozen?
The IRS Dirty Dozen is the agency’s annual list of the most common and dangerous tax scams targeting individuals and businesses.
The 2026 list highlights a clear shift toward:
AI-driven impersonation
QR code and link-based phishing
Social media misinformation
Refund and credit manipulation schemes
These scams are designed to create urgency, confusion, and quick decisions. That combination is what makes them effective.
The IRS Dirty Dozen for 2026 and how to spot each scam
Below is a full breakdown of all 12 scams identified by the IRS, along with what to look for and how protection tools can help.
#
Scam Type
How It Works
Red Flags
How McAfee Helps
1
IRS impersonation (email, text, DM)
Messages claim to be from the IRS asking you to verify info or claim a refund
Urgent tone, links, QR codes, unexpected outreach
Scam Detector flags suspicious messages and links across text, email, and social. Safe browsing blocks fake IRS sites if you click
2
AI voice scams and robocalls
AI-generated calls mimic IRS agents or officials
Threats, payment pressure, spoofed caller ID
Scam Detector helps validate follow-up messages or links tied to the call. Identity monitoring helps detect if your info is being used in impersonation attempts
3
Fake charities
Scammers pose as charities to collect donations or data
Emotional appeals, vague organization details
Scam Detector flags suspicious donation links. Safe browsing blocks fraudulent charity sites. Personal Data Cleanup reduces exposure to targeting lists
4
Social media tax misinformation
Viral posts push fake deductions or “tax hacks”
Promises of large refunds or loopholes
Scam Detector’s screenshot analysis lets you check social posts and DMs before acting, helping identify misleading or risky claims
5
IRS account takeover scams
Criminals use stolen data to access IRS accounts
Alerts about account changes you didn’t initiate
Identity monitoring and alerts notify you if your data is exposed. Device security helps prevent malware used to steal credentials
6
Abusive capital gains schemes (Form 2439)
Fake or inflated claims tied to investment credits
Complicated filings tied to unfamiliar organizations
Scam Detector flags suspicious messages and links. Safe browsing blocks fraudulent filing sites tied to these schemes
7
Fake self-employment tax credit
Misleading claims about eligibility for large credits
“You qualify” messaging without verification
Safe browsing blocks scam sites attempting to capture personal or tax info
8
Ghost tax preparers
Preparers refuse to sign returns or provide credentials
No PTIN, vague business identity
Scam Detector helps assess suspicious messages or outreach. Identity monitoring adds protection if your data is shared with a bad actor
9
Non-cash donation schemes
Inflated valuations used to reduce tax liability
Unrealistic deductions, aggressive promoters
Scam Detector flags suspicious offers and links. Safe browsing blocks sites attempting to collect sensitive financial data
10
Overstated withholding scams
False income or withholding reported to inflate refunds
Encouragement to “boost” refund numbers
Scam Detector flags misleading content. Device security helps protect against malware tied to fake filing tools
Companies overpromise tax debt relief and charge high fees
High-pressure sales tactics, guaranteed outcomes
Scam Detector flags suspicious outreach. Personal Data Cleanup reduces targeting. Identity monitoring helps catch misuse of your data
How McAfee helps protect you from tax scams
Tax scams rarely rely on just one tactic. A message leads to a link. A link leads to a fake site. A fake site leads to stolen data or payment.
That is why protection needs to work across the full chain, not just one moment.
McAfee goes beyond traditional antivirus by combining multiple layers of digital protection into one app, helping you stay safer before, during, and after a scam attempt.
Here is how each layer helps:
Scam Detector helps flag suspicious messages, links, and AI-driven scams across text, email, and social media. It can also scan QR codes and analyze screenshots of messages that feel off.
Safe browsing tools help block risky websites, including fake IRS portals and lookalike domains designed to steal personal and financial information.
Secure VPN helps keep your connection private, especially on public Wi-Fi where sensitive activity like filing taxes or accessing financial accounts can be exposed.
Identity monitoring and alerts notify you if your personal information, like your Social Security number or email, appears in places it should not, helping you act quickly if identity theft is attempted.
Personal Data Cleanup helps reduce your exposure by removing your information from high-risk data broker sites that scammers use to target you.
Device and account security helps protect the devices and accounts you rely on every day, adding another layer of defense against malware, phishing, and unauthorized access.
Together, these protections help you do more than react to scams. They help you spot them earlier, avoid risky situations, and recover faster if something goes wrong.
Today marks the start of Spring in the Northern Hemisphere, and with warmer weather setting in summer trips are vacation planning are starting to take shape.
But before you respond to that message about your hotel booking or payment confirmation, it’s worth asking: is it actually legit?
This week in scams, we’re breaking down a travel phishing scheme making the rounds through realistic booking messages, as well as new McAfee research on betting scams and AI-driven malware.
Scammers Who Know Your Exact Travel Reservation Details
A new phishing campaign targeting travelers is exploiting hotel booking platforms like Booking.com, and it’s convincing enough to fool even cautious users.
According to reporting from ITBrew and Cybernews, attackers are running a multi-stage scam:
How The Booking Scam Works
Scam Stage
How It Works
What You’ll Notice
How to Protect Yourself
Where McAfee Helps
Stage 1: Hotel account gets compromised
Attackers phish or hack hotel staff to access booking platforms and guest reservation data.
You won’t see this part — it happens behind the scenes.
Use strong, unique passwords and enable multi-factor authentication on your own accounts to reduce risk of similar breaches.
Identity Monitoring can alert you if your personal information appears in suspicious places or data leaks.
Stage 2: You receive a realistic message
Scammers use stolen booking data to send messages via WhatsApp, email, or even booking platforms.
The message includes your real name, hotel, and travel dates, making it feel legitimate.
Be cautious of unexpected outreach, even if the details are correct. Don’t assume accuracy means authenticity.
Scam detection tools can help flag suspicious messages and identify potential phishing attempts.
Stage 3: Urgency is introduced
The message claims there’s an issue with your reservation and pushes you to act quickly.
Phrases like “confirm within 12 hours” or “risk cancellation” create pressure.
Pause before acting. Legitimate companies rarely require urgent payment changes without prior notice.
Scam detection can help identify high-risk messages designed to pressure you into quick decisions.
Stage 4: You’re sent to a fake payment page
A link leads to a convincing lookalike site designed to steal your payment details.
The page looks real but may have subtle URL differences or unusual formatting.
Always navigate directly to the official website or app instead of clicking links in messages.
Safe Browsing tools can help block risky or known malicious websites before you enter sensitive information.
March Madness Brackets, Bets, and Bad Actors
March Madness brings brackets, bets, and a flood of bad actors.
New McAfee research found that 1 in 3 Americans (32%) say they’ve experienced a betting or gambling scam, and nearly a quarter (24%) say they’ve lost money to one. On average, victims reported losing $547.
That’s not surprising when you look at the environment around the tournament. More than half of Americans are watching, more than half are participating in some form of betting, and 82% say they’ve seen betting promotions in the past year.
Some of the most common setups this season include:
“Guaranteed win” or “can’t lose” betting tips that require payment upfront
Fake sportsbook promotions offering bonus bets or free credits
Messages claiming you have winnings, but need to pay a fee to unlock them
Impersonation scams posing as sportsbook support or betting platforms
Invitations to private “VIP betting groups” on WhatsApp or Telegram
The takeaway: If a betting offer promises guaranteed results, demands the use of bizarre apps and sites, asks for money upfront, or pushes you to act quickly, it’s not an edge. It’s a scam.
“AI-Written” Malware Is Hiding in Everyday Downloads
Not all scams start with a message. Some start with a search.
443 malicious ZIP files disguised as legitimate software
1,700+ file names used to make those downloads look credible
48 variants of a malicious DLL file used to infect devices
These weren’t hosted on obscure corners of the internet either. The files were distributed through platforms people recognize, including Discord, SourceForge, and file-sharing sites.
Here’s how the attack typically works:
You search for a tool.
You download what looks like the right file.
It opens normally at first.
Then, behind the scenes, malware loads quietly and begins pulling in additional code. In some cases, victims are shown fake error messages while the real infection happens in the background.
From there, attackers can:
Turn your device into a cryptocurrency mining machine
Install additional malware like infostealers or remote access tools
Slow down your system while running hidden processes
What makes this campaign stand out is that some of the code appears to have been generated with help from AI tools.
That doesn’t mean AI is running the attack on its own. But it does suggest attackers are using AI to:
Generate code faster
Create more variations of malware
Scale campaigns more efficiently
In other words, the barrier to building malware is getting lower.
The takeaway: If a download is unofficial, hard to find, or feels like a shortcut, it’s worth slowing down. The file may look right, but that doesn’t mean it’s safe.
How McAfee+ Advanced Works in These Scam Moments
Whether it’s a message about your booking, a betting offer that looks legitimate, or a download that appears to be exactly what you were searching for, these scams all rely on the same thing: they blend into everyday moments.
That’s where having backup like McAfee+ Advanced comes in. It includes:
McAfee’s Scam Detector, which helps flag suspicious links in texts and messages like the ones used in these booking and betting scams, so you can spot something risky before you engage
Web protection and real-time device security, helping protect against risky links, malicious sites, and evolving threats if you do click, including fake betting platforms or malware hidden in downloads
Personal Data Cleanup, which helps remove your information from sites that sell it, making it harder for scammers to access the personal details that make messages and scams feel legitimate
Secure VPN, which helps keep your personal info safe and private anywhere you use public Wi-Fi, like hotels, airports, and cafés while traveling
Identity Monitoring and alerts, with 24/7 scans of the dark web to help ensure your personal and financial information isn’t being exposed or reused
Credit and transaction monitoring, so you can get alerts about suspicious financial activity if your information is ever compromised
Identity restoration support and up to $2 million in identity theft coverage, giving you access to US-based experts and added peace of mind if something does go wrong
Stay skeptical, verify before you click, and we’ll see you next week with more.
Filing your taxes may not feel risky. You download a W-2. Upload a PDF. Email a document. Move on.
But tax season is one of the most active times of year for scammers, and the moment you start collecting and sharing tax documents is often when people are most exposed.
W-2s, 1099s, prior-year returns, and identity documents contain nearly everything criminals need to commit tax fraud or identity theft. And increasingly, scammers don’t need to break into systems to get them. They rely on rushed filers, familiar workflows, and convincing messages that blend into tax season noise.
The good news: securing your tax documents doesn’t require expensive tools or technical expertise. With a few deliberate steps, you can dramatically reduce your risk before anything leaves your device.
Why Scammers Want Your Tax Documents
Tax documents are valuable because they’re complete.A single W-2 includes your full name, Social Security number, employer information, and income data. Combined with other files, like a prior return or ID scan, that’s enough to:
File a fraudulent tax return
Open new credit accounts
Access financial services
Sell your identity on criminal marketplaces
That’s why tax-related phishing and document theft spike every filing season. Many scams don’t look like scams at all. They look like routine requests, delivery notices, or “quick questions” from someone you already trust.
How to Safely Handle and Share Tax Documents
Tax forms contain some of the most sensitive personal information you have. Taking a few precautions when storing and sharing them can reduce the risk of identity theft and tax fraud.
Store Your Tax Documents Securely
Before sending anything to an accountant or tax service, make sure your files are organized and stored safely.
Use a single secure folder Create one folder, on your device or in a trusted private cloud service account, specifically for tax documents. Avoid scattering files across downloads, email attachments, and screenshots.
Rename files clearly Use descriptive names such as “2025_W2_EmployerName.pdf” so you can easily identify documents without opening multiple files or re-downloading forms.
Avoid public Wi-Fi If you’re downloading tax documents, do it on a secure home network whenever possible. Public Wi-Fi can increase the risk of interception. If you must connect in public, using a trusted VPN adds another layer of protection.
Watch for Tax-Season Phishing Scams
Many tax scams don’t target software, they target people.
Common examples include:
Emails pretending to be from the IRS asking you to “verify” information
Messages that appear to come from your employer requesting a copy of your W2
Fake tax portals asking you to re-upload documents
Urgent messages claiming there is a problem with your return
These scams often arrive when you’re already expecting tax-related communication, which makes them easier to trust.
Important: The IRS does not initiate contact by email, text message, or social media to request personal or financial information.
Use Secure Ways to Share Tax Documents
Email attachments are convenient, but they can also expose sensitive information.
Safer options include:
A secure client portal provided by your accountant or tax preparer
Encrypted file-sharing services
Password-protected documents sent through a secure channel
If you must email a document, avoid sending the password in the same message.
Verify Requests Before Sending Documents
Even if a request looks legitimate, pause before sharing sensitive files.
Ask yourself:
Did I expect this request?
Is the sender using their normal contact method?
Does the message create urgency or pressure?
If something seems unusual, verify the request through a separate channel, such as calling the person directly or starting a new email thread.
Secure the Devices You Use to File
Protecting tax documents also means protecting the device where they’re stored.
Before filing your taxes:
Install the latest software updates on your computer and phone
Tax scams increasingly arrive through text messages and social media, not just email, so protection needs to cover the places scammers actually reach you.
File Early and Watch for Warning Signs
Filing early reduces the opportunity for scammers to file a fraudulent tax return in your name.
After filing:
Watch for IRS notices you didn’t expect
Monitor financial accounts for unfamiliar activity
Be cautious of follow-up messages claiming problems with your return
If something feels off, investigate before responding.
Step-by-Step: How to Encrypt Tax Documents Before Sending Them
Step
What to Do
Why It Matters
1. Put all tax files into one folder
Gather your W-2s, 1099s, receipts, PDFs, and spreadsheets in one folder.
Keeps you organized and prevents accidentally leaving something unprotected.
2. Convert photos into PDFs (if needed)
If documents are photos, save them as a PDF using your phone scanner app or printer settings.
PDFs are easier to encrypt and share securely than image files.
3. Combine files into one ZIP folder
On your computer, select all files → right click → Compress / Zip.
Creates a single package you can protect with a password.
4. Add a password to the ZIP file
Choose the “Encrypt” or “Password Protect” option when creating the ZIP file.
Password protection helps prevent unauthorized access if the file is intercepted.
5. Use a strong password
Use at least 12 characters with a mix of letters, numbers, and symbols.
Weak passwords can be cracked quickly.
6. Rename the file to something generic
Use a name like “Documents_2025.zip” instead of “Taxes_W2_SSN.zip.”
Avoids exposing sensitive info in the file name itself.
7. Send the encrypted file through a secure method
Upload via your tax preparer’s secure portal or share through a secure cloud link.
Email attachments can be risky if the wrong person gains access.
8. Send the password separately
Text or call the password—don’t include it in the same email as the file.
If someone intercepts the email, they won’t have both pieces.
Acting quickly can limit damage and help prevent long-term fallout.
Final Thoughts
Securing your tax documents doesn’t require perfection, just intention.
By slowing down, using safer sharing methods, and staying alert to tax-season scams, you can protect yourself before problems start. In a season where everyone feels rushed, a few extra minutes can save months of cleanup later.
McAfee helps protect your identity, devices, and personal information so tax season doesn’t become scam season.
Frequently Asked Questions
Q: Is it safe to email tax documents to my accountant?
A: Email is not the safest option. Secure portals or encrypted file-sharing tools are preferred for sensitive documents like W-2s and tax returns.
Q: How do W-2 phishing scams work?
A: Scammers impersonate employers or tax authorities to trick people into sending W-2s or personal information, often using urgent or official-looking messag
Q: Can scammers file taxes using my W-2?
A: Yes. With enough personal information, criminals can file fraudulent returns or commit identity theft.
Q: How can I tell if a tax message is fake? A: Be cautious of unsolicited requests, urgent language, unfamiliar links, or requests for documents outside normal filing workflows.
Q: What’s the safest way to share tax documents online?
A: Use secure portals, encrypted file-sharing, and verified communication channels. Avoid public Wi-Fi and unprotected email attachments.
McAfee Labs has uncovered a widespread malware campaign hiding inside fake downloads for things like game mods, AI tools, drivers, and trading utilities.
What makes this campaign especially notable is that some parts of it appear to have been built with help from large language models (LLMs). McAfee researchers found signs that certain scripts likely used AI-generated code, which may have helped the attackers create and scale the campaign faster.
That does not mean AI created the whole operation on its own. But it does suggest AI may be helping cybercriminals lower the effort needed to build malware and launch attacks.
Attackers created many different fake downloads to reach more victims
48 malicious DLL variants
The campaign used multiple versions of the malware, not just one file
1,700+ file names observed
The same threat was repackaged under many different names to look convincing
17 distinct kill chains
Researchers found multiple attack flows, but they followed a similar overall pattern
Hosted on familiar platforms
The malware was distributed through services users may recognize, including Discord and SourceForge
AI-assisted code suspected
Some scripts contained explanatory comments and patterns that strongly suggest LLM assistance
Cryptomining and additional malware observed
Infected devices could be used to mine cryptocurrency or receive more malicious payloads
What Is “AI-Written Malware”?
In this case, “AI-written malware” does not meanan AI system independently invented and launched the attack.
Instead, McAfee Labs found evidence that the attackers very likely used AI tools to help generate some of the code used in the campaign, especially in certain PowerShell scripts.
Put simply:
Term
Plain-English meaning
Large language model (LLM)
An AI system that can generate text and code based on prompts
AI-assisted malware
Malware where attackers appear to have used AI tools to help write or structure parts of the code
Vibe coding
A style of coding where someone describes what they want and an AI does much of the writing
This matters because it can make malware development faster, easier, and more scalable for attackers.
Figure 1: Attack Vector
How The Fake Download Attack Works
The attack begins when someone searches for software online and downloads what looks like the tool they wanted.
That tool might appear to be a game mod, AI voice changer, emulator, trading utility, VPN, or driver. But behind the scenes, the ZIP archive includes malicious components that start the infection.
Step
What happens
1. A user downloads a fake file
The ZIP archive is disguised as something useful or desirable, such as a mod menu, AI tool, or driver
2. The file appears normal at first
In some cases, the package includes a legitimate executable so it feels more convincing
3. A malicious DLL is loaded
A hidden malicious file, often WinUpdateHelper.dll, starts the real attack
4. The user is distracted
The malware may display a fake “missing dependency” message and redirect the user to install unrelated software
5. A PowerShell script is pulled from a remote server
While the user is distracted, the malware contacts a command-and-control server and runs additional code
6. More malware is installed
Depending on the sample, the device may receive coin miners, infostealers, or remote access tools
7. The infected device is abused for profit
In many cases, attackers use the victim’s system resources to mine cryptocurrency in the background
What Kinds of Files Were Used as Bait
McAfee found that the attackers cast a very wide net. The malicious ZIP files impersonated many types of software, including:
Bait category
Examples
Gaming tools
game mods, cheats, executors, Roblox-related tools
AI-themed tools
AI image generators, AI voice changers, AI-branded downloads
System utilities
graphics drivers, USB drivers, emulators, VPNs
Trading or finance tools
stock-market utilities and related downloads
Fake security or malware tools
fake stealers, decryptors, and other risky-looking utilities
That broad range is part of what made the campaign effective. It was designed to catch people already looking for shortcuts, unofficial tools, or hard-to-find software.
Why McAfee Researchers Believe AI Was Used
One of the strongest clues came from the comments inside some of the attack scripts.
McAfee researchers found explanatory comments that looked more like AI-generated instructions than the kind of shorthand attackers usually leave for themselves. In one example, a comment referred to downloading a file from “your GitHub URL,” which suggests the code may have come from a generated template and was not fully cleaned up before use.
These details do not prove every part of the campaign was AI-made. But they do support McAfee’s assessment that certain components were likely generated with help from large language models.
What Happens on an Infected Device
In many cases, the malware was used to turn victims’ computers into quiet crypto-mining machines.
McAfee observed mining activity involving several cryptocurrencies, including:
Ravencoin
Zephyr
Monero
Bitcoin Gold
Ergo
Clore
Some samples also downloaded additional payloads such as SalatStealer or Mesh Agent.
For victims, that can mean:
Possible effect
What it may look like
Slower performance
apps lag, games stutter, system feels unusually sluggish
High CPU or GPU usage
fans run constantly, laptop gets hot, battery drains faster
if an infostealer or remote access tool is installed
McAfee was also able to trace several Bitcoin wallets tied to the campaign. At the time of the report, those wallets held about $4,536 in Bitcoin, while total funds received were approximately $11,497.70. Researchers note the real total could be higher because some of the currencies involved are harder to trace.
Who Was Targeted Most
This campaign was observed most heavily in:
United States
United Kingdom
India
Brazil
France
Canada
Australia
That does not mean users elsewhere were unaffected. These were simply the countries where researchers saw the highest prevalence.
Figure 2: Geographical Prevalence
Red Flags To Watch For
Even though the campaign used advanced techniques, the warning signs for users were often familiar.
Red flag
Why it matters
You found the file through a random link
Unofficial forums, Discord links, and file-hosting pages are common malware delivery paths
The download is a ZIP for something sketchy or unofficial
Cheats, cracks, mod tools, and unofficial utilities carry higher risk
You get a “missing dependency” message
Attackers may use this to push a second download while the real infection happens in the background
The file name looks right, but the source feels wrong
Familiar names can be faked easily
Your PC suddenly slows down or overheats
Hidden cryptominers often abuse system resources
You notice new, unrelated software installed
The campaign sometimes used unwanted software installs as a distraction
How To Stay Safe From Malware Hidden in Fake Downloads
This campaign is a reminder that not every convincing file is a safe one. A few habits can reduce your risk significantly.
Safety step
Why it helps
Download software only from official sources
This lowers the chance of accidentally installing a trojanized file
Avoid cheats, cracks, and unofficial mods
These categories are common bait for malware campaigns
Be skeptical of dependency prompts
Unexpected requests to install helper files or missing components can be part of the attack
Keep your security software updated
Current protection can help detect known threats and suspicious behavior
Pay attention to system performance
A suddenly hot, loud, or slow PC may be a sign something is running in the background
Review what you download before opening it
Even a familiar file name does not guarantee a file is legitimate
McAfee helps protect against malware threats like these with multiple layers of security, including malware detection and safer browsing protections designed to help stop risky downloads before they can do damage.
What To Do If You Think You Opened One of These Files
If you think you downloaded and ran a suspicious file like one described in this campaign:
Action
Why it matters
Disconnect from the internet
This can help interrupt communication with attacker-controlled servers
Run a full security scan
A trusted scan can help identify malicious files and behavior
Delete suspicious downloads
Remove the file and avoid reopening it
Check for unfamiliar software or startup items
The infection may have installed additional components
Change important passwords from a clean device
This is especially important if data-stealing malware may have been involved
Monitor accounts for unusual activity
Keep an eye on email, banking, and other sensitive accounts
If your computer continues acting strangely after a scan, it may be worth getting professional help.
What This Means for the Future of Malware
This campaign highlights how cybercrime is evolving.
The core risk is not just fake downloads. It is the fact that attackers are using AI tools to help generate code, create variations, and speed up parts of the malware development process.
That can make campaigns like this easier to scale and harder to ignore.
For everyday users, the takeaway is simple: if a file seems unofficial, rushed, or too good to be true, pause before opening it. A fake download may look like a shortcut, but it can quietly turn your device into a target.
Frequently Asked Questions
FAQs
Q: What is AI-written malware?
A: AI-written malware generally refers to malicious code, or parts of a malware campaign, that appear to have been created with help from AI coding tools or large language models.
Q: Did AI create this entire malware campaign?
A: McAfee Labs did not say that. The research suggests that certain components, especially some scripts, were likely generated with help from large language models.
Q: What was this malware disguised as?
A: The malicious files impersonated game mods, AI tools, drivers, trading utilities, VPNs, emulators, and other software downloads.
Q: What can happen if you open one of these fake files?
A: Depending on the sample, the malware may install coin miners, steal data, establish persistence, or download additional malicious tools.
Q: Can malware really use my computer to mine cryptocurrency?
A: Yes. McAfee observed samples in this campaign that used victims’ CPU and GPU resources to mine cryptocurrency in the background.
Q: What is the safest way to avoid this kind of malware?
A: Download software only from official or trusted sources, avoid unofficial tools and cheats, be cautious of fake dependency prompts, and keep your security protection up to date.
The term ‘Vibe coding,’ first coined back in February of 2025 by OpenAI researchers, has exploded across digital platforms. With hundreds of articles and YouTube Videos discussing the dangers of Vibe coding and warning the internet about the rise of “Vibe Coders”, while others labelled it as the fundamental shift in software development and the future of coding.
Vibe Coding is an approach where the AI does heavy lifting, rather than the user. Instead of manually writing code or implementing algorithms, users describe their intent through text-based prompt, and the LLMs respond with fully functional code and explanation. Unsurprisingly, the internet is now flooded with guides on the best LLMs and prompts to generate “perfect” code.
Given the ease of generating fully functional code, McAfee Labs has also seen a rise in vibe-coded malware. In these campaigns, certain components of the kill chain contain AI-generated code, significantly reducing the effort and knowledge required to execute new malware campaigns. This shift not only makes malware campaigns more scalable but also lowers the barrier to entry for new malware authors.
Executive summary
In January 2026, McAfee Labs observed 443 malicious zip files impersonating a wide range of software, including AI image generators and voice-changing tools, stock-market trading utilities, game mods and modding tools, game hacks, graphics card and USB drivers, ransomware decryptors, VPNs, emulators, and even infostealer, cookie-stealer, and backdoor malware, to infect users.
Across the 440+ zip files, we observed 48 unique malicious WinUpdateHelper.dll variants, responsible for the infections. McAfee has been detecting variants of this threat since December 2024, although the vibe coding observed in certain components appears to be a recent addition. These files are distributed through various legitimate content delivery network (CDN) services and file-hosting websites, such as Discord, SourceForge, FOSSHub, and MediaFire, to name a few. Another website that was actively delivering this malware was mydofiles[.]com.
Here, the attackers implement volume-driven malware distribution techniques to infect as many users as possible.
Figure 1: Attack Vector
This attack begins when users surf the internet looking for tools and software that promise to simplify their tasks. Instead, they encounter trojanized zip files.
We discovered over 100 URLs actively spreading this malware, of which approximately 61 were hosted on Discord, 17 on SourceForge, and 15 on mydofiles[.]com.
On running the executable, it loads a malicious WinUpdateHelper.dll file, which redirects the user to file-hosting websites, under the disguise that they are missing crucial dependencies and tricks them into installing unrelated software, which is a distraction. Meanwhile, the DLL has already requested and executed a malicious PowerShell script from a command-and-control (C2) server.
This script infects the user’s system and downloads additional mining software, and abuses the system’s resources, or it downloads additional payloads such as SalatStealer or Mesh Agent, depending on the WinUpdateHelper.dll sample which infected the user.
In this PowerShell script, the presence of explanatory comments and structured sections strongly indicates the use of LLM models to generate this code.
Read more about this in the Using AI to generate malware? section below.
So far, we’ve observed the mining of Ravencoin, Zephyr, Monero, Bitcoin Gold, Ergo, andClorecryptocurrencies.
Due to the presence of hardcoded Bitcoin wallet credentials within these malware samples, we were able to trace on-chain transactions and identify wallets containing over $4,500 USD that are part of this campaign.
Since most of the mining activity targets privacy-focused cryptocurrencies such as Zephyr, Ravencoin and Monero, the real financial impact is likely to be nearly double the amount identified through Bitcoin tracing alone.
Geographical Prevalence
Figure 2: Geographical Prevalence
This malware campaign has specifically targeted users in the following counties, ranked by prevalence: The United States of America, followed by United Kingdom, India, Brazil, France, Canada, Australia.
Bottom Line
The availability of LLMs capable of generating code instantly, combined with the widespread accessibility of technical knowledge, has created a low-effort, high-reward environment, making malware deployment increasingly accessible.
At McAfee Labs, we have been doing hard work so that you don’t need to worry. But it always helps to be informed and educated on the latest threat that steps into the threat landscape. We will continue monitoring these campaigns to ensure our customers remain informed and protected across platforms.
Technical Analysis
Impersonated Applications
Here we see malware distribution at a large scale and by analyzing the filenames of these ZIP archives, we can infer to the users that are being targeted. These are some of the names we’ve witnessed in the wild.
Figure 3: Malware Impersonating gaming software
The attackers are actively impersonating video game cheats and game mods for popular titles, and well-known script executors for Roblox, such as Delta Executor and Solara as seen above.
Figure 4: Malware Impersonating tools, malware and drivers
Names such as Panther-Stealer and Zerotrace-Stealer indicate that even users looking for malware on the internet are not safe either, reinforcing the notion that there is truly no honor among thieves.
The campaign also leverages drivers and AI-themed tools as part of its lure portfolio among other tools. Interestingly, we see the name ‘DeepSeek.zip’, where attackers are exploiting a prominent LLM model, DeepSeek. McAfee had encountered these types of attacks in early 2025 and covered them extensively.
Once the user downloads the ZIP archive from Discord or any other website. They get the following set of files.
Figure 5: Files within the zip archive.
Here, the executable named ‘gta-5-online-mod-menu.exe’ (Highlighted in Blue) is a legitimate and clean file. Whereas the file named ‘WinUpdateHelper.dll’ (Highlighted in Red) is malicious.
Figure 6: Command Prompt misinforming the user
On executing ‘gta-5-online-mod-menu.exe’, the malicious DLL is loaded. The user is informed that they are missing dependencies, and they’re redirected to the following URL via default browser.
Here, within the URL, a tracker variable is used to identify which malware has infected the user. In this instance, it was ‘gta-5-online-mod-menu’.
Figure 7: Website prompting users to download dependencycore.zip
Dependecycore.zip is a setup file. On execution, it installs unrelated 3rd party software on the victim’s system.
Figure 8: Files dropped by Dependecycore.zip in temp folder
In this instance, iTop Easy Desktop was installed.
This unwanted installation is meant to subvert users’ attention. As, the WinUpdateHelper.dll has already connected to the C2 server and infected the system.
Stage 1 Payload – Malicious Functionality
Once the redirection code is executed, the malware executes the malicious code.
Figure 9: Malicious code within WinUpdateHelper.dll
In the above code snippet, which is present in the WinUpdateHelper.dll, we can see that a new service has been created under the name “Microsoft Console Host” to make it appear to be benign (Highlighted in Red). The parameters passed to this service ensure that it executes at system boot. This is done to maintain persistence in the system.
The service executes a PowerShell command that dynamically generates the C2 domain using the UNIX time stamp.
Using the following code, $([Math]::Floor([DateTimeOffset]::UtcNow.ToUnixTimeSeconds() / 5000000) * 5000000).xyz
It generates a domain name that changes once every 5,000,000 seconds or 58 days.
The latest C2 domain we’ve discovered that is up and running is 1770000000[.]xyz/script?id=fA9zQk2L0M&tag=WinUpdateHelper
During our analysis we observed the following domain 1765000000[.]xyz/script?id=fA9zQk2L0M&tag=WinUpdateHelper, which is present in the following images.
Here the id=fA9zQk2L0M is randomly generated, to uniquely identify the user and tag=WinUpdateHelper is used to identify the malware campaign.
The malware connects to the above-mentioned C2 server to download a PowerShell script and execute it in memory. This fileless execution ensures improved evasion against signature-based detections.
Stage 2 Payload – PowerShell Script
Figure 10: PowerShell downloaded from the C2 server
It is funny to note here, that the first comment of this script says “# I am forever sorry” which indicates that the attacks do carry some guilt regarding their actions, but not enough to stop the campaign. We found similar comments, such as “# sorry lol”, across multiple PowerShell scripts we discovered.
The first set of commands (Highlighted in Green) are used to delete windows services and scheduled tasks. This is done to remove older or conflicting persistence mechanisms and to avoid duplicate miners from running on the same system.
The second set of commands (Highlighted in Red) are registry modifications, that adds “C:\ProgramData” to Windows Defender exclusion paths. That is, ProgramData Folder won’t be scanned by Windows Defender anymore. This exclusion allows malware to drop additional payloads to disk, without the risk of them being detected and removed.
The third set of commands (Highlighted in Blue) does exactly that. It downloads the next level payload from the URL “hxxps://1765000000[.]xyz/download/xbhgjahddaa” and stored it at this path “C:\ProgramData\fontdrvhost.exe”.
Again the name ‘fontdrvhost.exe’ imitates a legitimate Windows binary, to masquerade its true intent. After the download, the file is decoded using a simple arithmetic decryption routine. This provides protection against static signature detection and network detection.
The payload is an XMRIG miner sample. In the next command, the miner is initialized and executed. Here, we see the miner connecting to “solo-zeph.2miners.com:4444” and start CPU based Zephyr coin mining using the following wallet address: ‘ZEPHsCY4zbcHGgz2U8PvkEjkWjopuPurPNv8nnSFnM5MN8hBas8kBN4hoNKmc7uMRfUQh4Fc9AHyGxL6NFARnc217m2vYgbKxf’.
Figure 11: PowerShell downloaded from the C2 server continued
In the second half of the script, we see another miner being set up and executed using the same technique (Highlighted in Red). This time the file is stored as “RuntimeBroker.exe” in the ProgramData folder. The miner is connecting to “solo-rvn.2miners.com:7070” to mine Ravencoin and it is using the system’s GPU instead of the CPU for mining (Highlighted in Blue).
This is the wallet address used for mining in this instance ‘bc1q9a59scnfwkdlm6wlcu5w76zm2uesjrqdy4fr8r’.
Hence, we see a dual coin-mining deployment infrastructure utilizing both CPU and GPU resources to optimize mining efficiency.
Bitcoin? Interesting…
What is interesting here is that attackers have used a bitcoin wallet address for mining Ravencoin, which indicates they are using multi-coin pools for mining. The attackers are using the victims’ machine to mine Ravencoin and automatically convert the mining rewards to Bitcoin before the payout.
This is done for a variety of reasons, such as, bitcoin offers higher liquidity and has broader acceptance, but most importantly, Ravencoin is computationally easier and economically viable to mine on victim’s system. Bitcoin requires specialized ASIC hardware for profitable mining and attempting to mine Bitcoin directly on infected systems would generate negligible returns. We’ve seen the same behaviour in multiple samples.
This is a smoking gun. Unlike Zephyr coin or Monero, Bitcoin’s blockchain is fully traceable. Every Satoshi, the smallest unit of Bitcoin, can be traced across the blockchain from the moment it was mined to its current holder. From there, it becomes easy to determine how much cryptocurrency the threat actor is receiving. More on this later.
Anti-Analysis Techniques
The attackers have meticulously designed the campaign and have implemented various anti-analysis techniques to thwart researchers.
The PowerShell script we’ve seen above is responsible for downloading and initializing the coin miner samples. It is only accessible via PowerShell. If we try to access the server via Curl, we get the following response.
Figure 12: 301 Response from the server
This indicates that the server is actively monitoring the User-Agent of incoming requests and deploys the payload only when the request originates from PowerShell.
Similarly, the URLs embedded within the PowerShell script that download the next payload are unique to each victim and remain active for 60 seconds. After that, they return a 404 Not Found error.
Figure 13: URLs within the PowerShell
These techniques are meant to confuse and disorient researchers, making the analysis difficult.
Using AI to generate malware?
While working on this malware campaign, we came across over 440 unique zip files. These same zip files were distributed with over 1700 different names, targeting various software.
Across these 440 zip files, we noticed 48 unique variants of WinUpdateHelper.dll. These 48 files can be clustered together into 17 distinct kill chains, each featuring their own C2 infrastructure, misleading installation setups, second-stage PowerShell scripts and final payloads, yet the cryptocurrency wallet credentials remain similar.
In the above technical analysis, we’ve only covered 1 kill chain. Yet, across these 17 kill chains, we’ve noticed the flow remain the same.
Figure 14: PowerShell Script with LLM-Generated Comments
Across multiple second stage payloads, we encounter multiple comments such as the following, embedded within the code:
# === Create and execute run.bat in C:\ProgramData ===
:: This batch file:
:: – Creates the hidden folder C:\ProgramData\cvtres if it doesn”t exist (using CMD attrib for hidden + system)
:: – Downloads cvtres.exe from your GitHub URL
:: – Saves it to C:\ProgramData\cvtres\cvtres.exe
:: – Executes it immediately
:: – Runs completely hidden/minimized (no window visible)
The presence of such explanatory-style comments indicates that large language models were likely used during the development of these scripts. Especially, the comment “Downloads cvtres.exe from your GitHub URL”, where ‘Your GitHub URL’ refers to the threat actor’s GitHub repository that is hosting the malware, which indicates potential vibe coding.
Tracking Bitcoin Across the Blockchain
During analysis of this malware campaign, we came across few instances where the final payload was Infostealer malware. In most cases it was coin miner samples. In these cases, we encountered wallet credentials and mining pool URLs for several alternative cryptocurrencies such as Ravencoin, Zephyr, Monero, which aren’t traceable.
Fortunately, we came across 7 bitcoin wallets that are part of this malware campaign and are actively receiving mined cryptocurrency.
This week in scams, the Pokémon Trainer pursuit to “catch ’em all” is being hijacked by criminals posting fake trading card listings online; duping buyers, including young collectors, out of hundreds of dollars.
Meanwhile, threatening email extortion scams claiming your personal data has been stolen are flooding inboxes around the world. And a viral “wedding photo” of Tom Holland and Zendaya shows how AI-generated images can blur the line between real and fake online.
Here’s what to know.
Pokémon Card Scams Surge on Online Marketplaces
The booming market for collectible Pokémon cards has become a new target for scammers.
According to reporting from The Straits Times, Singapore police recently arrested a 25-year-old man suspected of running a series of e-commerce scams involving Pokémon trading cards. Victims reportedly lost more than $135,000 after paying for limited-edition cards that never arrived.
Authorities say the suspect allegedly advertised pre-orders for rare cards on the online marketplace Carousell. After receiving payment through bank transfers or digital payment apps, the seller either became unreachable or claimed there were delivery problems.
Police say at least 35 reports tied to the suspect have been filed since October 2025, and more broadly there have been over 600 reported Pokémon card e-commerce scams totaling more than $1.1 million in losses during that same period.
Why this matters:
Collectibles create the perfect storm for online scams. Limited releases, hype, and rising resale values make buyers feel pressure to act quickly before items “sell out.” Scammers take advantage of that urgency.
How to Stay Safe When Buying Collectibles Online
If you’re buying trading cards or other collectibles online:
Buy from authorized retailers or well-established marketplaces
Avoid sellers who require direct bank transfers or payment apps upfront
Use platforms with buyer protection or escrow payment systems
Be cautious of sellers who suddenly move the conversation to WhatsApp, Telegram, or other messaging apps
When demand spikes for a product, whether it’s sneakers, concert tickets, or Pokémon cards, scams usually follow.
The “Your Data Was Stolen” Email Extortion Scam
Another scam spreading widely right now arrives in a much more intimidating format: a threatening email claiming hackers have stolen your personal data.
According to reporting from Fox News, many people are receiving messages that claim the sender has access to their passwords, files, or financial information. The message then demands payment in Bitcoin to prevent the data from being sold on the dark web.
At first glance, these emails can feel frightening. They often use dramatic language like:
“I have your complete personal information”
“Your files and devices are compromised”
“Pay within 48 hours or your data will be leaked”
But in most cases, there’s one major problem with the claim.
There’s no proof.
Security experts note that these messages usually include no screenshots, no passwords, and no evidence of a real breach. Instead, scammers send the same message to thousands of email addresses at once, hoping a small percentage of recipients will panic and pay.
Often, the scammers obtained your email address from old data breach lists circulating online, which makes the message feel more believable.
What to Do If You Receive One of These Emails
If you receive a threatening extortion email:
Do not reply
Do not send money
Mark the message as spam or phishing
Delete it
Reporting the message helps email providers improve spam filters and prevent similar scams from reaching others.
The biggest tactic here is fear. Once you slow down and evaluate the message, the scam usually falls apart.
That Viral Tom Holland and Zendaya “Wedding Photo”? AI
A viral image circulating on social media this week claimed to show Tom Holland and Zendaya’s wedding, sparking massive speculation online.
But many viewers quickly suspected the image wasn’t real.
According to reporting on Yahoo Entertainment, the photo appeared to originate from a fan account on X (formerly Twitter) that claimed the image had been “confirmed” by major outlets like Vogue and Cosmopolitan. However, no such confirmation existed, and soon the official label was added marking the content as AI-generated.
A screenshot of the viral AI-generated image.
Celebrity rumors already spread quickly online. Add generative AI to the mix, and fabricated images can travel even faster.
While a fake celebrity wedding photo may seem harmless, the same technology can easily be used in more serious ways.
AI-generated visuals are already being used to create:
Fake celebrity endorsements
Fabricated news events
Scam ads featuring public figures
Fraudulent investment promotions
The line between real and synthetic content is getting harder to spot.
How to Spot Potential AI Images
If a viral image seems surprising or dramatic:
Check whether credible news outlets or verified accounts are reporting it
Look for visual inconsistencies in hands, text, or background details
Reverse image search the photo to see where it first appeared
Verify through official sources before sharing
When something looks shocking online, that’s often exactly why it spreads. McAfee’s built-in Scam Detector can help you spot AI-generated audio and video.
McAfee’s Safety Tips This Week
A few simple habits can help reduce your risk across all three of these scenarios:
Be cautious when buying high-demand collectibles online
Never send money in response to threatening emails
Treat viral images and breaking celebrity news with healthy skepticism
Use strong, unique passwords and enable two-factor authentication
Verify surprising claims through trusted sources before reacting
Scams today don’t always look like scams. They often look like exciting deals, urgent warnings, or AI depictions of people you trust.
The best defense is slowing down before clicking, paying, or sharing.
We’ll Be Back Next Week
From collectible card fraud to email extortion campaigns and AI-generated viral content, the tactics scammers use may change, but the strategy is the same: manipulate emotion and urgency.
Stay skeptical, verify before you trust, and we’ll be back next week with another breakdown of the scams making headlines, and what they mean for your security.
Tax season is a headache for many people, and when a shortcut promises to make filing easier, it’s hard to resist. This year, one of the newest trends is using AI chatbots like ChatGPT to help prepare tax returns.
According to new McAfee research, 30% of people say they plan to use an AI tool, such as ChatGPT, to help with their taxes, with younger adults leading the trend.
At first glance, it makes sense. AI tools can explain confusing tax rules, summarize IRS forms, and answer questions instantly.
But there’s an important line that should never be crossed: Do not enter your personal tax information into AI chatbots.
That includes Social Security numbers, income records, home addresses, bank details, or anything else tied to your identity.
Here’s why:
Typing Your Tax Info Into a Chatbot Is Like Posting It Online
Think about it this way: when you type something into an AI chatbot, you’re sending that information over the internet to a system that processes and stores data.
In practical terms, entering sensitive information into an AI tool is similar to typing it directly into a search engine or submitting it to an online form.
Once it leaves your device, you lose direct control over where it travels and how it may be stored.
Even companies with strong security protections are transparent about this risk.
OpenAI’s privacy documentation explains that they use encryption and strict access controls to protect user data. However, they also note that no internet transmission or digital storage system can be guaranteed completely secure.
This is true across the internet, not just for AI tools.
Even Secure Systems Can Experience Breaches
Security incidents can happen anywhere online, including companies with robust security programs.
For example, in late 2025, OpenAI disclosed a security incident involving a third-party analytics provider called Mixpanel. The breach occurred within the vendor’s systems, not OpenAI’s infrastructure, but some limited user profile data associated with the platform was exposed.
According to OpenAI’s disclosure, the data involved information such as:
Names associated with accounts
Email addresses
Approximate location data
Browser and device information
Importantly, chat content, passwords, payment information, and government IDs were not exposed in that incident.
But the event highlights a broader cybersecurity reality:
Even when a company takes strong security precautions, third-party services, vendors, and other parts of the digital ecosystem can still introduce risk.
That’s why cybersecurity experts recommend limiting what personal information you share online whenever possible.
Why Tax Data Is Especially Dangerous to Share
Tax information is one of the most valuable targets for cybercriminals.
If scammers obtain the details commonly found in tax filings, they may be able to:
Commit tax refund fraud
Open financial accounts in your name
Conduct identity theft
Launch highly personalized phishing attacks
Tax returns typically include multiple pieces of highly sensitive data, including:
Social Security numbers
Home addresses
Employer and income information
Banking details for refunds
Family member information
Entering these details into any tool outside of a secure tax platform significantly increases risk.
Safer Ways to File Your Taxes
Instead of relying on AI chatbots for filing, stick with trusted tax preparation options designed to securely handle sensitive data:
Official tax software platforms
Licensed tax professionals
IRS-approved free filing services
These systems are specifically built with compliance, encryption, and identity verification in mind.
AI tools can be incredibly useful for learning and research. But they are not secure tax filing platforms.
If you wouldn’t feel comfortable posting your Social Security number publicly online, you shouldn’t paste it into a chatbot either. When it comes to taxes, the safest rule is simple: Use AI for advice, not for your personal data.
Login
