McAfee Labs has uncovered a widespread malware campaign hiding inside fake downloads for things like game mods, AI tools, drivers, and trading utilities.
What makes this campaign especially notable is that some parts of it appear to have been built with help from large language models (LLMs). McAfee researchers found signs that certain scripts likely used AI-generated code, which may have helped the attackers create and scale the campaign faster.
That does not mean AI created the whole operation on its own. But it does suggest AI may be helping cybercriminals lower the effort needed to build malware and launch attacks.
Attackers created many different fake downloads to reach more victims
48 malicious DLL variants
The campaign used multiple versions of the malware, not just one file
1,700+ file names observed
The same threat was repackaged under many different names to look convincing
17 distinct kill chains
Researchers found multiple attack flows, but they followed a similar overall pattern
Hosted on familiar platforms
The malware was distributed through services users may recognize, including Discord and SourceForge
AI-assisted code suspected
Some scripts contained explanatory comments and patterns that strongly suggest LLM assistance
Cryptomining and additional malware observed
Infected devices could be used to mine cryptocurrency or receive more malicious payloads
What Is “AI-Written Malware”?
In this case, “AI-written malware” does not meanan AI system independently invented and launched the attack.
Instead, McAfee Labs found evidence that the attackers very likely used AI tools to help generate some of the code used in the campaign, especially in certain PowerShell scripts.
Put simply:
Term
Plain-English meaning
Large language model (LLM)
An AI system that can generate text and code based on prompts
AI-assisted malware
Malware where attackers appear to have used AI tools to help write or structure parts of the code
Vibe coding
A style of coding where someone describes what they want and an AI does much of the writing
This matters because it can make malware development faster, easier, and more scalable for attackers.
Figure 1: Attack Vector
How The Fake Download Attack Works
The attack begins when someone searches for software online and downloads what looks like the tool they wanted.
That tool might appear to be a game mod, AI voice changer, emulator, trading utility, VPN, or driver. But behind the scenes, the ZIP archive includes malicious components that start the infection.
Step
What happens
1. A user downloads a fake file
The ZIP archive is disguised as something useful or desirable, such as a mod menu, AI tool, or driver
2. The file appears normal at first
In some cases, the package includes a legitimate executable so it feels more convincing
3. A malicious DLL is loaded
A hidden malicious file, often WinUpdateHelper.dll, starts the real attack
4. The user is distracted
The malware may display a fake “missing dependency” message and redirect the user to install unrelated software
5. A PowerShell script is pulled from a remote server
While the user is distracted, the malware contacts a command-and-control server and runs additional code
6. More malware is installed
Depending on the sample, the device may receive coin miners, infostealers, or remote access tools
7. The infected device is abused for profit
In many cases, attackers use the victim’s system resources to mine cryptocurrency in the background
What Kinds of Files Were Used as Bait
McAfee found that the attackers cast a very wide net. The malicious ZIP files impersonated many types of software, including:
Bait category
Examples
Gaming tools
game mods, cheats, executors, Roblox-related tools
AI-themed tools
AI image generators, AI voice changers, AI-branded downloads
System utilities
graphics drivers, USB drivers, emulators, VPNs
Trading or finance tools
stock-market utilities and related downloads
Fake security or malware tools
fake stealers, decryptors, and other risky-looking utilities
That broad range is part of what made the campaign effective. It was designed to catch people already looking for shortcuts, unofficial tools, or hard-to-find software.
Why McAfee Researchers Believe AI Was Used
One of the strongest clues came from the comments inside some of the attack scripts.
McAfee researchers found explanatory comments that looked more like AI-generated instructions than the kind of shorthand attackers usually leave for themselves. In one example, a comment referred to downloading a file from “your GitHub URL,” which suggests the code may have come from a generated template and was not fully cleaned up before use.
These details do not prove every part of the campaign was AI-made. But they do support McAfee’s assessment that certain components were likely generated with help from large language models.
What Happens on an Infected Device
In many cases, the malware was used to turn victims’ computers into quiet crypto-mining machines.
McAfee observed mining activity involving several cryptocurrencies, including:
Ravencoin
Zephyr
Monero
Bitcoin Gold
Ergo
Clore
Some samples also downloaded additional payloads such as SalatStealer or Mesh Agent.
For victims, that can mean:
Possible effect
What it may look like
Slower performance
apps lag, games stutter, system feels unusually sluggish
High CPU or GPU usage
fans run constantly, laptop gets hot, battery drains faster
if an infostealer or remote access tool is installed
McAfee was also able to trace several Bitcoin wallets tied to the campaign. At the time of the report, those wallets held about $4,536 in Bitcoin, while total funds received were approximately $11,497.70. Researchers note the real total could be higher because some of the currencies involved are harder to trace.
Who Was Targeted Most
This campaign was observed most heavily in:
United States
United Kingdom
India
Brazil
France
Canada
Australia
That does not mean users elsewhere were unaffected. These were simply the countries where researchers saw the highest prevalence.
Figure 2: Geographical Prevalence
Red Flags To Watch For
Even though the campaign used advanced techniques, the warning signs for users were often familiar.
Red flag
Why it matters
You found the file through a random link
Unofficial forums, Discord links, and file-hosting pages are common malware delivery paths
The download is a ZIP for something sketchy or unofficial
Cheats, cracks, mod tools, and unofficial utilities carry higher risk
You get a “missing dependency” message
Attackers may use this to push a second download while the real infection happens in the background
The file name looks right, but the source feels wrong
Familiar names can be faked easily
Your PC suddenly slows down or overheats
Hidden cryptominers often abuse system resources
You notice new, unrelated software installed
The campaign sometimes used unwanted software installs as a distraction
How To Stay Safe From Malware Hidden in Fake Downloads
This campaign is a reminder that not every convincing file is a safe one. A few habits can reduce your risk significantly.
Safety step
Why it helps
Download software only from official sources
This lowers the chance of accidentally installing a trojanized file
Avoid cheats, cracks, and unofficial mods
These categories are common bait for malware campaigns
Be skeptical of dependency prompts
Unexpected requests to install helper files or missing components can be part of the attack
Keep your security software updated
Current protection can help detect known threats and suspicious behavior
Pay attention to system performance
A suddenly hot, loud, or slow PC may be a sign something is running in the background
Review what you download before opening it
Even a familiar file name does not guarantee a file is legitimate
McAfee helps protect against malware threats like these with multiple layers of security, including malware detection and safer browsing protections designed to help stop risky downloads before they can do damage.
What To Do If You Think You Opened One of These Files
If you think you downloaded and ran a suspicious file like one described in this campaign:
Action
Why it matters
Disconnect from the internet
This can help interrupt communication with attacker-controlled servers
Run a full security scan
A trusted scan can help identify malicious files and behavior
Delete suspicious downloads
Remove the file and avoid reopening it
Check for unfamiliar software or startup items
The infection may have installed additional components
Change important passwords from a clean device
This is especially important if data-stealing malware may have been involved
Monitor accounts for unusual activity
Keep an eye on email, banking, and other sensitive accounts
If your computer continues acting strangely after a scan, it may be worth getting professional help.
What This Means for the Future of Malware
This campaign highlights how cybercrime is evolving.
The core risk is not just fake downloads. It is the fact that attackers are using AI tools to help generate code, create variations, and speed up parts of the malware development process.
That can make campaigns like this easier to scale and harder to ignore.
For everyday users, the takeaway is simple: if a file seems unofficial, rushed, or too good to be true, pause before opening it. A fake download may look like a shortcut, but it can quietly turn your device into a target.
Frequently Asked Questions
FAQs
Q: What is AI-written malware?
A: AI-written malware generally refers to malicious code, or parts of a malware campaign, that appear to have been created with help from AI coding tools or large language models.
Q: Did AI create this entire malware campaign?
A: McAfee Labs did not say that. The research suggests that certain components, especially some scripts, were likely generated with help from large language models.
Q: What was this malware disguised as?
A: The malicious files impersonated game mods, AI tools, drivers, trading utilities, VPNs, emulators, and other software downloads.
Q: What can happen if you open one of these fake files?
A: Depending on the sample, the malware may install coin miners, steal data, establish persistence, or download additional malicious tools.
Q: Can malware really use my computer to mine cryptocurrency?
A: Yes. McAfee observed samples in this campaign that used victims’ CPU and GPU resources to mine cryptocurrency in the background.
Q: What is the safest way to avoid this kind of malware?
A: Download software only from official or trusted sources, avoid unofficial tools and cheats, be cautious of fake dependency prompts, and keep your security protection up to date.
The term ‘Vibe coding,’ first coined back in February of 2025 by OpenAI researchers, has exploded across digital platforms. With hundreds of articles and YouTube Videos discussing the dangers of Vibe coding and warning the internet about the rise of “Vibe Coders”, while others labelled it as the fundamental shift in software development and the future of coding.
Vibe Coding is an approach where the AI does heavy lifting, rather than the user. Instead of manually writing code or implementing algorithms, users describe their intent through text-based prompt, and the LLMs respond with fully functional code and explanation. Unsurprisingly, the internet is now flooded with guides on the best LLMs and prompts to generate “perfect” code.
Given the ease of generating fully functional code, McAfee Labs has also seen a rise in vibe-coded malware. In these campaigns, certain components of the kill chain contain AI-generated code, significantly reducing the effort and knowledge required to execute new malware campaigns. This shift not only makes malware campaigns more scalable but also lowers the barrier to entry for new malware authors.
Executive summary
In January 2026, McAfee Labs observed 443 malicious zip files impersonating a wide range of software, including AI image generators and voice-changing tools, stock-market trading utilities, game mods and modding tools, game hacks, graphics card and USB drivers, ransomware decryptors, VPNs, emulators, and even infostealer, cookie-stealer, and backdoor malware, to infect users.
Across the 440+ zip files, we observed 48 unique malicious WinUpdateHelper.dll variants, responsible for the infections. McAfee has been detecting variants of this threat since December 2024, although the vibe coding observed in certain components appears to be a recent addition. These files are distributed through various legitimate content delivery network (CDN) services and file-hosting websites, such as Discord, SourceForge, FOSSHub, and MediaFire, to name a few. Another website that was actively delivering this malware was mydofiles[.]com.
Here, the attackers implement volume-driven malware distribution techniques to infect as many users as possible.
Figure 1: Attack Vector
This attack begins when users surf the internet looking for tools and software that promise to simplify their tasks. Instead, they encounter trojanized zip files.
We discovered over 100 URLs actively spreading this malware, of which approximately 61 were hosted on Discord, 17 on SourceForge, and 15 on mydofiles[.]com.
On running the executable, it loads a malicious WinUpdateHelper.dll file, which redirects the user to file-hosting websites, under the disguise that they are missing crucial dependencies and tricks them into installing unrelated software, which is a distraction. Meanwhile, the DLL has already requested and executed a malicious PowerShell script from a command-and-control (C2) server.
This script infects the user’s system and downloads additional mining software, and abuses the system’s resources, or it downloads additional payloads such as SalatStealer or Mesh Agent, depending on the WinUpdateHelper.dll sample which infected the user.
In this PowerShell script, the presence of explanatory comments and structured sections strongly indicates the use of LLM models to generate this code.
Read more about this in the Using AI to generate malware? section below.
So far, we’ve observed the mining of Ravencoin, Zephyr, Monero, Bitcoin Gold, Ergo, andClorecryptocurrencies.
Due to the presence of hardcoded Bitcoin wallet credentials within these malware samples, we were able to trace on-chain transactions and identify wallets containing over $4,500 USD that are part of this campaign.
Since most of the mining activity targets privacy-focused cryptocurrencies such as Zephyr, Ravencoin and Monero, the real financial impact is likely to be nearly double the amount identified through Bitcoin tracing alone.
Geographical Prevalence
Figure 2: Geographical Prevalence
This malware campaign has specifically targeted users in the following counties, ranked by prevalence: The United States of America, followed by United Kingdom, India, Brazil, France, Canada, Australia.
Bottom Line
The availability of LLMs capable of generating code instantly, combined with the widespread accessibility of technical knowledge, has created a low-effort, high-reward environment, making malware deployment increasingly accessible.
At McAfee Labs, we have been doing hard work so that you don’t need to worry. But it always helps to be informed and educated on the latest threat that steps into the threat landscape. We will continue monitoring these campaigns to ensure our customers remain informed and protected across platforms.
Technical Analysis
Impersonated Applications
Here we see malware distribution at a large scale and by analyzing the filenames of these ZIP archives, we can infer to the users that are being targeted. These are some of the names we’ve witnessed in the wild.
Figure 3: Malware Impersonating gaming software
The attackers are actively impersonating video game cheats and game mods for popular titles, and well-known script executors for Roblox, such as Delta Executor and Solara as seen above.
Figure 4: Malware Impersonating tools, malware and drivers
Names such as Panther-Stealer and Zerotrace-Stealer indicate that even users looking for malware on the internet are not safe either, reinforcing the notion that there is truly no honor among thieves.
The campaign also leverages drivers and AI-themed tools as part of its lure portfolio among other tools. Interestingly, we see the name ‘DeepSeek.zip’, where attackers are exploiting a prominent LLM model, DeepSeek. McAfee had encountered these types of attacks in early 2025 and covered them extensively.
Once the user downloads the ZIP archive from Discord or any other website. They get the following set of files.
Figure 5: Files within the zip archive.
Here, the executable named ‘gta-5-online-mod-menu.exe’ (Highlighted in Blue) is a legitimate and clean file. Whereas the file named ‘WinUpdateHelper.dll’ (Highlighted in Red) is malicious.
Figure 6: Command Prompt misinforming the user
On executing ‘gta-5-online-mod-menu.exe’, the malicious DLL is loaded. The user is informed that they are missing dependencies, and they’re redirected to the following URL via default browser.
Here, within the URL, a tracker variable is used to identify which malware has infected the user. In this instance, it was ‘gta-5-online-mod-menu’.
Figure 7: Website prompting users to download dependencycore.zip
Dependecycore.zip is a setup file. On execution, it installs unrelated 3rd party software on the victim’s system.
Figure 8: Files dropped by Dependecycore.zip in temp folder
In this instance, iTop Easy Desktop was installed.
This unwanted installation is meant to subvert users’ attention. As, the WinUpdateHelper.dll has already connected to the C2 server and infected the system.
Stage 1 Payload – Malicious Functionality
Once the redirection code is executed, the malware executes the malicious code.
Figure 9: Malicious code within WinUpdateHelper.dll
In the above code snippet, which is present in the WinUpdateHelper.dll, we can see that a new service has been created under the name “Microsoft Console Host” to make it appear to be benign (Highlighted in Red). The parameters passed to this service ensure that it executes at system boot. This is done to maintain persistence in the system.
The service executes a PowerShell command that dynamically generates the C2 domain using the UNIX time stamp.
Using the following code, $([Math]::Floor([DateTimeOffset]::UtcNow.ToUnixTimeSeconds() / 5000000) * 5000000).xyz
It generates a domain name that changes once every 5,000,000 seconds or 58 days.
The latest C2 domain we’ve discovered that is up and running is 1770000000[.]xyz/script?id=fA9zQk2L0M&tag=WinUpdateHelper
During our analysis we observed the following domain 1765000000[.]xyz/script?id=fA9zQk2L0M&tag=WinUpdateHelper, which is present in the following images.
Here the id=fA9zQk2L0M is randomly generated, to uniquely identify the user and tag=WinUpdateHelper is used to identify the malware campaign.
The malware connects to the above-mentioned C2 server to download a PowerShell script and execute it in memory. This fileless execution ensures improved evasion against signature-based detections.
Stage 2 Payload – PowerShell Script
Figure 10: PowerShell downloaded from the C2 server
It is funny to note here, that the first comment of this script says “# I am forever sorry” which indicates that the attacks do carry some guilt regarding their actions, but not enough to stop the campaign. We found similar comments, such as “# sorry lol”, across multiple PowerShell scripts we discovered.
The first set of commands (Highlighted in Green) are used to delete windows services and scheduled tasks. This is done to remove older or conflicting persistence mechanisms and to avoid duplicate miners from running on the same system.
The second set of commands (Highlighted in Red) are registry modifications, that adds “C:\ProgramData” to Windows Defender exclusion paths. That is, ProgramData Folder won’t be scanned by Windows Defender anymore. This exclusion allows malware to drop additional payloads to disk, without the risk of them being detected and removed.
The third set of commands (Highlighted in Blue) does exactly that. It downloads the next level payload from the URL “hxxps://1765000000[.]xyz/download/xbhgjahddaa” and stored it at this path “C:\ProgramData\fontdrvhost.exe”.
Again the name ‘fontdrvhost.exe’ imitates a legitimate Windows binary, to masquerade its true intent. After the download, the file is decoded using a simple arithmetic decryption routine. This provides protection against static signature detection and network detection.
The payload is an XMRIG miner sample. In the next command, the miner is initialized and executed. Here, we see the miner connecting to “solo-zeph.2miners.com:4444” and start CPU based Zephyr coin mining using the following wallet address: ‘ZEPHsCY4zbcHGgz2U8PvkEjkWjopuPurPNv8nnSFnM5MN8hBas8kBN4hoNKmc7uMRfUQh4Fc9AHyGxL6NFARnc217m2vYgbKxf’.
Figure 11: PowerShell downloaded from the C2 server continued
In the second half of the script, we see another miner being set up and executed using the same technique (Highlighted in Red). This time the file is stored as “RuntimeBroker.exe” in the ProgramData folder. The miner is connecting to “solo-rvn.2miners.com:7070” to mine Ravencoin and it is using the system’s GPU instead of the CPU for mining (Highlighted in Blue).
This is the wallet address used for mining in this instance ‘bc1q9a59scnfwkdlm6wlcu5w76zm2uesjrqdy4fr8r’.
Hence, we see a dual coin-mining deployment infrastructure utilizing both CPU and GPU resources to optimize mining efficiency.
Bitcoin? Interesting…
What is interesting here is that attackers have used a bitcoin wallet address for mining Ravencoin, which indicates they are using multi-coin pools for mining. The attackers are using the victims’ machine to mine Ravencoin and automatically convert the mining rewards to Bitcoin before the payout.
This is done for a variety of reasons, such as, bitcoin offers higher liquidity and has broader acceptance, but most importantly, Ravencoin is computationally easier and economically viable to mine on victim’s system. Bitcoin requires specialized ASIC hardware for profitable mining and attempting to mine Bitcoin directly on infected systems would generate negligible returns. We’ve seen the same behaviour in multiple samples.
This is a smoking gun. Unlike Zephyr coin or Monero, Bitcoin’s blockchain is fully traceable. Every Satoshi, the smallest unit of Bitcoin, can be traced across the blockchain from the moment it was mined to its current holder. From there, it becomes easy to determine how much cryptocurrency the threat actor is receiving. More on this later.
Anti-Analysis Techniques
The attackers have meticulously designed the campaign and have implemented various anti-analysis techniques to thwart researchers.
The PowerShell script we’ve seen above is responsible for downloading and initializing the coin miner samples. It is only accessible via PowerShell. If we try to access the server via Curl, we get the following response.
Figure 12: 301 Response from the server
This indicates that the server is actively monitoring the User-Agent of incoming requests and deploys the payload only when the request originates from PowerShell.
Similarly, the URLs embedded within the PowerShell script that download the next payload are unique to each victim and remain active for 60 seconds. After that, they return a 404 Not Found error.
Figure 13: URLs within the PowerShell
These techniques are meant to confuse and disorient researchers, making the analysis difficult.
Using AI to generate malware?
While working on this malware campaign, we came across over 440 unique zip files. These same zip files were distributed with over 1700 different names, targeting various software.
Across these 440 zip files, we noticed 48 unique variants of WinUpdateHelper.dll. These 48 files can be clustered together into 17 distinct kill chains, each featuring their own C2 infrastructure, misleading installation setups, second-stage PowerShell scripts and final payloads, yet the cryptocurrency wallet credentials remain similar.
In the above technical analysis, we’ve only covered 1 kill chain. Yet, across these 17 kill chains, we’ve noticed the flow remain the same.
Figure 14: PowerShell Script with LLM-Generated Comments
Across multiple second stage payloads, we encounter multiple comments such as the following, embedded within the code:
# === Create and execute run.bat in C:\ProgramData ===
:: This batch file:
:: – Creates the hidden folder C:\ProgramData\cvtres if it doesn”t exist (using CMD attrib for hidden + system)
:: – Downloads cvtres.exe from your GitHub URL
:: – Saves it to C:\ProgramData\cvtres\cvtres.exe
:: – Executes it immediately
:: – Runs completely hidden/minimized (no window visible)
The presence of such explanatory-style comments indicates that large language models were likely used during the development of these scripts. Especially, the comment “Downloads cvtres.exe from your GitHub URL”, where ‘Your GitHub URL’ refers to the threat actor’s GitHub repository that is hosting the malware, which indicates potential vibe coding.
Tracking Bitcoin Across the Blockchain
During analysis of this malware campaign, we came across few instances where the final payload was Infostealer malware. In most cases it was coin miner samples. In these cases, we encountered wallet credentials and mining pool URLs for several alternative cryptocurrencies such as Ravencoin, Zephyr, Monero, which aren’t traceable.
Fortunately, we came across 7 bitcoin wallets that are part of this malware campaign and are actively receiving mined cryptocurrency.
Whether you’re a hardcore basketball fan or the office colleague who gets roped into filling out a bracket every year, March Madness is the season for brackets, office pools, and last-minute picks.
More than half of Americans (57%) plan to watch the NCAA basketball tournament, and 55% say they participate in some kind of betting or bracket activity during March Madness, from office pools to licensed sportsbook wagers.
But where there’s excitement and money, scammers aren’t far behind.
New research from McAfee finds that 1 in 3 Americans (32%) say they’ve experienced a betting or gambling scam, and 24% say they’ve lost money to one, with victims losing an average of $547.
Big events like March Madness create the perfect storm: massive attention, constant betting promotions, and fans searching online for predictions, tips, and an edge.
Scammers know it, and they’re exploiting the moment.
This example shows an incredibly realistic, but fake, FanDuel site created by scammers to impersonate the real thing.
Why March Madness is Prime Time for Betting Scams
Sports betting promotions are everywhere during major events like March Madness.
According to McAfee research, 82% of Americans say they’ve seen sports betting promotions or offers in the past year, often on social media, streaming broadcasts, and sports websites.
That flood of promotions makes it easier for scams to blend in with legitimate content.
Many scams start the same way legitimate offers do, through messages, ads, or links promising bonuses or tips. But once someone clicks or responds, the situation can escalate quickly.
For example:
42% of Americans say they’ve been asked to click a link sent via email tied to a betting offer
Others report links sent through social media messages or text messages directing them to betting sites, apps, or private betting groups
In many cases, victims are then asked to send money to unlock winnings, activate accounts, or access premium betting picks.
The payout rarely exists.
The Most Common Betting Scams Fans Encounter
Betting scams come in several forms, but many follow familiar patterns.
Here are some of the most common tactics reported in McAfee’s research:
Scam Type
Definition
How It Works
Red Flags
Guaranteed Win Scam
A betting scam where someone promises a “guaranteed win,” “sure bet,” or “can’t lose” outcome in exchange for money, clicks, or sign-ups. According to McAfee Findings, about 1 in 6 Americans say they’ve received these kinds of messages, which are designed to lure fans looking for an edge.
Scammers send private messages, emails, or social posts claiming they have insider knowledge or a lock on a game. The goal is usually to get the victim to pay for picks, join a private group, or click a malicious link.
Claims that a bet is guaranteed, pressure to act fast, requests for payment to access picks, and promises that sound risk-free.
Fake Free Bet Promotion Scam
A scam that pretends to offer bonus bets, deposit matches, or free credits through a fake sportsbook promotion.
The victim sees what looks like a real sportsbook offer, often through social media, email, or text. Clicking may lead to a fake site that steals login details, payment information, or deposits.
Unfamiliar brand names, unofficial links, urgent sign-up language, and promotions that seem unusually generous.
Winnings Release Fee Scam
A scam where a victim is told they have winnings waiting, but must first pay a fee, deposit, or processing charge to collect them.
The scammer claims the user has won money, then invents a reason payment is required before the funds can be released. Once the fee is sent, the payout never arrives.
Requests to pay before receiving winnings, vague “processing” or “verification” fees, and pressure to send money immediately.
Fake Betting App or Website Scam
A scam involving a fraudulent app or website designed to look like a real sportsbook or betting platform.
Victims are directed to a fake platform where they may create an account, enter personal information, or deposit money. The site may appear legitimate, but withdrawals are blocked or impossible.
Slightly misspelled URLs, strange app download paths, poor website quality, and platforms that make deposits easy but withdrawals difficult.
Sportsbook Impersonation Scam
A scam in which someone pretends to represent a legitimate betting platform or sportsbook support team.
The scammer contacts the victim claiming there is an issue with an account, a bonus, or winnings. They then ask for login credentials, payment details, or personal information.
Requests for passwords, bank details, or identity information; unexpected outreach; and messages pushing you to resolve an “account issue” through a link.
Fake Insider Tip Scam
A scam that uses claims of insider information, fixed games, or special access to make a betting offer sound exclusive and trustworthy.
Scammers position themselves as experts, insiders, or connected sources who can help the victim beat the odds. The real goal is usually payment, account access, or enrollment in a scam betting channel.
Claims of fixed outcomes, “insider” knowledge, exclusive access, and offers that rely on secrecy or urgency.
Celebrity or Influencer Endorsement Scam
A betting scam that uses fake or misleading celebrity, athlete, or influencer endorsements to make an offer seem legitimate.
Scammers create ads, videos, or posts that appear to feature a public figure recommending a betting platform, app, or tip service. In some cases, AI-generated content makes these endorsements look more convincing.
Endorsements that seem off-brand, videos or graphics that look unnatural, unfamiliar accounts, and promotions tied to fake urgency or suspicious links.
Private Betting Group Scam
A scam that tries to move betting conversations into private channels like WhatsApp, Telegram, or Signal.
After initial contact on social media or another public platform, the scammer encourages the victim to join a private group for “exclusive picks,” “VIP bets,” or “premium insights.” These groups are often used to pressure victims into sending money or clicking malicious links.
Pressure to move off-platform quickly, promises of VIP access, requests for payment to join, and little proof that the group is legitimate.
Who Is Most Likely to Encounter Betting Scams
McAfee’s research found that Americans under 45 are significantly more likely to encounter betting scams, with 44% saying they’ve experienced one compared with 19% of those over 45.
Men also report higher exposure, with 40% saying they’ve experienced a betting scam, compared with 25% of women.
Men and younger adults are also more likely to participate in brackets, fantasy sports, or sportsbook betting, the same spaces where scams often appear.
Example of a scam March Madness betting opportunity that uses real logos and imagery
AI Is Making Betting Scams Harder to Spot
Artificial intelligence is beginning to change how scams look and sound.
About 1 in 5 Americans say they’ve encountered betting scams that appeared more realistic because of AI, and 27% believe they’ve seen AI-generated betting content such as fake promotions, images, or videos.
Among those who encountered AI-driven scams:
58% reported AI-generated images or graphics in betting ads
57% saw AI-written messages that sounded natural or personalized
45% encountered fake celebrity or influencer endorsements
36% interacted with chatbots posing as betting experts or support agents
As these tools improve, scam messages are becoming smoother, more convincing, and harder to distinguish from legitimate promotions.
Safety Check
What To Do
Be skeptical of “guaranteed wins”
No bet is risk-free. Ignore messages promising sure bets, insider picks, or guaranteed outcomes.
Use only licensed sportsbooks
Stick to official betting apps and well-known sportsbooks. Avoid unfamiliar websites or apps.
Don’t click betting links from unknown messages
If you receive a betting offer via email, text, or social media, go directly to the official site instead of clicking the link.
Never pay fees to unlock winnings
If someone says you must send money to claim winnings or activate a betting account, it’s almost certainly a scam.
Be cautious of private betting groups
Invitations to “VIP betting groups” on apps like Telegram or WhatsApp are often used to promote scam picks or collect payments.
Tools like McAfee’s Scam Detector can flag suspicious links, websites, and messages before you engage.
March Madness is meant to be fun, filling out brackets, debating picks with friends, and cheering for the next big upset. Betting can be part of that excitement, but it’s worth remembering that scammers are watching the tournament too.
A simple rule of thumb can go a long way: if a betting offer promises guaranteed wins, asks for money upfront, or pushes you to act quickly, take a step back and verify it first.
The safest plays are the ones where you slow down, stick to trusted platforms, and keep your personal information protected.
This image shows another scam site built around sports betting. It’s important to remember these sports betting scams extend beyond basketball and the U.S.
If You or Someone You Know Needs Help
Sports betting can be fun, but for some people it can become difficult to manage. If you or someone you know is struggling with gambling, help is available through the National Problem Gambling Helpline (1-800-MY-RESET), operated by the National Council on Problem Gambling.
McAfee Total Protection has been recognized with three major honors in the AV-TEST Best Awards 2025, receiving awards for Best Performance, Best Advanced Protection, and Best Usability.
Among consumer security products, McAfee was the only solution to receive both the Best Performance and Best Advanced Protection awards, highlighting its ability to deliver strong security while keeping everyday devices running smoothly.
The awards are issued by AV-TEST, an independent cybersecurity research institute that evaluates security products through thousands of lab tests each year.
Together, these recognitions reinforce what matters most for people using security software every day: protection that works quietly in the background without slowing down your system or interrupting your workflow.
How Big is an AV-TEST Award?
Pretty big! The AV-TEST Awards recognize security products that deliver consistently strong results across independent testing throughout the year.
To qualify, products must demonstrate exceptional performance across multiple categories, including protection against modern threats, system performance impact, and usability.
In the 2025 test cycle, McAfee Total Protection earned recognition in three key areas.
Best Performance Award
Security software needs to protect your system without slowing it down.
In AV-TEST’s Windows performance testing, researchers measure how much a security solution impacts system resources during everyday tasks such as launching applications, installing programs, browsing the web, and copying files.
McAfee Total Protection earned the Best Performance Award for maintaining strong protection while keeping system impact minimal.
For users, that means protection that runs efficiently in the background so your PC stays responsive while you work, stream, or game.
Best Advanced Protection Award
Modern cyberattacks rarely rely on a single tactic. Today’s threats often combine multiple techniques, including ransomware, infostealers, and other advanced attack methods.
To evaluate how well security products handle these complex threats, AV-TEST runs Advanced Threat Protection (ATP) tests, which simulate real-world attacks using the latest techniques.
In the 2025 testing cycle, McAfee Total Protection delivered consistently strong results across these real-world attack scenarios, earning the Best Advanced Protection Award for consumer users.
These results demonstrate how multiple protection layers inside the product work together to detect and stop threats, even if an attack attempts to bypass initial defenses.
Best Usability Award
Strong security should also be easy to live with.
In AV-TEST’s usability tests, researchers evaluate how accurately a product distinguishes between legitimate files and malicious ones, while monitoring for false alarms.
McAfee Total Protection earned the Best Usability Award for its accurate threat detection and low rate of false positives.
That means fewer unnecessary alerts and interruptions, while still maintaining strong protection against real threats.
Recognition from AV-TEST
According to AV-TEST’s testing team, McAfee stood out across multiple categories in the 2025 evaluation.
“The team of the AV-TEST Institute is delighted to present McAfee with three of the highly coveted trophies. The manufacturer received recognition for its consistently efficient use of system resources, clear distinction between benign and malicious files, and strong results in Advanced Threat Protection testing.” — Marcel Wabersky, Lead Mobile & Network Testing, AV-TEST
What is the AV-TEST Institute
Independent testing plays an important role in helping consumers evaluate cybersecurity tools.
The AV-TEST Institute is an independent IT security research organization based in Germany and operating for more than 20 years. The institute runs one of the world’s largest testing laboratories dedicated to cybersecurity products.
From its headquarters in Magdeburg, Germany, AV-TEST researchers analyze new malware, study emerging attack techniques, and conduct large-scale comparative testing of security software used by both consumers and businesses.
These tests are designed to be standardized, transparent, and repeatable, allowing security products to be evaluated under the same conditions across multiple vendors.
The AV-TEST Best Awards recognize products that deliver consistently strong results across a full year of testing. Because the awards are based on sustained performance rather than a single test cycle, they are widely used as an indicator of long-term security reliability.
For McAfee users, these awards reinforce the goal behind McAfee Total Protection: delivering powerful protection that stays fast, accurate, and easy to use.
Frequently Asked Questions
FAQ
Q: What are the AV-TEST Best Awards?
A: The AV-TEST Best Awards are annual honors given by the independent cybersecurity testing institute AV-TEST. The awards recognize security products that deliver consistently strong results across a full year of testing in areas such as protection, performance, and usability.
Q: What awards did McAfee win in the AV-TEST Awards 2025?
A:McAfee Total Protection received three AV-TEST Best Awards for 2025: Best Performance, Best Advanced Protection, and Best Usability. McAfee was also the only consumer security product to receive both the Best Performance and Best Advanced Protection awards in the 2025 evaluation.
Q: What does the AV-TEST Best Performance award mean?
A: The AV-TEST Best Performance award recognizes security software that provides strong protection while using minimal system resources. AV-TEST measures how security products affect everyday activities such as launching programs, installing applications, browsing the web, and copying files.
Q: What is Advanced Threat Protection (ATP) testing?
A:Advanced Threat Protection (ATP) testing simulates real-world cyberattacks using techniques such as ransomware and infostealer malware. AV-TEST runs these scenarios to evaluate how well security products detect and stop attacks at multiple stages of an infection attempt.
Q: What does the AV-TEST Best Usability award measure?
A: The AV-TEST Best Usability award evaluates how accurately security software distinguishes between safe files and malicious threats. Products that score well demonstrate strong detection capabilities while minimizing false alarms and unnecessary alerts.
Q: Why do independent cybersecurity tests matter?
A:Independent cybersecurity testing organizations like AV-TEST evaluate security products using standardized and transparent testing methods. These tests help consumers compare protection tools based on measurable results rather than marketing claims.
This week in scams, the Pokémon Trainer pursuit to “catch ’em all” is being hijacked by criminals posting fake trading card listings online; duping buyers, including young collectors, out of hundreds of dollars.
Meanwhile, threatening email extortion scams claiming your personal data has been stolen are flooding inboxes around the world. And a viral “wedding photo” of Tom Holland and Zendaya shows how AI-generated images can blur the line between real and fake online.
Here’s what to know.
Pokémon Card Scams Surge on Online Marketplaces
The booming market for collectible Pokémon cards has become a new target for scammers.
According to reporting from The Straits Times, Singapore police recently arrested a 25-year-old man suspected of running a series of e-commerce scams involving Pokémon trading cards. Victims reportedly lost more than $135,000 after paying for limited-edition cards that never arrived.
Authorities say the suspect allegedly advertised pre-orders for rare cards on the online marketplace Carousell. After receiving payment through bank transfers or digital payment apps, the seller either became unreachable or claimed there were delivery problems.
Police say at least 35 reports tied to the suspect have been filed since October 2025, and more broadly there have been over 600 reported Pokémon card e-commerce scams totaling more than $1.1 million in losses during that same period.
Why this matters:
Collectibles create the perfect storm for online scams. Limited releases, hype, and rising resale values make buyers feel pressure to act quickly before items “sell out.” Scammers take advantage of that urgency.
How to Stay Safe When Buying Collectibles Online
If you’re buying trading cards or other collectibles online:
Buy from authorized retailers or well-established marketplaces
Avoid sellers who require direct bank transfers or payment apps upfront
Use platforms with buyer protection or escrow payment systems
Be cautious of sellers who suddenly move the conversation to WhatsApp, Telegram, or other messaging apps
When demand spikes for a product, whether it’s sneakers, concert tickets, or Pokémon cards, scams usually follow.
The “Your Data Was Stolen” Email Extortion Scam
Another scam spreading widely right now arrives in a much more intimidating format: a threatening email claiming hackers have stolen your personal data.
According to reporting from Fox News, many people are receiving messages that claim the sender has access to their passwords, files, or financial information. The message then demands payment in Bitcoin to prevent the data from being sold on the dark web.
At first glance, these emails can feel frightening. They often use dramatic language like:
“I have your complete personal information”
“Your files and devices are compromised”
“Pay within 48 hours or your data will be leaked”
But in most cases, there’s one major problem with the claim.
There’s no proof.
Security experts note that these messages usually include no screenshots, no passwords, and no evidence of a real breach. Instead, scammers send the same message to thousands of email addresses at once, hoping a small percentage of recipients will panic and pay.
Often, the scammers obtained your email address from old data breach lists circulating online, which makes the message feel more believable.
What to Do If You Receive One of These Emails
If you receive a threatening extortion email:
Do not reply
Do not send money
Mark the message as spam or phishing
Delete it
Reporting the message helps email providers improve spam filters and prevent similar scams from reaching others.
The biggest tactic here is fear. Once you slow down and evaluate the message, the scam usually falls apart.
That Viral Tom Holland and Zendaya “Wedding Photo”? AI
A viral image circulating on social media this week claimed to show Tom Holland and Zendaya’s wedding, sparking massive speculation online.
But many viewers quickly suspected the image wasn’t real.
According to reporting on Yahoo Entertainment, the photo appeared to originate from a fan account on X (formerly Twitter) that claimed the image had been “confirmed” by major outlets like Vogue and Cosmopolitan. However, no such confirmation existed, and soon the official label was added marking the content as AI-generated.
A screenshot of the viral AI-generated image.
Celebrity rumors already spread quickly online. Add generative AI to the mix, and fabricated images can travel even faster.
While a fake celebrity wedding photo may seem harmless, the same technology can easily be used in more serious ways.
AI-generated visuals are already being used to create:
Fake celebrity endorsements
Fabricated news events
Scam ads featuring public figures
Fraudulent investment promotions
The line between real and synthetic content is getting harder to spot.
How to Spot Potential AI Images
If a viral image seems surprising or dramatic:
Check whether credible news outlets or verified accounts are reporting it
Look for visual inconsistencies in hands, text, or background details
Reverse image search the photo to see where it first appeared
Verify through official sources before sharing
When something looks shocking online, that’s often exactly why it spreads. McAfee’s built-in Scam Detector can help you spot AI-generated audio and video.
McAfee’s Safety Tips This Week
A few simple habits can help reduce your risk across all three of these scenarios:
Be cautious when buying high-demand collectibles online
Never send money in response to threatening emails
Treat viral images and breaking celebrity news with healthy skepticism
Use strong, unique passwords and enable two-factor authentication
Verify surprising claims through trusted sources before reacting
Scams today don’t always look like scams. They often look like exciting deals, urgent warnings, or AI depictions of people you trust.
The best defense is slowing down before clicking, paying, or sharing.
We’ll Be Back Next Week
From collectible card fraud to email extortion campaigns and AI-generated viral content, the tactics scammers use may change, but the strategy is the same: manipulate emotion and urgency.
Stay skeptical, verify before you trust, and we’ll be back next week with another breakdown of the scams making headlines, and what they mean for your security.
We’re back with another roundup of must-know scams and cybersecurity news making headlines this week, including a scam that features the name of the Jim Carrey movie, The Truman Show.
Let’s break it down.
Why Reports Call it the “Truman Show” Scam
So, why the name of this scam?
In the 1998 film The Truman Show, the main character unknowingly lives inside a staged reality TV world where everything around him is carefully controlled. In the “Truman Show” scam, criminals try to place victims into a similarly staged investment environment, complete with fake group chats, fake investors, and fake profits designed to build trust. It doesn’t actually have anything to do with the movie.
What is the “Truman Show” Scam?
The “Truman Show” scam is an AI-powered investment scam where criminals create an entire fake online community to convince victims an investment opportunity is real.
According to reports, scammers invite people into group chats on platforms like Telegram or WhatsApp that appear full of investors sharing tips and celebrating profits. In reality, many of the participants, moderators, and conversations may be run by AI bots designed to simulate a lively trading community.
Security researchers say the moderator and the other “investors” in the group may actually be AI-driven bots, programmed to simulate real conversations and enthusiasm around the investment strategy.
The scam often includes:
A group chat on Telegram or WhatsApp
A downloadable trading app or website
Screenshots showing fake profits
Encouragement from “other members” to invest more
The app itself may appear legitimate. But in reality, it often redirects users to a malicious website where scammers collect personal and financial information.
Once victims deposit money, the criminals can quickly drain accounts or block withdrawals.
McAfee’s State of the Scamiverse research shows just how convincing scams have become. One in three Americans (33%) say they feel less confident spotting scams than they did a year ago, as criminals increasingly use polished branding, realistic conversations, and AI-generated content to make fraudulent opportunities look legitimate.
Why this works: people naturally trust social proof. When it looks like dozens of other investors are making money, people lower their skepticism.
Fake Government Letters Are Targeting Residents Across Towns
Another scam to be aware of this week includes spoofed letters impersonating local government offices.
According to reporting from WGME in Maine, residents in multiple towns recently received official-looking notices requesting payment for supposed municipal fees tied to development applications.
The letters appeared convincing. They used formal language, official seals, and department names.But there was a problem.
One of the notices claimed it came from a “Board of Commissioners,” even though the town in question does not have one.
Officials say the letters instructed recipients to send payments by wire transfer, a method legitimate government offices almost never use for these kinds of transactions.
McAfee’s experts say these scams are effective because they rely on volume. Fraudsters send thousands of letters hoping a small percentage of recipients will respond before verifying the request. And remember, these types of scams occur all the time and across the globe. While today’s reports are in Maine, it’s important to be vigilant wherever you live.
Red flags to watch for:
Requests for wire transfers, gift cards, or crypto payments
Pressure to pay quickly to avoid penalties
Official-looking letters with subtle inconsistencies
Contact information that doesn’t match the official government website
The safest move is simple: verify the request independently. Contact the government office directly using phone numbers listed on its official website, not the ones in the letter.
LexisNexis Confirms Data Breach After Hackers Leak Files
Meanwhile, a well-known data analytics company is dealing with a breach after hackers published stolen files online.
According to BleepingComputer, LexisNexis Legal & Professional confirmed that attackers accessed some of its servers and obtained limited customer and business information. The confirmation came after a hacking group leaked roughly 2GB of stolen data on underground forums.
LexisNexis says the compromised systems contained mostly older or “legacy” data from before 2020, including:
Customer names
User IDs
Business contact information
Product usage details
Support tickets and survey responses
The company says highly sensitive financial information, Social Security numbers, and active passwords were not part of the exposed data.
However, attackers claim they accessed millions of database records and hundreds of thousands of cloud user profiles tied to the company’s systems.
LexisNexis says it has contained the intrusion and is working with cybersecurity experts and law enforcement.
Why breaches like this matter: even when the stolen data appears limited, it can still be used in targeted phishing attacks.
For example, scammers might use real names, email addresses, or business roles to send convincing messages that appear legitimate.
Breaches often trigger waves of follow-up scams weeks or months later. (We know we cover this one a lot, but it’s key to remember!)
McAfee’s Safety Tips This Week
A few simple habits can make these schemes much easier to spot.
Be skeptical of investment groups online. Real trading communities rarely pressure you to deposit money quickly or download unfamiliar apps.
Verify government payment requests independently. If you receive a letter demanding payment, contact the agency directly using information from its official website.
Treat breach-related messages cautiously. After a breach makes headlines, phishing emails often follow pretending to offer “account verification” or “security updates.”
Avoid clicking unfamiliar links in emails or texts. Tools like McAfee’s free WebAdvisor can help flag risky websites and block known malicious pages before they load.
Pause before sending money or personal information. Many scams rely on urgency. Slowing down gives you time to verify what’s real.
We’ll be back next week with another roundup of the scams and cybersecurity news making headlines and what they mean for your digital safety.
John C. isn’t the person you picture getting scammed.
He’s 36. He’s tech-savvy. He’s a mechanical engineer leading a team at a national energy lab in Denver. And he told us his story for one reason: “Scammers will target anyone.”
It began with a phone call from someone claiming to be the IRS. They said John had underpaid his taxes and needed to resolve it quickly. The caller sounded polished and convincing, so convincing that John didn’t stop to question it.
“I thought maybe they sent back too much money [in my refund], and they needed it back,” he said. “I was just so busy and overwhelmed that I never really stopped to think about the situation.”
A follow-up email arrived with IRS logos, clean formatting, and a big payment button. John was trying to move fast between classes as he finished up his PhD, and he wanted to correct the situation as quickly as possible.
“I was like, let me just hurry up and do this, get it over with.”
He clicked. He paid. But later, when he checked his statement, he saw the charge didn’t look like an IRS payment at all. In fact, it was an international charge. The whole thing was a scam.
John said the scammer on the phone had appealed to his emotions and been incredibly convincing.
“It was absolutely masterful,” John said. “I would give him an Oscar for it.
And new McAfee research shows John isn’t alone, with nearly 1 in 4 (23%) US adults surveyed revealing they’ve lost money to a tax scam.
Example of a tax scam text message
Key findings from McAfee’s 2026 Tax Season Survey
Here’s what our January 2026 survey of 3,008 U.S. adults found:
The big picture: lots of worry, not enough confidence
82% of Americans say they’re concerned about tax fraud this season.
67% say they’re seeing the same or more tax scam messages than last year.
40% say tax scam messages are more sophisticated than last year.
84% are concerned about AI making tax scams more realistic.
Only 29% say they’re very confident they could spot a deepfake tax scam.
How often scams are reaching people
34% say they’ve been contacted by someone claiming to be the IRS or another tax authority (phone, text, or email).
38% say they’ve been asked to click a link or send payment related to a “tax issue.”
Common asks include SSNs (15%), birth dates (11%), addresses (10%), “you owe back taxes” pressure (9%), and banking details (8%).
Who is getting hit hardest
Nearly 1 in 4 Americans (23%) say they’ve fallen for a tax scam.
Young adults report the highest exposure: 42% of 18–24-year-olds say they’ve fallen for at least one tax scam.
11% of Americans report tax-related identity theft, rising to 17% among ages 25–34.
The money is real
Among people who say they’ve fallen for a tax scam, the average loss is $1,020.
Separately, nearly 1 in 5 Americans say they’ve lost money to a tax scam.
Tax filing is increasingly digital (and that changes the risk)
55% say they file taxes online (software or IRS Free File).
75% say they receive refunds or pay taxes electronically (direct deposit, cards, apps, EFTPS, etc.).
30% say they plan to use an AI tool (like ChatGPT) to help prepare taxes, especially younger adults. This is highly dangerous, even with platform security protections. For example, if an AI tool were compromised in a data breach, user messages with personal tax information (like social security numbers, home address, and more) could be made public.
Tax Scams Now Hit Year-Round, McAfee Labs Finds
In addition to our consumer survey findings, McAfee Labs analyzed malicious URLs, apps, texts, and emails in the months leading up to filing season.
The major takeaway: tax scams don’t wait for April.
Scam activity began climbing as early as November and has again continued building steadily into 2026.
Between September 1, 2025, and February 19, 2026, McAfee Labs identified 1,468 malicious or suspicious tax-themed unique domains, an average of 43 new fake tax websites every day.
In early November 2025 alone, the average number of new tax-themed malicious domains nearly doubled in just over a week. After a brief dip in late December, activity resumed climbing into February, a pattern we expect to intensify as the April filing deadline approaches.
A chart showing the unique, malicious domains detected by McAfee’s Web Advisor
Fake IRS Websites Are A Major Threat
Scammers are rapidly creating lookalike IRS domains that mimic official government URLs.
They use small changes, extra letters, added words, subtle misspellings, to trick taxpayers into believing they’re on a legitimate IRS site.
Examples include domains that insert additional text around “irs.gov” or add misleading subdomains designed to pass a quick glance.
These fake portals are used to:
Steal login credentials
Harvest Social Security numbers and tax IDs
Capture payment details
Charge bogus “processing fees”
In some cases, these sites don’t just steal, they overcharge.
McAfee Labs observed scam services offering to file for an EIN (Employer Identification Number), something the IRS provides for free, and charging as much as $319 for it.
Example of a scam website we found charging for an EIN.
The official IRS website explicitly warns: you never have to pay a fee to obtain an EIN.
Other scam sites misuse legitimate policy terms, like the “Fresh Start Initiative,” to harvest personal data and enroll victims in aggressive robocall and marketing campaigns.
Tax scams don’t always steal outright. Sometimes they monetize confusion.
Here it shows them charging $319 for an EIN, and collecting their personal information.
How a Typical Tax Scam Unfolds
Most tax scams aren’t one single message. They’re a sequence, designed to make you panic, click, and comply.
Below is the common playbook, plus the red flags that show up repeatedly.
*Note: Scammers may swap the details like AI voice, fake IRS videos, cloned websites, or impersonating tax software, but the pattern stays familiar.
Step
What happens
Red flags you’ll see at this step
Red flags that are true every time
What to do instead
1) The hook
You get a call, text, or email claiming there’s a tax issue (refund problem, underpayment, verification needed).
Message arrives out of nowhere, often during busy hours; “final notice” language; spoofed caller ID.
Unexpected contact + urgency.
Don’t engage. Pause. Go directly to IRS.gov or your tax provider’s official site (type it in).
2) The authority move
They lean hard on being “the IRS” or “state tax authority,” sometimes with personal details.
They sound polished; may use AI voice cloning; may cite a “case number.” Fake or meaningless case numbers are very common.
They want you to trust the title, not verify the source.
Ask for written notice and time. Real tax issues can be verified through official channels.
3) The link
They send a link to a “secure portal” or “refund page.”
Never click the link. Navigate to the real site yourself. If unsure, delete it.
4) The data grab
The site (or “agent”) asks for SSN, banking info, login credentials, or details from a prior return.
Requests that are broader than needed; “verify identity” prompts; form fields that feel too invasive.
They want sensitive info fast.
Stop. Don’t type anything. If you already did, assume it’s compromised and act quickly (see next section).
5) The payment push
They demand payment to “avoid penalties,” “release your refund,” or “resolve a mistake.”
Gift cards, crypto, wire transfers, payment apps; pressure to pay today; threats.
Urgency + unusual payment method.
The IRS does not demand immediate payment via text/social, and doesn’t require gift cards or crypto. Verify independently.
6) The escalation
If you hesitate, they intensify: threats, “law enforcement,” or AI video/audio that “proves” it’s real.
Deepfake IRS video, intimidating language, “you’ll be arrested,” “your license will be revoked.”
Fear is the product.
Hang up. Save evidence. Talk to a trusted person. Contact official support through verified numbers.
7) The aftermath
You realize it was a scam—often after noticing a strange charge or login activity.
Charges from odd merchants; new accounts; IRS account alerts; failed tax filing due to “duplicate return.”
Shame keeps people quiet—scammers count on that.
Report it and protect your identity right away. You’re not alone, and it’s not your fault.
Key point: A message can look “official” and still be fake. AI is making scam language smoother and scams more believable. The safest habit is simple: slow down, and verify using official sources you navigate to yourself.
What to do if you’ve been involved in a tax scam
First: take a breath. Scams are designed to trick you, especially when you’re overwhelmed, rushed, or just trying to fix a problem quickly.
John said it plainly: “Don’t be embarrassed. It does happen. It’s common… they will target anyone.”
And he’s right. The most important thing is what you do next.
1) Stop the bleeding: cut off contact
Stop replying
Don’t click anything else
Don’t send more information or money
2) Capture proof (before it disappears)
Take screenshots and save:
Phone numbers, email addresses, usernames
The message content
Links (don’t click them, just copy)
Payment receipts and transaction IDs
3) Lock down your accounts (especially email)
If a scammer gets into your email, they can reset passwords for everything else.
Do this today:
Change your email password first, then banking/tax accounts
Turn on two-factor authentication (2FA)
If you reused passwords anywhere, change those too
Important: If you clicked a suspicious link, downloaded a file, or gave someone remote access to your computer, make sure you use a different, trusted device (like your phone or another computer) to change passwords. Why? If a scammer installed malware or has access to your computer, they may be able to see all of your brand-new passwords as you’re making them.
Tip: A password manager like McAfee’s can help you create strong, unique passwords quickly, without having to memorize them all.
4) Check for identity theft signals
Tax scams often turn into identity theft. Watch for:
IRS notices about a return you didn’t file
Trouble e-filing because a return was already submitted
Alerts about a new IRS online account you didn’t create
If you suspect tax-related identity theft:
Consider filing an IRS identity theft report (commonly done with IRS Form 14039, Identity Theft Affidavit).
Create or log into your IRS account periodically to review account activity (John now does this every few months).
IRS phishing email: If you received a scam email posing as the IRS, you can forward it to phishing@irs.gov.
Your bank or card provider: If you paid, contact them immediately. Even if recovery isn’t guaranteed, speed matters.
6) Clean up your digital footprint
Scammers don’t just use what you give them. They also use what they can look up.
Removing your personal details from risky data broker sites can reduce how easily scammers can target you again. Tools like Personal Data Cleanup can help you identify where your information is exposed and guide removal.
7) Add protection for the next attempt
Tax season scams often come in waves, especially if scammers think your info is “good.”
Helpful layers include:
Web protection to warn you about risky links and lookalike sites before you enter info – get our free WebAdvisor download here
Scam detection that can flag suspicious messages
Identity monitoring to alert you if key personal info shows up in risky places
Run a free antivirus scan to check your device for malware or unwanted programs (especially if you clicked a link or downloaded anything)
The key takeaway
Tax season creates the perfect storm: time pressure, sensitive data, and a lot of official-looking communication.
Our research shows most people are worried, and for good reason. Scammers are getting more convincing, and AI is raising the bar on what “real” looks and sounds like.
“Tell your friends, tell your family,” John said. “Everyone I know at some point has heard this story, and it might just prevent someone from losing… thousands of dollars.”
If you remember just three things this season, make them these:
Pause before you click.
Verify through official channels you navigate to yourself.
If something happens, act quickly, and don’t blame yourself.
This week in scams, we’re looking at three very different stories with the same underlying theme: trust is being exploited at scale.
A massive government contractor data breach has quietly grown to affect more than 25 million people. Meanwhile, a viral AI-generated image of Mary-Kate and Ashley Olsen posing in a fake luxury campaign is spreading across social media, fooling some users and alarming others.
And in a new threat report, OpenAI detailed how its own tools are being misused for dating scams, impersonation, and influence operations.
Let’s break it down.
The Conduent Data Breach Now Impacts 25+ Million People
The fallout from a ransomware attack on Conduent, one of the largest government contractors in the U.S., continues to expand.
According to reporting from TechCrunch, updated state-level breach notifications now indicate that more than 25 million people across the U.S. have had personal data exposed.
Conduent provides services tied to state benefit programs, including food assistance, unemployment systems, and other government payment processing operations. The company has said its services reach over 100 million people.
Data reportedly exposed in the breach includes:
Names
Dates of birth
Addresses
Social Security numbers
Health insurance and medical information
TechCrunch noted that the majority of affected individuals appear to be in Oregon and Texas, based on state breach disclosures. Other states have also reported an impact.
The attack has been described as one of the largest government-contractor-related data breaches in recent memory.
Why this matters: When companies that process government benefits are hit, the exposed data often includes highly sensitive identity information. Social Security numbers combined with medical or insurance details can significantly increase the risk of identity theft and fraud.
How to Protect Yourself After a Major Data Breach
If you believe your data may have been exposed:
Monitor your credit reports for unfamiliar activity
Consider placing a free credit freeze
Be wary of phishing emails or texts referencing benefits or account verification
Never share personal information in response to unexpected outreach
Breaches like this often lead to secondary scams months later. The breach itself is only phase one. Phishing campaigns usually follow.
That Viral Olsen Twins “Louis Vuitton” Image? It’s AI.
A supposed luxury campaign featuring Mary-Kate and Ashley Olsen began circulating widely on X and Facebook this week, racking up millions of views.
The images show the twins styled in what appears to be a high-end fashion shoot, drawing numerous comments over their styling. But social media users quickly pointed out visual irregularities and inconsistencies commonly associated with AI-generated imagery.
A screenshot of one of the AI images making thr rounds across social media.
While this doesn’t fall into our typical “scam” roundup, the normalization of AI-generated visuals that look close enough to real to confuse people are a growing issue that can lead to real confusion and distrust.
We have entered a phase where:
Fake ads look legitimate
Public figures appear in campaigns they never participated in
Synthetic images spread faster than corrections
Today it’s a fashion ad. Tomorrow it could be a fake political endorsement, financial announcement, or emergency alert.
The takeaway: If you see a surprising campaign or announcement, verify it through official brand websites or verified accounts before assuming it’s real.
OpenAI Details How ChatGPT Is Being Misused
In a newly released threat report, OpenAI outlined several ways its tools have been abused by bad actors.
A cluster of accounts used ChatGPT to run a dating scam targeting Indonesian men, allegedly defrauding hundreds of victims per month.
Some accounts used the tool to generate promotional copy and ads for a fake dating platform that pressured users into completing costly “tasks.”
Other accounts posed as law firms, impersonating real attorneys and U.S. law enforcement to target fraud victims.
OpenAI also banned accounts linked to activity believed to be part of influence operations, including efforts targeting Japanese political figures.
OpenAI stated that the activity was detected and accounts were removed.
Why this matters: AI tools themselves are not inherently scams. But they dramatically lower the cost and increase the scale of fraud operations. Writing persuasive emails, generating fake legal letters, building scam ads… these now require fewer technical skills than ever before.
The technology doesn’t create the criminal intent. It just accelerates it.
McAfee’s Safety Tips This Week
Assume viral images could be AI-generated until verified
Verify unexpected announcements through official websites
Treat post-breach emails as suspicious by default
Be skeptical of online “consultation” invites that promise payment
Never send money to someone you’ve only met online
We’ll Be Back Next Week
From ransomware breaches to AI-generated impersonations, the pattern is clear: scammers are scaling trust manipulation with technology.
Stay skeptical. Verify before you click. And we’ll be back next week with another breakdown of what’s making headlines, and what it actually means for your security.
Start using a new app and you’ll often be asked to grant it permissions. But blindly accepting them could expose you to serious privacy and security risks.
One minute you’re scrolling like normal. The next, your account is posting crypto promotions, sending spam DMs, or following hundreds of random accounts you’ve never heard of. Sometimes you don’t even notice until a friend asks why you’re suddenly “giving away” gift cards.
If you use X for work, your personal brand, or your business, a takeover can do real damage quickly. And in many cases, the hacker isn’t just trying to cause chaos, they’re trying to use your account to scam your followers while you still look trustworthy.
This guide walks you through exactly what to do if your X account has been hacked: how to spot the warning signs, how to regain access, and what to change immediately so it doesn’t happen again.
X account takeovers don’t always start with a full lockout. Often, the first signs are strange activity you didn’t authorize.
Watch for these red flags:
Unexpected posts: Tweets you didn’t write, especially spam, crypto links, or promotions.
Unusual DMs: Messages sent from your account that you don’t remember sending.
Account behavior changes: Random follows, unfollows, blocks, or profile changes you didn’t approve.
Security notifications: Alerts from X that your account may be compromised.
Account info changed: Notifications that your email, phone number, or password was updated without your permission.
Password suddenly stops working: You’re prompted to reset your password even though you didn’t request it.
If any of these are happening, assume your account is compromised and start recovery steps immediately.
What to Change Immediately If Your X Account Was Hacked
If your X account was hacked, assume your login details may have been stolen.
That means simply getting back into your account isn’t enough, you also need to update the passwords and settings attackers could still use.
Here’s what to change right away:
Change your X password
Change the password for the email account connected to X
Turn on two-factor authentication (2FA)
Confirm your email address and phone number are correct
Revoke access for any suspicious third-party apps
Review X Pro / Teams access (if you use it) and remove unfamiliar users
Update any other accounts that share the same password
Delete unauthorized posts and DMs (once you regain control)
If you suspect the hack started through malware or phishing, it’s also smart to update passwords for other sensitive accounts tied to your identity, like banking apps, payment apps, or your Apple/Google account.
One of the most common ways X accounts get hacked is through phishing.
Scammers impersonate:
X support
“verified account” teams
copyright warnings
fake sponsorship offers
fake security alerts claiming your account will be suspended
They try to pressure you into clicking a link and logging in on a fake page designed to steal your password.
If you receive a suspicious email or DM, don’t click.
Instead, open X directly in the app or browser and check your account settings from there.
Final Tips: Recovering From an X Hack
A hacked X account can spread scams quickly, especially if the attacker uses your account to message followers directly.
The most important steps are:
Act quickly
Change your password immediately
Secure the email account connected to X
Revoke suspicious third-party app access
Review X Pro / Teams access if applicable
Enable two-factor authentication (2FA)
Delete unauthorized posts once you regain control
Scan your device for malware
McAfee offers a free antivirus scan that can help you detect malware or suspicious programs that may have compromised your account in the first place.
And if you’re still locked out or something doesn’t look right, use X’s official support request form to report the account as hacked or compromised.
Frequently Asked Questions
Q: How do I know if my X account was hacked? A: Common signs include posts or DMs you didn’t send, unusual follows/unfollows, account changes you didn’t authorize, security alerts from X, or a password that suddenly stops working.
Q: If I change my password, will the hacker be logged out? A: Changing your password is critical, but some mobile sessions may remain active. X recommends revoking app access in your settings if suspicious activity continues.
Q: What should I do if my email address was changed? A: Check your inbox for an email from X about the change. In some cases, you may be able to reverse it using the security link. If you can’t, start account recovery immediately and submit a support request if needed.
Q: Should I remove third-party apps after a hack? A: Yes. X notes that malicious or untrusted third-party apps can compromise your account. Remove anything you don’t recognize or no longer use.
Q: What if I still can’t log in after resetting my password? A: Submit a hacked account support request through X’s official form. Be sure to include your username and the last date you had access.
Q: What’s the biggest mistake people make after their X account gets hacked? A: Only changing their password. If the attacker still has access through connected apps, a compromised email account, or saved sessions, they can regain control quickly.
Instagram hacks don’t always start with a dramatic “you’ve been locked out” moment.
More often, it starts with something small: your followers asking why you just sent them a weird link. Your account suddenly following hundreds of random profiles. A post you didn’t write showing up in your feed. Or an email from Instagram saying your login details were changed.
By the time you realize what’s happening, scammers may already be using your account to impersonate you, message your followers, or promote fake giveaways and crypto scams through your profile.
This guide walks you through exactly what to do if your Instagram account has been hacked: how to spot the warning signs, how to regain access, and what to change immediately so it doesn’t happen again.
And if you’re still having trouble at any stage, be sure to visit Instagram’s official recovery tools for additional support.
Signs Your Instagram Account May Be Compromised
Instagram account takeovers don’t always look obvious at first. In many cases, the first signs are subtle changes you didn’t make.
Watch for these red flags:
Password or email changes you didn’t request: You may receive an email saying your account information was updated.
Suspicious login alerts: Notifications about a login attempt, new device, or verification code you didn’t request.
Posts, Stories, or Reels you didn’t publish: Scammers often post crypto promotions, fake giveaways, or sketchy links.
DMs you didn’t send: A common tactic is using your account to message your followers with phishing links.
Your account starts following random accounts: Hackers may use compromised accounts to inflate scam pages or bot networks.
Your profile info has been edited: Name, bio, profile photo, or website links changed without your permission.
If any of these are happening, assume your account is compromised and start recovery steps immediately.
What to Change Immediately If Your Instagram Account Was Hacked
If your Instagram account was hacked, assume your login details may have been stolen.
That means simply getting back into your account isn’t enough, you also need to update the passwords and settings attackers could still use.
Here’s what to change right away:
Change your Instagram password
Change the password for the email account connected to Instagram
Turn on two-factor authentication (2FA)
Log out of all active sessions/devices
Remove suspicious third-party apps connected to your account
Confirm your phone number and email address are correct
Check Accounts Center and remove linked accounts you don’t recognize
Update any other accounts that share the same password
If you suspect the hack started through malware or a phishing link, it’s also smart to update passwords for other sensitive accounts tied to your identity, like banking apps, payment apps, or your Apple/Google account.
One of the most common ways Instagram accounts get hacked is through phishing.
Scammers impersonate:
Instagram support
verification teams
copyright violation notices
“your account will be deleted” warnings
fake giveaway collaborations
Their goal is to pressure you into clicking a link and entering your password on a fake login page.
If you receive a suspicious email or DM, don’t click.
Instead, open Instagram directly in the app and check your security settings from there.
If you think you entered your login info into a suspicious link, change your password immediately and secure your account right away.
Final Tips: Recovering From an Instagram Hack
A hacked Instagram account is stressful for a reason: it doesn’t just affect your profile. It affects your followers, your reputation, and your private messages.
The most important steps are:
Act quickly
Check your email for Instagram security alerts
Use Instagram’s official hacked account recovery tools
Change your password immediately
Log out of all active sessions
Remove suspicious apps and linked accounts
Enable two-factor authentication (2FA)
Scan your device for malware
McAfee offers a free antivirus scan that can help you detect malware or suspicious programs that may have compromised your account in the first place.
And if you’re still locked out or something doesn’t look right, follow Instagram’s official recovery guidance and contact Instagram support directly.
Frequently Asked Questions
Q: How do I know if my Instagram account was hacked? A: Common signs include password or email changes you didn’t request, suspicious login alerts, DMs you didn’t send, posts you didn’t publish, or unexpected changes to your profile details.
Q: What if my Instagram email address was changed? A: Check your inbox for an email from Instagram about the change. In some cases, Instagram may provide a security link that lets you reverse it. If you can’t undo the change, start the hacked account recovery process as soon as possible.
Q: What if I can’t log in at all? A: Use Instagram’s official hacked account recovery tools. Depending on your situation, Instagram may offer login links, security codes, or identity verification options to help you regain access.
Q: Should I remove third-party apps after a hack? A: Yes. Some account takeovers happen because an unsafe app was given access. Remove anything you don’t recognize or no longer use.
Q: What’s the biggest mistake people make after getting hacked? A: Only changing their Instagram password. If the attacker still has access through your email account, linked accounts, or suspicious third-party apps, they can regain control quickly.
Q: Can Instagram ask me to verify my identity? A: Yes. In some cases, Instagram may ask you to confirm ownership through verification steps. This can include submitting additional information or completing a video selfie process.
A password reset email you don’t remember requesting. A login alert that doesn’t make sense. Strange comments showing up under your username that you swear you didn’t write.
Sometimes you don’t notice at all…until someone messages you asking why you’re suddenly promoting crypto giveaways, posting spam links, or commenting across random subreddits.
A hacked Reddit account isn’t just embarrassing. It can be a real security risk. Attackers often use compromised accounts to spread scams, steal personal information, or take advantage of your reputation in online communities.
This guide walks you through exactly what to do if your Reddit account has been compromised: how to spot the warning signs, how to regain control, and what security steps to take so it doesn’t happen again.
Signs Your Reddit Account May Be Compromised
Reddit account takeovers don’t always look dramatic at first. The earliest warning signs often feel subtle.
Watch for these red flags:
Password or email changes you didn’t make: You may receive an email from Reddit saying your password or email address was updated.
Posts, comments, votes, or chat messages you don’t recognize: Hackers often use your account to upvote scam content or spam communities.
Authorized apps you don’t remember approving: Some attackers compromise accounts through unsafe third-party apps or browser extensions.
Unusual login activity or unfamiliar IP history: Reddit allows you to review recent account activity, which may show logins from locations you’ve never visited.
Sudden account lock or forced reset notice: In some cases, Reddit may lock your account or prompt a password reset as a security precaution.
What to Change Immediately If Your Reddit Account Was Hacked
If your Reddit account was hacked, assume your login details may have been stolen.
That means simply getting back into your account isn’t enough, you also need to update the passwords and settings attackers could still use.
Here’s what to change right away:
Change your Reddit password
Change the password for the email account connected to Reddit
Update any other accounts that share the same password
Remove suspicious authorized apps
Log out of all active sessions/devices
Turn on two-factor authentication (2FA)
Update your recovery options (email, phone, backup codes)
If you think the hack started from malware or a phishing link, it’s also smart to update passwords for other sensitive accounts, like banking, payment apps, or your Apple/Google account. Using a password manager like McAfee’s can help you create strong, unique passwords for every account, and store them securely in one place.
Step-by-Step: How to Recover a Hacked Reddit Account
Step
What to Do
Why It Matters
1. Reset your password immediately
Use Reddit’s password reset flow and create a strong new password.
This is the fastest way to cut off unauthorized access. Resetting your password can also log you out across devices.
2. Check your inbox for Reddit security emails
Look for emails saying your password or email address was changed. Follow any “this wasn’t me” instructions if available.
If a hacker changed your account details, Reddit’s security email may be your best chance to reverse it quickly.
3. Review account activity and active sessions
Check where your account is logged in and log out of unfamiliar sessions/devices.
Hackers often stay logged in even after making changes, especially if you don’t remove active sessions.
4. Remove suspicious authorized apps
Review connected apps and revoke access for anything you don’t recognize or no longer use.
Some account takeovers happen through unsafe third-party apps, not password guessing.
Reddit may be able to confirm suspicious activity, restore access, or help reverse account changes.
Frequently Asked Questions
Q: How do I know if my Reddit account was hacked?
A: Common signs include password or email changes you didn’t request, unfamiliar authorized apps, unusual IP history, and posts/comments/votes you don’t remember making. If any of these appear, treat your account as compromised.
Q: Will resetting my Reddit password log out the hacker?
A: In many cases, yes. Reddit notes that resetting your password can log you out across devices, which is one of the fastest ways to cut off unauthorized access.
Q: What if my Reddit email address was changed?
A: Check your email inbox for a message from Reddit. Reddit may provide instructions to reverse the change, but you’ll typically need to input the original email address associated with the account.
Q: What should I do if I can’t get my account back?
A: Yes. Reddit specifically warns that unsafe authorized apps can lead to account compromise. Remove anything you don’t recognize or no longer use.
Q: What’s the biggest mistake people make after a Reddit hack?
A: Only changing their Reddit password. If your email account or device is compromised, attackers can regain access quickly. You should secure your email, scan your device, and update reused passwords.
It’s Friday the 13th, but you have nothing to fear online if you’re scam-savvy and well protected.
Every week, we round up the biggest scam and cybersecurity stories of the moment so you can recognize red flags, protect your accounts, and avoid the most common traps scammers are using.
This week in scams, we’re talking Valentine’s Day, deepfake deception, and online privacy.
Let’s jump in:
New McAfee Research Shows Romance Scams Spiking
Valentine’s Day is supposed to be peak season for connection. But for scammers, it’s peak season for something else: emotional leverage.
New McAfee research shows romance scams are not rare edge cases, they’re becoming a common part of the online dating experience. In fact, 1 in 7 American adults (15%) say they’ve lost money to an online dating or romance scam. Even more alarming: of the people who lost money, only 1 in 4 (24%) were able to recover all of it.
And many scams start exactly the way real relationships do.
One McAfee interviewee, Jules, a healthcare professional in her 40s, joined a dating app hoping to meet someone as a busy working single mom. She met “Andy,” who seemed local, charming, and emotionally invested. He didn’t rush into money. He built trust. He mirrored her life. He made her feel safe.
Then he introduced a “crypto opportunity” that looked legitimate. The app showed gains. She even withdrew small amounts at first. But weeks later, her account froze, and she was told she needed to pay a $25,000 “tax payment” to unlock it.
She paid. Then the account froze again.
By the time Jules realized the truth, she had lost more than $80,000, including $25,000 borrowed from her elderly mother.
This is the new shape of romance scams: slow, believable, and psychologically engineered. McAfee Labs also reports that romance-related scam activity spikes during peak dating season, including fake profiles, cloned apps, and AI-driven spam behavior.
Key red flags to watch for
They move fast emotionally (“I’ve never felt this way before”)
They push you off-platform quickly (WhatsApp, Telegram, Signal)
Their story sounds polished but hard to verify (military, oil rig, entrepreneur)
They introduce “investment advice” or crypto opportunities
They ask for payment apps, gift cards, wire transfers, QR payments, or “fees”
They claim your money is “frozen” unless you pay one more time
How romance scams typically unfold
While scams can take many forms, most follow a familiar pattern. Understanding the progression can help people recognize risk earlier.
Stage
The Red Flags / How it Unfolds
What the scammer wants
What to do instead
1) The hook
A friendly DM, a “wrong number” text, a dating match, a comment reply, a follow request
A response. Any response.
Don’t move fast. Keep the convo on-platform. Don’t give out your number.
2) Love bombing
Daily messages, fast intimacy, mirroring your interests, “I’ve never felt this way”
Trust and routine
Slow it down. Ask for a real-time video call and a specific, verifiable detail.
3) Private channels
“Let’s talk on WhatsApp/Telegram/Signal.” “Don’t tell anyone yet.”
Control and privacy
If someone pushes you off-platform quickly, treat it as a red flag.
4) Building credibility
A “job” story (military, oil rig, entrepreneur), polished photos, voice notes, even AI-assisted video
Believability
Verify independently. Reverse image search photos. Watch for inconsistencies.
5) A financial request
A “small” emergency, a plane ticket, a crypto opportunity, “help me unlock my account,” gift cards, payment app request
Money or financial access
Never send money to someone you haven’t met. Never share financial info or account details.
6) Escalation
“I need a verification code.” “Can you receive money for me?” “Open an account.” “Co-sign.”
Identity theft, account takeover, new credit
Never share MFA codes. Don’t open accounts for anyone. Lock credit if you’ve shared info.
7) Ghosting
Ghosting, deleted accounts, new persona, rinse-and-repeat
Exit before consequences hit them
Preserve evidence, report, and secure your accounts immediately.
Key point: the scariest scams may never send you a sketchy link. They may only send convincing words, and the pressure to act.
Deepfake Fraud Is Going “Industrial”
Deepfake scams used to sound like something only elite hackers could pull off. Not anymore.
Reporting from The Guardian highlights a new analysis from AI experts suggesting deepfake fraud has gone “industrial,” meaning it’s now cheap, scalable, and increasingly accessible to non-experts. Researchers tied to the AI Incident Database described a landscape where impersonation scams are becoming one of the most common types of AI-driven incidents reported month after month.
Instead of crude phishing emails, scammers can now use AI tools to generate:
Realistic fake videos of public figures
Fake doctors promoting products
Fake journalists endorsing scams
Realistic job applicants and “candidates” who aren’t real people at all
One example described in the reporting involved an AI security CEO who posted a job listing and quickly received a referral for a candidate who looked perfect on paper. The resume was strong. The emails were polished. The interview was scheduled.
But when the video call began, the candidate’s image loaded slowly, and the background looked artificial. The face was blurred around the edges. The person glitched slightly as they spoke. A deepfake detection firm later confirmed: the interviewee was AI-generated.
The most unsettling part? Even the target didn’t know what the scammer was after…. a salary? access to internal systems? company secrets?
This is what makes deepfake scams uniquely dangerous: they’re not always about stealing money immediately. They’re often about getting trust, access, and leverage first.
Key red flags of deepfake impersonation scams
Video or audio glitches (especially around facial edges)
Backgrounds that look “too smooth” or artificial
Delays before video loads or odd syncing between voice and mouth movement
Overly polished speech with little natural hesitation
Pressure to move fast, hire fast, or approve payments quickly
This is also why deepfake fraud is so effective: it exploits the assumption that “seeing is believing.” In 2026, that assumption is no longer safe.
This is also backed up by McAfee’s previous research. In 2025, McAfee Labs conducted a study of 17 different deepfake-creation tools and found that for just $5 and with just 10 minutes of setup time, scammers can create powerful, realistic-looking deepfake video and audio scams.
This example from our 2025 State of the Scamivers report shows how a deepfake creation tool can realistically transform a live video chat with our McAfee researcher into a chat with “Tom Cruise” or “Keanu Reeves.”
Google “Results About You” Update Shows How Personal Data Fuels Scams
Not every scam story this week is about criminals. This update is about fighting scammers, as shared by Google.
Google announced this week that it has expanded its “Results about you” tool, which helps people monitor and remove sensitive personal information from Search results. Previously, the tool focused on personal contact details like phone numbers, email addresses, and home addresses.
Now, users can also request the removal of Search results that include highly sensitive information like:
This matters because personal data is often the fuel behind the scams we’ve been tracking all year, including romance scams.
Removing sensitive data from search results doesn’t erase it from the internet completely but it can reduce how easily scammers can weaponize it. To take your online privacy to the next level, consider McAfee’s Personal Data Cleanup, which will help remove your personal information across the web.
What this tool helps protect against
Identity theft attempts
Impersonation scams
Doxxing threats
Fake “verification” schemes
Social engineering and targeted romance scams
The scam lesson here is simple: the less information scammers can find, the harder it is for them to tailor the con.
McAfee’s Safety Tips for This Week
This week’s scam pattern is all about emotional manipulation + AI credibility + personal data exposure. The best defense is slowing down and verifying before you trust.
Here are the smartest moves to make right now:
Don’t confuse emotional intensity with authenticity. Love bombing is a tactic, not a love language.
Never send money to someone you haven’t met in real life, no matter how convincing their story is.
Treat “crypto investing tips” from strangers as an immediate red flag.
Don’t move off-platform quickly. If someone insists on WhatsApp, Telegram, or Signal early on, assume they’re trying to isolate you.
Never share verification codes or screenshots of financial apps, even if they claim it’s “just for confirmation.”
Reverse image search profile photos and look for inconsistencies in background details, timelines, or personal stories.
If a video call feels off, trust your instincts. Deepfakes often look almost real, but “almost” is the danger zone.
Reduce your digital footprint. The more personal info available online, the easier it is for scammers to tailor believable impersonations.
A login alert you don’t remember triggering. A password that suddenly doesn’t work. A friend asking why you just posted something… bizarre.
Sometimes it’s even worse: you open your Facebook Page and realize you’re no longer an admin.
Facebook account takeovers often don’t look dramatic at first. They start quietly: a new device login, a recovery email you didn’t add, or a Page role you never approved. But once someone has access, they can lock you out fast, post scams to your followers, and even run unauthorized ads.
This guide walks you through exactly what to do if your Facebook account or Page has been compromised: how to spot the warning signs, how to recover access if you’re locked out, how to remove rogue admins, and how to lock down your account so it doesn’t happen again.
Signs Your Facebook Account May Be Compromised
Facebook hacks often start quietly. The first signs usually look like small changes you don’t remember making.
Watch for these red flags:
Login alerts you didn’t trigger: Notifications about new devices, unfamiliar locations, or verification codes you didn’t request.
Posts or messages you didn’t send: Spam posts, strange DMs, or comments that don’t sound like you.
Account details changed: Your password, email address, phone number, or two-factor authentication settings were updated without you.
Page or Business access changes: New admins added, your role downgraded, unknown partners connected, or ad accounts you don’t recognize.
Unexpected ad spend or billing activity: Ads running that you didn’t create, new payment methods, or charges you can’t explain.
If any of these are happening, assume your account is compromised and start recovery steps immediately.
Step-by-Step: How to Regain Control of a Hacked Facebook Page
Step
What to Do
Where to Go
1. Secure your personal Facebook account first
Log out of all sessions, change your password, and enable two-factor authentication (2FA). If your profile is compromised, your Page will stay vulnerable.
Settings → Password and security
2. Check whether you still have Page access
Go to your Page and see if you can access settings. If you still have partial access, move fast—attackers often remove legitimate admins quickly.
Your Facebook Page → Settings
3. Review Page roles / Page access
Look for unfamiliar admins or anyone with “Full control.” Remove them immediately if you still have permission.
Page Settings → Page access / Page roles
4. Check Meta Business Suite permissions
Hackers may add themselves through Business Manager instead of Page roles. Review who has access to the business and Page assets.
Meta Business Suite → Settings → Business settings → People
5. Remove suspicious partners
If an unknown Business Manager or partner account is connected, remove it. Rogue partners can retain access even after passwords are changed.
Business settings → Partners
6. Audit Ad Accounts and active campaigns
Check if unauthorized ads are running. Pause campaigns immediately and remove unfamiliar users tied to ad access.
Business settings → Ad accounts
7. Review payment methods for fraud
Look for unfamiliar credit cards or PayPal accounts. If charges occurred, contact your payment provider immediately.
Business settings → Payments / Billing
8. Start a Page admin dispute if you lost access
If all admins were removed or your role was downgraded, submit a Page admin dispute through Meta’s Business Help tools and begin the recovery process.
Meta Business Help Center → Page admin dispute / compromised Page support
9. Gather proof of ownership
Prepare evidence like business documentation, domain verification, screenshots of prior Page access, and ad account billing history. The more proof you provide, the faster recovery usually moves.
Business documents + screenshots + domain records
10. Lock down Page security after recovery
Remove rogue admins, reduce admin permissions, require 2FA for everyone, and limit who can manage ads. Treat this like a full security reset.
Page Settings + Meta Business Suite
What to Do After You Regain Control of Your Page
Once you’re back in, don’t stop there.
Attackers often return if they still have access through third-party permissions or compromised admin accounts.
Immediately:
Remove rogue admins
Remove unknown partners
Reset Page access roles
Review ad accounts and billing
Turn on 2FA for everyone with Page access
Reduce admin permissions wherever possible
A good rule: most people don’t need Admin access.
Use Editor, Advertiser, or Moderator roles unless someone truly needs full control.
Lock Down Facebook Security So It Doesn’t Happen Again
Getting back into your account is only half the job. The real goal is making sure the hacker can’t come back.
Turn on login alerts
Facebook can notify you every time a new device logs in.
Go to: Settings → Password and security → Alerts about unrecognized logins
Turn them on for email and notifications.
Use stronger passwords everywhere
Hackers often gain access through reused passwords from older data breaches.
If you’ve used the same password across platforms, change it immediately.
Even if you removed suspicious apps earlier, do a full audit again after recovery.
Go to: Settings → Apps and websites
Remove anything you don’t actively use.
Keep your phone and Facebook app updated
Security updates matter.
Running outdated apps makes it easier for attackers to exploit known vulnerabilities.
Watch out for phishing “Meta Support” scams
Many Facebook hacks don’t happen through technical hacking, they happen through social engineering.
Common scams include:
Fake copyright violation notices
Fake Meta verification warnings
Messages claiming your Page will be deleted
“Support” DMs asking you to click a link and confirm login
If you ever get one of these messages, don’t click.
Open Facebook directly, go to Settings, and check your account status from inside the platform.
Quick Recovery Table: What to Do If Your Facebook Account or Page Is Hacked
Situation
What to Do (Step-by-Step)
Where to Go in Facebook
You see a suspicious login alert
1) Log out of all sessions 2) Change your password immediately 3) Turn on two-factor authentication (2FA)
Settings → Password and security → Where you’re logged in
Your password suddenly doesn’t work
1) Tap Forgot password? 2) Follow recovery prompts 3) Use identity verification if needed
Facebook login screen → Forgot password?
You’re still logged in, but things look “off”
1) Remove unfamiliar devices 2) Check your email/phone info 3) Remove suspicious connected apps
Settings → Accounts Center Settings → Apps and websites
Your email or phone number was changed
1) Check your email for Facebook security alerts 2) Click “This wasn’t me” if available 3) Start recovery and select No longer have access?
Email inbox + recovery flow
Your Facebook Page has a new admin you didn’t add
1) Secure your personal account first 2) Remove the unfamiliar admin immediately 3) Review Page roles for other changes
Page Settings → Page access / Page roles
You lost admin access to your Page
1) Secure your Facebook profile first 2) Check Meta Business Suite permissions 3) Start a Page admin dispute with Meta
Meta Business Suite → Business settings
Unauthorized ads are running
1) Pause all campaigns immediately 2) Remove unfamiliar users/partners 3) Check payment methods for fraud
Business Manager → Ad accounts Business settings → Payments
You want to prevent this from happening again
1) Enable 2FA 2) Use a unique password 3) Turn on login alerts 4) Remove unnecessary admins
Settings → Password and security
Final Tips: Recovering From a Facebook Hack
A Facebook hack is stressful for a reason: it doesn’t just affect your account. It can affect your reputation, your Page, your followers, and even your finances if ads are involved.
The most important steps are:
Act quickly
Secure your email before finishing recovery
Log out all sessions and reset your password
Remove rogue admins and unknown partners
Lock down Business Manager permissions
Enable 2FA for every admin who touches your Page
Once you take control back, reduce access to only the people who truly need it, and keep a close eye on logins and billing activity.
With the right steps, you can recover a hacked Facebook account, remove unauthorized admins, and rebuild trust with your audience.
And most importantly: you can make sure it doesn’t happen again.
Finally, you can always reach out directly and seek support via Facebook’s help center and official contact channels if you still need help.
Frequently Asked Questions
Q: How do I log out of all devices on Facebook?
A: Go to Settings → Password and security → Where you’re logged in, then select Log out of all sessions. After that, change your password and enable 2FA.
Q: What if my email and phone number were changed?
A: Start account recovery through Forgot password? and look for the option No longer have access to these? If you still have access to your original email inbox, check for Facebook security emails and use the “This wasn’t me” link to reverse changes.
Q: How do I remove an admin from a Facebook Page?
A: If you still have Page access, go to Page Settings → Page access / Page roles and remove the person. If you no longer have admin access, you may need to start a Page admin dispute through Meta Business Help Center.
Q: What if someone is running ads from my Page?
A: Go to Meta Business Suite → Business settings → Ad accounts and pause campaigns immediately. Remove unfamiliar users or partners and check billing settings for unauthorized charges.
Q: Are authenticator apps safer than SMS codes?
A: Yes. Authenticator apps (and hardware security keys) are generally stronger than SMS because they’re harder to intercept through SIM-swapping or text message compromise.
Q: Should I warn my followers?
A: If your Page or profile posted spam, sent DMs, or promoted suspicious links, yes. A short post warning followers not to click links or respond to messages can prevent others from getting scammed.
It usually starts with a small, uneasy moment. A notification you don’t recognize. A login code you didn’t request. A friend texting to ask why you just posted something… weird.
If you’re staring at your phone wondering whether your TikTok account was hacked, you’re not alone, and you’re not being paranoid.
Account takeovers often don’t look dramatic at first. They show up as subtle changes: a password that suddenly doesn’t work, a new device logged in overnight, or settings you swear you never touched.
This guide walks you through exactly what to do if your TikTok account has been compromised: how to spot the warning signs, how to recover access if you’re locked out, and how to lock down active sessions so it doesn’t happen again.
Signs Your TikTok Account May Be Compromised
When someone else gets into your account, things usually start behaving in ways that don’t feel like you. Pay attention to changes like these:
Profile or settings changes you didn’t make Your display name, bio, password, linked email, phone number, or privacy settings look different, even though you never touched them.
Content or activity you don’t recognize Videos you didn’t post. Comments or DMs you didn’t send. New follows or likes that don’t match how you use the app.
Login alerts that come out of nowhere Notifications about a new device, verification codes you didn’t request, or emails confirming changes you didn’t initiate.
Other warning signs include being locked out of your usual login method, missing recovery options, or friends telling you your account is sending strange messages.
How to Regain Access to Your TikTok Account
Speed matters here. The longer someone has access, the more they can change, or use your account to scam others.
If you can still log in
Secure the account immediately.
Change your password: Use the “Forgot password?” option if needed and choose a strong, unique password you haven’t used anywhere else.
Check your account details: Confirm the email address and phone number are yours. Remove anything you don’t recognize.
Look for unfamiliar devices or sessions: You’ll deal with this more thoroughly below, but flag anything that looks off.
Be ready to prove ownership. That usually includes:
Your username
A previous email or phone number linked to the account
Devices you’ve used to log in before
Screenshots of changes, if you have them
TikTok uses this information to verify that the account is yours and roll back unauthorized changes.
Secure your email and phone, too
This step is critical and often overlooked.
Change the password on the email account linked to TikTok.If someone controls your email, they can keep resetting your social accounts.
Confirm your phone number is correct and remove any unfamiliar contact info.
Once you regain access, clean up anything the attacker touched, delete suspicious posts, undo profile changes, and revoke access for any apps you don’t recognize.
Figure 1: How to remove TikTok logins from other devices.
Lock Down Sessions and Strengthen Your TikTok Security
Getting back in is only half the job. The next step is making sure whoever got in can’t come back.
Turn on two-step verification
In Settings & Privacy, enable two-factor verification (2FA) and choose your preferred method. An authenticator app offers the strongest protection, but SMS or email is still far better than nothing.
Review active sessions and devices
Head to Security and look for Manage devices or Active sessions.
Remove any devices you don’t recognize.
If available, use “Log out of all devices” to force everyone, including an attacker, out at once.
Revoke third-party app access
Check which apps or tools are connected to your TikTok account and remove anything you don’t use or trust.
Use a strong, unique password
Aim for 12+ characters with a mix of letters, numbers, and symbols.
Updates often include security fixes. Running outdated software makes it easier for attackers to exploit known issues.
Be cautious with links and messages
Unexpected DMs, “copyright warnings,” fake verification notices, or links asking you to log in again are common hacker tactics. When in doubt, don’t click, open the app directly instead.
Figure 2: Where in “Security & permissions” to find security updates and 2FA.
How to Report an Impersonation Account on TikTok
Discovering a fake account that’s using your name, photos, or videos can feel like a second violation on top of having your account hacked.
Luckily, TikTok has a way to flag these imposters, both from inside the app and, in some regions, through an official web form.
Open the impostor’s profile: Head to the account that’s pretending to be you.
Tap the share icon: On mobile, this is usually the arrow at the top of the profile.
Select “Report”: Choose the option to report the account.
Choose “Report account” → “Pretending to Be Someone”: That’s TikTok’s way of flagging impersonation specifically.
Indicate who is being impersonated: Select Me if it’s your identity, or Celebrity/Another person if it’s someone else. Then submit.
Figure 3: A screenshot showing where in TikTok you report fake profiles.
Choose whether you’re reporting or appealing an impersonation.
Enter your email and country.
Upload valid ID or other proof that you’re who you say you are.
Confirm the statements and submit the form.
For accounts outside the U.S., the public Help Center form lets you select Report a potential violation → Account violation → Impersonation and walk through similar steps.
Frequently Asked Questions
Q: How do I lock down sessions on TikTok? A: Go to Settings & Privacy → Security, then open Manage devices or Active sessions. Remove unfamiliar devices, log out of all sessions if possible, change your password, and enable two-step verification.
Q: Can I recover my account if the email and phone number were changed? A: Yes. Start an account recovery request through TikTok support and provide proof of ownership, including previous contact details and device information.
Q: What if I keep getting verification codes I didn’t request? A: That’s a sign someone is trying to get in. Change your password immediately, enable two-step verification, and review active sessions. If it continues, contact TikTok support
Q: Should I warn my followers? A: If your account posted or messaged others without your permission, yes. Let people know your account was compromised so they don’t engage with scam links or requests.
You block a caller, feel a moment of relief, and then the phone rings again. If you’re wondering why you still get spam calls even after blocking numbers, you’re not alone.
Spammers evolve quickly. They rotate phone numbers, spoof caller IDs, and use automated dialers to bypass basic defences, which is why many people see blocked calls still coming through and ask, can blocked numbers call you?
In this guide, we’ll explain what’s happening behind the scenes, share proven steps for how to stop getting spam calls, and help you protect your privacy and finances with confidence.
What Counts as a Spam Call?
Spam calls are unsolicited calls that aim to sell, deceive, or defraud. They include aggressive sales pitches, fake giveaways, tech support scams, and impersonations of banks or government agencies. Some are placed by people, while many are robocalls that play prerecorded messages at scale. Legality often hinges on consent and compliance with regulations, but harmful calls tend to ignore the rules.
The typical scam call red flags: 1) Urgent or threatening language. 2) Pressure to pay right now. 3) Requests for sensitive details like Social Security numbers, bank information, or one-time passcodes.
Robocalls drive much of the volume today. They’re inexpensive, fast, and highly automated. While appointment reminders or pharmacy updates can be helpful and legitimate, scam robocalls promote fake debt collection, prize schemes, or malicious tech support. Their scale is precisely why blocked calls still coming through remains a persistent frustration.
Inbox of spam calls feel familiar?
Why Blocking Numbers Doesn’t Stop Spam
Blocking prevents repeat calls from the same caller ID. Spammers know this and adapt. They rotate through vast pools of numbers, so each attempt looks new. You block one, and the next call arrives from a different number. It’s a cat-and-mouse game that leads many to ask, can blocked numbers call you or why is a blocked number still calling?
Caller ID spoofing amplifies the problem. Spoofing lets scammers display any number they want, including matching your area code or appearing as a trusted organisation. This undermines caller ID and weakens number-based blocking. Some spoofed calls even show familiar names, increasing the chance you’ll answer.
Behind the scenes, spam operations acquire and discard numbers rapidly through VoIP services and disposable lines. Large campaigns can cycle through thousands of numbers daily, which makes manual blocking a limited defense. That’s why you still get spam calls even after blocking numbers and why many people wonder how to stop getting spam calls for good.
Layered Measures to Reduce Spam Calls
A stronger strategy combines smarter tools with practical policies that work together. Here’s how we approach it:
Use call-protection apps: Choose reputable apps that leverage threat intelligence, crowdsourced reports, and machine learning. These tools detect patterns, silence high-risk calls, and warn you before you answer. Many provide enhanced caller ID and category-based filtering to cut down the noise.
Register with the National Do Not Call Registry: Add your number at donotcall.gov to reduce lawful telemarketing. It won’t stop illegal spam calls, but it trims legitimate sales outreach and supports enforcement when violators call.
Use your mobile carrier’s protections: Most phone carriers offer built-in features that help identify and block spam calls, often at no extra cost. When these tools are turned on, your phone may label suspicious calls as “Scam Likely,” warn you before you answer, or automatically block known spam numbers. Some carriers can also verify when a call is coming from a real business, which makes it harder for scammers to fake caller IDs and pretend to be someone they’re not.
Used together, these layers reduce the chance that a blocked number still calling will get through and provide practical answers for how to stop getting spam calls without missing important calls.
Best Practices for Handling Incoming Calls
Build habits that make suspicious calls easier to spot and manage:
Spot potential spam: Be cautious with unknown numbers, urgent demands, and offers that sound too good to be true. Don’t share personal information, one-time passcodes, or payment details. If someone claims to be from your bank, healthcare provider, or a government agency, hang up and call back using a verified number from their official website.
Report spam quickly: File complaints with the Federal Trade Commission (FTC) at reportfraud.ftc.gov and the Federal Communications Commission (FCC) at consumercomplaints.fcc.gov. Include caller ID, time, message content, and any request for data or payment. Many call-protection apps and carriers support in-app reporting, which improves filters for everyone.
Use call screening: Turn on features like Silence Unknown Callers on iOS or Filter Spam Calls on Android. Enable voicemail transcription and consider Do Not Disturb with exceptions for contacts and verified callers. Use screening assistants where available to prompt unknown callers to state their purpose. This reduces interruptions and blocks automated spam.
Stay Safe from Social Engineering
Phone scams often rely on social engineering. Recognising common tactics helps you pause and protect yourself.
Spot voice phishing: Be wary of claims that your account is locked, a payment is overdue, or an immediate verification code is needed. Legitimate organisations do not ask for full Social Security numbers, passwords, or 2FA codes over the phone. If you’re concerned, contact the company through a trusted channel.
Protect personal information: Keep sensitive data private. Don’t share account numbers, PINs, passwords, or security codes in response to an incoming call. Use strong, unique passwords and enable multi-factor authentication. If you receive a verification code you didn’t request, secure your account right away.
If you responded to a spam call: If you disclosed financial details or made a payment, contact your bank or card issuer immediately. Change passwords, enable account alerts, and review recent activity. Report the incident to the FTC and local law enforcement if needed. Consider a credit freeze with the major credit bureaus. If a device may be compromised, run a trusted security app to scan and remove suspicious software.
Quick Comparison of Anti-Spam Call Options
Option
What It Does
Pros
Limitations
Manual Number Blocking
Blocks repeat calls from a specific caller ID
Built into phones; easy to use
Spammers rotate and spoof numbers; limited reach
Call-Protection Apps
Uses threat intelligence, AI, and community reports
Detects patterns; warns before you answer; auto-blocks known spam
May filter legitimate calls; requires setup and permissions
Carrier Protections
Network-level filtering and caller authentication (STIR/SHAKEN)
Silences unknown callers and transcribes voicemail
Minimises interruptions; helps you review safely
May miss important calls from new contacts
If you’re asking why you still get spam calls even after blocking numbers or seeing a blocked number still calling, this table shows how layered options work together to reduce risks.
Go Beyond Blocking: Remove Your Number From the Dark Web and Data Broker Lists
Blocking spam callers treats the symptom, not the source. One reason spam keeps coming is that your phone number may already be circulating in data broker databases or dark web marketplaces after a breach, app signup, or form fill. Once your number is out there, it gets resold, bundled, and targeted repeatedly.
McAfee Data Cleanup tackles that upstream problem. It helps find where your personal data, including your phone number, appears online and works to remove it from risky sources. Fewer listings mean fewer lists for spammers to buy and fewer campaigns aimed at your number.
How your number ends up being targeted
Data brokers: Many sites legally collect and resell contact details. Spammers buy access and blast calls at scale.
Breaches and leaks: Stolen databases often end up on underground forums, where numbers are traded and reused.
Public profiles and apps: Old accounts, giveaways, and permissions can expose your number without you realising.
What Data Cleanup adds to your defense
Finds exposures: Scans for your number across broker sites and known risk areas.
Removes listings: Submits opt-out and removal requests on your behalf, reducing where your data lives online.
Keeps watch: Monitors for reappearance so your number doesn’t quietly get relisted later.
Think of this as turning down the tap, not just mopping the floor. When fewer databases have your number, spam operations have fewer ways to reach you.
If you’re serious about how to stop getting spam calls, add data cleanup to your toolkit. Reducing your digital footprint won’t eliminate every bad call overnight, but over time, it lowers exposure, cuts repeat targeting, and helps reclaim your phone from constant interruptions.
Blocking Isn’t Protection. Layering Is.
If spam calls feel endless, it’s because blocking numbers was never designed to stop modern scam operations. Today’s callers rotate numbers, spoof trusted IDs, and pull your phone number from massive data ecosystems that don’t disappear when you tap “Block.”
The real fix is layered protection. Call filtering and carrier tools help stop suspicious calls at the door. Screening features reduce interruptions. And addressing the source, by limiting where your number exists online, cuts down the number of campaigns that ever reach you in the first place.
No single tool will end spam calls overnight. But when you combine smart call protections, cautious habits, and proactive data cleanup, the volume drops, the risks shrink, and your phone becomes a lot quieter.
If you’ve been asking why you still get spam calls even after blocking numbers, this is the answer. Blocking is reactive. Protection works best when it’s proactive.
FAQs
Q: Why do spam calls look like they’re from my area code?
A: Scammers use caller ID spoofing to display local-looking numbers, increasing the chances you’ll answer. Spoofing can mimic legitimate numbers, so don’t rely on caller ID alone. If you’re seeing a blocked number still calling with a local prefix, turn on carrier protections and call screening.
Q: Do call-blocking apps really help?
A: Yes. Quality apps combine real-time threat intelligence with community reports and machine learning to spot patterns and flag risky calls. While no tool catches everything, they significantly reduce spam calls and help address why you still get spam calls even after blocking numbers.
Q: Will the Do Not Call Registry stop all spam calls?
A: No. It reduces lawful telemarketing but does not stop illegal or scam calls. Registering still helps cut legitimate outreach and supports enforcement against violators, which is an important step in how to stop getting spam calls.
Q: What should I do after receiving a suspicious call?
A: Don’t share information. Hang up, verify the caller using a trusted number, and report the incident to the FTC or FCC. If you clicked a link or provided details, secure your accounts and contact your bank or service provider right away.
Q: Can my mobile carrier block spoofed calls?
A: Carriers support caller authentication through STIR/SHAKEN, which helps identify and flag spoofed calls. Turn on your carrier’s spam protection features and screening options to reduce the chances of blocked calls still coming through.
This week in scams, attackers are leaning hard on familiar brands, everyday tools, and routine behavior to trigger fast, unthinking reactions. From fake Netflix billing alerts to malicious browser extensions and QR code phishing tied to foreign espionage, the common thread is trust being weaponized at exactly the right moment.
Every week, this roundup breaks down the scam and cybersecurity stories making news and explains how they actually work, so readers can better recognize risk and avoid being manipulated.
Let’s get into it.
Netflix Billing Emails Are Back… And Still Catching People Off Guard
The big picture:Subscription phishing is resurging, with scammers impersonating Netflix and using fake billing failures to push victims into handing over payment details.
What happened:Multiple Netflix impersonation emails circulated again this month, warning recipients that a payment failed and urging them to “update payment” to avoid service interruption. The messages closely mirror Netflix’s real branding and include polished formatting, official-looking language, and even PDF attachments designed to feel like legitimate billing notices.
What makes these scams effective is timing. Victims often receive them while actively reviewing subscriptions, updating payment methods, or considering canceling services. That context lowers skepticism just enough for a quick click before slowing down to verify.
McAfee’s Scam Detector flagged the messages (which one of our own employees received this week) as phishing, confirming they were designed to steal payment information rather than resolve a real billing issue.
Red flags to watch for:
Unexpected billing problems paired with urgent calls to act
Payment requests delivered by email instead of inside the app
Attachments or buttons asking you to “fix” account issues
Sender addresses that don’t match official Netflix domains
How this scam works:This is classic brand impersonation phishing. Scammers don’t need to hack Netflix itself. They rely on people recognizing the logo, trusting the message, and reacting emotionally to the idea of losing access. The attachment and clean design help bypass instinctive spam filters in the brain, even when technical filters catch it later.
Netflix has warned customers about these scams and offers advice on its site if you encounter one.
What to do instead: If you get a billing alert, don’t click. Open the Netflix app or manually type the site address to check your account. If there’s no issue there, the email wasn’t real.
Fake Ad Blocker Crashes Browsers to Push “Fix It” Malware
The big picture: Attackers are exploiting browser crashes themselves as a social engineering tool, turning technical disruption into a pathway for malware installation.
What happened: Researchers reported a malvertising campaign promoting a fake ad-blocking browser extension called “NexShield,” which falsely claimed to be created by the developer of a well-known, legitimate ad blocker. Once installed, the extension intentionally overwhelmed the browser, causing freezes, crashes, and system instability.
After restart, victims were shown fake security warnings instructing them to “fix” the problem by running commands on their own computer. Following those instructions triggered the download of a remote access tool capable of spying, executing commands, and installing additional malware. The reporting was first detailed by Bleeping Computer, with technical analysis from security researchers.
Red flags to watch for:
Browser extensions promising performance boosts or “ultimate” protection
Crashes immediately after installing a new extension
Pop-ups instructing you to run commands manually
“Security fixes” that require copying and pasting code
How this scam works: This is a variant of ClickFix attacks. Instead of faking a problem, attackers cause a real one, then position themselves as the solution. The crash creates urgency and confusion, making people more likely to follow instructions they’d normally question. It turns frustration into compliance.
FBI Warns QR Code Phishing Is Being Used for Cyber Espionage
The big picture:QR codes are being used as stealth phishing tools, with highly targeted attacks tied to foreign intelligence operations.
What happened:The Federal Bureau of Investigation issued a warning about QR code phishing, or “quishing,” campaigns linked to a North Korean government-backed hacking group. According to reporting by Fox News, attackers sent emails containing QR codes that redirected victims to fake login pages or malware-hosting sites.
In some cases, simply visiting the site allowed attackers to collect device data, location details, and system information, even if no credentials were entered. These campaigns are highly targeted, often aimed at professionals in policy, research, and technology sectors.
Red flags to watch for:
QR codes sent by email or messaging apps
QR codes leading to login pages for work tools or cloud services
Messages that feel personalized but unexpected
Requests to scan instead of click
How this scam works: QR codes hide the destination URL, removing the visual cues people rely on to judge safety. Because scanning feels faster and more “passive” than clicking a link, people often skip verification entirely. That moment of trust is what attackers exploit.
Verify inside official apps. Billing or security issues should be confirmed directly in the app or website you normally use, not through email links or QR codes.
Treat extensions like software installs. Only install browser extensions from trusted publishers you already know, and remove anything that causes instability.
Slow down with QR codes. If a QR code leads to a login page or download, close it and navigate manually instead.
Watch for urgency + familiarity. Scammers increasingly rely on brands, tools, and behaviors you already trust to short-circuit caution.
McAfee will be back next week with another roundup of the scams making headlines and the practical steps you can take to stay safer online.
Microsoft users across the U.S. experienced widespread disruptions Thursday after a technical failure prevented people from sending or receiving email through Outlook, a core service within Microsoft 365.
The outage occurred during U.S. business hours and quickly affected schools, government offices, and companies that rely on Outlook for daily operations. Microsoft confirmed the issue publicly and said it was working to restore service. There is no indication the disruption was caused by a cyberattack, according to company statements.
Still, McAfee warns in these situations to be wary of phishing attempts as scammers latch onto these outages to take advantage of innocent users.
“Outages like this create uncertainty, and scammers move fast to take advantage of it,” said Steve Grobman, McAfee’s Chief Technology Officer. “When people can’t get into email or the tools they use every day, it’s easy to assume something is wrong with your account — and that’s exactly the moment attackers look for.”
“Fake alerts start circulating that look like they’re coming from the real company, with logos and urgent language telling you to reset a password or verify your information,” Grobman added. “Some push fake support numbers or messages claiming they can restore access. If you’re impacted, slow down, go straight to the official source for updates, and don’t share passwords, verification codes, or payment details in response to an unexpected message.”
“Tools that can spot suspicious links and fake login pages help reduce risk — especially when people are trying to get back online quickly,” Grobman said.
Here, we break down what happened and why outages are prime time for scammers.
What happened to Microsoft Outlook?
A Microsoft infrastructure failure disrupted email delivery.
Microsoft said the outage was caused by a portion of its North American service infrastructure that was failing to properly handle traffic. Users attempting to send or receive email encountered a “451 4.3.2 temporary server issue” error message.
Microsoft also warned that related services, including OneDrive search and SharePoint Online, could experience slowdowns or intermittent failures during the incident.
When did the Microsoft outage happen?
The disruption unfolded over several hours on Thursday afternoon (ET).
Based on timelines reported by CNBC and live coverage from Tom’s Guide, the outage progressed as follows:
Around 2:00 p.m. ET: User reports spike across Microsoft services, especially Outlook, according to Down Detector data cited by Tom’s Guide.
2:37 p.m. ET: Microsoft confirms it is investigating an Outlook email issue, per CNBC.
3:17 p.m. ET: Microsoft says it identified misrouted traffic tied to infrastructure problems in North America, CNBC reports.
4:14 p.m. ET: The company announces affected infrastructure has been restored and traffic is being redirected to recover service.
Tom’s Guide reported that while outage reports declined after Microsoft’s fix, some users continued to experience intermittent access issues as systems rebalanced.
Was this a hack or cyberattack?
No. Microsoft says the outage was caused by technical infrastructure issues.
According to CNBC, Microsoft has not indicated that the outage was the result of hacking, ransomware, or any external attack. Instead, the company attributed the disruption to internal infrastructure handling errors, similar to a previous Outlook outage last July that lasted more than 21 hours.
A message sent by Microsoft about the server issue.
Why outages cause widespread disruption
Modern work depends on shared cloud infrastructure.
That sudden loss of access often leaves users unsure whether:
Their account has been compromised
Their data is at risk
They need to take immediate action
That uncertainty is exactly what scammers look for.
How scammers exploit big tech outages
They impersonate the company and trick users into signing in again.
After major outages involving Microsoft, Google, or Amazon Web Services, security researchers, including McAfee, have observed scam campaigns emerge within hours.
These scams typically work by:
Impersonating Microsoft using logos, branding, and language copied from real outage notices
Sending fake “service restoration” emails or texts claiming users must re-authenticate
Linking to realistic login pages designed to steal Microsoft usernames and passwords
Posing as IT support or Microsoft support and directing users to fake phone numbers
Once credentials are stolen, attackers can access email accounts, reset passwords on other services, or launch further phishing attacks from a trusted address.
How to stay safe during a Microsoft outage
Outages are confusing. Scammers rely on urgency and familiarity.
To reduce risk:
Do not click links in emails or texts about outages or “account recovery.”
Go directly to official sources, such as Microsoft’s status page or verified social accounts.
Never re-enter your password through links sent during an outage.
Ignore urgent fixes that ask for downloads, payments, or credentials.
Using advanced artificial intelligence, McAfee’s built-in Scam Detector automatically detects scams across text, email, and video, blocks dangerous links, and identifies deepfakes, helping stop harm before it happens.
McAfee’s identity protection tools also monitor for signs your personal information may be exposed and guide you through recovery if scammers gain access.
FAQ
Q: Is Microsoft Outlook still down? A: Microsoft said Thursday afternoon that it had restored affected infrastructure and was redirecting traffic to recover service, according to CNBC. Some users may still experience intermittent issues.
Q: Was the Microsoft outage caused by hackers? A: No. Microsoft has not reported any cyberattack or data breach related to the outage, per CNBC.
Q: Can scammers really use outages to steal accounts? A: Yes. During major outages, scammers often impersonate companies like Microsoft and trick users into signing in again on fake websites.
Q: Should I reset my password after an outage? A: Only if you clicked a suspicious link or entered your credentials somewhere outside Microsoft’s official site. Otherwise, resetting passwords isn’t necessary.
Or paying for parking. Or checking a package notice taped to your door. A quick scan, a familiar logo, a page that loads instantly on your phone.
Nothing about it felt risky.
That’s exactly why QR code scams are spreading so quickly.
QR codes have become part of everyday life. They’re on restaurant tables, public signs, emails, mailers, and payment screens. We’re taught to treat them as shortcuts—faster than typing a URL, easier than downloading an app, safer than clicking a link.
Scammers know that.
Instead of asking you to click something suspicious, they ask you to scan something ordinary. Once you do, you can be routed to fake login pages, payment requests, or malicious sites designed to steal your information before you realize anything is wrong.
This tactic has a name: quishing.
And as QR codes continue to replace links in the real world, understanding how quishing works is essential to staying safe online.
What Is Quishing?
Quishing is a form of phishing that uses QR codes instead of clickable links to trick people into visiting malicious websites or giving up sensitive information.
The term combines QR and phishing, and it reflects a simple but dangerous shift in scam tactics:instead of asking you to click, scammers ask you to scan.
Once scanned, a fake QR code can lead to:
Credential-harvesting login pages
Payment requests or fake invoices
Malware downloads
Fake customer support portals
Subscription traps
Because QR codes don’t show a visible URL before you scan, they remove one of the most important scam warning signs people rely on.
Common QR Code Scams to Watch Out For
While quishing attacks vary, most fall into a few predictable patterns.
1. Fake parking and payment QR codes
Scammers place stickers over legitimate parking meter QR codes. When scanned, victims are taken to fake payment pages that steal card details.
Red flag: A QR code that asks for full payment details without redirecting to a known parking or city service.
2. Restaurant menu swaps
Fraudsters replace real menu QR codes with fake ones that redirect to phishing pages or malicious downloads.
Red flag: A menu page that asks you to “sign in,” download an app, or confirm personal details.
3. Delivery and package alerts
Flyers or door tags claim you missed a delivery and instruct you to scan a QR code to reschedule.
Red flag: Vague delivery details and pressure to act quickly.
4. Fake account security warnings
QR codes claim your bank, streaming service, or email account needs verification.
Red flag: Any QR code that demands immediate action for “security reasons.”
5. Subscription traps and fake offers
Some QR codes promise discounts, refunds, or rewards but quietly enroll users in recurring charges.
Red flag: Fine print that’s hard to find, or missing entirely.
What Makes Quishing Especially Dangerous
QR scams succeed not because people are careless, but because they exploit trust and routine.
Unlike traditional phishing emails, quishing:
Happens offline and online at the same time
Often appears in trusted physical locations
Feels faster and more “legit”
Bypasses visual link inspection
Once a victim lands on a fake site, the damage can escalate quickly, from stolen credentials to drained accounts to identity theft.
How to Spot a Fake QR Code Before You Scan
You don’t need to avoid QR codes entirely, but you do need to slow down.
Check the physical context
Is the QR code taped on, scratched, or layered over another code? That’s a common tactic.
Look for branding inconsistencies
Misspellings, generic logos, or mismatched colors are red flags.
Preview the link
Most phone cameras now show the URL before opening it. Take a second to read it.
Be skeptical of urgency
Any QR code that pressures you to act immediately deserves extra scrutiny.
How to Protect Yourself From QR Scams
Step 1: Treat QR codes like links
A QR code is a shortcut to a website. Apply the same caution you would to any link.
Step 2: Avoid entering sensitive information
Legitimate services rarely ask for passwords, payment info, or personal details via QR codes.
Step 3: Use mobile security tools
Security software can help detect malicious sites and block risky downloads before damage is done.
Step 4: When in doubt, go direct
Instead of scanning, manually visit the official website or app you trust.
What to Do If You Scanned a Suspicious QR Code
If you think you interacted with a malicious QR code:
Stop engaging with the site immediately
Do not enter additional information
Monitor your financial accounts for unusual activity
Login
