This category recognizes work that doesn’t just perform, it matters: campaigns that raise awareness, inspire action, and make a real-world impact.
That’s exactly what “Keep It Real” set out to do.
Because behind every scam statistic is a person who thought they were making the right call. And too often, what follows isn’t just financial loss. It’s embarrassment, silence, and stigma.
We wanted to change that.
The campaign launched alongside McAfee Scam Detector to address a growing reality: scams powered by AI are becoming harder to recognize and easier to fall for.
“Keep It Real” paired real survivor stories with AI-driven protection to show how scams actually happen and how people can stop them in the moment.
The goal was simple:
Normalize the experience
Remove shame around being scammed
Help more people recognize scams faster
Because when people feel safe talking about scams, they’re more likely to spot them and stop them.
What Are the Shorty Awards?
The Shorty Awards honor the best work in social media, digital campaigns, and online storytelling across brands, creators, and organizations.
Now in their 18th year, the awards recognize campaigns that combine creativity, impact, and real-world relevance. Finalists are selected alongside leading global brands and judged on both industry evaluation and public voting.
How McAfee’s Scam Detector Fits In
McAfee’s Scam Detector is designed to help people identify scams across everyday digital moments.
It uses AI to fight AI by flagging suspicious:
Text messages and emails
QR codes and links
Social media messages
AI-generated and deepfake content
By combining automatic detection with clear guidance, Scam Detector helps people better understand what they’re seeing and decide what to trust.
Real Stories Behind the Campaign
A core part of “Keep It Real” was giving space to people who experienced scams to share what happened, in their own words.
These stories helped show that scams can happen to anyone and played a key role in breaking the stigma around being targeted.
This recognition reflects the work across McAfee teams who built and brought this campaign to life, including product, engineering, research, creative, and communications.
It also reflects the individuals who chose to share their real scam stories to help others recognize scams, stay safer, and end the shame and stigma around being scammed.
Support the Campaign
The Shorty Awards include a public voting component.
McAfee’s mobile research team has uncovered a large-scale Android malware campaign we’re tracking as Operation NoVoice.
The campaign was distributed through more than 50 apps previously available on Google Play, disguised as everyday tools like cleaners, games, and photo utilities. Together, the apps were downloaded more than 2.3 million times, though it’s unclear how many devices may have been impacted.
If the attack succeeds, the malware can gain deep control of a device, allowing attackers to inject malicious code into apps as they are opened and access sensitive data.
However, the most serious impact depends on the device.
On older or unpatched Android devices, the malware can install a highly persistent form of infection that may survive a standard factory reset. Newer Android devices with up-to-date security protections are not vulnerable to the root exploit observed in this campaign, though they may still be exposed to other types of malicious activity from these apps.
In other words, on vulnerable devices, the malware can behave like a kind of digital “zombie,” continuing to operate in the background even after a reset.
Operation NoVoice is what security experts call a rootkit malware attack.
A rootkit is a type of malware designed to gain deep, privileged control of a device while hiding its presence from the user and the operating system’s normal security tools.
Breaking the term down:
“Root” refers to the highest level of access on a system (administrator-level control).
“Kit” refers to a collection of tools used by an attacker to maintain that control.
Put simply, a rootkit allows attackers to operate underneath the normal apps and security protections on a phone, giving them powerful control while staying difficult to detect.
In the case of Operation NoVoice, the attack unfolds in several steps.
1) A normal-looking app starts the attack
The campaign began with apps that appeared harmless on the Google Play Store. These apps advertised themselves as tools like phone cleaners, puzzle games, or gallery utilities.
When a user downloaded and opened one of these apps, it appeared to work normally. There are no obvious signs to the user that anything is wrong.
2) The malware quietly checks the device
Behind the scenes, the app contacts a remote server controlled by the attackers.
The server collects information about the device, things like its hardware, operating system version, and security patch level. Based on that information, the attackers send back custom exploit code designed for that specific device.
3) The attack gains deep system access
If the exploit succeeds, the malware gains root-level access to the device.
At that point, the attackers can install additional malicious components and modify parts of the Android operating system itself.
4) Every app on the phone can be affected
Once the rootkit is installed, it modifies a core Android system library that every app relies on.
This allows attacker-controlled code to run inside any app the user opens.
That means the attackers could potentially access data from messaging apps, financial apps, or social media apps without the user noticing.
5) The malware can remain even after a reset
Operation NoVoice also includes persistence mechanisms designed to keep the malware active.
In some cases, the infection could survive a standard factory reset, because the malicious components modify parts of the system software that resets typically do not replace.
Fully removing the infection may require reinstalling the device’s firmware, something most users cannot easily do themselves.
*To be clear, these apps have been removed from Google Play and are no longer available for download.
Why The Name “Operation NoVoice”
The name Operation NoVoice comes from a hidden component inside the malware itself.
Researchers discovered a resource labeled “novioce” embedded in one of the attack’s later stages. The file contains a silent audio track that plays at zero volume.
This may seem strange, but it serves a purpose.
By continuously playing silent audio in the background, the malware can keep a foreground service running without drawing attention. This allows the malicious code to remain active while appearing harmless to the operating system.
The researchers believe the name “novioce” is likely a misspelling of “no voice,” referring to the silent audio trick used to keep the malware running.
How To Stay Safe from Malware Disguised as Apps
Operation NoVoice highlights an important reality: even apps that appear legitimate can sometimes hide malicious behavior.
Fortunately, there are several steps users can take to reduce their risk.
Be cautious with unfamiliar apps
Even if an app appears on the Google Play Store, it’s still important to review:
the developer’s name
the number of downloads
recent user reviews (check for negative reviews)
Apps with very few reviews, vague descriptions, or suspicious developer accounts can sometimes be part of malware campaigns. And exercise even greater caution with apps promoted through advertisements or that create a a sense of urgency.
Keep your phone updated
Many attacks rely on exploiting known vulnerabilities in older versions of Android.
Installing system updates and security patches helps reduce the chance that these exploits will work.
Remove apps you don’t recognize
If you notice apps on your device that you don’t remember installing, review them carefully and remove anything suspicious.
Keeping your phone’s app list clean reduces the potential attack surface.
Use mobile security protection
Mobile security software can help detect suspicious behavior and block known malware.
What Operation NoVoice Tells Us About the Future of Mobile Threats
Operation NoVoice highlights how mobile malware is evolving. Instead of obvious malicious apps, attackers are increasingly hiding their operations inside ordinary-looking tools distributed through legitimate app stores.
What makes this campaign particularly concerning isn’t just the number of downloads or the technical complexity. It’s the way the malware combines several advanced techniques, device-specific exploits, modular plugins, and deep system persistence, into a single attack chain.
That approach allows attackers to quietly turn an everyday app download into long-term control of a device.
That’s why keeping devices updated, reviewing apps carefully, and using mobile security protection are becoming increasingly important. As Operation NoVoice shows, today’s malware isn’t just trying to get onto devices; it’s trying to stay there.
McAfee’s mobile research team identified and investigated an Android rootkit campaign tracked as Operation Novoice. The malware described in this blog relies on vulnerabilities Android made patches available for in 2016 – 2021. All Android devices with a security patch level of 2021-05-01 or higher are not susceptible to the exploits that we were able to obtain from the command-and-control server. However patched devices that downloaded these apps could have been exposed to unknown potential payloads outside of what we discovered. The attack begins with apps that were previously available on Google Play that appear to be simple tools such as cleaners, games, or gallery utilities. When a user downloaded and opened one of these apps, it appeared to behave as advertised, giving no obvious signs of malicious activity.
In the background, however, the app contacts a remote server, profiles the device, and downloads root exploits tailored to that device’s specific hardware and software. If the exploits succeed, the malware gains full control of the device. From that moment onward, every app that the user opens are injected with attacker‑controlled code.
This allows the operators to access any app data and exfiltrate it to their servers. One of the targeted apps is WhatsApp. We recovered a payload designed to execute when WhatsApp launches, gather all necessary data to clone the session, and send it to the attacker’s infrastructure.
On older, unsupported devices (Android 7 and lower) that no longer receive Android security updates as of September 2021, this rootkit is highly persistent; a standard factory reset will not remove it, and only reflashing the device with a clean firmware will fully restore the device.
In total, we identified more than 50 of these malicious apps on Google Play, with at least 2.3 million downloads.
McAfee identified the malicious apps, conducted the technical analysis, and reported its findings to Google through responsible disclosure channels. Following McAfee’s report, Google removed the identified apps from Google Play and banned the associated developer accounts. McAfee is a member of the App Defense Alliance, which supports collaboration across the mobile ecosystem to improve user protection. McAfee Mobile Security detects this malware as a High-Risk Threat. For more information, and to get fully protected, visit McAfee Mobile Security.
Background And Key Findings
Android malware has been moving toward modular frameworks that update themselves remotely and adapt to each device. Campaigns like Triada and Keenadu have shown that replacing system libraries gives attackers persistence to survive factory resets. BADBOX has shown that backdoors pre-installed through the supply chain can reach millions of devices. Recent research has confirmed links between several of these families, suggesting shared tooling rather than isolated efforts.
NoVoice fits both trends but does not rely on supply chain access. It reaches devices through Google Play and achieves the same level of persistence through exploitation. McAfee’s investigation revealed the following key findings:
All carrier apps were distributed through Google Play. No sideloading required, no user interaction beyond opening the app.
C2 infrastructure remains active at the time of publication.
The C2 server profiles each device and delivers root exploits matched to its hardware and software version.
The rootkit overwrites a core system library, causing every app on the device to run attacker code at launch.
The infection survives factory reset and can only be removed by reflashing the firmware.
The chain is fully plugin-based. Operators can push any payload to any app on the device at runtime.
The only task we recovered clones WhatsApp sessions, but the framework is designed to accept any objective.
Naming
The name comes from R.raw.novioce, a silent audio resource embedded in one of the later-stage payloads. It plays at zero volume to keep a foreground service alive, abusing Android’s media playback exemption. We believe it is a deliberate misspelling of “no voice.”
Distribution Method
All carrier apps were distributed through Google Play and request no unusual permissions. Their manifests include the same SDKs any legitimate app would (Firebase, Google Analytics, Facebook SDK, AndroidX). The malicious components are registered under tampered com.facebook.utils, blending in with the real Facebook SDK classes the apps already include.
Figure 1: One of the carrier apps on Google Play
The initial payload is embedded in the app’s asset directory as a polyglot image. This means the file displays and renders a normal image, but a deeper inspection reveals that the encrypted malicious payload is appended after the PNG IEND marker. Since that marker signals to image viewers that the image data ends there, the appended payload remains hidden during normal viewing.
Geographical Prevalence
The geographical prevalence map shows the highest infection rates in Nigeria, Ethiopia, Algeria, India, and Kenya, regions where budget devices and older Android versions that no longer receive security updates are common.
Figure 2: Affected users around the world
Malware Analysis
The following breakdown walks through each stage of the chain in order, from the moment a user opens the app to the moment stolen data leaves the device. No single file contains the full chain. Each stage decrypts and loads the next, most are delivered from the server at runtime.
Figure 3. The NoVoice rootkit payloads
Stage 1: The Delivery
The moment the app opens, code injected into the legitimate Facebook SDK initialization path runs automatically. No user interaction is needed. It first checks whether the device has already been processed and, in most samples, whether it is running Android 12L or below. A subset of the carrier apps skips the version check entirely. If either check fails, it stops and logs a message disguised as a Facebook SDK error: “FacebookSdk: Failed in initStore.”
If the device was already processed, the code cleans up files assumed to be left behind by previous runs, including paths that do not belong to any standard Android component. None of these are visible to the user.
If the checks pass, the app reads a polyglot image from its own assets’ directory, extracts the encrypted payload (enc.apk) hidden after the image data, decrypts it to produce h.apk, and loads it into memory. It then deletes all intermediate files, temporary directories.
Figure 4: Normal looking image with malicious payloadFigure 5: The malicious payload begins after the IEND marker, starting with the magic value CAFEBABE
Stage 2: The Gatekeeper
The decrypted payload (h.apk) loads a native library (libkwc.so) that controls the rest of this stage. It first verifies it is running inside the intended carrier app by checking the package name and signing certificate against hardcoded values. It also checks whether the app is running in a debug environment.
libkwc.so contains two encrypted embedded payloads. The first (sec.jar) is a gate designed to detect analysis environments. It runs 15 checks, including emulator detection, root indicators, debuggers, VPN and proxy connections, Xposed hooks, and GPS geofencing. If any check fails, the chain stops silently. The geofence compares the device’s location against bounding boxes for Beijing and Shenzhen hardcoded in the native library and excludes devices confirmed to be inside them. If the app does not have location permission, it cannot determine the device’s position and defaults to letting the chain continue. Two brands get special treatment: on Gionee devices, all checks except the geofence are skipped; on Meizu devices, the chain follows a separate code path entirely. Gionee devices have a documented history of shipping with pre-installed malware through supply chain compromise.
Only if all checks in sec.jar pass does libkwc.so decrypt and load the second payload (hex.jar), which begins contacting the C2 server. If the gate fails, it deletes the working directory and stops.
Figure 6: 15 validation checks before proceeding to the next stage
Stage 3: The Plugin
Once the gate passes, hex.jar sets up a plugin framework built on an internal codebase the authors refer to as “kuwo” in their package names. It checks in with a C2 server every 60 seconds. Updates are delivered the same way as the initial payload: as image files with encrypted data hidden after the image content. The server returns download URLs in a response field named warningIcon, disguising plugin downloads as icon fetches. A log-deletion routine runs alongside the framework to remove forensic traces from the device.
The first plugin delivered (rt) acts as an orchestrator. It manages sub-plugins and handles C2 communication. It checks in with the server, sending over 30 device identifiers including hardware model, kernel version, installed packages, and whether the device has already been rooted. The campaign’s name comes from this plugin: it embeds a silent audio resource named R.raw. novioce.
The checkin tells the server two things: who this device is and whether it has already been rooted. If it has not, rt_plugin downloads security.jar, moving the chain into root exploitation.
Figure 7: MediaPlayer initialized to load the embedded NoVoice audio
Stage 4: The Exploit
security.jar first checks whether the device is already rooted. If it has been, it stops. For unrooted devices, it sends the device’s chipset, kernel version, security patch date, and other identifiers to the C2. The server responds with a list of exploit binaries matched to that specific device.
Before running any exploit, the rootkit installer (CsKaitno.d) is decrypted from an embedded resource and written to disk. The rootkit is already in place before any exploit runs.
The exploits are downloaded one at a time from the C2’s CDN, each encrypted and verified before execution. We recovered 22 exploits in total. Our deep analysis of one revealed a three-stage kernel attack: an IPv6 use-after-free for kernel read, a Mali GPU driver vulnerability for kernel read/write, and finally credential patching and SELinux disablement.
The expected end result is the same across all exploits: a root shell with SELinux disabled. From that shell, the exploit loads CsKaitno.d. This is where exploitation ends and persistence begins.
Figure 8: SELinux enforcement disabled as part of the exploit chain
Stage 5: The Rootkit
CsKaitno.d carries four encrypted payloads: library hooks for ARM32 and ARM64 (asbymol and bdlomsd), a bytecode patcher (jkpatch), and a persistence daemon (watch_dog). It first removes files associated with possible competing rootkits, then decrypts and writes its own payloads to disk.
The installer backs up the original libandroid_runtime.so and replaces it with a hook binary matched to the device’s architecture. It also replaces libmedia_jni.so. The replacements are not copies of the original libraries. They are wrappers that intercept the system’s own functions. When any hooked function runs, it redirects to attacker code.
Figure 9: Rootkit copying and preparing modified system libraries before remounting the filesystem as writable
After replacing the libraries, jkpatch modifies pre-compiled framework bytecode on disk. This is a second layer of persistence: even if someone restores the original library, the framework’s own compiled code still contains the injected redirections
Stage 6: The Watchdog
To survive reboots, the installer replaces the system crash handler with a rootkit launcher, installs recovery scripts, and stores a fallback copy of the exploitation stage on the system partition. If any component is removed, the rootkit can reinstall itself.
It then deploys a watchdog daemon (watch_dog) that checks the installation every 60 seconds. If anything is missing, it reinstalls it. If that fails repeatedly, it forces a reboot, bringing the device back up with the rootkit intact.
After cleaning up all staging files, the installer marks the device as compromised. On the next boot, the system’s process launcher (zygote) loads the replaced library, and every app it starts inherits the attacker’s code.
Figure 10: Watchdog payload decrypted, written to disk, permissioned, and launched with a 60‑second restart interval
Stage 7: The Injection
On the next boot, every app on the device loads the replaced system library. The injected code decides what to do based on which app it is running inside. Two payloads activate depending on the app. The malware authors named them BufferA and BufferB in their own code. Both are embedded as fragments inside the replaced libandroid_runtime.so from Stage 5, assembled in memory at runtime, and deleted from disk immediately after loading, leaving no files behind. BufferA runs inside the system’s package installer and can silently install or uninstall apps. BufferB runs inside any app with internet access.
BufferB is the campaign’s primary post-exploitation tool. It operates two independent C2 channels with separate encryption keys and beacon intervals. Both channels send device fingerprints to the C2 and receive task instructions in return.
If all primary domains fail and three or more days pass without contact, a fallback routine activates between 1 and 4 AM, reaching out to api[.]googlserves[.]com for a fresh domain list. Because BufferB runs inside any app with internet access, it can be active in dozens of apps simultaneously on a single device.
Figure 11: Injection logic selecting BufferA for the package installer and BufferB for all other apps
Stage 8: The Theft
The only task payload we recovered is PtfLibc, delivered to BufferB from Alibaba Cloud OSS. Its target is WhatsApp.
PtfLibc copies WhatsApp’s encryption database, extracts the device’s Signal protocol identity keys and registration ID, and pulls the most recent signed prekey. It also reads 12 keys from WhatsApp’s local storage, including the phone number, push name, country code, and Google Drive backup account. For the client keypair, it tries multiple decryption methods depending on how the device stores the key.
It sends the stolen data to api[.]googlserves[.]com through multiple layers of encryption and deletes the temporary database copy when done.
With these keys and session data, an attacker can clone the victim’s WhatsApp session onto another device.
Figure 12: Code accessing and copying WhatsApp’s encrypted Signal protocol databases for exfiltration
Infrastructure
The campaign spreads its C2 communication across multiple domains, each serving a different function.
fcm[.]androidlogs[.]com handles initial device enrollment. Once the plugin framework activates, stat[.]upload-logs[.]com takes over as the primary C2 for plugin delivery, device checkin, exploit distribution, and result reporting. config[.]updatesdk[.]com serves as its fallback. Exploit binaries are hosted separately on download[.]androidlogs[.]com, with an S3-accelerated endpoint (logserves[.]s3-accelerate[.]amazonaws[.]com) as the primary CDN. This endpoint returned 403 errors during our analysis.
Task payloads for BufferB are hosted on Alibaba Cloud OSS (prod-log-oss-01[.]oss-ap-southeast-1[.]aliyuncs[.]com). PtfLibc beacons to api[.]googlserves[.]com, a domain designed to look like Google service traffic at a glance.
The domain separation is deliberate. Taking down one domain does not affect the others. The C2 can update BufferB’s domain lists at runtime, and a fallback routine fetches fresh domains from hardcoded backup endpoints if all configured domains go silent for three or more days.
Recommendations
Because the rootkit writes to the system partition, a factory reset does not remove it. A reset wipes user data but leaves system files intact. Compromised devices require a full firmware reflash to return to a clean state. Blocking the C2 domains and beacon patterns listed in this report at the network level can disrupt the chain at multiple stages.
Attribution
Several indicators link NoVoice to the Android.Triada family. The property (os.config.ppgl.status)NoVoice sets to mark a device as compromised is a known indicator of compromise for Android.Triada.231, a variant that uses the same property to track installation state. Both NoVoice and Triada.231 persist by replacing libandroid_runtime.so and hooking system functions so that every app runs attacker code at launch. Whether NoVoice is a direct evolution of Triada.231, a fork of its codebase, or a separate group reusing proven techniques, the shared approach suggests access to a common toolchain.
Conclusion
What makes NoVoice dangerous is not any single technique. It is the engineering effort behind the full chain: a self-healing pipeline that goes from a Play Store install to code execution inside every app on the device, survives factory reset, and monitors its own installation. The operators built a delivery system, an infrastructure.
We recovered one task. The framework is designed to accept any number of them, for any app, at any time. The C2 infrastructure remains active. We do not know what other objectives have been deployed before, during, or after our analysis. The WhatsApp session theft we observed may be the least of it.
The rootkit’s persistence model, overwriting a system library inherited by every process, patching pre-compiled framework bytecode, and monitoring its own installation with a watchdog, makes remediation difficult.
This research underscores McAfee’s ongoing role in identifying advanced mobile threats and working with platform partners to protect users before large‑scale harm occurs.
A text that looks like it came straight from a courthouse is making the rounds across the U.S. And yes, I got it too.
First things first, that’s a scam. And to be clear: DON’T SCAN THAT QR CODE.
It’s the same playbook as last year’s toll road scams, just dressed up with a little more authority and a lot more pressure.
Before doing anything, our team ran it through McAfee’s Scam Detector. It immediately flagged the message as suspicious, and that’s exactly the kind of moment this tool is built for. When something feels just real enough to second guess, it gives you a clear signal before you click, scan, or spiral.
A screenshot showing Scam Detector in action.
How the scam works
The text claims you’ve missed a payment, violated a law, or have some kind of outstanding “case.” It then pushes you to scan a QR code or click a link to resolve it quickly.
From there, one of two things usually happens:
You’re taken to a fake payment page designed to steal your money, or
You’re prompted to download something that gives scammers access to your device or data
Either way, the goal is the same: get you to act fast before you have time to question it.
Here’s the scam text I got in California. You’ll notice it looks exactly like the others across the country.
The red flags in this message
Urgent, threatening language about fines, penalties, or legal action
Vague accusations with no real details about what you supposedly did
Official-looking formatting like case numbers, clerk signatures, and judge names
Copy-paste consistency across states: McAfee employees in New York and California received nearly identical messages with the same names
There are reports of this scam popping up nationwide, but the rule is simple: law enforcement does not text you to demand payment or resolve legal issues.
What to do if you scanned the QR code
First, don’t panic. Then:
Do not pay anything or enter personal information
Do not delete apps you were told to install (this can make it harder to detect what happened)
Run a device scan using a trusted security tool like McAfee’s free antivirus
Keep an eye on your financial accounts and logins for unusual activity
And that, my friends, is scam number one in this week’s This Week in Scams (new format, we’re experimenting a little).
Let’s get into what else is on our radar.
What to Know About an Alleged Crunchyroll Breach
Anime streaming platform Crunchyroll is investigating claims of a data breach involving customer support ticket data, potentially impacting millions of users.
According to TechCrunch, access appears to involve a third-party vendor system, a reminder that even strong security setups still rely on people and partners, which can introduce risk in everyday moments.
Even if you’ve never entered your credit card into a support form, these tickets can still include:
Email addresses
Usernames
Screenshots or account details
Conversations that reveal habits, subscriptions, or personal context
That’s more than enough for scammers to build highly believable follow-ups.
Why this matters right now
When breaches like this surface, scammers don’t wait. They use the moment to send emails and messages that feel timely, relevant, and legitimate.
For example, scammers might send messages pretending to be Crunchyroll and suggesting you “click this link to secure your account” after the breach. In reality, that “security check” exposes your information.
This is where tools like Scam Detector come back into play, flagging suspicious links and messages even when they reference real companies or real events.
What to do if you have a Crunchyroll account
Change your password, especially if you’ve reused it elsewhere
Turn on two-factor authentication
Be cautious of emails referencing the breach or asking you to “secure your account”
Avoid clicking links and go directly to the official site instead
How McAfee Helps You Stay Ahead of Scams and Breaches
McAfee+ Advanced gives you multiple layers working together so you’re not left figuring it out in the moment:
Scam Detector flags suspicious texts, emails, links, and even deepfake videos before you engage
Safe Browsing helps block risky sites if you do click or scan
Device Security helps detect and remove malicious apps or downloads
Identity Monitoring alerts you if your personal info shows up where it shouldn’t, so you can act fast
Personal Data Cleanup helps remove your information from data broker sites, making you a harder target in the first place
Secure VPN keeps your data private, especially on public Wi-Fi
Plus our instant QR code scam checks will flag suspicious QR codes before you scan them.
Safety tips to carry into next week
Slow down when a message creates urgency. That’s the hook
Don’t scan QR codes or click links from unexpected texts
Go directly to official websites instead of using links sent to you
Use tools that flag scams in real time so you don’t have to guess
The reality is, these scams are designed to look normal. You shouldn’t have to be an expert to spot them. That’s why McAfee’s here to help.
We’ll be back next week with more scams making headlines.
Today marks the start of Spring in the Northern Hemisphere, and with warmer weather setting in summer trips are vacation planning are starting to take shape.
But before you respond to that message about your hotel booking or payment confirmation, it’s worth asking: is it actually legit?
This week in scams, we’re breaking down a travel phishing scheme making the rounds through realistic booking messages, as well as new McAfee research on betting scams and AI-driven malware.
Scammers Who Know Your Exact Travel Reservation Details
A new phishing campaign targeting travelers is exploiting hotel booking platforms like Booking.com, and it’s convincing enough to fool even cautious users.
According to reporting from ITBrew and Cybernews, attackers are running a multi-stage scam:
How The Booking Scam Works
Scam Stage
How It Works
What You’ll Notice
How to Protect Yourself
Where McAfee Helps
Stage 1: Hotel account gets compromised
Attackers phish or hack hotel staff to access booking platforms and guest reservation data.
You won’t see this part — it happens behind the scenes.
Use strong, unique passwords and enable multi-factor authentication on your own accounts to reduce risk of similar breaches.
Identity Monitoring can alert you if your personal information appears in suspicious places or data leaks.
Stage 2: You receive a realistic message
Scammers use stolen booking data to send messages via WhatsApp, email, or even booking platforms.
The message includes your real name, hotel, and travel dates, making it feel legitimate.
Be cautious of unexpected outreach, even if the details are correct. Don’t assume accuracy means authenticity.
Scam detection tools can help flag suspicious messages and identify potential phishing attempts.
Stage 3: Urgency is introduced
The message claims there’s an issue with your reservation and pushes you to act quickly.
Phrases like “confirm within 12 hours” or “risk cancellation” create pressure.
Pause before acting. Legitimate companies rarely require urgent payment changes without prior notice.
Scam detection can help identify high-risk messages designed to pressure you into quick decisions.
Stage 4: You’re sent to a fake payment page
A link leads to a convincing lookalike site designed to steal your payment details.
The page looks real but may have subtle URL differences or unusual formatting.
Always navigate directly to the official website or app instead of clicking links in messages.
Safe Browsing tools can help block risky or known malicious websites before you enter sensitive information.
March Madness Brackets, Bets, and Bad Actors
March Madness brings brackets, bets, and a flood of bad actors.
New McAfee research found that 1 in 3 Americans (32%) say they’ve experienced a betting or gambling scam, and nearly a quarter (24%) say they’ve lost money to one. On average, victims reported losing $547.
That’s not surprising when you look at the environment around the tournament. More than half of Americans are watching, more than half are participating in some form of betting, and 82% say they’ve seen betting promotions in the past year.
Some of the most common setups this season include:
“Guaranteed win” or “can’t lose” betting tips that require payment upfront
Fake sportsbook promotions offering bonus bets or free credits
Messages claiming you have winnings, but need to pay a fee to unlock them
Impersonation scams posing as sportsbook support or betting platforms
Invitations to private “VIP betting groups” on WhatsApp or Telegram
The takeaway: If a betting offer promises guaranteed results, demands the use of bizarre apps and sites, asks for money upfront, or pushes you to act quickly, it’s not an edge. It’s a scam.
“AI-Written” Malware Is Hiding in Everyday Downloads
Not all scams start with a message. Some start with a search.
443 malicious ZIP files disguised as legitimate software
1,700+ file names used to make those downloads look credible
48 variants of a malicious DLL file used to infect devices
These weren’t hosted on obscure corners of the internet either. The files were distributed through platforms people recognize, including Discord, SourceForge, and file-sharing sites.
Here’s how the attack typically works:
You search for a tool.
You download what looks like the right file.
It opens normally at first.
Then, behind the scenes, malware loads quietly and begins pulling in additional code. In some cases, victims are shown fake error messages while the real infection happens in the background.
From there, attackers can:
Turn your device into a cryptocurrency mining machine
Install additional malware like infostealers or remote access tools
Slow down your system while running hidden processes
What makes this campaign stand out is that some of the code appears to have been generated with help from AI tools.
That doesn’t mean AI is running the attack on its own. But it does suggest attackers are using AI to:
Generate code faster
Create more variations of malware
Scale campaigns more efficiently
In other words, the barrier to building malware is getting lower.
The takeaway: If a download is unofficial, hard to find, or feels like a shortcut, it’s worth slowing down. The file may look right, but that doesn’t mean it’s safe.
How McAfee+ Advanced Works in These Scam Moments
Whether it’s a message about your booking, a betting offer that looks legitimate, or a download that appears to be exactly what you were searching for, these scams all rely on the same thing: they blend into everyday moments.
That’s where having backup like McAfee+ Advanced comes in. It includes:
McAfee’s Scam Detector, which helps flag suspicious links in texts and messages like the ones used in these booking and betting scams, so you can spot something risky before you engage
Web protection and real-time device security, helping protect against risky links, malicious sites, and evolving threats if you do click, including fake betting platforms or malware hidden in downloads
Personal Data Cleanup, which helps remove your information from sites that sell it, making it harder for scammers to access the personal details that make messages and scams feel legitimate
Secure VPN, which helps keep your personal info safe and private anywhere you use public Wi-Fi, like hotels, airports, and cafés while traveling
Identity Monitoring and alerts, with 24/7 scans of the dark web to help ensure your personal and financial information isn’t being exposed or reused
Credit and transaction monitoring, so you can get alerts about suspicious financial activity if your information is ever compromised
Identity restoration support and up to $2 million in identity theft coverage, giving you access to US-based experts and added peace of mind if something does go wrong
Stay skeptical, verify before you click, and we’ll see you next week with more.
McAfee Labs has uncovered a widespread malware campaign hiding inside fake downloads for things like game mods, AI tools, drivers, and trading utilities.
What makes this campaign especially notable is that some parts of it appear to have been built with help from large language models (LLMs). McAfee researchers found signs that certain scripts likely used AI-generated code, which may have helped the attackers create and scale the campaign faster.
That does not mean AI created the whole operation on its own. But it does suggest AI may be helping cybercriminals lower the effort needed to build malware and launch attacks.
Attackers created many different fake downloads to reach more victims
48 malicious DLL variants
The campaign used multiple versions of the malware, not just one file
1,700+ file names observed
The same threat was repackaged under many different names to look convincing
17 distinct kill chains
Researchers found multiple attack flows, but they followed a similar overall pattern
Hosted on familiar platforms
The malware was distributed through services users may recognize, including Discord and SourceForge
AI-assisted code suspected
Some scripts contained explanatory comments and patterns that strongly suggest LLM assistance
Cryptomining and additional malware observed
Infected devices could be used to mine cryptocurrency or receive more malicious payloads
What Is “AI-Written Malware”?
In this case, “AI-written malware” does not meanan AI system independently invented and launched the attack.
Instead, McAfee Labs found evidence that the attackers very likely used AI tools to help generate some of the code used in the campaign, especially in certain PowerShell scripts.
Put simply:
Term
Plain-English meaning
Large language model (LLM)
An AI system that can generate text and code based on prompts
AI-assisted malware
Malware where attackers appear to have used AI tools to help write or structure parts of the code
Vibe coding
A style of coding where someone describes what they want and an AI does much of the writing
This matters because it can make malware development faster, easier, and more scalable for attackers.
Figure 1: Attack Vector
How The Fake Download Attack Works
The attack begins when someone searches for software online and downloads what looks like the tool they wanted.
That tool might appear to be a game mod, AI voice changer, emulator, trading utility, VPN, or driver. But behind the scenes, the ZIP archive includes malicious components that start the infection.
Step
What happens
1. A user downloads a fake file
The ZIP archive is disguised as something useful or desirable, such as a mod menu, AI tool, or driver
2. The file appears normal at first
In some cases, the package includes a legitimate executable so it feels more convincing
3. A malicious DLL is loaded
A hidden malicious file, often WinUpdateHelper.dll, starts the real attack
4. The user is distracted
The malware may display a fake “missing dependency” message and redirect the user to install unrelated software
5. A PowerShell script is pulled from a remote server
While the user is distracted, the malware contacts a command-and-control server and runs additional code
6. More malware is installed
Depending on the sample, the device may receive coin miners, infostealers, or remote access tools
7. The infected device is abused for profit
In many cases, attackers use the victim’s system resources to mine cryptocurrency in the background
What Kinds of Files Were Used as Bait
McAfee found that the attackers cast a very wide net. The malicious ZIP files impersonated many types of software, including:
Bait category
Examples
Gaming tools
game mods, cheats, executors, Roblox-related tools
AI-themed tools
AI image generators, AI voice changers, AI-branded downloads
System utilities
graphics drivers, USB drivers, emulators, VPNs
Trading or finance tools
stock-market utilities and related downloads
Fake security or malware tools
fake stealers, decryptors, and other risky-looking utilities
That broad range is part of what made the campaign effective. It was designed to catch people already looking for shortcuts, unofficial tools, or hard-to-find software.
Why McAfee Researchers Believe AI Was Used
One of the strongest clues came from the comments inside some of the attack scripts.
McAfee researchers found explanatory comments that looked more like AI-generated instructions than the kind of shorthand attackers usually leave for themselves. In one example, a comment referred to downloading a file from “your GitHub URL,” which suggests the code may have come from a generated template and was not fully cleaned up before use.
These details do not prove every part of the campaign was AI-made. But they do support McAfee’s assessment that certain components were likely generated with help from large language models.
What Happens on an Infected Device
In many cases, the malware was used to turn victims’ computers into quiet crypto-mining machines.
McAfee observed mining activity involving several cryptocurrencies, including:
Ravencoin
Zephyr
Monero
Bitcoin Gold
Ergo
Clore
Some samples also downloaded additional payloads such as SalatStealer or Mesh Agent.
For victims, that can mean:
Possible effect
What it may look like
Slower performance
apps lag, games stutter, system feels unusually sluggish
High CPU or GPU usage
fans run constantly, laptop gets hot, battery drains faster
if an infostealer or remote access tool is installed
McAfee was also able to trace several Bitcoin wallets tied to the campaign. At the time of the report, those wallets held about $4,536 in Bitcoin, while total funds received were approximately $11,497.70. Researchers note the real total could be higher because some of the currencies involved are harder to trace.
Who Was Targeted Most
This campaign was observed most heavily in:
United States
United Kingdom
India
Brazil
France
Canada
Australia
That does not mean users elsewhere were unaffected. These were simply the countries where researchers saw the highest prevalence.
Figure 2: Geographical Prevalence
Red Flags To Watch For
Even though the campaign used advanced techniques, the warning signs for users were often familiar.
Red flag
Why it matters
You found the file through a random link
Unofficial forums, Discord links, and file-hosting pages are common malware delivery paths
The download is a ZIP for something sketchy or unofficial
Cheats, cracks, mod tools, and unofficial utilities carry higher risk
You get a “missing dependency” message
Attackers may use this to push a second download while the real infection happens in the background
The file name looks right, but the source feels wrong
Familiar names can be faked easily
Your PC suddenly slows down or overheats
Hidden cryptominers often abuse system resources
You notice new, unrelated software installed
The campaign sometimes used unwanted software installs as a distraction
How To Stay Safe From Malware Hidden in Fake Downloads
This campaign is a reminder that not every convincing file is a safe one. A few habits can reduce your risk significantly.
Safety step
Why it helps
Download software only from official sources
This lowers the chance of accidentally installing a trojanized file
Avoid cheats, cracks, and unofficial mods
These categories are common bait for malware campaigns
Be skeptical of dependency prompts
Unexpected requests to install helper files or missing components can be part of the attack
Keep your security software updated
Current protection can help detect known threats and suspicious behavior
Pay attention to system performance
A suddenly hot, loud, or slow PC may be a sign something is running in the background
Review what you download before opening it
Even a familiar file name does not guarantee a file is legitimate
McAfee helps protect against malware threats like these with multiple layers of security, including malware detection and safer browsing protections designed to help stop risky downloads before they can do damage.
What To Do If You Think You Opened One of These Files
If you think you downloaded and ran a suspicious file like one described in this campaign:
Action
Why it matters
Disconnect from the internet
This can help interrupt communication with attacker-controlled servers
Run a full security scan
A trusted scan can help identify malicious files and behavior
Delete suspicious downloads
Remove the file and avoid reopening it
Check for unfamiliar software or startup items
The infection may have installed additional components
Change important passwords from a clean device
This is especially important if data-stealing malware may have been involved
Monitor accounts for unusual activity
Keep an eye on email, banking, and other sensitive accounts
If your computer continues acting strangely after a scan, it may be worth getting professional help.
What This Means for the Future of Malware
This campaign highlights how cybercrime is evolving.
The core risk is not just fake downloads. It is the fact that attackers are using AI tools to help generate code, create variations, and speed up parts of the malware development process.
That can make campaigns like this easier to scale and harder to ignore.
For everyday users, the takeaway is simple: if a file seems unofficial, rushed, or too good to be true, pause before opening it. A fake download may look like a shortcut, but it can quietly turn your device into a target.
Frequently Asked Questions
FAQs
Q: What is AI-written malware?
A: AI-written malware generally refers to malicious code, or parts of a malware campaign, that appear to have been created with help from AI coding tools or large language models.
Q: Did AI create this entire malware campaign?
A: McAfee Labs did not say that. The research suggests that certain components, especially some scripts, were likely generated with help from large language models.
Q: What was this malware disguised as?
A: The malicious files impersonated game mods, AI tools, drivers, trading utilities, VPNs, emulators, and other software downloads.
Q: What can happen if you open one of these fake files?
A: Depending on the sample, the malware may install coin miners, steal data, establish persistence, or download additional malicious tools.
Q: Can malware really use my computer to mine cryptocurrency?
A: Yes. McAfee observed samples in this campaign that used victims’ CPU and GPU resources to mine cryptocurrency in the background.
Q: What is the safest way to avoid this kind of malware?
A: Download software only from official or trusted sources, avoid unofficial tools and cheats, be cautious of fake dependency prompts, and keep your security protection up to date.
Whether you’re a hardcore basketball fan or the office colleague who gets roped into filling out a bracket every year, March Madness is the season for brackets, office pools, and last-minute picks.
More than half of Americans (57%) plan to watch the NCAA basketball tournament, and 55% say they participate in some kind of betting or bracket activity during March Madness, from office pools to licensed sportsbook wagers.
But where there’s excitement and money, scammers aren’t far behind.
New research from McAfee finds that 1 in 3 Americans (32%) say they’ve experienced a betting or gambling scam, and 24% say they’ve lost money to one, with victims losing an average of $547.
Big events like March Madness create the perfect storm: massive attention, constant betting promotions, and fans searching online for predictions, tips, and an edge.
Scammers know it, and they’re exploiting the moment.
This example shows an incredibly realistic, but fake, FanDuel site created by scammers to impersonate the real thing.
Why March Madness is Prime Time for Betting Scams
Sports betting promotions are everywhere during major events like March Madness.
According to McAfee research, 82% of Americans say they’ve seen sports betting promotions or offers in the past year, often on social media, streaming broadcasts, and sports websites.
That flood of promotions makes it easier for scams to blend in with legitimate content.
Many scams start the same way legitimate offers do, through messages, ads, or links promising bonuses or tips. But once someone clicks or responds, the situation can escalate quickly.
For example:
42% of Americans say they’ve been asked to click a link sent via email tied to a betting offer
Others report links sent through social media messages or text messages directing them to betting sites, apps, or private betting groups
In many cases, victims are then asked to send money to unlock winnings, activate accounts, or access premium betting picks.
The payout rarely exists.
The Most Common Betting Scams Fans Encounter
Betting scams come in several forms, but many follow familiar patterns.
Here are some of the most common tactics reported in McAfee’s research:
Scam Type
Definition
How It Works
Red Flags
Guaranteed Win Scam
A betting scam where someone promises a “guaranteed win,” “sure bet,” or “can’t lose” outcome in exchange for money, clicks, or sign-ups. According to McAfee Findings, about 1 in 6 Americans say they’ve received these kinds of messages, which are designed to lure fans looking for an edge.
Scammers send private messages, emails, or social posts claiming they have insider knowledge or a lock on a game. The goal is usually to get the victim to pay for picks, join a private group, or click a malicious link.
Claims that a bet is guaranteed, pressure to act fast, requests for payment to access picks, and promises that sound risk-free.
Fake Free Bet Promotion Scam
A scam that pretends to offer bonus bets, deposit matches, or free credits through a fake sportsbook promotion.
The victim sees what looks like a real sportsbook offer, often through social media, email, or text. Clicking may lead to a fake site that steals login details, payment information, or deposits.
Unfamiliar brand names, unofficial links, urgent sign-up language, and promotions that seem unusually generous.
Winnings Release Fee Scam
A scam where a victim is told they have winnings waiting, but must first pay a fee, deposit, or processing charge to collect them.
The scammer claims the user has won money, then invents a reason payment is required before the funds can be released. Once the fee is sent, the payout never arrives.
Requests to pay before receiving winnings, vague “processing” or “verification” fees, and pressure to send money immediately.
Fake Betting App or Website Scam
A scam involving a fraudulent app or website designed to look like a real sportsbook or betting platform.
Victims are directed to a fake platform where they may create an account, enter personal information, or deposit money. The site may appear legitimate, but withdrawals are blocked or impossible.
Slightly misspelled URLs, strange app download paths, poor website quality, and platforms that make deposits easy but withdrawals difficult.
Sportsbook Impersonation Scam
A scam in which someone pretends to represent a legitimate betting platform or sportsbook support team.
The scammer contacts the victim claiming there is an issue with an account, a bonus, or winnings. They then ask for login credentials, payment details, or personal information.
Requests for passwords, bank details, or identity information; unexpected outreach; and messages pushing you to resolve an “account issue” through a link.
Fake Insider Tip Scam
A scam that uses claims of insider information, fixed games, or special access to make a betting offer sound exclusive and trustworthy.
Scammers position themselves as experts, insiders, or connected sources who can help the victim beat the odds. The real goal is usually payment, account access, or enrollment in a scam betting channel.
Claims of fixed outcomes, “insider” knowledge, exclusive access, and offers that rely on secrecy or urgency.
Celebrity or Influencer Endorsement Scam
A betting scam that uses fake or misleading celebrity, athlete, or influencer endorsements to make an offer seem legitimate.
Scammers create ads, videos, or posts that appear to feature a public figure recommending a betting platform, app, or tip service. In some cases, AI-generated content makes these endorsements look more convincing.
Endorsements that seem off-brand, videos or graphics that look unnatural, unfamiliar accounts, and promotions tied to fake urgency or suspicious links.
Private Betting Group Scam
A scam that tries to move betting conversations into private channels like WhatsApp, Telegram, or Signal.
After initial contact on social media or another public platform, the scammer encourages the victim to join a private group for “exclusive picks,” “VIP bets,” or “premium insights.” These groups are often used to pressure victims into sending money or clicking malicious links.
Pressure to move off-platform quickly, promises of VIP access, requests for payment to join, and little proof that the group is legitimate.
Who Is Most Likely to Encounter Betting Scams
McAfee’s research found that Americans under 45 are significantly more likely to encounter betting scams, with 44% saying they’ve experienced one compared with 19% of those over 45.
Men also report higher exposure, with 40% saying they’ve experienced a betting scam, compared with 25% of women.
Men and younger adults are also more likely to participate in brackets, fantasy sports, or sportsbook betting, the same spaces where scams often appear.
Example of a scam March Madness betting opportunity that uses real logos and imagery
AI Is Making Betting Scams Harder to Spot
Artificial intelligence is beginning to change how scams look and sound.
About 1 in 5 Americans say they’ve encountered betting scams that appeared more realistic because of AI, and 27% believe they’ve seen AI-generated betting content such as fake promotions, images, or videos.
Among those who encountered AI-driven scams:
58% reported AI-generated images or graphics in betting ads
57% saw AI-written messages that sounded natural or personalized
45% encountered fake celebrity or influencer endorsements
36% interacted with chatbots posing as betting experts or support agents
As these tools improve, scam messages are becoming smoother, more convincing, and harder to distinguish from legitimate promotions.
Safety Check
What To Do
Be skeptical of “guaranteed wins”
No bet is risk-free. Ignore messages promising sure bets, insider picks, or guaranteed outcomes.
Use only licensed sportsbooks
Stick to official betting apps and well-known sportsbooks. Avoid unfamiliar websites or apps.
Don’t click betting links from unknown messages
If you receive a betting offer via email, text, or social media, go directly to the official site instead of clicking the link.
Never pay fees to unlock winnings
If someone says you must send money to claim winnings or activate a betting account, it’s almost certainly a scam.
Be cautious of private betting groups
Invitations to “VIP betting groups” on apps like Telegram or WhatsApp are often used to promote scam picks or collect payments.
Tools like McAfee’s Scam Detector can flag suspicious links, websites, and messages before you engage.
March Madness is meant to be fun, filling out brackets, debating picks with friends, and cheering for the next big upset. Betting can be part of that excitement, but it’s worth remembering that scammers are watching the tournament too.
A simple rule of thumb can go a long way: if a betting offer promises guaranteed wins, asks for money upfront, or pushes you to act quickly, take a step back and verify it first.
The safest plays are the ones where you slow down, stick to trusted platforms, and keep your personal information protected.
This image shows another scam site built around sports betting. It’s important to remember these sports betting scams extend beyond basketball and the U.S.
If You or Someone You Know Needs Help
Sports betting can be fun, but for some people it can become difficult to manage. If you or someone you know is struggling with gambling, help is available through the National Problem Gambling Helpline (1-800-MY-RESET), operated by the National Council on Problem Gambling.
This week in scams, the Pokémon Trainer pursuit to “catch ’em all” is being hijacked by criminals posting fake trading card listings online; duping buyers, including young collectors, out of hundreds of dollars.
Meanwhile, threatening email extortion scams claiming your personal data has been stolen are flooding inboxes around the world. And a viral “wedding photo” of Tom Holland and Zendaya shows how AI-generated images can blur the line between real and fake online.
Here’s what to know.
Pokémon Card Scams Surge on Online Marketplaces
The booming market for collectible Pokémon cards has become a new target for scammers.
According to reporting from The Straits Times, Singapore police recently arrested a 25-year-old man suspected of running a series of e-commerce scams involving Pokémon trading cards. Victims reportedly lost more than $135,000 after paying for limited-edition cards that never arrived.
Authorities say the suspect allegedly advertised pre-orders for rare cards on the online marketplace Carousell. After receiving payment through bank transfers or digital payment apps, the seller either became unreachable or claimed there were delivery problems.
Police say at least 35 reports tied to the suspect have been filed since October 2025, and more broadly there have been over 600 reported Pokémon card e-commerce scams totaling more than $1.1 million in losses during that same period.
Why this matters:
Collectibles create the perfect storm for online scams. Limited releases, hype, and rising resale values make buyers feel pressure to act quickly before items “sell out.” Scammers take advantage of that urgency.
How to Stay Safe When Buying Collectibles Online
If you’re buying trading cards or other collectibles online:
Buy from authorized retailers or well-established marketplaces
Avoid sellers who require direct bank transfers or payment apps upfront
Use platforms with buyer protection or escrow payment systems
Be cautious of sellers who suddenly move the conversation to WhatsApp, Telegram, or other messaging apps
When demand spikes for a product, whether it’s sneakers, concert tickets, or Pokémon cards, scams usually follow.
The “Your Data Was Stolen” Email Extortion Scam
Another scam spreading widely right now arrives in a much more intimidating format: a threatening email claiming hackers have stolen your personal data.
According to reporting from Fox News, many people are receiving messages that claim the sender has access to their passwords, files, or financial information. The message then demands payment in Bitcoin to prevent the data from being sold on the dark web.
At first glance, these emails can feel frightening. They often use dramatic language like:
“I have your complete personal information”
“Your files and devices are compromised”
“Pay within 48 hours or your data will be leaked”
But in most cases, there’s one major problem with the claim.
There’s no proof.
Security experts note that these messages usually include no screenshots, no passwords, and no evidence of a real breach. Instead, scammers send the same message to thousands of email addresses at once, hoping a small percentage of recipients will panic and pay.
Often, the scammers obtained your email address from old data breach lists circulating online, which makes the message feel more believable.
What to Do If You Receive One of These Emails
If you receive a threatening extortion email:
Do not reply
Do not send money
Mark the message as spam or phishing
Delete it
Reporting the message helps email providers improve spam filters and prevent similar scams from reaching others.
The biggest tactic here is fear. Once you slow down and evaluate the message, the scam usually falls apart.
That Viral Tom Holland and Zendaya “Wedding Photo”? AI
A viral image circulating on social media this week claimed to show Tom Holland and Zendaya’s wedding, sparking massive speculation online.
But many viewers quickly suspected the image wasn’t real.
According to reporting on Yahoo Entertainment, the photo appeared to originate from a fan account on X (formerly Twitter) that claimed the image had been “confirmed” by major outlets like Vogue and Cosmopolitan. However, no such confirmation existed, and soon the official label was added marking the content as AI-generated.
A screenshot of the viral AI-generated image.
Celebrity rumors already spread quickly online. Add generative AI to the mix, and fabricated images can travel even faster.
While a fake celebrity wedding photo may seem harmless, the same technology can easily be used in more serious ways.
AI-generated visuals are already being used to create:
Fake celebrity endorsements
Fabricated news events
Scam ads featuring public figures
Fraudulent investment promotions
The line between real and synthetic content is getting harder to spot.
How to Spot Potential AI Images
If a viral image seems surprising or dramatic:
Check whether credible news outlets or verified accounts are reporting it
Look for visual inconsistencies in hands, text, or background details
Reverse image search the photo to see where it first appeared
Verify through official sources before sharing
When something looks shocking online, that’s often exactly why it spreads. McAfee’s built-in Scam Detector can help you spot AI-generated audio and video.
McAfee’s Safety Tips This Week
A few simple habits can help reduce your risk across all three of these scenarios:
Be cautious when buying high-demand collectibles online
Never send money in response to threatening emails
Treat viral images and breaking celebrity news with healthy skepticism
Use strong, unique passwords and enable two-factor authentication
Verify surprising claims through trusted sources before reacting
Scams today don’t always look like scams. They often look like exciting deals, urgent warnings, or AI depictions of people you trust.
The best defense is slowing down before clicking, paying, or sharing.
We’ll Be Back Next Week
From collectible card fraud to email extortion campaigns and AI-generated viral content, the tactics scammers use may change, but the strategy is the same: manipulate emotion and urgency.
Stay skeptical, verify before you trust, and we’ll be back next week with another breakdown of the scams making headlines, and what they mean for your security.
Tax season is a headache for many people, and when a shortcut promises to make filing easier, it’s hard to resist. This year, one of the newest trends is using AI chatbots like ChatGPT to help prepare tax returns.
According to new McAfee research, 30% of people say they plan to use an AI tool, such as ChatGPT, to help with their taxes, with younger adults leading the trend.
At first glance, it makes sense. AI tools can explain confusing tax rules, summarize IRS forms, and answer questions instantly.
But there’s an important line that should never be crossed: Do not enter your personal tax information into AI chatbots.
That includes Social Security numbers, income records, home addresses, bank details, or anything else tied to your identity.
Here’s why:
Typing Your Tax Info Into a Chatbot Is Like Posting It Online
Think about it this way: when you type something into an AI chatbot, you’re sending that information over the internet to a system that processes and stores data.
In practical terms, entering sensitive information into an AI tool is similar to typing it directly into a search engine or submitting it to an online form.
Once it leaves your device, you lose direct control over where it travels and how it may be stored.
Even companies with strong security protections are transparent about this risk.
OpenAI’s privacy documentation explains that they use encryption and strict access controls to protect user data. However, they also note that no internet transmission or digital storage system can be guaranteed completely secure.
This is true across the internet, not just for AI tools.
Even Secure Systems Can Experience Breaches
Security incidents can happen anywhere online, including companies with robust security programs.
For example, in late 2025, OpenAI disclosed a security incident involving a third-party analytics provider called Mixpanel. The breach occurred within the vendor’s systems, not OpenAI’s infrastructure, but some limited user profile data associated with the platform was exposed.
According to OpenAI’s disclosure, the data involved information such as:
Names associated with accounts
Email addresses
Approximate location data
Browser and device information
Importantly, chat content, passwords, payment information, and government IDs were not exposed in that incident.
But the event highlights a broader cybersecurity reality:
Even when a company takes strong security precautions, third-party services, vendors, and other parts of the digital ecosystem can still introduce risk.
That’s why cybersecurity experts recommend limiting what personal information you share online whenever possible.
Why Tax Data Is Especially Dangerous to Share
Tax information is one of the most valuable targets for cybercriminals.
If scammers obtain the details commonly found in tax filings, they may be able to:
Commit tax refund fraud
Open financial accounts in your name
Conduct identity theft
Launch highly personalized phishing attacks
Tax returns typically include multiple pieces of highly sensitive data, including:
Social Security numbers
Home addresses
Employer and income information
Banking details for refunds
Family member information
Entering these details into any tool outside of a secure tax platform significantly increases risk.
Safer Ways to File Your Taxes
Instead of relying on AI chatbots for filing, stick with trusted tax preparation options designed to securely handle sensitive data:
Official tax software platforms
Licensed tax professionals
IRS-approved free filing services
These systems are specifically built with compliance, encryption, and identity verification in mind.
AI tools can be incredibly useful for learning and research. But they are not secure tax filing platforms.
If you wouldn’t feel comfortable posting your Social Security number publicly online, you shouldn’t paste it into a chatbot either. When it comes to taxes, the safest rule is simple: Use AI for advice, not for your personal data.
We’re back with another roundup of must-know scams and cybersecurity news making headlines this week, including a scam that features the name of the Jim Carrey movie, The Truman Show.
Let’s break it down.
Why Reports Call it the “Truman Show” Scam
So, why the name of this scam?
In the 1998 film The Truman Show, the main character unknowingly lives inside a staged reality TV world where everything around him is carefully controlled. In the “Truman Show” scam, criminals try to place victims into a similarly staged investment environment, complete with fake group chats, fake investors, and fake profits designed to build trust. It doesn’t actually have anything to do with the movie.
What is the “Truman Show” Scam?
The “Truman Show” scam is an AI-powered investment scam where criminals create an entire fake online community to convince victims an investment opportunity is real.
According to reports, scammers invite people into group chats on platforms like Telegram or WhatsApp that appear full of investors sharing tips and celebrating profits. In reality, many of the participants, moderators, and conversations may be run by AI bots designed to simulate a lively trading community.
Security researchers say the moderator and the other “investors” in the group may actually be AI-driven bots, programmed to simulate real conversations and enthusiasm around the investment strategy.
The scam often includes:
A group chat on Telegram or WhatsApp
A downloadable trading app or website
Screenshots showing fake profits
Encouragement from “other members” to invest more
The app itself may appear legitimate. But in reality, it often redirects users to a malicious website where scammers collect personal and financial information.
Once victims deposit money, the criminals can quickly drain accounts or block withdrawals.
McAfee’s State of the Scamiverse research shows just how convincing scams have become. One in three Americans (33%) say they feel less confident spotting scams than they did a year ago, as criminals increasingly use polished branding, realistic conversations, and AI-generated content to make fraudulent opportunities look legitimate.
Why this works: people naturally trust social proof. When it looks like dozens of other investors are making money, people lower their skepticism.
Fake Government Letters Are Targeting Residents Across Towns
Another scam to be aware of this week includes spoofed letters impersonating local government offices.
According to reporting from WGME in Maine, residents in multiple towns recently received official-looking notices requesting payment for supposed municipal fees tied to development applications.
The letters appeared convincing. They used formal language, official seals, and department names.But there was a problem.
One of the notices claimed it came from a “Board of Commissioners,” even though the town in question does not have one.
Officials say the letters instructed recipients to send payments by wire transfer, a method legitimate government offices almost never use for these kinds of transactions.
McAfee’s experts say these scams are effective because they rely on volume. Fraudsters send thousands of letters hoping a small percentage of recipients will respond before verifying the request. And remember, these types of scams occur all the time and across the globe. While today’s reports are in Maine, it’s important to be vigilant wherever you live.
Red flags to watch for:
Requests for wire transfers, gift cards, or crypto payments
Pressure to pay quickly to avoid penalties
Official-looking letters with subtle inconsistencies
Contact information that doesn’t match the official government website
The safest move is simple: verify the request independently. Contact the government office directly using phone numbers listed on its official website, not the ones in the letter.
LexisNexis Confirms Data Breach After Hackers Leak Files
Meanwhile, a well-known data analytics company is dealing with a breach after hackers published stolen files online.
According to BleepingComputer, LexisNexis Legal & Professional confirmed that attackers accessed some of its servers and obtained limited customer and business information. The confirmation came after a hacking group leaked roughly 2GB of stolen data on underground forums.
LexisNexis says the compromised systems contained mostly older or “legacy” data from before 2020, including:
Customer names
User IDs
Business contact information
Product usage details
Support tickets and survey responses
The company says highly sensitive financial information, Social Security numbers, and active passwords were not part of the exposed data.
However, attackers claim they accessed millions of database records and hundreds of thousands of cloud user profiles tied to the company’s systems.
LexisNexis says it has contained the intrusion and is working with cybersecurity experts and law enforcement.
Why breaches like this matter: even when the stolen data appears limited, it can still be used in targeted phishing attacks.
For example, scammers might use real names, email addresses, or business roles to send convincing messages that appear legitimate.
Breaches often trigger waves of follow-up scams weeks or months later. (We know we cover this one a lot, but it’s key to remember!)
McAfee’s Safety Tips This Week
A few simple habits can make these schemes much easier to spot.
Be skeptical of investment groups online. Real trading communities rarely pressure you to deposit money quickly or download unfamiliar apps.
Verify government payment requests independently. If you receive a letter demanding payment, contact the agency directly using information from its official website.
Treat breach-related messages cautiously. After a breach makes headlines, phishing emails often follow pretending to offer “account verification” or “security updates.”
Avoid clicking unfamiliar links in emails or texts. Tools like McAfee’s free WebAdvisor can help flag risky websites and block known malicious pages before they load.
Pause before sending money or personal information. Many scams rely on urgency. Slowing down gives you time to verify what’s real.
We’ll be back next week with another roundup of the scams and cybersecurity news making headlines and what they mean for your digital safety.
John C. isn’t the person you picture getting scammed.
He’s 36. He’s tech-savvy. He’s a mechanical engineer leading a team at a national energy lab in Denver. And he told us his story for one reason: “Scammers will target anyone.”
It began with a phone call from someone claiming to be the IRS. They said John had underpaid his taxes and needed to resolve it quickly. The caller sounded polished and convincing, so convincing that John didn’t stop to question it.
“I thought maybe they sent back too much money [in my refund], and they needed it back,” he said. “I was just so busy and overwhelmed that I never really stopped to think about the situation.”
A follow-up email arrived with IRS logos, clean formatting, and a big payment button. John was trying to move fast between classes as he finished up his PhD, and he wanted to correct the situation as quickly as possible.
“I was like, let me just hurry up and do this, get it over with.”
He clicked. He paid. But later, when he checked his statement, he saw the charge didn’t look like an IRS payment at all. In fact, it was an international charge. The whole thing was a scam.
John said the scammer on the phone had appealed to his emotions and been incredibly convincing.
“It was absolutely masterful,” John said. “I would give him an Oscar for it.
And new McAfee research shows John isn’t alone, with nearly 1 in 4 (23%) US adults surveyed revealing they’ve lost money to a tax scam.
Example of a tax scam text message
Key findings from McAfee’s 2026 Tax Season Survey
Here’s what our January 2026 survey of 3,008 U.S. adults found:
The big picture: lots of worry, not enough confidence
82% of Americans say they’re concerned about tax fraud this season.
67% say they’re seeing the same or more tax scam messages than last year.
40% say tax scam messages are more sophisticated than last year.
84% are concerned about AI making tax scams more realistic.
Only 29% say they’re very confident they could spot a deepfake tax scam.
How often scams are reaching people
34% say they’ve been contacted by someone claiming to be the IRS or another tax authority (phone, text, or email).
38% say they’ve been asked to click a link or send payment related to a “tax issue.”
Common asks include SSNs (15%), birth dates (11%), addresses (10%), “you owe back taxes” pressure (9%), and banking details (8%).
Who is getting hit hardest
Nearly 1 in 4 Americans (23%) say they’ve fallen for a tax scam.
Young adults report the highest exposure: 42% of 18–24-year-olds say they’ve fallen for at least one tax scam.
11% of Americans report tax-related identity theft, rising to 17% among ages 25–34.
The money is real
Among people who say they’ve fallen for a tax scam, the average loss is $1,020.
Separately, nearly 1 in 5 Americans say they’ve lost money to a tax scam.
Tax filing is increasingly digital (and that changes the risk)
55% say they file taxes online (software or IRS Free File).
75% say they receive refunds or pay taxes electronically (direct deposit, cards, apps, EFTPS, etc.).
30% say they plan to use an AI tool (like ChatGPT) to help prepare taxes, especially younger adults. This is highly dangerous, even with platform security protections. For example, if an AI tool were compromised in a data breach, user messages with personal tax information (like social security numbers, home address, and more) could be made public.
Tax Scams Now Hit Year-Round, McAfee Labs Finds
In addition to our consumer survey findings, McAfee Labs analyzed malicious URLs, apps, texts, and emails in the months leading up to filing season.
The major takeaway: tax scams don’t wait for April.
Scam activity began climbing as early as November and has again continued building steadily into 2026.
Between September 1, 2025, and February 19, 2026, McAfee Labs identified 1,468 malicious or suspicious tax-themed unique domains, an average of 43 new fake tax websites every day.
In early November 2025 alone, the average number of new tax-themed malicious domains nearly doubled in just over a week. After a brief dip in late December, activity resumed climbing into February, a pattern we expect to intensify as the April filing deadline approaches.
A chart showing the unique, malicious domains detected by McAfee’s Web Advisor
Fake IRS Websites Are A Major Threat
Scammers are rapidly creating lookalike IRS domains that mimic official government URLs.
They use small changes, extra letters, added words, subtle misspellings, to trick taxpayers into believing they’re on a legitimate IRS site.
Examples include domains that insert additional text around “irs.gov” or add misleading subdomains designed to pass a quick glance.
These fake portals are used to:
Steal login credentials
Harvest Social Security numbers and tax IDs
Capture payment details
Charge bogus “processing fees”
In some cases, these sites don’t just steal, they overcharge.
McAfee Labs observed scam services offering to file for an EIN (Employer Identification Number), something the IRS provides for free, and charging as much as $319 for it.
Example of a scam website we found charging for an EIN.
The official IRS website explicitly warns: you never have to pay a fee to obtain an EIN.
Other scam sites misuse legitimate policy terms, like the “Fresh Start Initiative,” to harvest personal data and enroll victims in aggressive robocall and marketing campaigns.
Tax scams don’t always steal outright. Sometimes they monetize confusion.
Here it shows them charging $319 for an EIN, and collecting their personal information.
How a Typical Tax Scam Unfolds
Most tax scams aren’t one single message. They’re a sequence, designed to make you panic, click, and comply.
Below is the common playbook, plus the red flags that show up repeatedly.
*Note: Scammers may swap the details like AI voice, fake IRS videos, cloned websites, or impersonating tax software, but the pattern stays familiar.
Step
What happens
Red flags you’ll see at this step
Red flags that are true every time
What to do instead
1) The hook
You get a call, text, or email claiming there’s a tax issue (refund problem, underpayment, verification needed).
Message arrives out of nowhere, often during busy hours; “final notice” language; spoofed caller ID.
Unexpected contact + urgency.
Don’t engage. Pause. Go directly to IRS.gov or your tax provider’s official site (type it in).
2) The authority move
They lean hard on being “the IRS” or “state tax authority,” sometimes with personal details.
They sound polished; may use AI voice cloning; may cite a “case number.” Fake or meaningless case numbers are very common.
They want you to trust the title, not verify the source.
Ask for written notice and time. Real tax issues can be verified through official channels.
3) The link
They send a link to a “secure portal” or “refund page.”
Never click the link. Navigate to the real site yourself. If unsure, delete it.
4) The data grab
The site (or “agent”) asks for SSN, banking info, login credentials, or details from a prior return.
Requests that are broader than needed; “verify identity” prompts; form fields that feel too invasive.
They want sensitive info fast.
Stop. Don’t type anything. If you already did, assume it’s compromised and act quickly (see next section).
5) The payment push
They demand payment to “avoid penalties,” “release your refund,” or “resolve a mistake.”
Gift cards, crypto, wire transfers, payment apps; pressure to pay today; threats.
Urgency + unusual payment method.
The IRS does not demand immediate payment via text/social, and doesn’t require gift cards or crypto. Verify independently.
6) The escalation
If you hesitate, they intensify: threats, “law enforcement,” or AI video/audio that “proves” it’s real.
Deepfake IRS video, intimidating language, “you’ll be arrested,” “your license will be revoked.”
Fear is the product.
Hang up. Save evidence. Talk to a trusted person. Contact official support through verified numbers.
7) The aftermath
You realize it was a scam—often after noticing a strange charge or login activity.
Charges from odd merchants; new accounts; IRS account alerts; failed tax filing due to “duplicate return.”
Shame keeps people quiet—scammers count on that.
Report it and protect your identity right away. You’re not alone, and it’s not your fault.
Key point: A message can look “official” and still be fake. AI is making scam language smoother and scams more believable. The safest habit is simple: slow down, and verify using official sources you navigate to yourself.
What to do if you’ve been involved in a tax scam
First: take a breath. Scams are designed to trick you, especially when you’re overwhelmed, rushed, or just trying to fix a problem quickly.
John said it plainly: “Don’t be embarrassed. It does happen. It’s common… they will target anyone.”
And he’s right. The most important thing is what you do next.
1) Stop the bleeding: cut off contact
Stop replying
Don’t click anything else
Don’t send more information or money
2) Capture proof (before it disappears)
Take screenshots and save:
Phone numbers, email addresses, usernames
The message content
Links (don’t click them, just copy)
Payment receipts and transaction IDs
3) Lock down your accounts (especially email)
If a scammer gets into your email, they can reset passwords for everything else.
Do this today:
Change your email password first, then banking/tax accounts
Turn on two-factor authentication (2FA)
If you reused passwords anywhere, change those too
Important: If you clicked a suspicious link, downloaded a file, or gave someone remote access to your computer, make sure you use a different, trusted device (like your phone or another computer) to change passwords. Why? If a scammer installed malware or has access to your computer, they may be able to see all of your brand-new passwords as you’re making them.
Tip: A password manager like McAfee’s can help you create strong, unique passwords quickly, without having to memorize them all.
4) Check for identity theft signals
Tax scams often turn into identity theft. Watch for:
IRS notices about a return you didn’t file
Trouble e-filing because a return was already submitted
Alerts about a new IRS online account you didn’t create
If you suspect tax-related identity theft:
Consider filing an IRS identity theft report (commonly done with IRS Form 14039, Identity Theft Affidavit).
Create or log into your IRS account periodically to review account activity (John now does this every few months).
IRS phishing email: If you received a scam email posing as the IRS, you can forward it to phishing@irs.gov.
Your bank or card provider: If you paid, contact them immediately. Even if recovery isn’t guaranteed, speed matters.
6) Clean up your digital footprint
Scammers don’t just use what you give them. They also use what they can look up.
Removing your personal details from risky data broker sites can reduce how easily scammers can target you again. Tools like Personal Data Cleanup can help you identify where your information is exposed and guide removal.
7) Add protection for the next attempt
Tax season scams often come in waves, especially if scammers think your info is “good.”
Helpful layers include:
Web protection to warn you about risky links and lookalike sites before you enter info – get our free WebAdvisor download here
Scam detection that can flag suspicious messages
Identity monitoring to alert you if key personal info shows up in risky places
Run a free antivirus scan to check your device for malware or unwanted programs (especially if you clicked a link or downloaded anything)
The key takeaway
Tax season creates the perfect storm: time pressure, sensitive data, and a lot of official-looking communication.
Our research shows most people are worried, and for good reason. Scammers are getting more convincing, and AI is raising the bar on what “real” looks and sounds like.
“Tell your friends, tell your family,” John said. “Everyone I know at some point has heard this story, and it might just prevent someone from losing… thousands of dollars.”
If you remember just three things this season, make them these:
Pause before you click.
Verify through official channels you navigate to yourself.
If something happens, act quickly, and don’t blame yourself.
This week in scams, we’re looking at three very different stories with the same underlying theme: trust is being exploited at scale.
A massive government contractor data breach has quietly grown to affect more than 25 million people. Meanwhile, a viral AI-generated image of Mary-Kate and Ashley Olsen posing in a fake luxury campaign is spreading across social media, fooling some users and alarming others.
And in a new threat report, OpenAI detailed how its own tools are being misused for dating scams, impersonation, and influence operations.
Let’s break it down.
The Conduent Data Breach Now Impacts 25+ Million People
The fallout from a ransomware attack on Conduent, one of the largest government contractors in the U.S., continues to expand.
According to reporting from TechCrunch, updated state-level breach notifications now indicate that more than 25 million people across the U.S. have had personal data exposed.
Conduent provides services tied to state benefit programs, including food assistance, unemployment systems, and other government payment processing operations. The company has said its services reach over 100 million people.
Data reportedly exposed in the breach includes:
Names
Dates of birth
Addresses
Social Security numbers
Health insurance and medical information
TechCrunch noted that the majority of affected individuals appear to be in Oregon and Texas, based on state breach disclosures. Other states have also reported an impact.
The attack has been described as one of the largest government-contractor-related data breaches in recent memory.
Why this matters: When companies that process government benefits are hit, the exposed data often includes highly sensitive identity information. Social Security numbers combined with medical or insurance details can significantly increase the risk of identity theft and fraud.
How to Protect Yourself After a Major Data Breach
If you believe your data may have been exposed:
Monitor your credit reports for unfamiliar activity
Consider placing a free credit freeze
Be wary of phishing emails or texts referencing benefits or account verification
Never share personal information in response to unexpected outreach
Breaches like this often lead to secondary scams months later. The breach itself is only phase one. Phishing campaigns usually follow.
That Viral Olsen Twins “Louis Vuitton” Image? It’s AI.
A supposed luxury campaign featuring Mary-Kate and Ashley Olsen began circulating widely on X and Facebook this week, racking up millions of views.
The images show the twins styled in what appears to be a high-end fashion shoot, drawing numerous comments over their styling. But social media users quickly pointed out visual irregularities and inconsistencies commonly associated with AI-generated imagery.
A screenshot of one of the AI images making thr rounds across social media.
While this doesn’t fall into our typical “scam” roundup, the normalization of AI-generated visuals that look close enough to real to confuse people are a growing issue that can lead to real confusion and distrust.
We have entered a phase where:
Fake ads look legitimate
Public figures appear in campaigns they never participated in
Synthetic images spread faster than corrections
Today it’s a fashion ad. Tomorrow it could be a fake political endorsement, financial announcement, or emergency alert.
The takeaway: If you see a surprising campaign or announcement, verify it through official brand websites or verified accounts before assuming it’s real.
OpenAI Details How ChatGPT Is Being Misused
In a newly released threat report, OpenAI outlined several ways its tools have been abused by bad actors.
A cluster of accounts used ChatGPT to run a dating scam targeting Indonesian men, allegedly defrauding hundreds of victims per month.
Some accounts used the tool to generate promotional copy and ads for a fake dating platform that pressured users into completing costly “tasks.”
Other accounts posed as law firms, impersonating real attorneys and U.S. law enforcement to target fraud victims.
OpenAI also banned accounts linked to activity believed to be part of influence operations, including efforts targeting Japanese political figures.
OpenAI stated that the activity was detected and accounts were removed.
Why this matters: AI tools themselves are not inherently scams. But they dramatically lower the cost and increase the scale of fraud operations. Writing persuasive emails, generating fake legal letters, building scam ads… these now require fewer technical skills than ever before.
The technology doesn’t create the criminal intent. It just accelerates it.
McAfee’s Safety Tips This Week
Assume viral images could be AI-generated until verified
Verify unexpected announcements through official websites
Treat post-breach emails as suspicious by default
Be skeptical of online “consultation” invites that promise payment
Never send money to someone you’ve only met online
We’ll Be Back Next Week
From ransomware breaches to AI-generated impersonations, the pattern is clear: scammers are scaling trust manipulation with technology.
Stay skeptical. Verify before you click. And we’ll be back next week with another breakdown of what’s making headlines, and what it actually means for your security.
AI is supposed to make the internet easier. But right now, it’s also making scams easier.
Every week, we round up the biggest scam and cybersecurity stories of the moment so you can recognize red flags, protect your accounts, and avoid the most common traps scammers are using.
This week in scams, we’re talking AI-powered search scams, a major fintech data breach, and an unexpected ticket fraud scheme that allegedly cost the Louvre millions.
Let’s jump in:
Google AI Overviews Are Being Used to Scam People Out of Money
Google Search doesn’t just show links anymore. Now, it often shows AI-generated summaries at the top of the page called AI Overviews, quick answers designed to save you time.
But according to reporting from WIRED, scammers are finding ways to exploit these AI summaries by planting fake customer support phone numbers into search results.
Here’s how the scam works: Someone searches for a bank, airline, or service provider, usually something like “Company name customer support number.” Then Google’s AI Overview pulls a phone number from somewhere online and displays it as if it’s legitimate.
The problem? Sometimes that number doesn’t connect you to the company at all.
Instead, it connects you to a scammer impersonating customer service, someone trained to sound helpful, calm, and official, while quietly steering you toward sharing payment information, account details, or verification codes.
This isn’t just misinformation. It’s a direct path into fraud.
Google told WIRED it’s working to strengthen anti-spam protections in AI Overviews, but also recommends users double-check customer support numbers through additional searches.
Key red flags to watch for
The AI Overview provides a phone number without clearly showing where it came from
The “support agent” asks for payment information immediately
The person asks for your login credentials, bank info, or verification codes
The caller pressures you to act quickly (“your account will be frozen”)
The number doesn’t match what’s listed on the company’s official website
How to protect yourself
If you’re looking for a customer support number, don’t rely on an AI summary.
Go directly to the company’s official website and find their contact page
Verify the phone number through multiple sources
If the person on the phone asks for passwords or MFA codes, hang up immediately
Treat any urgency or threats (“you must act now”) as a scam signal
The big lesson: AI can summarize the internet, but it can’t always verify the truth.
Data Breach Watch: Fintech Firm Figure Exposes Nearly 1 Million Accounts
If you’ve applied for a loan, worked with a fintech service, or interacted with a home equity platform recently, this one is worth paying attention to.
According to BleepingComputer, fintech company Figure Technology Solutions was breached in a social engineering attack, with hackers reportedly stealing personal data tied to nearly 967,200 accounts.
The exposed data reportedly included names, email addresses, phone numbers, physical addresses, and dates of birth. And that’s exactly what scammers use to build believable impersonation attempts.
Why this matters
Even if you’ve never heard of Figure, data breaches like this can ripple outward fast.Once scammers have your email, phone number, and date of birth, they can launch more convincing scams like:
Fake “account verification” calls
Fraudulent loan or credit applications
Phishing emails pretending to be financial institutions
Identity theft attempts using your personal details
And because this breach was reportedly caused by social engineering, it’s also a reminder that the weakest link in security isn’t always technology, it’s human trust.
Key red flags to watch for after a breach
Calls claiming your loan account needs immediate verification
Emails asking you to “confirm your identity” using a link
Messages that include personal details to sound legitimate
Fake financial support agents asking for payment or login credentials
What to do right now
Change passwords (especially if you reuse them across accounts)
Turn on multi-factor authentication where possible
Monitor your credit report for unusual activity
Be skeptical of unexpected financial messages, even if they seem personalized
After breaches like this, scammers often wait weeks or months before striking, because they know people stop paying attention.
A Scam at the Louvre Allegedly Cost $12 Million
Not every scam story is about malware or phishing links. Some are about old-fashioned fraud, executed at a scale that feels almost unbelievable.
According to reporting from The New York Times, French investigators uncovered a ticket fraud scheme that may have cost the Louvre in Paris nearly $12 million over a decade.
Officials say the suspected scam involved tour guides allegedly reusing tickets multiple times, bribes paid to museum employees, and tourist groups being split up to avoid additional fees.
Last week, police reportedly arrested nine people in the case, including two museum employees.
Investigators also believe similar fraud may have taken place at Versailles.
The Takeaway
This wasn’t a one-time trick. Investigators believe the network may have been running for years, allegedly bringing in multiple tour groups per day.
It’s a reminder that scammers don’t always need to “hack” a system.
Sometimes, they just find a weak point, then repeat it until it becomes a business model.
The bottom line: the Louvre story is dramatic, but the lesson is familiar. Scams thrive anywhere oversight is stretched thin, systems are overwhelmed, and people assume someone else is double-checking.
Whether it’s a museum ticket scanner or an AI-generated search result, scammers will always look for the fastest path through the cracks.
McAfee’s Safety Tips for This Week
This week’s scam pattern is all about one theme: trust shortcuts.
AI summaries that feel official. Phone numbers that look real. Support agents who sound convincing. Breach data that makes phishing more believable.
The best defense is slowing down and verifying before you act.
Here are the smartest moves to make right now:
Don’t trust AI Overviews (or search snippets) for customer support phone numbers. Always verify through the company’s official website.
Treat “customer service” calls with caution, especially if they ask for payment info, passwords, or MFA codes.
Never share verification codes, even if someone claims they’re just “confirming your identity.”
Watch for phishing attempts after major breaches. Scammers often use stolen data to make messages feel personal and urgent.
Be suspicious of pressure tactics like “your account will be frozen” or “you must act immediately.”
If you think your personal data may be exposed, monitor your credit and update your passwords now, not later.
Use tools like McAfee Web Protectionto avoid dangerous links, bad downloads, malicious websites, and more.
We’ll be back next week with another roundup of the scams making headlines, and what you can do to stay ahead of them.
You don’t always realize your YouTube channel has been hacked right away.
Sometimes it’s a sudden spike in notifications. Sometimes it’s a flood of confused comments. And sometimes it’s the worst-case scenario: you wake up to find your channel renamed, your videos hidden, and a scam livestream running under your brand.
This is one of the most common forms of creator-targeted account takeover today. Attackers hijack real channels because they already have an audience, and then use that trust to promote fake crypto giveaways, “investment” livestreams, or malicious links in video descriptions.
A YouTube channel hack can also put your account at risk of Community Guidelines strikes or monetization penalties, even if you didn’t upload the content yourself.
This guide walks you through exactly what to do if your YouTube channel has been compromised: how to regain owner access, stop scam live streams fast, and secure your Google Account so it doesn’t happen again.
Signs Your YouTube Channel May Be Compromised
A hacked YouTube channel usually means your Google Account has also been compromised, since every YouTube channel is tied to at least one Google Account.
Watch for these red flags:
Changes you didn’t make: Your channel name, profile photo, handle, description, or external links were updated.
Videos or live streams you didn’t create: You may see uploads you don’t recognize, scam live streams, or replays that weren’t posted by you.
You receive warnings or strikes: YouTube may send emails about Community Guidelines violations, copyright claims, or suspicious activity tied to content you didn’t publish.
You can’t log in or your password stops working: A sudden login failure may mean your password was changed or your account access was locked.
Monetization or AdSense settings changed: Attackers may try to redirect revenue or alter payment associations.
If any of these are happening, assume your channel is compromised and start recovery steps immediately.
What to Change Immediately If Your YouTube Channel Was Hacked
If your YouTube channel was hacked, assume your Google login details may have been stolen.
That means simply getting back into your channel isn’t enough; you also need to update the passwords and settings attackers could still use.
Here’s what to change right away:
Change your Google Account password
Enable two-factor authentication (2FA)
Remove unknown devices and active sessions
Check and update your recovery email and recovery phone number
Remove any unfamiliar channel owners/managers/editors
Remove suspicious connected apps or third-party access
Review your AdSense/monetization settings for changes
Update any other accounts that share the same password
If you suspect the takeover started through malware or phishing, it’s also smart to update passwords for other sensitive accounts tied to your Google identity, like Gmail, Google Drive, banking accounts, or payment apps.
One of the most common ways YouTube channels get hacked is through phishing.
Scammers impersonate:
YouTube support
YouTube Partner Program emails
Copyright violation notices
Brand sponsorship offers
Verification or monetization warnings
They try to pressure you into clicking a link, downloading a file, or logging in through a fake Google sign-in page.
If you receive a suspicious email or message, don’t click.
Instead, open YouTube Studio directly and check your account status from inside the platform.
Final Tips: Recovering From a YouTube Channel Hack
A hacked YouTube channel is stressful for a reason: it doesn’t just affect your account. It affects your audience, your reputation, and your income, especially if monetization is involved.
YouTube may be able to help restore access, reverse changes, or provide instructions for appealing a termination if your channel was taken down during the hack.
Q: How do I know if my YouTube channel was hacked? A: Common signs include channel name or branding changes you didn’t make, scam livestreams, videos uploaded that aren’t yours, suspicious external links added to your channel, or being locked out of your account.
Q: Why does a hacked YouTube channel usually mean my Google Account was hacked too? A: Because YouTube channels are tied to Google Accounts. If your channel was taken over, your Google login credentials or active session may have been compromised.
Q: What should I do if my channel is live-streaming a crypto scam? A: End the livestream immediately if you still have access. Then change your Google password, remove unknown channel managers, enable 2FA, and remove scam links from your channel page and video descriptions.
Q: Can I get strikes or lose my channel because of videos the hacker uploaded? A: Potentially, yes. Scam uploads can trigger Community Guidelines or copyright violations. That’s why it’s important to remove unauthorized content quickly and review YouTube Studio for strikes.
Q: What if I can’t log in at all? A: Start Google’s account recovery process as soon as possible. If you’re still locked out after recovery attempts, visit YouTube’s official hacked channel support resources for next steps.
Q: How do I know if the hacker is fully kicked out? A: Review your Google Account security settings, logged-in devices, recovery email/phone settings, and channel permissions. Remove anything unfamiliar and enable 2FA to reduce the chance of re-entry.
It’s Friday the 13th, but you have nothing to fear online if you’re scam-savvy and well protected.
Every week, we round up the biggest scam and cybersecurity stories of the moment so you can recognize red flags, protect your accounts, and avoid the most common traps scammers are using.
This week in scams, we’re talking Valentine’s Day, deepfake deception, and online privacy.
Let’s jump in:
New McAfee Research Shows Romance Scams Spiking
Valentine’s Day is supposed to be peak season for connection. But for scammers, it’s peak season for something else: emotional leverage.
New McAfee research shows romance scams are not rare edge cases, they’re becoming a common part of the online dating experience. In fact, 1 in 7 American adults (15%) say they’ve lost money to an online dating or romance scam. Even more alarming: of the people who lost money, only 1 in 4 (24%) were able to recover all of it.
And many scams start exactly the way real relationships do.
One McAfee interviewee, Jules, a healthcare professional in her 40s, joined a dating app hoping to meet someone as a busy working single mom. She met “Andy,” who seemed local, charming, and emotionally invested. He didn’t rush into money. He built trust. He mirrored her life. He made her feel safe.
Then he introduced a “crypto opportunity” that looked legitimate. The app showed gains. She even withdrew small amounts at first. But weeks later, her account froze, and she was told she needed to pay a $25,000 “tax payment” to unlock it.
She paid. Then the account froze again.
By the time Jules realized the truth, she had lost more than $80,000, including $25,000 borrowed from her elderly mother.
This is the new shape of romance scams: slow, believable, and psychologically engineered. McAfee Labs also reports that romance-related scam activity spikes during peak dating season, including fake profiles, cloned apps, and AI-driven spam behavior.
Key red flags to watch for
They move fast emotionally (“I’ve never felt this way before”)
They push you off-platform quickly (WhatsApp, Telegram, Signal)
Their story sounds polished but hard to verify (military, oil rig, entrepreneur)
They introduce “investment advice” or crypto opportunities
They ask for payment apps, gift cards, wire transfers, QR payments, or “fees”
They claim your money is “frozen” unless you pay one more time
How romance scams typically unfold
While scams can take many forms, most follow a familiar pattern. Understanding the progression can help people recognize risk earlier.
Stage
The Red Flags / How it Unfolds
What the scammer wants
What to do instead
1) The hook
A friendly DM, a “wrong number” text, a dating match, a comment reply, a follow request
A response. Any response.
Don’t move fast. Keep the convo on-platform. Don’t give out your number.
2) Love bombing
Daily messages, fast intimacy, mirroring your interests, “I’ve never felt this way”
Trust and routine
Slow it down. Ask for a real-time video call and a specific, verifiable detail.
3) Private channels
“Let’s talk on WhatsApp/Telegram/Signal.” “Don’t tell anyone yet.”
Control and privacy
If someone pushes you off-platform quickly, treat it as a red flag.
4) Building credibility
A “job” story (military, oil rig, entrepreneur), polished photos, voice notes, even AI-assisted video
Believability
Verify independently. Reverse image search photos. Watch for inconsistencies.
5) A financial request
A “small” emergency, a plane ticket, a crypto opportunity, “help me unlock my account,” gift cards, payment app request
Money or financial access
Never send money to someone you haven’t met. Never share financial info or account details.
6) Escalation
“I need a verification code.” “Can you receive money for me?” “Open an account.” “Co-sign.”
Identity theft, account takeover, new credit
Never share MFA codes. Don’t open accounts for anyone. Lock credit if you’ve shared info.
7) Ghosting
Ghosting, deleted accounts, new persona, rinse-and-repeat
Exit before consequences hit them
Preserve evidence, report, and secure your accounts immediately.
Key point: the scariest scams may never send you a sketchy link. They may only send convincing words, and the pressure to act.
Deepfake Fraud Is Going “Industrial”
Deepfake scams used to sound like something only elite hackers could pull off. Not anymore.
Reporting from The Guardian highlights a new analysis from AI experts suggesting deepfake fraud has gone “industrial,” meaning it’s now cheap, scalable, and increasingly accessible to non-experts. Researchers tied to the AI Incident Database described a landscape where impersonation scams are becoming one of the most common types of AI-driven incidents reported month after month.
Instead of crude phishing emails, scammers can now use AI tools to generate:
Realistic fake videos of public figures
Fake doctors promoting products
Fake journalists endorsing scams
Realistic job applicants and “candidates” who aren’t real people at all
One example described in the reporting involved an AI security CEO who posted a job listing and quickly received a referral for a candidate who looked perfect on paper. The resume was strong. The emails were polished. The interview was scheduled.
But when the video call began, the candidate’s image loaded slowly, and the background looked artificial. The face was blurred around the edges. The person glitched slightly as they spoke. A deepfake detection firm later confirmed: the interviewee was AI-generated.
The most unsettling part? Even the target didn’t know what the scammer was after…. a salary? access to internal systems? company secrets?
This is what makes deepfake scams uniquely dangerous: they’re not always about stealing money immediately. They’re often about getting trust, access, and leverage first.
Key red flags of deepfake impersonation scams
Video or audio glitches (especially around facial edges)
Backgrounds that look “too smooth” or artificial
Delays before video loads or odd syncing between voice and mouth movement
Overly polished speech with little natural hesitation
Pressure to move fast, hire fast, or approve payments quickly
This is also why deepfake fraud is so effective: it exploits the assumption that “seeing is believing.” In 2026, that assumption is no longer safe.
This is also backed up by McAfee’s previous research. In 2025, McAfee Labs conducted a study of 17 different deepfake-creation tools and found that for just $5 and with just 10 minutes of setup time, scammers can create powerful, realistic-looking deepfake video and audio scams.
This example from our 2025 State of the Scamivers report shows how a deepfake creation tool can realistically transform a live video chat with our McAfee researcher into a chat with “Tom Cruise” or “Keanu Reeves.”
Google “Results About You” Update Shows How Personal Data Fuels Scams
Not every scam story this week is about criminals. This update is about fighting scammers, as shared by Google.
Google announced this week that it has expanded its “Results about you” tool, which helps people monitor and remove sensitive personal information from Search results. Previously, the tool focused on personal contact details like phone numbers, email addresses, and home addresses.
Now, users can also request the removal of Search results that include highly sensitive information like:
This matters because personal data is often the fuel behind the scams we’ve been tracking all year, including romance scams.
Removing sensitive data from search results doesn’t erase it from the internet completely but it can reduce how easily scammers can weaponize it. To take your online privacy to the next level, consider McAfee’s Personal Data Cleanup, which will help remove your personal information across the web.
What this tool helps protect against
Identity theft attempts
Impersonation scams
Doxxing threats
Fake “verification” schemes
Social engineering and targeted romance scams
The scam lesson here is simple: the less information scammers can find, the harder it is for them to tailor the con.
McAfee’s Safety Tips for This Week
This week’s scam pattern is all about emotional manipulation + AI credibility + personal data exposure. The best defense is slowing down and verifying before you trust.
Here are the smartest moves to make right now:
Don’t confuse emotional intensity with authenticity. Love bombing is a tactic, not a love language.
Never send money to someone you haven’t met in real life, no matter how convincing their story is.
Treat “crypto investing tips” from strangers as an immediate red flag.
Don’t move off-platform quickly. If someone insists on WhatsApp, Telegram, or Signal early on, assume they’re trying to isolate you.
Never share verification codes or screenshots of financial apps, even if they claim it’s “just for confirmation.”
Reverse image search profile photos and look for inconsistencies in background details, timelines, or personal stories.
If a video call feels off, trust your instincts. Deepfakes often look almost real, but “almost” is the danger zone.
Reduce your digital footprint. The more personal info available online, the easier it is for scammers to tailor believable impersonations.
“I signed up for an app because it felt like the only realistic way to meet people as a working single mom.”
Jules, a healthcare professional in her 40s, turned to online dating while balancing work, school, and raising her child after the pandemic. Then she met “Andy.”
He seemed like a great guy. He knew her area and even shared pictures of himself at restaurants, wineries, and neighborhood spots Jules recognized. Their early conversations felt ordinary and he seemed invested in her life and well-being.
“He didn’t ask for money right away; he built trust first,” she said. “So when the investment came up, it didn’t feel risky. It felt like help.”
Andy claimed he was successful in cryptocurrency and said he could show her how to pay down debt, get ahead financially, and finally have some breathing room. Jules decided, cautiously, to try it. And because the accounts appeared to show gains, and she was even able to withdraw small amounts of money, Jules believed the opportunity was real.
But the crypto app wasn’t real. And neither was Andy.
One day, weeks later, the account was suddenly frozen. A message popped up saying the only way to access her funds would be through a $25,000 “tax payment”. She paid the “tax,” worried about losing her investments. But the account immediately froze again, this time facing the claim of money laundering.
That’s when she realized something wasn’t right. And Andy suddenly disappeared.
By the time Jules realized it was a scam, she had lost more than $80,000. Jules said $25,000 of that was borrowed from her elderly mother.
“The financial loss was devastating, but the emotional toll was worse. I felt ashamed and completely alone.”
New research: Romance scams climb ahead of Valentine’s Day
Jules isn’t alone. Unfortunately, this type of long-con romance scam is increasingly common. And AI-powered tools are only helping scammers increase their attack volume.
According to McAfee’s 2026 Valentine’s Day research, 1 in 7 American adults (15%) say they have lost money to an online dating or romance scam.
The cost of losses varied widely between age groups. American adults between ages 35 to 44 were among the most likely to report higher losses, over $5,000, while younger Gen Z victims reported smaller losses under $500.
Of the people who’ve lost money to an online dating scam, just 1 in 4 (24%) were able to recover all their money.
Exposure is widespread even when money is not lost. More than half of Americans say they have been asked to send money or share financial information by a potential romantic partner, often through payment apps, wire transfers, gift cards, QR codes, or cryptocurrency.
McAfee Labs data reinforces what consumers are experiencing. During the peak dating season leading into Valentine’s Day, Labs blocked hundreds of thousands of romance-related malicious URLs and observed surging activity tied to fake profiles, cloned dating apps, and AI-driven chat behavior. In fact, Labs reported significant AI chat bot spam, with some users receiving more than 60 messages in 12 hours, even without a profile photo.
At the same time, fewer scams relied on obvious malicious links, suggesting scammers are shifting toward persuasion and relationship-building instead.
The research at a glance: Fast facts
47% of American adults have used an online platform to meet a romantic partner
35% have encountered fake profiles or AI-generated images while dating online
1 in 4 say they discovered they were interacting with a fake profile or AI bot
22% say they have been a victim of catfishing
53% have been asked to send money or financial info by a romantic interest
Payment apps are the most common path for money requests, especially among adults under 35
32% believe it is possible to develop romantic feelings toward an AI bot
9% say they have personally experienced romantic feelings for an AI chatbot
Men are significantly more likely than women to encounter romance scams weekly
Nearly everyone who experienced a romance scam says it had a lasting emotional impact
How romance scams typically unfold
While scams can take many forms, most follow a familiar pattern. Understanding the progression can help people recognize risk earlier.
Stage
The Red Flags / How it Unfolds
What the scammer wants
What to do instead
1) The hook
A friendly DM, a “wrong number” text, a dating match, a comment reply, a follow request
A response. Any response.
Don’t move fast. Keep the convo on-platform. Don’t give out your number.
2) Love bombing
Daily messages, fast intimacy, mirroring your interests, “I’ve never felt this way”
Trust and routine
Slow it down. Ask for a real-time video call and a specific, verifiable detail.
3) Private channels
“Let’s talk on WhatsApp/Telegram/Signal.” “Don’t tell anyone yet.”
Control and privacy
If someone pushes you off-platform quickly, treat it as a red flag.
4) Building credibility
A “job” story (military, oil rig, entrepreneur), polished photos, voice notes, even AI-assisted video
Believability
Verify independently. Reverse image search photos. Watch for inconsistencies.
5) A financial request
A “small” emergency, a plane ticket, a crypto opportunity, “help me unlock my account,” gift cards, payment app request
Money or financial access
Never send money to someone you haven’t met. Never share financial info or account details.
6) Escalation
“I need a verification code.” “Can you receive money for me?” “Open an account.” “Co-sign.”
Identity theft, account takeover, new credit
Never share MFA codes. Don’t open accounts for anyone. Lock credit if you’ve shared info.
7) Ghosting
Ghosting, deleted accounts, new persona, rinse-and-repeat
Exit before consequences hit them
Preserve evidence, report, and secure your accounts immediately.
Key point: the scariest scams may never send you a sketchy link. They may only send convincing words, and the pressure to act.
Watch out for AI.
AI reduces the “tells” that used to give scammers away. Deepfake audio and video can make someone appear real-time credible. Bot-driven chat can sound polished, attentive, and emotionally responsive.
People who discovered they were dealing with a bot or fake profile said the biggest clues were:
Responses felt scripted or repetitive (52%)
They replied instantly and flawlessly (41%)
Photos looked unnatural or AI-generated (38%)
They avoided voice/video calls (32%)
They made unusual requests early (26%)
The important point is: a smooth conversation is not proof of authenticity. It may be proof of automation.
What to do if you think you’re involved in a romance scam
If you’re reading this and feeling that slow stomach-drop of recognition, the priority is to protect yourself before the situation escalates.
1) Stop sending money and stop sharing information
No more payments. No more screenshots. No more “verification” codes. No more personal details.
If you’ve already shared sensitive info, don’t panic, but act quickly.
2) Document everything
Take screenshots. Save usernames, phone numbers, email addresses, payment handles, transaction confirmations, and any images they sent. If the account disappears, this may be all you have.
3) Lock down your accounts
Change passwords for email, banking, and the platform where you met them
Turn on multi-factor authentication (MFA) everywhere
If you reused passwords anywhere, change those too
4) Check your financial exposure
Romance scams often lead to identity misuse: new accounts, fraudulent applications, or attempts to access your credit.
If you’ve shared identifying details (full name, address, DOB, SSN, photos of documents), consider a protective step that blocks new credit from being opened in your name. McAfee’s Credit Monitoring and Identity Monitoring can help regain security.
5) Reduce your public data footprint
Scammers don’t just use what you tell them. They use what they can look up.
Your phone number, address, relatives, old accounts, and leaked details can be stitched together to make impersonation easier and manipulation more convincing.
Unfriend the scammer on social platforms and tighten your account privacy. Consider options like McAfee’s Personal Data Cleanup
If you sent money, notify your bank/payment provider immediately.
The takeaway:
Romance scams work because they feel real. They exploit trust, vulnerability, and the very human desire for connection, especially in digital spaces where so much of our social and romantic lives now take place.
If you recognize pieces of your own experience in Jules’s story or the research here, you are not alone, and you have nothing to be ashamed of. These scams are designed to be convincing, and anyone can be targeted.
Protections like McAfee’s Scam Detector are built to catch risky messages across text, email, and social channels, adding an extra layer of defense while you focus on building genuine connections.
Awareness, support, and protection go a long way, and help is available when you need it.
This week in scams, three headlines tell the same story: attackers are getting better at manipulating people, not just breaking into systems. We’re seeing a wave of intrusions tied to social engineering, a major delivery platform confirming a breach amid extortion claims, and a big tech headline that has a lot of people rethinking how apps handle their data.
Every week, this roundup breaks down the scam and cybersecurity stories making news and explains how they actually work, so you can spot risk earlier and avoid getting pulled into someone else’s playbook.
Let’s get into it.
A Wave of Cyberattacks Hits Bumble, Match, Panera, and CrunchBase
The big picture: Several major brands were hit by cybersecurity incidents tied to social engineering tactics like phishing and vishing.
What happened: Bloomberg reported that Bumble, Match Group, Panera Bread, and CrunchBase each confirmed incidents.
Bumble said a contractor account was compromised in a phishing incident, which led to brief unauthorized access to a small portion of its network, and said its member database, accounts, messages, and profiles were not accessed.
Panera said an attacker accessed a software application it used to store data, and said the data involved was contact information.
Match said the incident affected a limited amount of user data, and said it saw no indication that user logins, financial information, or private communications were accessed.
CrunchBase said documents on its corporate network were impacted, and said it contained the incident.
According to Bloomberg, cybersecurity firm Mandiant has also warned about a hacking campaign linked to a group that calls itself ShinyHunters. The group is using vishing, which means scam phone calls, to trick people into giving up their login information. Once attackers get those logins, they can access cloud tools and online work systems that companies use every day. The group has said they are behind some of these recent attacks, but that has not been independently confirmed.
Red flags to watch for:
Calls that pressure you to approve a login, reset credentials, or share a one-time code
Messages posing as IT support, a vendor, or “security” that try to rush you
MFA prompts you did not initiate
“Quick verification” requests that bypass normal internal processes
How this works: Social engineering works because it blends into normal life. A convincing message or call gets someone to do one small “reasonable” thing. Approve a prompt. Read a code. Reset access. That is often all an attacker needs to get inside with legitimate credentials, then pivot into the tools where valuable data lives.
TikTok’s Privacy Policy Update Sparks Backlash
Ok, we know this is called “This Week in Scams” but this is also a cybersecurity newsletter. So when the biggest tech and privacy headline of the week is TikTok updating its privacy policy, we have to talk about it.
The big picture: TikTok’s updated terms and privacy policy are raising fresh questions about what data is collected, especially around location.
CBS reported that one major point of concern is language stating TikTok may collect precise location information if users enable location services in device settings. This is reportedly a shift from previous policy language, and TikTok said it plans to give U.S. users a prompt to opt in or opt out when precise location features roll out.
According to CBS, some users are also concerned the new privacy policy would allow the TikTok to more easily share their private data with the federal and local government.
That fear is based on a change in policy language stating that TikTok “processes such sensitive personal information in accordance with applicable law.”
A quick, practical takeaway: This is a good reminder that “privacy policy drama” usually comes down to one thing you can actually control: your app permissions.
What to do (general privacy steps):
Check your phone settings for TikTok and confirm whether location access is Off, While Using, or Always.
If your device supports it, consider turning off precise location for apps that do not truly need it.
Do a quick permission sweep across social apps: location, contacts, photos, microphone, camera, and Bluetooth.
Make sure your account is protected with a strong, unique password and two-factor authentication.
Note: This is not a recommendation about whether to keep or remove any specific app. It’s a reminder that your device settings matter and they are worth revisiting.
Grubhub Confirms a Data Breach Amid Reports of Extortion
The big picture: Even when a company says payment details were not affected, a breach can still create risk because stolen data often gets reused for phishing.
What happened: According to BleepingComputer, Grubhub confirmed unauthorized individuals downloaded data from certain systems and that it investigated, stopped the activity, and is taking steps to strengthen security. Sources told BleepingComputer the company is facing extortion demands tied to stolen data. Grubhub said sensitive information like financial details and order history was not affected, and did not provide more detail on timing or scope.
Red flags to watch for next: Breach headlines are often followed by scam waves. Be on alert for:
“Refund” or “order problem” emails you did not request
Fake customer support messages asking you to verify account details
Password reset prompts you did not initiate
Links to “resolve your account” that don’t come from a known, official domain
How this works: Customer support systems can contain personal details that make scams feel real. Names, emails, and account notes are often enough for attackers to craft messages that sound like legitimate help, especially when the brand is already in the news.
Fake Chrome Extensions Are Quietly Taking Over Accounts
The big picture: Some browser extensions that look like normal workplace tools are actually designed to hijack accounts and lock users out of their own security controls.
What happened: Security researchers told Fox News that they uncovered a campaign involving malicious Google Chrome extensions that impersonate well-known business and human resources platforms, including tools commonly used for payroll, benefits, and workplace access.
Researchers identified several fake extensions that were marketed as productivity or security tools. Once installed, they quietly ran in the background without obvious warning signs. According to Fox News, Google said the extensions have been removed from the Chrome Web Store, but some are still circulating on third-party download sites.
How the scam actually works: Instead of stealing passwords directly, the extensions captured active login sessions. When you sign into a website, your browser stores small files that keep you logged in. If attackers get access to those files, they can enter an account without ever knowing the password.
Some extensions went a step further by interfering with security settings. Victims were unable to change passwords, review login history, or reach account controls. That made it harder to detect the intrusion and even harder to recover access once something felt off.
Why this matters: This kind of attack removes the safety net people rely on when accounts are compromised. Password resets and two-factor authentication only help if you can reach them. By cutting off access to those tools, attackers can maintain control longer and move through connected systems with less resistance.
What to watch for:
Browser extensions you don’t remember installing
Add-ons claiming to manage HR, payroll, or internal business access
Missing or inaccessible security settings on accounts
Being logged into accounts you did not recently open
A quick safety check: Take a few minutes to review your browser extensions. Remove anything unfamiliar or unnecessary, especially tools tied to work platforms. Extensions have deep access to your browser, which means they deserve the same scrutiny as any other software you install.
McAfee’s Safety Tips for This Week
Be skeptical of “helpful” tools. Browser extensions, workplace add-ons, and productivity tools can have deep access to your accounts. Only install what you truly need and remove anything unfamiliar.
Treat calls and prompts with caution. Unexpected login requests, MFA approvals, or “IT support” outreach are common entry points for social engineering. If you didn’t initiate it, pause and verify.
Review app and browser permissions. Take a few minutes to check what apps and extensions can access your location, accounts, and data. Small changes here can significantly reduce risk.
Protect your logins first. Use strong, unique passwords and enable two-factor authentication on email and work-related accounts. If attackers get your email, they can reset almost everything else. McAfee’s Password Manager can help you create and store unique passwords for all of your accounts.
Expect follow-up scams after headlines. When breaches or policy changes make the news, scammers often follow with phishing messages that reference them. Extra skepticism in the days and weeks after a story breaks can prevent bigger problems later.
As Harry Styles concert tickets go on sale for his first tour in years, cybersecurity experts warn that the same excitement driving ticket registrations and social chatter will also drive a spike in ticket scams across social media, email, and text messages.
“When demand spikes around a major tour, ticket scams spike too,” said Abhishek Karnik, Head of Threat Research at McAfee. “We saw this during recent major ticket releases, including the Oasis reunion, when McAfee Labs identified more than 2,000 suspicious ticket listings online.”
“Scammers take advantage of the urgency fans already feel, and the fear of missing out, inserting themselves into social posts, DMs, and text threads with offers that sound normal and believable,” Karnik added.
“Avoid interacting with unknown sellers, especially when offers are made over social media,” Karnik said. “Payments made via wire transfers, cryptocurrency, gift cards, or peer-to-peer platforms like Venmo or Zelle are often not recoverable, which is why it’s safer to buy directly from official ticketing sites or well known resale platforms.”
Where, When, and How to Get Harry Styles Tickets
Styles announced Together, Together on January 22, marking his first tour since 2023.
The residency-style run spans seven cities worldwide: Amsterdam, London, São Paulo, Mexico City, New York, Melbourne, and Sydney. Shows begin in May and continue through December.
According to The Hollywood Reporter, that means just 5% of people who signed up for U.S. tickets will be able to buy them when they go on sale this week.
American Express access presale ticket sales are already live, and Ticketmaster is the primary platform handling official sales.
The rest of the Together, Together tour tickets will be released in two stages:
General on sale for NYC dates August 26 – October 9 begins on Friday, January 30.
General on sale for October 10 – 31 begins Wednesday, February 4.
That staggered release schedule matters. Multiple on-sale moments mean repeated waves of urgency, which scammers often mirror with fake “last chance” messages, counterfeit presale links, or impersonations of ticketing platforms and customer support.
What do Harry Styles tickets cost right now
Ticket prices range widely by seat location and package, with outlets reporting lower prices starting in the $100 range. However, premium seats climb past $1,000. According to Forbes,the average ticket price of his 2022 tour was $113.
That context matters, because it helps fans recognize the biggest red flag in ticket fraud: a too-good-to-be-true price.
If you are seeing “floor seats for $50” while reputable platforms are showing far higher prices for comparable sections, that is not a deal. It is a hook for a scammer.
How ticket scams work
Ticket scams rarely start with “Buy my fake ticket.” They start with the conditions that make people easy to rush: too much noise, too many messages, and too little time to verify what’s real.
McAfee’s State of the Scamiverse survey of 7,500 consumers found people now receive 14 scam messages per day on average, and spend a “time tax” of 114 hours a year sorting real from fake. In that environment, criminals don’t need you to be careless. They just need you to be busy. And major ticket drops create the perfect opening: high demand, fast-moving queues, and price shock that makes a “good deal” feel like something you have to grab immediately.
What’s changed is that scams don’t even need a link anymore. The report found more than 1 in 4 people (26%) say suspicious social messages now arrive without a URL, and 44% admit they reply to those linkless DMs anyway, often triggering the next step of the scam. That’s the blueprint behind many ticket scams today: a believable message, a quick pivot to payment, and pressure to move fast before you can verify.
Below are among the most common ticket-scam patterns to watch for, and exactly how they play out.
Ticket fraud
Ticket fraud is when someone advertises tickets, takes payment, and delivers nothing, or delivers tickets that do not work at the door. This includes fake screenshots, fake confirmation emails, and counterfeit QR codes.
How it plays out:
A seller claims they “cannot make the show.”
They ask you to pay quickly to “hold” the tickets.
They send a screenshot of a ticket or order email.
The tickets never arrive, or the QR code fails when scanned.
Resale duplication scams
A resale duplication scam happens when the scammer sells the same ticket to multiple buyers. Sometimes the scammer has one legitimate ticket and sells it repeatedly. Sometimes they have none and simply reuse the same screenshot.
How it plays out:
You receive something that looks real.
Multiple people show up with the same ticket.
Only the first scan gets in.
Phishing scams
A phishing scam is a message designed to trick you into clicking a link or sharing personal information. Ticket phishing often pretends to be from Ticketmaster, a venue, a presale program, or customer support.
How it plays out:
“Your tickets are on hold, confirm within 10 minutes.”
“Unusual activity detected. Verify your account.”
“Your payment failed. Update billing.”
Modern phishing messages can look polished and grammatically clean, which is why relying on spelling errors is no longer a reliable defense.
Cloned ticket websites
A cloned ticket website is a fake site made to look like a legitimate seller. These sites are built to capture your payment info, personal data, or both.
How it plays out:
You click an ad or link from social media.
The site looks legitimate, but the URL is slightly off.
You “buy” tickets and either receive nothing or later see fraud on your card.
Ticket transfer and account takeover scams
A ticket transfer scam exploits the fact that many tickets are digital and transferable. A related risk is account takeover, where scammers steal your ticketing login and transfer tickets out of your account.
How it plays out:
You get a message claiming your account needs verification.
You enter credentials on a fake page.
The attacker logs in and transfers tickets away.
Fake customer support scams
A fake customer support scam is when scammers pose as a company’s help desk, often after you post publicly that you need help.
How it plays out:
You tweet, post, or comment about ticket issues.
An “agent” messages you first.
They ask for login details, a code, or payment to “unlock” tickets.
A true scam story: Henry’s last-minute ticket scam
Henry A. had been trying for weeks to score a ticket to see Tyler, the Creator in Dallas. Even without a confirmed seat, he headed to the venue hoping for a miracle. And that’s when the message came in, someone nearby claimed to have extra tickets.
The seller said he was just outside too. The price? Reasonable enough. The tone? Casual and confident. All Henry had to do was send half the money to hold the tickets.
Minutes later, he sent the full $280.
“I was already in line—excited, hopeful, and just trying to get in. That made me an easy target.”
The seller began stalling. Then came a screenshot—another buyer offering a higher price. He pressured Henry to pay more. When Henry refused, the seller blocked him.
“I sent $280 and got blocked. We never made it inside.”
What makes Henry’s experience so common is not the platform. It is the pattern:
A believable story
A “reasonable” price
A fast-moving negotiation
A sudden change in terms
Pressure, then disappearance
How to spot a ticket scam fast
Use these red flags as a reality filter:
Red Flag
What It Looks Like in Real Life
Price mismatch
Tickets priced far below or far above comparable listings on official or verified resale platforms.
Urgency tactics
Messages pushing “last chance,” “only today,” or claiming someone else is about to buy.
Unprotected payment requests
Asking for wire transfers, cryptocurrency, gift cards, or peer-to-peer payments to strangers.
Off-platform pressure
Requests to move the transaction to text, DMs, or email instead of using an official site.
Refusal to verify tickets
Sellers unwilling to use a verified resale platform or provide proof that can be independently confirmed.
Suspicious links
Shortened URLs, unusual domains, or ticket links sent through direct messages.
Safer ways to buy tickets
If you want the simplest rule: buy through official ticketing and verified resale platforms that offer buyer protection. Scammers can create fake accounts anywhere, but they cannot easily bypass legitimate purchase protections.
Practical steps:
Go direct: Type the official ticketing URL into your browser, do not follow random links.
Use protected payment: Credit cards generally offer stronger dispute options than unprotected transfers.
Avoid risky payment demands: Crypto, gift cards, and wires are common in fraud because they are hard to reverse.
Secure your accounts: Use strong passwords and enable two-factor authentication where available.
Pause before paying: Scammers depend on emotional momentum.
How Scam Detector can help
Tools like McAfee’s Scam Detector can act as a second set of eyes when messages or links are designed to rush you.
Scam detection can help flag suspicious language patterns, risky links, and social engineering tactics before money leaves your account.
Scams don’t always arrive with obvious warning signs.
They show up as QR codes on parking meters. As casual DMs that start with “Hey.” As social messages that feel routine enough to respond to without thinking twice.
That shift has created a new burden for consumers. According to McAfee’s 2026 State of the Scamiverse report, Americans now spend 114 hours a year trying to figure out what’s real and what’s fake online. That is nearly three full workweeks lost to second-guessing messages, alerts, links, and notifications.
McAfee’s upgraded Scam Detector is designed to meet people in those exact moments, with enhancements rolling out across core McAfee plans beginning in February.
The latest improvements add instant QR code scam checks and smarter social messaging protection, making it easier to spot scams before they escalate.
Figure 1: An example of a suspicious text being flagged by McAfee’s Scam Detector
What’s new in McAfee’s Scam Detector
Scams now move quickly across platforms and formats, often escalating in minutes once someone engages. Among people who were harmed by a scam, the typical scam unfolded in about 38 minutes.
That speed leaves little room for hesitation. Scam protection has to work in real time, not after the damage is done.
McAfee’s latest Scam Detector upgrades are designed around that reality, adding:
Instant QR code safety checks, so users can assess risk before tapping
Smarter social messaging protection, with clearer warnings for suspicious texts, emails, and DMs, even when no link is present
These Scam Detector upgrades will begin rolling out in February across all core McAfee plans, bringing real-time protection to the moments where scams escalate fastest.
QR codes, quishing, and why instant scans are needed
QR codes were designed for convenience. That is exactly why scammers use them.
Cybercriminals increasingly hide malicious links behind QR codes placed on menus, parking meters, packages, posters, and public signage. People scan quickly, often without stopping to evaluate where the code leads.
McAfee research shows how common this risk has become:
68% of people scanned a QR code in the past three months
18% landed on a suspicious or unsafe page after scanning
Among those who did, more than half took risky actions such as entering personal information, installing an app, or connecting a digital wallet
Figure 2. A still from a demo video, showing a risky QR code being blocked by McAfee’s Scam Detector
Social media scams and the rise of linkless messages
Phishing is no longer confined to emails with obvious red flags.
Scams now arrive through WhatsApp, Instagram, Messenger, Telegram, and other social platforms, often starting as vague or friendly messages designed to lower suspicion rather than trigger alarm.
McAfee’s research highlights a key shift: more than one in four suspicious social messages contain no link at all, and 44% of Americans say they have replied to a suspicious DM with no link.
These messages rely on familiarity and momentum. A short greeting. A warning about an account issue. A promise of easy money. By the time a request or link appears, the conversation already feels normal.
And the economic impact of these scams is significant. According to the FTC, social media scams drove $1.9 billion in reported losses in 2024, making social platforms one of the top channels for fraud and identity theft.
That’s why McAfee’s Scam Detector includes smarter social messaging protection, delivering clearer warnings for suspicious texts, emails, and DMs, even those without risky links, across popular platforms. The focus is on identifying suspicious patterns and behavior, not just URLs.
Users can take a quick screenshot of their social media content on social media, and McAfee’s Scam Detector will analyze the message for suspicious activity.
Get protection that works before scams escalate
The stakes are high:
One in three Americans has lost money to a scam
Among those who lost money, the average loss was $1,160
15% of scam victims fall for another scam within a year
Scams are not just increasing in volume. They are becoming more personal, more believable, and easier to scale using AI.
McAfee’s upgraded Scam Detector is designed to stay ahead of those shifts, offering real-time guidance when it matters most, whether that’s a suspicious QR code, a vague DM, or a message that feels just normal enough to trust.
The enhanced Scam Detector, including instant QR code checks and smarter social messaging protection, will begin rolling out in February across all core McAfee plans.
Merriam-Webster’s word of 2025 was “slop.” Specifically, AI slop.
Low-effort, AI-generated content now fills social feeds, inboxes, and message threads. Much of it is harmless. Some of it is entertaining. But its growing presence is changing what people expect to see online.
McAfee’s 2026 State of the Scamiverse report shows that scammers are increasingly using the same AI tools and techniques to make fraud feel familiar and convincing. Phishing sites look more legitimate. Messages sound more natural. Conversations unfold in ways that feel routine instead of suspicious.
According to McAfee’s consumer survey, Americans now spend an average of 114 hours a year trying to determine whether the messages they receive are real or scams. That’s nearly three full workweeks lost not to fraud itself, but to hesitation and doubt.
As AI-generated content becomes more common, the traditional signals people relied on to spot scams, such as strange links and awkward grammar, are fading. That shift does not mean everything online is dangerous. It means it takes more effort to tell what is real from what is malicious.
The result is growing uncertainty. And a rising cost in time, attention, and confidence.
The average American receives 14 scam messages a day
Scams are no longer occasional interruptions. They are a constant background noise.
According to the report, Americans receive an average of 14 scam messages per day across text, email, and social media.
Many of these messages do not look suspicious at first glance. They resemble routine interactions people are conditioned to respond to.
Delivery notices
Account verification requests
Subscription renewals
Job outreach
Bank alerts
Charity appeals
And with the use of AI tools, scammers are churning out these scam messages and making them look extremely realistic.
That strategy is working. One in three Americans says they feel less confident spotting scams than they did a year ago.
Figure 1. Types of scams reported in our consumer survey.
Most scams move fast, and many are over in minutes
The popular image of scams often involves long email threads or elaborate schemes. In reality, many modern scams unfold quickly.
Among Americans who were harmed by a scam, the typical scam played out in about 38 minutes.
That speed matters. It leaves little time for reflection, verification, or second opinions. Once a person engages, scammers often escalate immediately.
Still, some scammers play the long game with realistic romance or friendship scams that turn into crypto pitches or urgent requests for financial support. Often these scams start with no link at all, but just a familiar DM.
In fact, the report found that more than one in four suspicious social messages contain no link at all, removing one of the most familiar warning signs of a scam. And 44% of people say they have replied to a suspicious direct message without a link.
The cost is not just money. It is time and attention.
Financial losses from scams remain significant. One in three Americans report losing money to a scam. Among those who lost money, the average loss was $1,160.
But the report argues that focusing only on dollar amounts understates the broader impact: scams also cost time, attention, and emotional energy.
People are forced to second-guess everyday digital interactions. Opening a message. Answering a call. Scanning a QR code. Responding to a notification. That time adds up.
And who doesn’t know that sinking feeling when you realize a message you opened or a link you clicked wasn’t legitimate?
Figure 3. World Map of Average Scam Losses.
Why AI slop makes scams harder to spot
The rise of AI-generated content has changed the baseline of what people expect online. It’s now an everyday part of life.
According to the report, Americans say they see an average of three deepfakes per day.
Most are not scams. But that familiarity has consequences.
When AI-generated content becomes normal, it becomes harder to recognize when the same tools are being used maliciously. The report found that more than one in three Americans do not feel confident identifying deepfake scams, and one in ten say they have already experienced a voice-clone scam. Voice clone scams often feature AI deepfake audio of public figures, or even people you know, requesting urgent financial support and compromising information.
These AI-generated scams also come in the form of phony customer support outreach, fake job opportunities and interviews, and illegitimate investment pitches.
Account takeovers are becoming routine
Scams do not always end with an immediate financial loss. Many are designed to gain long-term access to accounts.
The report found that 55% of Americans say a social media account was compromised in the past year.
Once an account is taken over, scammers can impersonate trusted contacts, spread malicious links, or harvest additional personal information. The damage often extends well beyond the original interaction.
Scams are blending into everyday digital life
What stands out most in the 2026 report is how thoroughly scams have blended into normal online routines.
Scammers are embedding fraud into the same systems people rely on to work, communicate, and manage their lives.
Cloud storage alerts (such as Google Drive or iCloud notices) warning that storage is full or access will be restricted unless action is taken, pushing users toward fake login pages.
Shared document notifications that appear to come from coworkers or collaborators, prompting recipients to open files or sign in to view a document that does not exist.
Payment confirmations that claim a charge has gone through, pressuring people to click or reply quickly to dispute a transaction they do not recognize.
Verification codes sent unexpectedly, often as part of account takeover attempts designed to trick people into sharing one-time passwords.
Customer support messages that impersonate trusted brands, offering help with an issue the recipient never reported.
Figure 4: Example of a cloud scam message.
The Key Takeaway
Not all AI-generated content is a scam. Much of what people encounter online every day is harmless, forgettable, or even entertaining. But the rapid growth of AI slop is creating a different kind of risk.
Constant exposure to synthetic images, videos, and messages is wearing down people’s ability to tell what is real and what is manipulated. The State of the Scamiverse report shows that consumers are already struggling with that distinction, and the data suggests the consequences are compounding. As digital noise increases, so does fatigue. And fatigue is exactly what scammers exploit.
FTC data shows losses from scams continuing to climb, and McAfee Labs is tracking a rise in fraud that blends seamlessly into everyday digital routines. Cloud storage warnings, shared document notifications, payment confirmations, verification codes, and customer support messages are increasingly being mimicked or abused by scammers because they look normal and demand quick action.
The danger of the AI slop era is not that everything online is fake. The danger is that people are being forced to question everything. That constant doubt slows judgment, erodes confidence, and creates openings for fraud to scale.
In 2026, the cost of scams is no longer measured only in dollars lost. It is measured in time, attention, and trust, and those losses are still growing.
FAQ: Understanding the AI Slop Era and Modern Scams
Q: What is AI slop?
A: The term refers to the flood of low-quality, AI-generated content now common online. While much of it is harmless, constant exposure can make it harder to identify when similar technology is used for scams.
Q: How much time do Americans lose to scams?
A: Americans spend 114 hours a year determining whether digital messages and alerts are real or fraudulent. That is nearly three workweeks.
Q: How fast do scams happen today?
A: Among people harmed by scams, the typical scam unfolds in about 38 minutes from first interaction to harm.
Q: How common are deepfake scams?
A: Americans report seeing three deepfakes per day on average, and one in ten say they have experienced a voice-clone scam.
Login
Figure 1. Types of scams reported in our consumer survey.
