Immigration and Customs Enforcement lifted a $180 million cap on a proposed immigrant-tracking program while guaranteeing multimillion-dollar payouts for private surveillance firms.
Scammers aren’t worried about ending up on the naughty list. If anything, they’re doubling down in 2025.
This year, scammers are impersonating major brands with startling accuracy, from fake delivery updates to cloned checkout pages.
Our McAfee Labs researchers analyzed real scam texts, emails, and URLs from October through early November, along with consumer survey data, to identify the patterns shaping this season’s fraud.
Here’s what shoppers need to know, what’s trending upward, and how to spot the fakes before they reach your cart.
What Is a Holiday Brand-Impersonation Scam?
A brand-impersonation scam is when criminals copy a real brand, like a retailer, tech company, bank, or delivery service, to make fake emails, texts, ads, or websites that look legitimate.
Their goal is to trick shoppers into clicking, entering account details, or making a payment.
McAfee Labs’ brand impersonation analysis shows criminals focusing on the items people shop for most — tech gifts, luxury goods, and high-demand drops.
Fake versions of these brands typically include:
Copied product photos
Familiar layouts
Holiday sale graphics
Support pages designed to capture logins
An example of a phishing attempt this holiday season. THIS IS A FAKE PHISHING EMAIL!
Which Brands Are Being Faked the Most This Holiday Season?
Top 5 most impersonated luxury brands
Coach
Dior
Ralph Lauren
Rolex
Gucci
Top 5 most impersonated mainstream consumer brands
Apple
Nintendo
Samsung
Disney
Steam
Other Key Research Takeaways:
Email scams are exploding, up ~50% in retail and ~85% in tech as the holidays approach.
Fake storefronts are rising, with technology URL scams up nearly 50% and consumer URL scams up ~5%.
Trusted brands are the most impersonated, including Amazon, Microsoft, Apple, Walmart, and Costco.
96% plan to shop online
91% see ads from unfamiliar retailers
37% may buy from brands they don’t recognize
AI is reshaping scams, with 46% of Americans encountering fake celebrity or influencer endorsements.
How to Stay Safe While Brands Are Being Faked This Season
Scammers are getting better at copying the brands you trust, but avoiding the fakes gets much easier when you slow down, verify what you see, and use tools that check links and messages before you click.
Here’s what actually helps during a season when realistic-looking scams are everywhere:
1. Go straight to the source
If you get a message about an order, refund, delivery issue, or account lockout, don’t click the link.
Go directly to the retailer’s app or type the URL manually.
This single habit eliminates most holiday scams.
This may look exactly like the Netflix login page… but it’s not. This scam landing page is meant to steal your username and password.
2. Inspect the sender, not the graphics
Scammers can recreate logos, colors, and templates perfectly.
What they can’t easily mimic:
A legitimate domain
A verified phone number
A support email that matches the company’s format
If the sender looks off, the message is off.
3. Let security tools check the link for you
McAfee’s online protection adds a critical layer of holiday safety, especially when scammers imitate retailers with near-perfect accuracy.
Key protections include:
Web Protection
Blocks malicious or suspicious websites before they load — including fake checkout pages, login portals, and support sites.
Scam Detector
Built into all core McAfee plans. It flags scam texts, emails, and even deepfake-style video promotions, letting you know a link or message is unsafe before you interact with it.
Password Manager
Creates and stores strong, unique passwords so a stolen login from one retailer doesn’t unlock your whole digital life.
Identity & Financial Monitoring
Transaction Monitoring and Credit Monitoring can alert you to unusual activity — a crucial safety net when stolen logins, card numbers, or personal details circulate quickly during the holidays.
These tools help counter the exact tactics scammers rely on: cloned websites, fake brand emails, and phishing links disguised as legitimate retailers.
This shows a SMishing text from a fake Amazon. Companies won’t text you like this.
4. Turn on two-factor authentication everywhere you shop
Even if a scammer gets your password, they can’t get in without your one-time code.
5. Treat urgency as a red flag
Legitimate companies don’t ask you to “act in minutes,” pay fees to “unlock” an account, or claim you must stay on the line.
Pressure is a tactic — not customer service.
6. Keep an eye on your accounts
Check your banking and shopping accounts weekly.
Small unauthorized charges often appear before large ones.
Born out of an internal hackathon, Amazon’s Autonomous Threat Analysis system uses a variety of specialized AI agents to detect weaknesses and propose fixes to the company’s platforms.
Leading off our news on scams this week, a heads-up for DoorDash users, merchants, and Dashers too. A data breach of an undisclosed size may have impacted you.
Per an email sent by the company to “affected DoorDash users where required,” a third party gained access to data that may have included a mix of the following:
First and last name
Physical address
Phone number
Email address
You might have got the email too. And even if you didn’t, anyone who’s used DoorDash should take note.
As to the potential scope of the breach, DoorDash made no comment in its email or a post on their help site. Of note, though, is that one of the help lines cited in their post mentions a French-language number—implying that the breach might affect Canadian users as well. Any reach beyond the U.S. and Canada remains unclear.
Per the company’s Q2 financial report this year, its user base spans “hundreds of thousands of merchants, tens of millions of consumers, and millions of Dashers across over 30 countries every month.” Stats published elsewhere put the user base at more than 40 million people, which includes some 600,000 merchants.
The company underscored that no “sensitive” info like Social Security Numbers (and potentially Canadian Social Insurance Numbers) was involved in the breach. This marks the third notable breach by the well-known delivery service, following incidents in 2019 and 2022.
Image of DoorDash email about data breach.
What to do if you think you got caught up in the DoorDash breach
While the types of info involved here appear to be limited, any time there’s a breach, we suggest the following:
Protect your credit and identity. Checking your credit and getting identity theft protection can help keep you safer in the aftermath of a breach. Further, a security freeze can help prevent identity theft if you spot any unusual activity. You can get all three in place with our McAfee+ Advanced or Ultimate plans.
Keep an eye out for phishing attacks. With some personal info in hand, bad actors might seek out more. They might follow up a breach with rounds of phishing attacks that direct you to bogus sites designed to steal your personal info. As with any text or email you get from a company, make sure it’s legitimate before clicking or tapping on any links. Instead, go straight to the appropriate website or contact them by phone directly. Also, protections like our Scam Detector and Web Protection can alert you to scams and sketchy links before they take you somewhere you don’t want to go.
Update your passwords and use two-factor authentication. Changing your password is a strong preventive measure. Strong and unique passwords are best, which means never reusing your passwords across different sites and platforms. Using a password manager helps you stay on top of it all while also storing your passwords securely.
Attention travelers: Now boarding, a rise in flight cancellation scams
Even as the FAA lifted recent flight restrictions on Monday morning, scammers are still taking advantage of lingering uncertainty, and upcoming holiday travel, with a spate of flight cancellation scams.
How the scam works
Fake cancellation texts
The first comes via a text message saying that your flight has been cancelled and you must call or rebook quickly to avoid losing your seat—usually in 30 minutes. It’s a typical scammer trick, where they hook you with a combination of bad news and urgency. Of course, the phone number and the site don’t connect you with your airline. They connect you to a scammer, who walks away with your money and your card info to potentially rip you off again.
Fake airline sites in search results
The second uses paid search results. We’ve talked about this trick in our blogs before. Because paid search results appear ahead of organic results, scammers spin up bogus sites that mirror legitimate ones and promote them in paid search. In this way, they can look like a certain well-known airline and appear in search before the real airline’s listing. With that, people often mistakenly click the first link they see. From there, the scam plays out just as above as the scammer comes away with your money and card info.
How to avoid flight cancellation scams
Q: How can I confirm whether my flight is really canceled? A: Check directly in your airline’s official app or website. Never click links in texts or emails.
Q: How can I spot a fake airline search result? A: Look for “Ad”/“Sponsored,” confirm the URL, and check that the site uses HTTPS, not HTTP.
Q: Is there a tool that flags fake booking sites? A: Scam-spotting tools like Scam Detector and Web Protection can identify sketchy links before you click.
In search, first isn’t always best.
Look closely to see if your top results are tagged with “Sponsored” or “Ad” in some way, realizing it might be in fine print. Further, look at the web address. Does it start with “https” (the “s” means secure)? Many scam sites simply use an unsecured “http” site. Also, does the link look right? For example, if you’re searching for “Generic Airlines,” is the link the expected “genericairlines dot-com” or something else? Scammers often try to spoof it in some way by adding to the name or by creating a subdomain like this: “genericairlines.rebookyourflight dot-com.”
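The address check described above, written out as an added example (not McAfee's code or part of any McAfee product). The function names and warning labels are assumptions, the sample links are constructed from the article's "Generic Airlines" placeholder, and HTTPS is treated as necessary but not as proof that a site is genuine.

```python
from urllib.parse import urlsplit


def check_link(url, official_domain):
    """Return a list of warning labels for url; an empty list means no red flags.

    official_domain is the address you already know belongs to the company,
    for example taken from its app or the back of your card.
    """
    warnings = []
    official = official_domain.lower().strip(".")
    brand = official.split(".")[0]          # "genericairlines"

    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:                      # malformed address, e.g. broken brackets
        return ["unparseable"]

    # Plain http fails the check. https passing proves only that the
    # connection is encrypted, so the domain test below still decides.
    if parts.scheme.lower() != "https":
        warnings.append("not-https")
    if not host:
        warnings.append("no-host")
        return warnings

    # The host must BE the official domain or end with "." + official domain.
    # Matching on the dot boundary is what rejects "notgenericairlines.com".
    on_official = host == official or host.endswith("." + official)
    if not on_official:
        warnings.append("wrong-domain")
        labels = host.split(".")
        # Assumption: the last two labels are the registered domain. Exact
        # handling of suffixes like "co.uk" needs the Public Suffix List.
        if brand in labels[:-2]:
            # Brand used as a subdomain of someone else's domain, as in
            # genericairlines.rebookyourflight.com
            warnings.append("brand-as-subdomain")
        elif brand in host:
            # Brand name with something added to it
            warnings.append("brand-in-lookalike-name")
    return warnings


# Constructed sample links for illustration only.
SAMPLE_LINKS = [
    "https://www.genericairlines.com/manage-booking",
    "https://genericairlines.rebookyourflight.com/rebook",
    "https://genericairlines-rebooking.com/",
    "https://notgenericairlines.com/",
    "http://genericairlines.com/",
]


def triage(links, official_domain):
    """Map each link to its warnings so the flagged ones stand out."""
    return {link: check_link(link, official_domain) for link in links}


if __name__ == "__main__":
    for link, found in triage(SAMPLE_LINKS, "genericairlines.com").items():
        print(("OK      " if not found else "SUSPECT ") + link, found)
```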
Get a scam detector to spot bogus links for you.
Even with these tips and tools, spotting bogus links with the naked eye can get tricky. Some look “close enough” to a legitimate link that you might overlook it. Yet a combination of features in our McAfee+ plans can help do that work for you. Our Scam Detector helps you stay safer with advanced scam detection technology built to spot and stop scams across text messages, emails, and videos. Likewise, our Web Protection will alert you if a link might take you to a sketchy site. It’ll also block those sites if you accidentally tap or click on a bad link.
Scammers Hijack a Trusted Mass Texting Provider
You’ve probably seen plenty of messages sent by short code numbers. They’re the five- or six-digit codes used to send texts in place of a phone number. For example, your cable company might use one to send a text for resetting a streaming password. The same goes for your pharmacy letting you know a prescription is ready, your state’s DoT issuing a winter travel alert, and so on.
According to NBC News, scammers sent hundreds of thousands of texts using codes used by the state of New York, a charity, and a political organizing group. The article also cites an email sent to messaging providers by the U.S. Short Code Registry, an industry nonprofit that maintains those codes in the U.S. In the email, the registry said attempted attacks on messaging providers are on the rise.
What this means for the rest of us is that just about any text from an unknown number, and now short codes, might contain malicious links and content. It’s one more reason to arm yourself with the one-two punch of our Scam Detector and Web Protection.
What are short codes?
Short codes are 5–6 digit numbers used by pharmacies, utilities, banks, and government agencies to send official alerts.
Why this attack is unusual
Scammers didn’t spoof short codes—they gained access to real ones used by:
The State of New York
A charity
A political organizing group
Why this matters
Even texts from legitimate short-code numbers can no longer be trusted at face value.
What to do now
Treat any unexpected text—even from a short code—as suspicious.
Don’t tap links.
Verify by going directly to the official website or app.
Plus: The SEC lets SolarWinds off the hook, Microsoft stops a historic DDoS attack, and FBI documents reveal the agency spied on an immigration activist Signal group in New York City.
At New Zealand's Kawaiicon cybersecurity convention, organizers hacked together a way for attendees to track CO2 levels throughout the venue—even before they arrived.
Contactless payments make everyday purchases fast and easy. Yet with that convenience comes a risk: ghost tapping.
In crowded spaces or rushed moments, a scammer could trigger a small tap-to-pay charge or push through a higher amount without your clear consent. Understanding what ghost tapping is, how it happens, and what to do next helps you keep your money and identity secure.
What Is Ghost Tapping?
Ghost tapping is a form of contactless fraud where someone attempts to initiate a tap-to-pay transaction without your approval.
Tap-to-pay cards and mobile wallets on phones use a technology called “near-field communication,” or NFC. That lets them communicate with things like a point-of-sale device for payment at a very close range. It’s generally quite safe, particularly because of the “near” part. You have to get very close to make the connection.
Even so, proximity and distraction can be exploited. Attackers may try to skim limited details from RFID (Radio Frequency Identification technology) cards or NFC cards, or nudge you into approving a payment you didn’t intend. If you’ve ever wondered what ghost tapping is, think of it as an opportunistic, in-person scam that abuses the tap-to-pay moment rather than a remote hack.
How Ghost Tapping Happens
Most schemes rely on getting close and catching you off guard. A criminal might carry a portable reader, press into a pocket or bag, and attempt a low-value charge. Others set up tampered terminals, rushing you so you don’t check the amount.
Consider These Two Scenarios:
You’re at a busy farmer’s market. A scammer with a phone equipped with a point-of-sale app stumbles into you and gets close enough to your card to trigger a transaction. It’s almost like a modern-day pickpocket move, where the bump distracts the victim from the theft as it happens.
In another case, you might come across a phony vendor. Maybe someone’s selling cheap hats outside a football game or someone’s going around your neighborhood selling candy, supposedly to support a charity. In scenarios like these, you tap to pay with your phone just as you’d expect… but with one exception: the “vendor” jacks up the purchase price. They hurry you through the transaction, so quickly that you don’t review the screen before you confirm payment.
We’ve also seen reports of people getting Apple Pay scammed by impostor merchants who exploit quick taps and small screens. While mobile wallets add strong safeguards, poor visibility and social pressure can still lead to losses.
“An individual is going door to door in [location redacted] claiming to be selling chocolate on behalf of [redacted] to support special needs students. He says that he can only accept tap-to-pay to get people to pay with a card. He then charges large amounts to the card without the cardholder being able to see the amount. He got my mother for $537… Another victim for $1100… He changes neighborhoods frequently to avoid getting caught.”
Signs of Ghost Tapping and Common Myths
Detecting ghost tapping early starts with vigilance. Watch for unfamiliar small charges, especially after crowded events, and alerts tied to contactless transactions. If you see odd activity tied to RFID cards or NFC cards, act quickly.
Common myths persist. Attackers can’t drain accounts from far away, clone full cards via a tap, or bypass wallet protections easily. Most successful cases hinge on proximity, distraction, and human error. Meanwhile, Apple Pay scam stories often involve rushed taps and unverified totals.
Effective detection of ghost tapping focuses on timely alerts, careful review, and immediate response.
How to Protect Yourself from Ghost Tapping Scams
The BBB, which recently broke the story of these scams, offers several pieces of advice. We have some advice we can add as well.
From the BBB…
Store your cards securely. An RFID-blocking wallet or sleeve can help stop wireless skimming.
Always confirm payment details. Before tapping your card or phone, check the merchant’s name and amount on the terminal screen.
Set up transaction alerts. Many banks allow real-time notifications for every charge.
Keep an eye on your accounts. Daily checks help you spot fraud faster.
Limit tap-to-pay use in high-risk areas. Consider swiping or inserting your card instead.
From us at McAfee…
Monitor your identity and your credit.
The problem with many card scams is that they can lead to further identity theft and fraud, which you only find out about once the damage is done. Actively monitoring your identity and credit goes beyond single transaction alerts from your bank and can spot an emerging problem before it becomes an even bigger one. You can take care of both easily with timely notifications from our credit monitoring and identity monitoring features, all as part of our McAfee+ plans.
When you’re out and about, consider what you’re carrying—and where you carry it.
The physical safety of your phone and cards counts as well. While ghost tapping scams are new, old-school physical pickpocketing attempts persist. When it comes to devices and things like debit cards, credit cards, and even cash, keep what you bring with you to the bare minimum when you go out. This can cut your losses if the unfortunate happens. If you have a credit card and ID holder attached to the back of your phone, you may want to remove your cards from it. That way, if your phone gets snatched, those important cards don’t get snatched as well.
When in doubt, shop with a credit card.
In the U.S., credit cards offer you additional protection that debit cards don’t. That’s thanks to the Fair Credit Billing Act (FCBA). It limits your liability to $50 for fraudulent charges on a credit card if you report the loss to your issuer within 60 days.
Generative AI is making it even easier for attackers to exploit old and often forgotten network equipment. Replacing it takes investment, but Cisco is making the case that it’s worth it.
In this episode of Uncanny Valley, we discuss our scoop about how the Department of Homeland Security illegally collected Chicago residents’ data for months, as well as the news of the week.
Schools in the US are installing vape-detection tech in bathrooms to thwart student nicotine and cannabis use. A new investigation reveals the impact of using spying to solve a problem.
As the holiday season ramps up, so do group dinners, shared travel costs, gift exchanges, and all the little moments where someone says, “Just Venmo me.”
With more people sending and splitting money this time of year, scammers know it’s prime time to target payment apps. Here’s how to keep your Venmo transactions safe during one of the busiest — and riskiest — payment seasons.
What kind of scams are on Venmo?
Venmo scams come in all shapes, and many of them look like variations of email phishing and text scams. The scammers behind them will pose as Venmo customer service reps who ask for your login credentials. Other scammers offer bogus cash prizes and pyramid schemes that lure in victims with the promise of quick cash. Some scammers will use the app itself to impersonate friends and family to steal money.
Venmo has a dedicated web page on the topic of scams, and lists the following as the top Venmo scams out there:
· Fake Prize or Cash Reward
· Call from Venmo
· Call from Tech Support
· Fake Payment Confirmation
· Pre-payment for Goods and Services
· Stranger Posing as a Friend
· Payments from Strangers
· Offers to Make Money Fast
· Paper Check Scam
· Romance Scam
Venmo has thorough instructions to combat these scams and breaks them down in detail on its site. They also provide preventative tips and steps to take if you unfortunately fall victim to one of these scams. Broadly speaking, though, avoiding Venmo scams breaks down into a few straightforward steps.
How to avoid getting scammed on Venmo
1) Never share private details.
Scammers often pose as customer service reps to pump info out of their victims. They’ll ask for things like bank account info, debit card or credit card numbers, or even passwords and authentication codes sent to your phone. Never share this info. Legitimate reps from legitimate companies like Venmo won’t request it.
2) Know when Venmo might ask for your Social Security number.
In the U.S., Venmo is regulated by the Treasury Department. As such, Venmo might require your SSN in certain circumstances. Venmo details the cases where they might need your SSN for reporting, here on their website. Note that this is an exception to what we say about sharing SSNs and tax ID numbers. As a payment app, Venmo might have legitimate reasons to request it. However, don’t send this info by email or text (any email or text that asks you to do that is a scam). Instead, always use the mobile app by going to Settings –> Identity Verification.
3) Keep an eye out for scam emails and texts.
Venmo always sends communications through its official “venmo.com” domain name. If you receive an email that claims to be from Venmo but that doesn’t use “venmo.com,” it’s a scam. Never click or tap on links in emails or texts supposedly sent by Venmo.
4) Be suspicious of the messages you get. Imposters are afoot.
Another broad category of scams includes people who aren’t who they say they are. In the case of Venmo, scammers will create imposter accounts that look like they might be a friend or family member but aren’t. If you receive an unexpected and likely urgent-sounding request for payment, contact that person outside the app. See if it’s really them.
5) When sending money, keep an eye open for alerts from the app.
Just recently, Venmo added a new feature, dynamic alerts, which helps protect people when sending money via the “Friends and Family” option. It pops up an alert if the app detects a potentially fraudulent transaction and includes info that describes the level of risk involved. In the cases of highly risky payments, Venmo might decline the transaction altogether. This adds another level of protection to Friends and Family payments, which are non-refundable in cases of fraud. Further, this underscores another important point about using Venmo: only pay people you absolutely know and trust.
More ways to stay safe on Venmo
Keep your transactions private. Venmo has a social component that can display a transaction between two people and allow others to comment on it. Payment amounts are always secret. Yet you have control over who sees what by adjusting your privacy settings:
Public – Everyone on the internet can see and comment on the transaction.
Friends – Only your Venmo friends and the other participant’s friends can see and comment on the transaction. (Note that the friends of the other participant might be strangers to you, so “friends and friends of friends” is more accurate here.)
Private – Here, only the participants can view and comment on the transaction.
This brings up the question, what if the participants in the transaction have different privacy settings? Venmo uses the most restrictive one. So, if you’re paying someone who has their privacy set to “Public” and you have yours set to “Private,” the transaction will indeed be private.
We suggest going private with your account. The less financial information you share, the better. You can set your transactions to private by heading into the Settings of the Venmo app, tapping on Privacy, and then selecting Private.
In short, just because something is designed to be social doesn’t mean it should become a treasure trove of personal data about your spending habits.
Add extra layers of security. Take extra precautions that make it difficult for others to access your Venmo app.
First off, lock your phone. Whether with a PIN or other form of protection, locking your phone prevents access to everything you keep on it, which is important in the case of loss or theft. Our own research found that only 58% of adults take the vital step of locking their phones. If you fall into the 42% of people who don’t, strongly consider changing that.
Within the Venmo app, you can also enable Face ID and a PIN (on iOS) or a PIN and biometric unlock (Android). These add a further layer of security by asking for identification each time you open the app. That way, even if someone gets access to your phone, they’ll still have to leap through that security hurdle to access your Venmo app.
Use a strong, unique password for your account. That’s a password with at least 13 characters using a mix of cases, numbers, and symbols that you don’t use anywhere else. You can also have a password manager do that work for you across all your accounts.
Keep your online finances even more secure with the right tools
For starters, it includes Web Protection and Scam Detector that can block malicious and questionable links that might lead you down the road to malware or a phishing scam, such as a phony Venmo link designed to steal your login credentials. It also includes a password manager that creates and stores strong, unique passwords for each of your accounts.
Moreover, it further protects you by locking down your identity online. Transaction Monitoring and Credit Monitoring help you spot any questionable financial activity quickly. And if identity theft unfortunately happens to you, up to $2 million in ID theft coverage & restoration can help you recover quickly.
Active Directory compromises, credential theft, lateral movement. See how identity-driven security policies stop breaches before attackers escalate privileges.
By plugging tens of billions of phone numbers into WhatsApp’s contact discovery tool, researchers found “the most extensive exposure of phone numbers” ever—along with profile photos and more.
This week, we have attacks that take over Androids and iPhones, plus news that Google has gone on the offensive against phishing websites.
First up, a heads-up for iPhone owners.
The “We found your iPhone” scam
In the hands of a scammer, “Find My” can quickly turn into “Scam Me.”
Switzerland’s National Cyber Security Center (NCSC) shared word this week of a new scam that turns the otherwise helpful “Find My” iOS feature into an avenue of attack.
Now, the thought of losing your phone, along with all the important and precious things you have on it, is enough to give you goosebumps. Luckily, “Find My” can help you track it down and even post a personalized message on the lock screen to help with its return. And that’s where the scam kicks in.
From the NCSC:
When a device is marked as lost, the owner can display a message on the lock screen containing contact details, such as a phone number or email address. This can be very helpful if the finder is honest – but in dishonest hands, the same information can be used to launch a targeted phishing attack.
With that, scammers send a targeted phishing text, as seen in the sample provided by the NCSC below …
Source: NCSC, Switzerland
What do the scammers want once you tap that link? They request your Apple ID and password, which effectively hands your phone over to them—along with everything on it and everything else that’s associated with your Apple ID.
It’s a scam you can easily avoid. So even if you’re still stuck with a lost phone that’s likely in the hands of a scammer, the point of consolation is that, without your ID, the phone is useless to them.
Here’s what the NCSC suggests:
Ignore such messages. The most important rule is Apple will never contact you by text message or email to inform you that a lost device has been found.
Never click on links in unsolicited messages or enter your Apple ID credentials on a linked website.
If you lose your device, act immediately. Enable Lost Mode straight away via the Find My app on another device or at iCloud.com/find. This will lock the device.
Be careful about which contact details you show on your lost device’s lock screen. For example, use a dedicated email address created specifically for this purpose. Never remove the device from your Apple account, as this would disable the Activation Lock.
Make sure your SIM card is protected with a PIN. This simple yet effective measure prevents criminals from gaining access to your phone number.
Android phone takeover scam
Now, a different attack aimed at Android owners …
A story shared on Fox this week breaks down how a combination of paid search ads, remote access tools, and social engineering has led to hijacked Android phones.
It starts with a search, where an Android owner looks up a bank, a tech support company, or what have you. Instead of getting a legitimate result, they get a link to a bogus site via paid search results that appear above organic search results. The link, and the page it takes them to, look quite convincing, given the ease with which scammers can spin up ads and sites today. (More on that next.)
Once there, they call a support number and get connected to a phony agent. The agent convinces the victim to download an app that will help the “agent” solve their issue with their account or phone. In fact, the app is a remote access tool that gives control of the phone, and everything on it, to the scammer. That means they can steal passwords, send messages to friends, family, or anyone at all, and even go so far as to lock you out.
Basically, this scam hands over one of your most precious possessions to a scammer.
Here’s how you can avoid that:
Skip paid search results for extra security. That’s particularly true when contacting your bank or other companies you’re doing business with. Look for their official website in the organic search results below paid ads. Better yet, contact places like your bank or credit card company by calling the number on the back of your card.
Get a scam detector. A combination of our Scam Detector and Web Protection can call out sketchy links, like the bogus paid links here. They’ll even block malicious sites if you accidentally tap a bad link.
Never download apps from third-party sites outside of the Google Play Store. Google has checks in place to spot malicious apps in its store.
Lastly, never give anyone access to your phone. No bank rep needs it. So if someone on a call asks you to download an app like TeamViewer, AnyDesk, or AirDroid, it’s a scam. Hang up.
Beyond that, you can protect yourself further by installing an app like our McAfee Security: Antivirus VPN. You can pick it up in the Google Play store, which also includes our Scam Detector and Identity Monitoring. You can also get it as part of your McAfee+ protection.
Google takes aim at phishing scams with a lawsuit against an alleged criminal organization
A lawsuit alleges that a China-based company called “Lighthouse” runs a “Phishing-as-a-Service” operation that outfits scammers with quick and easy tools and templates for creating convincing-looking websites. According to Google’s general counsel, these sites could “compromise between 12.7 and 115 million credit cards in the U.S. alone.”
The suit was filed in the U.S. District Court in the Southern District of New York, which, of course, has no jurisdiction over a China-based company. The aim, per Google’s counsel, is deterrence. From the article:
“It allows us a legal basis on which to go to other platforms and services and ask for their assistance in taking down different components of this particular illegal infrastructure,” she said, without naming which platforms or services Google might focus on. “Even if we can’t get to the individuals, the idea is to deter the overall infrastructure in some cases.”
We’ll keep an eye on this case as it progresses. And in the meantime, it’s a good reminder to get Scam Detector and Web Protection on all your devices so you don’t get hoodwinked by these increasingly convincing-looking scam sites.
Again, scammers can roll them out so quickly and easily today.
And now for a quick roundup …
Here’s a quick list of a few stories that caught our eye this week:
A new US law enforcement initiative is aimed at crypto fraudsters targeting Americans—and now seeks to seize infrastructure it claims is crucial to notorious scam compounds.
New research from McAfee Labs shows just how common these scams have become.
Our 2025 Most Dangerous Celebrity: Deepfake Deception List ranks the stars and influencers whose likenesses are most hijacked by scammers, and reveals a growing market for AI-powered fake endorsements.
At the top of the list? Taylor Swift, followed by Scarlett Johansson, Jenna Ortega, and Sydney Sweeney. Globally, names like Brad Pitt, Billie Eilish, and Emma Watson also appear among the most exploited.
McAfee also released its first-ever Influencer Deepfake Deception List, led by gamer and streamer Pokimane, showing that scammers are now targeting social platforms just as aggressively as Hollywood.
Top 10 Most Dangerous Celebrities (2025): U.S.
McAfee’s 2025 report reveals the most impersonated celebrities in online scams, with Taylor Swift ranking number one in the U.S.
Top 10 Most Dangerous Celebrities (2025): Global
Taylor Swift tops McAfee’s global list of celebrities most hijacked by scammers in 2025, followed by Scarlett Johansson and Jenna Ortega.
Top 10 Most Dangerous Influencers (2025): Global
From Pokimane to MrBeast, McAfee’s 2025 list shows which influencers’ likenesses are most exploited in scams.
Why Scammers Love Famous Faces
The formula is simple: use someone people trust to sell something that doesn’t exist.
Criminals clone celebrity voices and faces with AI to promote fake giveaways, skincare products, crypto investments, or “exclusive” deals that lead straight to malware or payment fraud.
According to McAfee’s survey of 8,600 people worldwide:
72% of Americans have seen fake celebrity or influencer endorsements.
39% have clicked on one.
1 in 10 lost money or personal data, an average of $525 per victim.
Scammers exploit trust. When you see a familiar face, your brain automatically lowers its guard. And that’s exactly what they count on.
How Deepfakes Are Making Headlines
AI has made these scams look frighteningly real.
Modern deepfake generators can mimic voices, facial movements, and even micro-expressions with uncanny precision. Only 29% of people feel confident identifying a fake, and 21% admit to having low confidence spotting deepfakes.
That’s how fake endorsements and AI romance scams have exploded online.
A woman in France lost nearly $900,000 to a scammer posing as Brad Pitt, complete with AI-generated images and voice messages.
TV host Al Roker was recently targeted by a deepfake video claiming he’d suffered heart attacks.
Tom Hanks, Oprah, and Scarlett Johansson have all been used in fraudulent ads for products they never touched.
“Seeing is believing” doesn’t apply anymore, and scammers know it.
The Psychology of The Scam
Deepfake scams don’t just rely on technology; they prey on parasocial relationships, the one-sided emotional bonds fans form with public figures.
When a “celebrity” DMs you, it doesn’t always feel strange. It feels personal. That sense of intimacy makes people act before thinking.
It’s the same psychological playbook behind romance scams, now supercharged by AI tools that make fake videos and voice messages sound heartbreakingly real.
How to Protect Yourself
Pause before you click. If an ad or post seems out of character or “too good to be true,” it probably is.
Verify at the source. Check the celebrity’s verified account on social media. Scammers often copy profile photos and bios but miss subtle details like posting style or engagement patterns.
Look for signs of AI manipulation. Watch for off-sync lip movements, robotic tone, or lighting that looks inconsistent.
Never share personal or payment details via messages, even if the sender appears to be verified.
Use McAfee’s Scam Detector, included in all core plans, to automatically analyze texts, emails, and videos for signs of fraud or deepfake manipulation.
Key Takeaways
Celebrity and influencer culture has always shaped what we buy, but now it’s shaping how scammers deceive. These deepfakes don’t just steal money; they chip away at our trust in what we see, hear, and share online.
The celebrities at the center of these scams aren’t accomplices; they’re victims, too, as criminals hijack their likenesses to exploit the bond between fans and the people they admire. And as deepfake tools become easier to use, the line between real and fake is vanishing fast.
The next viral “giveaway” might not be an ad at all…it could be bait.
You can’t stop scammers from cloning famous faces, but you can stop them from fooling you. Use McAfee’s Scam Detector to scan links, messages, and videos before you click.
Google is suing more than two dozen unnamed individuals allegedly involved in peddling a popular China-based mobile phishing service that helps scammers impersonate hundreds of trusted brands, blast out text message lures, and convert phished payment card data into mobile wallets from Apple and Google.
In a lawsuit filed in the Southern District of New York on November 12, Google sued to unmask and disrupt 25 “John Doe” defendants allegedly linked to the sale of Lighthouse, a sophisticated phishing kit that makes it simple for even novices to steal payment card data from mobile users. Google said Lighthouse has harmed more than a million victims across 120 countries.
A component of the Chinese phishing kit Lighthouse made to target customers of The Toll Roads, which refers to several state routes through Orange County, Calif.
Lighthouse is one of several prolific phishing-as-a-service operations known as the “Smishing Triad,” and collectively they are responsible for sending millions of text messages that spoof the U.S. Postal Service to supposedly collect some outstanding delivery fee, or that pretend to be a local toll road operator warning of a delinquent toll fee. More recently, Lighthouse has been used to spoof e-commerce websites, financial institutions and brokerage firms.
Regardless of the text message lure used or brand used, the basic scam remains the same: After the visitor enters their payment information, the phishing site will automatically attempt to enroll the card as a mobile wallet from Apple or Google. The phishing site then tells the visitor that their bank is going to verify the transaction by sending a one-time code that needs to be entered into the payment page before the transaction can be completed.
If the recipient provides that one-time code, the scammers can link the victim’s card data to a mobile wallet on a device that they control. Researchers say the fraudsters usually load several stolen wallets onto each mobile device, and wait 7-10 days after that enrollment before selling the phones or using them for fraud.
Google called the scale of the Lighthouse phishing attacks “staggering.” A May 2025 report from Silent Push found the domains used by the Smishing Triad are rotated frequently, with approximately 25,000 phishing domains active during any 8-day period.
Google’s lawsuit alleges the purveyors of Lighthouse violated the company’s trademarks by including Google’s logos on countless phishing websites. The complaint says Lighthouse offers over 600 templates for phishing websites of more than 400 entities, and that Google’s logos were featured on at least a quarter of those templates.
Google is also pursuing Lighthouse under the Racketeer Influenced and Corrupt Organizations (RICO) Act, saying the Lighthouse phishing enterprise encompasses several connected threat actor groups that work together to design and implement complex criminal schemes targeting the general public.
According to Google, those threat actor teams include a “developer group” that supplies the phishing software and templates; a “data broker group” that provides a list of targets; a “spammer group” that provides the tools to send fraudulent text messages in volume; a “theft group,” in charge of monetizing the phished information; and an “administrative group,” which runs their Telegram support channels and discussion groups designed to facilitate collaboration and recruit new members.
“While different members of the Enterprise may play different roles in the Schemes, they all collaborate to execute phishing attacks that rely on the Lighthouse software,” Google’s complaint alleges. “None of the Enterprise’s Schemes can generate revenue without collaboration and cooperation among the members of the Enterprise. All of the threat actor groups are connected to one another through historical and current business ties, including through their use of Lighthouse and the online community supporting its use, which exists on both YouTube and Telegram channels.”
Silent Push’s May report observed that the Smishing Triad boasts it has “300+ front desk staff worldwide” involved in Lighthouse, staff that is mainly used to support various aspects of the group’s fraud and cash-out schemes.
An image shared by an SMS phishing group shows a panel of mobile phones responsible for mass-sending phishing messages. These panels require a live operator because the one-time codes being shared by phishing victims must be used quickly as they generally expire within a few minutes.
Google alleges that in addition to blasting out text messages spoofing known brands, Lighthouse makes it easy for customers to mass-create fake e-commerce websites that are advertised using Google Ads accounts (and paid for with stolen credit cards). These phony merchants collect payment card information at checkout, and then prompt the customer to expect and share a one-time code sent from their financial institution.
Once again, that one-time code is being sent by the bank because the fake e-commerce site has just attempted to enroll the victim’s payment card data in a mobile wallet. By the time a victim understands they will likely never receive the item they just purchased from the fake e-commerce shop, the scammers have already run through hundreds of dollars in fraudulent charges, often at high-end electronics stores or jewelers.
Ford Merrill works in security research at SecAlliance, a CSIS Security Group company, and he’s been tracking Chinese SMS phishing groups for several years. Merrill said many Lighthouse customers are now using the phishing kit to erect fake e-commerce websites that are advertised on Google and Meta platforms.
“You find this shop by searching for a particular product online or whatever, and you think you’re getting a good deal,” Merrill said. “But of course you never receive the product, and they will phish that one-time code at checkout.”
Merrill said some of the phishing templates include payment buttons for services like PayPal, and that victims who choose to pay through PayPal can also see their PayPal accounts hijacked.
A fake e-commerce site from the Smishing Triad spoofing PayPal on a mobile device.
“The main advantage of the fake e-commerce site is that it doesn’t require them to send out message lures,” Merrill said, noting that the fake vendor sites have more staying power than traditional phishing sites because it takes far longer for them to be flagged for fraud.
Merrill said Google’s legal action may temporarily disrupt the Lighthouse operators, and could make it easier for U.S. federal authorities to bring criminal charges against the group. But he said the Chinese mobile phishing market is so lucrative right now that it’s difficult to imagine a popular phishing service voluntarily turning out the lights.
Merrill said Google’s lawsuit also can help lay the groundwork for future disruptive actions against Lighthouse and other phishing-as-a-service entities that are operating almost entirely on Chinese networks. According to Silent Push, a majority of the phishing sites created with these kits are sitting at two Chinese hosting companies: Tencent (AS132203) and Alibaba (AS45102).
“Once Google has a default judgment against the Lighthouse guys in court, theoretically they could use that to go to Alibaba and Tencent and say, ‘These guys have been found guilty, here are their domains and IP addresses, we want you to shut these down or we’ll include you in the case.'”
If Google can bring that kind of legal pressure consistently over time, Merrill said, they might succeed in increasing costs for the phishers and more frequently disrupting their operations.
“If you take all of these Chinese phishing kit developers, I have to believe it’s tens of thousands of Chinese-speaking people involved,” he said. “The Lighthouse guys will probably burn down their Telegram channels and disappear for a while. They might call it something else or redevelop their service entirely. But I don’t believe for a minute they’re going to close up shop and leave forever.”
The Department of Homeland Security collected data on Chicago residents accused of gang ties to test if police files could feed an FBI watchlist. Months passed before anyone noticed it wasn’t deleted.
It’s an all-too-familiar trap. You’re scrolling TikTok when an ad for your favorite shoe brand pops up. Black Friday and Cyber Monday sales are everywhere, and this one—buy one, get one free—looks completely legit.
The site it links to looks real too. The logo, the product pages, even the checkout cart all match what you’d expect from the brand. You place your order and move on.
A few days later, you notice the charge on your bank statement. It’s the right amount—but the payment didn’t go to the store you thought. Instead, there’s a company name you don’t recognize.
That’s when it hits you: the site wasn’t real at all. You’ve been scammed.
Peak shopping season is peak scam season, with fake deals and ads making up one major tactic used to deceive shoppers.
Nearly all U.S. adults plan to shop online this season, with about half planning to do so daily or more. Scammers know that when people are rushing to buy gifts and click “checkout,” they’re also less likely to slow down and verify what they’re seeing.
That’s when fraudsters strike, often using artificial intelligence to make their fake messages and websites look authentic.
Generative AI tools have made it simple to clone brand websites, copy influencer voices, and even create realistic video ads promoting fake sales. And our recent State of the Scamiverse research found that people struggle to identify deepfakes, with 39% of people saying deepfake video scams are getting more sophisticated and harder to spot.
That’s why deepfake-driven scams utilizing advanced tactics are multiplying across platforms like TikTok and Instagram. Scammers are impersonating celebrity likenesses, or well-known brands, to advertise “exclusive” promotions or fake giveaways. For holiday shoppers, the line between what is authentic and fraudulent continues to blur.
By the Numbers
1 in 5 Americans say they’ve been scammed during a past holiday season
The average loss per victim is $840
57% of those surveyed are more concerned about AI scams this year than last
38% of those surveyed believe they can spot scams, yet 22% have fallen for one
Detected deepfakes surged 1,740% in North America last year
What to Watch For in 2025
1. Fake Retail Sites and Counterfeit “Deal” Pages
These scams mimic major brand websites down to the logo, product photography, and even customer service pages. The only difference is the URL—a single extra letter or misplaced period (“target-sale.com” instead of “target.com”).
When shoppers enter their payment details or passwords on these fraudulent websites, that information goes directly to criminals. According to McAfee research, this fear of scams while shopping has stopped 40% of consumers from completing a holiday purchase.
How to spot it: Always check the full web address, look for “https,” and avoid clicking through from an ad or social post. It’s best to just type the retailer’s name directly into your browser instead to reach the official site.
2. TikTok and Social Media Scams
Even cybercriminals follow trends, and short-form videos are scam hotspots. Scammers use deepfakes or stolen influencer content to make “exclusive” deals look legitimate.
For example, a TikTok clip may show a celebrity promoting a discount code that redirects to a counterfeit store.
How to spot it: Check if the creator’s account is verified. Look at past posts and engagement patterns. Real brands rarely share one-off videos with unfamiliar links.
3. Delivery and Shipping Text Scams
You’ll receive a text saying a package can’t be delivered or that a small fee is needed to confirm your address.
McAfee found that 43% of people have encountered fake delivery notifications, and many victims say they entered credit card information thinking they were resolving a legitimate issue.
How to spot it: Real shipping companies rarely send texts with clickable payment links. Visit the carrier’s official website or app to verify any delivery problems.
4. Gift Card and Account Verification Scams
These scams pressure you to “verify” your account or make an urgent payment. Messages may claim your PayPal or Amazon account is locked and request you to confirm details. Others ask for gift cards to “resolve” a billing issue.
Scammers count on urgency—once you send a code or card number, the funds are gone instantly.
How to spot it: No legitimate company will ask for payment in gift cards or ask you to share one-time codes over text. Always log in to your account directly, never through a link sent via message.
How to Shop Safely This Holiday Season
Go straight to the source. If you see an offer on social media, type the retailer’s URL yourself instead of clicking through the post. Fraudulent ads often lead to look-alike domains.
Pause before you click. Take a moment to verify emails and DMs. Check the sender’s address, look for misspellings, and hover over links to preview where they lead.
Use AI to fight AI. McAfee’s Scam Detector can identify suspicious messages, fake websites, and deepfake content before harm occurs.
Keep your software up to date. Many scams exploit outdated browsers or apps. Regular updates patch vulnerabilities before criminals can use them.
Avoid public Wi-Fi while shopping. Public networks are easy for hackers to monitor. Use a secure or mobile connection instead. Check out McAfee’s VPN to stay protected while browsing and shopping.
Never pay with gift cards: Legitimate companies and businesses will never ask you to pay for or verify a purchase with gift cards.
Be suspicious of requests to pay with crypto: A legitimate company will not force you to pay in crypto or other specific crypto assets.
McAfee’s identity protection tools also monitor for signs that your personal information may have been exposed and guide you through recovery steps.
You can sign in to your McAfee account to scan for recent breaches linked to your email, or try a free trial of McAfee antivirus to keep your devices secure throughout the shopping season.
We’re back with a new edition of “This Week in Scams,” a roundup of what’s current and trending in all things sketchy online.
This week, we have fake steaks, why you should shop online with a credit card, and a new and utterly brash form of debit card fraud.
Fake steaks from “0maha Steaks”
Yes, the letter “O” for Omaha in the subject line of this email scam is actually a zero. And that’s not the only thing that’s off with this email. It’s a total scam.
An image of a scam 0maha Steaks email.
If you like your choice cuts, the name Omaha Steaks might be a familiar one. They’ve been around for almost 110 years, and since 1953 they’ve been in the mail order meat business. Today, they sell, well, just about anything you can picture in the butcher or seafood case. With that, the company enjoys a premium reputation, so it’s little surprise scammers have latched onto it and built a phishing attack around the brand—one they garnish with a nod to concerns over rising food prices.
A few things can quickly tip you off to this scam. For starters, the scammers oddly spell Omaha with a zero in the subject line, as mentioned. From there, the sender’s email address is a straight red flag. In this case, it’s the curiously spelled “steaksamplnext” followed by a (redacted) domain name that isn’t the legitimate omahasteaks dot-com address. Also curious is the lack of an actual price for the bogus “Gourmet Box.” And lastly, you might think that a premium foods brand would showcase some pictures of their famous fare in the email. Not so here.
Rounding it out, you’ll see the classic scammer tactics of scarcity and urgency, which scammers hope will pressure people to act immediately. In this case, only 500 of these supposed boxes are available, and the offer “concludes tomorrow.”
How to avoid Omaha Steak scams and phishing scams like them
Even as this scam makes the rounds, it’s easy to spot if you give it a closer look and a little thought, which gives it a sort of old-school feel. However, more and more of today’s phishing emails look increasingly legit, thanks to AI tools, which might get you to click.
As for phishing attacks like this in general, you can protect yourself by:
Always checking the email address of the sender. If it doesn’t match the proper address of the company or brand that’s supposedly sending the email, it’s a scam. In this case, from the people at Omaha Steaks themselves, “If it doesn’t show OmahaSteaks.com and @OmahaSteaks, it’s not us!”
Looking for addresses and links that look like they’ve been slightly altered so that they seem “close enough” to the real thing. In this case, the scammer didn’t even bother to try. However, you could expect an alteration like “omahasteakofferforyou.com” to try and look legit.
Getting a scam detector. Our Scam Detector, found in all core McAfee plans, helps you stay safer with advanced scam detection technology built to spot and stop scams across text messages, emails, and videos. It’ll also block those sites if you accidentally tap or click on a bad link.
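The look-alike addresses described here and in the fake retail site section earlier (“target-sale.com”, “omahasteakofferforyou.com”, the zero in “0maha”) can be checked mechanically against a list of official domains. The Python below is an added example, not McAfee’s code; the allowlist, the function names, the two-label registrable-domain shortcut, and every sample input other than those two domains are assumptions.

```python
from urllib.parse import urlsplit

# Brand -> official domain, taken from the two brands used as examples in the text.
# Assumption: a real deployment maintains its own, longer allowlist.
OFFICIAL = {"target": "target.com", "omahasteaks": "omahasteaks.com"}

# Digit-for-letter swaps such as the zero in "0maha".
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def host_of(value):
    """Return the lower-cased host from a URL, bare hostname or e-mail address."""
    value = value.strip().lower()
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1]
    if "://" not in value:
        value = "//" + value  # lets urlsplit parse a bare hostname
    return (urlsplit(value).hostname or "").rstrip(".")


def registrable(host):
    """Last two labels. Simplification: right for .com, wrong for suffixes
    such as .co.uk, where the Public Suffix List is needed."""
    return ".".join(host.split(".")[-2:])


def fuzzy_find(pattern, text):
    """Smallest edit distance between `pattern` and any substring of `text`."""
    prev = [0] * (len(text) + 1)  # a match may start anywhere in text
    for i, pc in enumerate(pattern, 1):
        cur = [i]
        for j, tc in enumerate(text, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (pc != tc)))
        prev = cur
    return min(prev)


def classify(value):
    """Return (verdict, detail); verdict is official, lookalike or unrelated."""
    host = host_of(value)
    reg = registrable(host)
    if reg in OFFICIAL.values():
        return ("official", reg)
    # Inspect every label except the TLD, so a brand placed in a subdomain
    # ("target.com.something.example") is caught as well.
    for label in host.split(".")[:-1]:
        skeleton = label.translate(HOMOGLYPHS).replace("-", "")
        for brand, real in OFFICIAL.items():
            if fuzzy_find(brand, skeleton) <= 1:  # exact or one edit away
                return ("lookalike", f"{host} imitates {real}")
    return ("unrelated", reg)


# Sample inputs; all constructed except the two domains quoted in the text.
SAMPLES = [
    "https://www.target.com/c/deals",
    "target-sale.com",
    "http://omahasteakofferforyou.com/box",
    "offers@0mahasteaks.com",
    "https://target.com.secure-login.example/",
    "https://example.org/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", classify(sample))
```

A one-edit threshold is a heuristic that flags candidates for review; internationalized (punycode) names are not handled here.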
One good reason for using your credit card when shopping online.
What’s the most common kind of fraud? If you said, “credit card,” you’ll find it number five on the list. The top form is debit cards, according to 2025 findings from the U.S. Federal Reserve.
As reported by financial institutions, the Fed found that attempts at debit card fraud rose to 73% with 52% of those attempts being successful.
There’s a good reason that debit card fraud ranks highest for attempts and success rate. It’s the same reason that credit card fraud is relatively low. Debit cards don’t have the same fraud protections in place that credit cards do.
As you might have read in our blogs before, credit cards offer additional protection thanks to the Fair Credit Billing Act (FCBA). Your maximum liability is $50 for fraudulent charges on a lost or stolen card if you report the loss to your issuer within 60 days. In the case of relatively unprotected debit cards, those losses often go unrecovered.
Keep this in mind as you sit down for your online shopping for the holidays: use a credit card instead of a debit card. That gives you the protection of the FCBA if your shopping session gets hacked or if the retailer experiences a data breach somewhere down the road. Also think about making it even safer by shopping with a VPN. Our VPN creates an encrypted “tunnel” that protects your data from crooks and prying eyes, so your card info stays private.
A new debit card scam with a porch pirate twist
First reported by the FBI last year, we’re seeing continued reports of a brash and bold form of debit card scam—people physically handing over their cards to scammers.
The scam starts like many card scams do, with a phone call. Scammers spoof the caller ID of the victim’s bank or credit union, ring them up, and tell them there’s a “problem” with their account. From there, scammers direct victims to cut up their current card—but with a twist. They tell victims to keep the little EMV chip for tap-and-go payments intact.
Why? Victims get instructed to leave the cut-up card and intact chip in the mailbox for a “courier” to pick up for “security purposes.” Once in hand, scammers get access to the bank account associated with the chip. Even if the scammers don’t wrangle a PIN number out of their victims with a little social engineering trickery, they can still make purchases with the chip as some points of sale don’t require a PIN number when tapping to pay.
Here’s how you can avoid the “porch pirate” debit card scam
Shred your old cards in a paper shredder. Then, take the next step. Grab the shredded pieces and throw them away in separate batches. This will all make it fantastically tough for a scammer to piece together your card and steal your info.
Call back your bank yourself. If you get a call, voicemail, or text saying there’s an issue with your account, you can verify any possible issue yourself by calling the number on the back of your card.
Know that banks won’t send “couriers” for cards. And they’ll simply never ask you to leave your card in your mailbox.
Many critical systems are still being maintained, and the cloud provides some security cover. But experts say that any lapses in protections like patching and monitoring could expose government systems.
If you’ve been watching the news, you’ve probably seen the headlines out of Paris: one of the most audacious heists in decades took place at the Louvre, where thieves made off with centuries-old crown jewels worth tens of millions of dollars.
But amid the cinematic drama, a quieter detail emerged that’s almost harder to believe—according to French newspaper Libération (via PC Gamer), auditors discovered that the password protecting the museum’s video surveillance system was simply “Louvre.”
While it’s not yet confirmed whether this played a direct role in the robbery, cybersecurity experts point out that weak or reused passwords remain one of the easiest ways for criminals—digital or otherwise—to get inside.
Safety Lessons You Can Learn from The Louvre
The Louvre’s cybersecurity audits, dating back to 2014, reportedly revealed a pattern of outdated software and simple passwords that hadn’t been updated in years. Subsequent reviews noted “serious shortcomings,” including security systems running on decades-old software no longer supported by developers.
That situation mirrors one of the most common security issues individuals face at home. Whether it’s an email account, a social media login, or your home Wi-Fi router, using an easy or repeated password is like leaving the front door open. Hackers don’t need to break in when they can just walk through.
As experts here at McAfee have explained, cybercriminals routinely rely on “credential stuffing” attacks, in which they test stolen passwords from one breach against other sites to see what else they can access. If you’ve used the same password for your streaming account and your online banking, it’s not hard to imagine what could go wrong.
What’s A Bad Password?
Obvious or guessable: Anything like “password,” “123456,” or even the name of the service (“Louvre,” “Netflix,” “Chase”) can be cracked in seconds.
Dictionary words: Real words or phrases are easier for hacking programs to guess, even when combined creatively.
Repeated passwords: Reusing a password across multiple sites means one breach can expose everything.
Personal details: Pet names, birthdays, and favorite bands can all be scraped from social media—making them the first thing a hacker will try.
What Makes A Strong Password
A strong password is long, complex, and unique. Cybersecurity experts recommend at least 12–16 characters that mix uppercase and lowercase letters, numbers, and symbols. A short password can be guessed in minutes; a long one can take decades to crack.
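The four kinds of bad password listed above, plus the length and character-mix advice, can be turned into an audit routine. The Python below is an added example, not McAfee’s code; the function name `audit`, its parameters, and the tiny word lists are assumptions (a real check would use a large breached-password list and a full dictionary).

```python
import re

# Constructed stand-ins for a breached-password list and a dictionary.
COMMON = {"password", "123456", "qwerty", "letmein"}
WORDS = {"summer", "dragon", "museum", "football", "sunshine"}

# Undo common character swaps so "L0uvr3" is read as "louvre".
LEET = str.maketrans("0134578@$!", "oleastbasi")

CLASSES = [r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"]


def audit(password, service, personal=(), in_use=()):
    """Return the weaknesses found; an empty list means no check fired.

    service  -- name of the site or system the password protects
    personal -- details an attacker could scrape (pet names, birthdays)
    in_use   -- passwords the same person already uses elsewhere
    """
    findings = []
    low = password.lower()
    letters = re.sub(r"[^a-z]", "", low.translate(LEET))

    if len(password) < 12:
        findings.append("short")
    if sum(bool(re.search(c, password)) for c in CLASSES) < 4:
        findings.append("missing-character-class")
    # Obvious or guessable: a well-known password or the service's own name.
    if low in COMMON or service.lower() in letters:
        findings.append("obvious")
    # Dictionary words, even when decorated with digits and symbols.
    if any(word in letters for word in WORDS):
        findings.append("dictionary-word")
    # Personal details, matched both literally and after undoing swaps.
    if any(p.lower() in low or p.lower() in letters
           for p in personal if len(p) >= 3):
        findings.append("personal-detail")
    if password in in_use:
        findings.append("reused")
    return findings


if __name__ == "__main__":
    # Constructed sample passwords.
    print(audit("Louvre", "Louvre"))
    print(audit("L0uvr3-2025!", "Louvre"))
    print(audit("Summer2024!Rex", "Netflix",
                personal=["Rex"], in_use={"Summer2024!Rex"}))
    print(audit("qT7#vN2!xL9@pR4z", "Chase"))
```

The second sample passes the length and character-mix rules yet is still flagged, because the service name survives the character swaps.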
If that sounds like a lot to juggle, you’re not alone. That’s why password managers exist.
Why A Password Manager Is Your Best Guard
A password manager takes the work—and the guesswork—out of creating and remembering complex passwords. It generates random combinations that are nearly impossible to crack, then stores them securely using advanced encryption.
The added bonus? You’ll never have to reuse a password again. Even if one account is theoretically compromised in a breach, your others remain protected because each password is unique.
McAfee’s password manager also uses multi-factor authentication (MFA), meaning you’ll need at least two forms of verification before signing in—like a code sent to your phone. That extra step can stop hackers cold, even if they somehow get your password.
How to protect yourself
To keep your digital treasures safer than the Louvre’s jewels:
Use strong, unique passwords for every account. Longer is better.
Change passwords regularly and especially after any breach or suspicious activity.
Turn on MFA wherever possible—it’s one of the simplest and most effective protections.
Avoid public Wi-Fi for sensitive logins, or use a secure VPN.
Store passwords safely with a reputable password manager instead of your browser or a notepad.
The bottom line
Reports of the Louvre’s weak password might make for an easy punchline, but the truth is that millions of people make the same mistake every day—reusing simple passwords across dozens of accounts. Strong, unique passwords (and the right tools to manage them) are still one of the most powerful defenses against data theft and identity fraud.
As scams and breaches continue to evolve, your best defense is awareness and protection that adapts just as fast. McAfee’s built-in Scam Detector, included in all core plans, automatically detects scams across text, email, and video, blocks dangerous links, and identifies deepfakes—stopping harm before it happens.
Rob Leathern and Rob Goldman, who both worked at Meta, are launching a new nonprofit that aims to bring transparency to an increasingly opaque, scam-filled social media ecosystem.
In a bulletin to law enforcement agencies, the FBI said criminal impersonators are exploiting ICE’s image and urged nationwide coordination to distinguish real operations from fakes.
Football season is in full swing — tailgates, rivalries, fantasy leagues, and Sunday afternoons glued to the screen. Alongside the highlights and heartbreaks, there’s another game playing out online: the rush to place bets.
Every break in the action brings another sportsbook promo — risk-free wagers, bonus bets, exclusive odds — flooding your feed and inbox. But what you don’t see between the ads and sponsorships is how much money is really in play, or how scammers have joined the lineup.
Last year, legally licensed online and retail sportsbooks took nearly $150 billion in bets, a 22.2% jump from 2023 according to the American Gaming Association. And with so much of that money flowing through apps and websites, scammers are finding creative new ways to cash in.
They’re setting up fake betting sites, phishing for logins, and spinning up unlicensed offshore platforms that operate without oversight. Even self-proclaimed “insider tipsters” are pitching guaranteed wins that never exist.
If sports betting is legal in your state and you’re planning to make some wagers this season, here’s how to keep your money — and your data — safe.
Is online sports betting legal in my state?
Since a U.S. Supreme Court ruling in 2018, individual states can determine their own laws for sports betting. Soon after, sports betting became legal in waves. In all, 39 states and Washington D.C. currently offer sports betting through licensed retail locations. Of them, 31 further offer legal sports betting through licensed online apps and websites. The map below offers a quick view as to how all that plays out.
Image from https://sportsdata.usatoday.com/legality-map
Even as online sportsbooks must be licensed to operate legally, be aware that the terms and conditions they operate under vary from service to service. Per the Better Business Bureau (BBB), that calls for closely reading their fine print. For one, you might come across language that says the company can “restrict a user’s activity,” meaning that they can freeze accounts and the funds associated with them based on their terms and conditions. Also, the BBB cautions people about those promo offers that are often heavily advertised, because “like any sales pitch, these can be deceptive.”
What do online betting scams look like?
Fake betting sites
This form of scam follows the same playbook scammers use for all kinds of bogus sites in general. They cook up a copycat site that looks like a legitimate betting site, create a web address that looks like it could be legitimate, and then flood the web with sponsored search results, ads, and social media posts to drive traffic to them. From there, scammers capture payment info and take bogus bets that they never pay out on. Once the site gets discovered as a scam, they pull it down and spin up other scam sites. With the aid of AI tools to help with the process, scammers can turn around scam sites quickly.
Sports app phishing scams
Scammers piggyback on legitimate betting apps and sites another way. They’ll create phony customer support sites that they promote online, with the addition of scam texts and emails to lure in victims. Under the guise of support, they gain a victim’s login info, hack the account, and clean out the victim’s cash.
Unlicensed offshore platforms
These form a gray area when it comes to scams. Some of these offshore platforms, while unlicensed, are legitimate to varying degrees. What makes them dangerous is that they have no regulatory oversight, which means they can do things like charge hidden costs, lock accounts, and refuse payment without users having any way to dispute those actions. Some of these platforms might have suspect security measures as well, which could lead to account hacks. And of course, some of these offshore platforms are simply fake betting sites, as mentioned above.
Handicapper scams
Earlier this year, the BBB shared word of a growing scam where self-proclaimed experts with “insider information to place sure-thing bets” reach out to victims via email and social media posts. Per the BBB, “A handicapper’s goal isn’t to win bets for their members, it’s to get people to buy their picks. Once you’ve purchased their picks, the handicapper has already won. It doesn’t matter if the pick wins or loses, the handicapper keeps the payment.”
Of course, that “insider info” is entirely fake. It’s all just a smokescreen to draw in victims.
Ready to place your bet online? Keep these things in mind.
1) Stick with legitimate betting sites and apps. Use only legal, regulated sportsbooks when you place a bet.
If you’re a sports fan, you probably know the names, like BetMGM, DraftKings, FanDuel, bet365 and Fanatics Sportsbook. In addition, check out the organization’s BBB listing at BBB.org. Here you can get a snapshot of customer ratings, complaints registered against the organization, and the organization’s response to the complaints, along with its BBB rating, if it has one.
2) Use a secure payment method other than your debit card. Credit cards are a good way to go when buying, or betting, online.
One reason why is the Fair Credit Billing Act, which offers protection against fraudulent charges on credit cards by giving you the right to dispute charges over $50 for goods and services that were never delivered or otherwise billed incorrectly. Your credit card company may have its own policies that improve upon the Fair Credit Billing Act as well. Debit cards don’t get the same protection under the Act.
3) Protect yourself from fake betting sites and bogus offers.
You can steer clear of all kinds of fake sites and bogus offers with the combination of our Web Protection and Scam Detector, found in our McAfee+ plans. They’ll alert you if a link might take you to a sketchy site, and they’ll block those sites if you accidentally tap or click on a bad link.
In addition to the latest virus, malware, spyware, and ransomware protection, it also includes strong password protection by generating and automatically storing complex passwords to keep your winnings and payment info safer from hackers and crooks.
AI has transformed everyday experiences—from your phone instantly translating a foreign language to your smart assistant finding the fastest route home. Just as these devices connect you to the world in a split second, businesses now require on-demand, high-performance access to a rapidly expanding global AI ecosystem. This seamless, real-time connectivity is becoming the new […]
Cybercriminals have tricked X’s AI chatbot into promoting phishing scams in a technique that has been nicknamed “Grokking”. Here’s what to know about it.
Cisco Security Cloud Control introduces multi-customer management for MSPs, streamlining operations and automating deployments for better security outcomes.
As the Trump administration ramps up its targeting of left-leaning people and groups, the prosecution and harsh sentencing of Casey Goonan may provide a glimpse of things to come.
A major breach of the Kansas City, Kansas, Police Department reveals, for the first time, a list of alleged officer misconduct including dishonesty, sexual harassment, excessive force, and false arrest.
Your digital life is being stitched together—one purchase, one search, one swipe at a time.
Data brokers collect and combine fragments of your personal information to build detailed profiles they can sell to advertisers, employers, and anyone willing to pay.
While you can request that these brokers delete your data, many make it almost impossible to do so.
A joint investigation by CalMatters and The Markup found that 35 data brokers had intentionally hidden their opt-out pages from search results, making it harder for people to remove their information.
The result: a patchwork version of you exists online—a Frankenstein of your data, stitched together without your consent.
Moreover, practically anyone can purchase this sensitive info. That ranges from advertisers to law enforcement and from employers to anyone on the street who wants to know a lot more about you.
Here’s what’s happening, and what you can do about it.
Data brokers making it tougher to remove personal data from their sites
As part of the article, reporters analyzed 499 data broker sites registered in the state of California. Of them, 35 had search-blocking code. Additionally, per the article, many opt-out pages “required scrolling multiple screens, dismissing pop-ups for cookie permissions, and newsletter sign-ups and then finding a link that was a fraction the size of other text on the page.”[i]
Once the publications contacted the data brokers in question, multiple companies halted the practice, some responding that they were unaware their site had search-blocking code. Several others didn’t respond by the time the article was published and kept their practices in place.
Where do data brokers get such personal info?
There are several ways information brokers can get info about you …
Sources available to the public: Some of your personal records are easily available to the public. Data brokers can collect public records like your voter registration records, birth certificate, criminal record, and even bankruptcy records. By rounding them up from multiple sources and gathering them in one place, it takes someone seconds to find out all these things about you, rather than spending hours poring over public records.
Search, browsing, and app usage: Through a combination of data collected from internet service providers (ISPs), websites, and apps, data brokers can get access to all kinds of activity. They can see what content you’re interested in, how much time you spend on certain sites, and even your daily travels thanks to location data. They also use web scraping tools (software that pulls info from the web) to gather yet more. All this data collecting makes up a multi-billion-dollar industry where personal data is gathered, analyzed, sold, and then sold again and again—all without a person’s knowledge.
Online agreements: As it is with smartphone apps, you’ll usually have to sign an agreement when signing up for a new online service. Many of these agreements have disclosures in the fine print that give the company the right to collect and distribute your personal info.
Purchase history: Data brokers want to know what products or services you’ve purchased, how you paid for them (credit card, debit card, or coupon), and when and where you purchased them. In some cases, they get this info from loyalty programs at places like supermarkets, drugstores, and other retailers. Kroger, one of the largest grocery chains, is a good example of how purchasing insights end up in the hands of others. According to Consumer Reports, the company draws 35% of its net income from selling customer data to other companies.
What can I do about companies collecting my data?
For starters, there aren’t any data privacy laws on the federal level. That, so far, has fallen to individual states to enact. As such, data privacy laws vary from state-to-state, with California having some of the earliest and strongest protections on record, via the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).
In all, 20 states currently have comprehensive privacy laws in place, with five others that have put narrower privacy protections in place, covering data brokers, internet service providers, and medical/biometric data.
States with Comprehensive Data Privacy Laws
· California
· Virginia
· Colorado
· Connecticut
· Utah
· Iowa
· Indiana
· Tennessee
· Texas
· Florida
· Montana
· Oregon
· Delaware
· New Hampshire
· New Jersey
· Kentucky
· Nebraska
· Rhode Island
For specific laws in your state and how they can protect you, we suggest doing a search for “data privacy laws [your state]” for more info.
Even if your state has no or narrow data privacy laws in place, you still have several ways you can take back your privacy.
How to protect your data from data brokers.
The first thing you can do is keep a lower profile online. That can limit the amount of personal info they can get their hands on:
Be selective about what you share online. Don’t overshare personal info on social media. Avoid things like online quizzes and sweepstakes. And be aware that some data brokers indeed scour the web with scraping tools that gather up info from things like forum posts.
Go private. Even better, lock down your privacy on social media. Social media platforms like Facebook, Instagram, and others have several settings that keep your profile from being scraped in the ways mentioned above. Features like our
Use a virtual private network (VPN) whenever possible. A VPN hides your IP address and encrypts your data while you surf the web. McAfee’s Secure VPN protects your personal data and credit card information so you can browse, bank, and shop online without worrying about prying eyes, like data brokers and internet service providers (ISPs) that collect info about what you do online.
Remove your info from data brokers quickly with McAfee.
The list of data brokers is long. Cleaning up your personal data online can quickly eat up your time, as it requires you to reach out to multiple data brokers and opt out.
Rather than removing yourself one-by-one from the host of data broker sites out there, you have a solution: our Personal Data Cleanup.
Personal Data Cleanup scans data broker and people search sites and shows you which ones are selling your personal info. It also provides guidance on how you can remove your data from those sites. And if you want to save time on manually removing that info, you have options. Our McAfee+ Advanced and Ultimate plans come with full-service Personal Data Cleanup, which sends requests to remove your data automatically.
If the thought of your personal info getting bought and sold in such a public way bothers you, our Personal Data Cleanup can put you back in charge of it.
This week on Uncanny Valley, we break down how one of the most common card shufflers could be altered to cheat, and why that matters—even for those who don’t frequent the poker table.
They’re not hiding in dark alleys—they’re hiding in plain sight. Airports, cafés, hotels, even libraries can harbor dangerous Vampire Wi-Fi networks.
These vampires pass themselves off as legitimate public Wi-Fi hotspots, using names that look innocent enough, such as “FREE_WIFI” and “AT&T_FREE_WIFI”. These can potentially be “evil twin networks,” which often mimic the name of the airport you’re in, or the place where you’re grabbing a quick coffee and some laptop time while you’re on the road. In fact, when you connect to a vampire or evil twin network, you’re connecting to a hacker.
These networks are relatively easy to set up. With just a few hundred dollars of gear, attackers can set up these digital bloodsuckers anywhere. The moment you log on, they begin feeding on your data, using tools called packet sniffers to capture and analyze every bit you send.
Say you’re on the road and log into one of these networks. A hacker on the network can see what you’re connecting to and what data you’re passing along. Your credit card number while you shop. Your password when you bank. That confidential contract you just sent to a client. And your email password when your app regularly checks for mail every few minutes or so.
What tools let hackers snoop? Network analyzers, or packet sniffers as many call them. A bad actor can gather up data with a packet sniffer, analyze it, and pluck out the sensitive bits of info that are of value. Before you know it, you’re a victim of identity theft.
Another common vampire Wi-Fi ploy is to set up a phony login screen that asks for a username and password, often for popular online services like Google and Apple. In this case, the hacker gets the keys to all the personal info, apps, files, and financial info connected to them.
How to spot phony evil twin public Wi-Fi networks
Hackers typically go to lengths to make these networks look legitimate, but they may give off signs:
The Wi-Fi network has no password.
The Wi-Fi network is not set up with Wi-Fi protected access (WPA) on the router.
The Wi-Fi network is open to Secure Sockets Layer (SSL) attacks. (An SSL certificate is a digital certificate that authenticates a website’s identity and allows for secure, encrypted connections to banking, shopping, and financial sites, to name a few.)
Still, even with some of these flags, they can be tough to spot. And that’s a reason why our mobile security apps for iOS and Android analyze Wi-Fi networks before you connect to them—letting you know if a connection is Safe, Risky, or altogether Unsafe.
How to stay safe from evil twin networks when using public Wi-Fi
Your best bet when using any public Wi-Fi at all is to use a VPN.
A VPN is an app that you install on your device to help keep your data safe as you browse the internet. With your VPN on, your device makes a secure connection to a VPN server that routes internet traffic through an encrypted “tunnel.” This keeps your online activity private on any network, shielding it from prying eyes.
While you’re on a VPN, you can browse and bank with the confidence that your passwords, credentials, and financial info are secure. If a hacker attempts to intercept your web traffic, they’ll only see garbled content, thanks to your VPN’s encryption functionality.
One that doesn’t log or track what you do online, so your online activity remains private.
A VPN that’s independently audited for security and privacy.
One that covers plenty of devices and that offers unlimited data.
Automatically connects when you connect to public Wi-Fi.
Not every VPN offers these features. Selecting one that does gives you the protection you want paired with the privacy you want. You’ll find them all in our VPN, which is also included as part of our McAfee+ plans.
More ways you can stay safe on public Wi-Fi
Several other straightforward steps can keep you safer from vampire and evil twin Wi-Fi—and safer while using public Wi-Fi in general:
Double-check the network name: If you’re at a café, hotel, or airport, check with an employee for the exact name of their official Wi-Fi network before connecting. Don’t automatically trust a network just because its name looks right or has a particularly strong signal. (In fact, some hackers boost their phony Wi-Fi signals to make them look more attractive.)
Disable auto-join: Turn off the auto-join feature for Wi-Fi on your devices. This prevents your phone or laptop from connecting to malicious networks automatically.
See if it can wait: If you can wait to bank, shop, check email, or do anything that involves passwords or sensitive info, do it on a secure connection at home. If it absolutely can’t wait, use your VPN or cellular connection.
Use your own hotspot: Another secure option is to use a personal hotspot from your phone’s cellular data. This gives you a private connection that is much harder for attackers to exploit. That might leave you with a slower connection and possibly eat into your data plan, but those are small concerns compared to the major headache of identity theft.
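The warning signs and the name check described above can be applied to a list of nearby networks before joining one. The following is an added example, not McAfee's code: the tab-separated scan layout, the SSIDs and BSSIDs, and the finding labels are all constructed for illustration.

```python
"""Flag Wi-Fi scan results that show the warning signs listed above.

The scan records are CONSTRUCTED sample data in a made-up tab-separated
layout (SSID, BSSID, security, signal %). Adapt parse_scan() to whatever
your own scanner prints.
"""
import re
from collections import defaultdict

# Constructed sample scan, not captured from a real location.
SAMPLE_SCAN = """\
CityAirport_WiFi\t02:00:00:00:00:01\tWPA2\t61
CityAirport_WiFi\t02:00:00:00:00:02\tWPA2\t58
CityAirport_WiFi\t02:00:00:00:00:99\tOPEN\t97
CityAirport-WiFi_Free\t02:00:00:00:00:77\tOPEN\t90
FREE_WIFI\t02:00:00:00:00:55\tOPEN\t80
CornerCafe\t02:00:00:00:00:10\tWEP\t40
"""

WEAK = {"OPEN", "WEP"}  # modes that are "no password" or "not WPA"


def parse_scan(text):
    """Turn the constructed tab-separated scan into a list of dicts."""
    networks = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ssid, bssid, security, signal = line.split("\t")
        networks.append({"ssid": ssid, "bssid": bssid.lower(),
                         "security": security.upper(), "signal": int(signal)})
    return networks


def _norm(name):
    """Lower-case and drop punctuation so near-identical names compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def assess(networks, official_ssid):
    """Return {(ssid, bssid): [reasons]} for access points worth avoiding.

    official_ssid is the exact name a staff member gave you.
    """
    by_ssid = defaultdict(list)
    for net in networks:
        by_ssid[net["ssid"]].append(net)

    findings = defaultdict(set)
    for ssid, aps in by_ssid.items():
        modes = {ap["security"] for ap in aps}
        for ap in aps:
            key = (ssid, ap["bssid"])
            if ap["security"] == "OPEN":
                findings[key].add("no-password")
            elif not ap["security"].startswith("WPA"):
                findings[key].add("not-wpa")
            # Same name advertised with different protection: the weaker
            # access point is the one that does not match the real network.
            if len(modes) > 1 and ap["security"] in WEAK:
                findings[key].add("security-mismatch")
            # Name resembles the official one but is not an exact match.
            if ssid != official_ssid and _norm(official_ssid) in _norm(ssid):
                findings[key].add("lookalike-name")
    return {key: sorted(reasons) for key, reasons in findings.items()}


if __name__ == "__main__":
    report = assess(parse_scan(SAMPLE_SCAN), "CityAirport_WiFi")
    for (ssid, bssid), reasons in sorted(report.items()):
        print(f"{ssid} [{bssid}]: {', '.join(reasons)}")
```

An access point that raises none of these flags is not proven safe, since a copycat can advertise the same name and security mode as the real network.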
Vampire Wi-Fi networks aren’t going anywhere. Hackers will keep setting up these traps because they work. People see “free Wi-Fi” and click without thinking twice. But now you know better. You’ve got the tools to spot the red flags, the habits to stay protected, and most importantly, you understand why a quality VPN isn’t optional anymore—it’s essential.
McAfee+ gives you everything we’ve talked about: bank-level encryption, zero-logging policies, independent security audits, and that smart auto-connect feature that kicks in when you need it most. Plus, unlimited data across all your devices, because who has time to ration their security?
Your personal information is worth protecting. Your financial data, your work files, your private conversations, they’re all valuable to the wrong people. Don’t hand them over just because someone dangled “free Wi-Fi” in front of you.
A new ICE proposal outlines a 24/7 transport operation run by armed contractors—turning Texas into the logistical backbone of an industrialized deportation machine.
The X-59 successfully completed its inaugural flight—a step toward developing quieter supersonic jets that could one day fly customers more than twice as fast as commercial airliners.
The second major cloud outage in less than two weeks, Azure’s downtime highlights the “brittleness” of a digital ecosystem that depends on a few companies never making mistakes.
Remember that website where you bought a T-shirt in 2013? No?
Hackers do. And it’s one way they can steal your personal info.
Consider this website, and other forgotten sites like it, an example of a “Ghost Account,” a place where one of your long-unused logins lives on and puts your identity at risk.
Ghosts aside, old accounts like these are very real.
Think of all the times you’ve created a one-off account to make a single purchase, take an online quiz, or get more information about an event or a sale. For all the accounts you remember, there are plenty more you’ve probably completely forgotten about.
Even as estimates vary, it’s likely the average person has somewhere between 100 and 200 online accounts, where varying degrees of their personal and financial info are stored.
And all those accounts add up to plenty of exposure. Those companies still have your address, payment information, and other personal details in their system.
At a time when data breaches of varying sizes compromise 3.5 million accounts on average each day, the odds of an old account of yours getting compromised are higher than you may realize. The more places your info resides, the more exposure to risk you have, namely data breaches, which can quickly lead to identity theft and fraud.
Compounding the problem is human nature. People tend to reuse passwords, or use highly similar passwords, all in an effort to maintain some degree of sanity across all the accounts they’re juggling. Hackers love that too. With one password in hand, they potentially get the keys to several other accounts, also with varying levels of personal and financial info, which (again) can lead to identity theft and fraud.
Our Online Account Cleanup finds and deletes old accounts to reduce your risk of data exposure. In our McAfee+ Ultimate plans, you get full-service Online Account Cleanup, which sends the data deletion requests for you.
With each scan, you get an all-up view of accounts in your name. From there, it shows which are riskiest to keep, along with a look at what personal info is typically included in those accounts, which helps you decide what you’d like to keep and what you’d like to delete. Again, with McAfee+ Ultimate, you can request to delete accounts with a single click.
And because you add accounts and passwords from time to time, Online Account Cleanup gives you a monthly report. That way, you can keep tabs on your ever-evolving list of accounts and delete any you don’t want over time.
And while you’re at it, don’t forget your passwords.
Yes, with all those accounts come passwords. While you’re cleaning up your old accounts, you can better protect the ones you keep with our Password Manager. It’s a simple and highly secure way you can create strong, unique passwords for each and every one of your accounts. That offers you yet one more line of defense against data breaches, because hackers know so many people reuse their passwords.
Lastly, it’s convenient. You only need to remember one password. Our password manager securely stores all your passwords, where one primary password grants access to them all.
Removing unused ghost accounts can make you far safer from identity crimes
Whether it’s for an old online gaming account, a streaming service you never use anymore, or a login for a doctor’s office you don’t visit anymore, delete it. The less personal and financial info you have sitting in a database somewhere, the less info a hacker can steal and use to commit identity theft or fraud.
We all have our “ghosts” floating around online, and today you have an easy way to get rid of them for good.
Peter Williams, a former executive of Trenchant, L3Harris’ cyber division, has pleaded guilty to two counts of stealing trade secrets and selling them to an unnamed Russian software broker.
Cisco Secure Firewall wins SE Labs’ 2025 Best NGFW award — the first ever to earn dual AAA ratings for both protection and performance. Zero breaches, Zero compromises.