Reading view

Nearly 7 Million Driver’s Licenses Exposed in Assurance Breach: This Week in Scams

Millions of Americans hand over personal information every day. They share their data with insurance companies, banks, investment apps, and other services they trust. 

And that’s exactly why cybercriminals target and impersonate those services.

This week, an insurance provider disclosed a breach reportedly affecting nearly 7 million people’s driver’s license numbers, while a California journalist shared how a convincing fake Robinhood text ultimately cost her more than $70,000. 

Here’s what happened, why these scams work, and what you can do to protect yourself This Week in Scams. 

Nearly 7 Million Driver’s License Numbers Exposed in Insurance Data Breach 

One of the largest U.S. data breaches of the year has exposed sensitive information belonging to 6.9 million people. 

According to reporting from TechCrunch, insurance provider AssuranceAmerica confirmed that hackers accessed customer information after compromising an employee account. The company says the stolen data includes names, contact information, driver’s license numbers, insurance policy details, vehicle information, and claims data. 

While the company has not said exactly how the employee’s credentials were compromised, it noted that the attackers targeted an employee account before accessing company systems. 

Why driver’s license numbers matter 

Unlike a password, you can’t simply change your driver’s license number. 

Combined with your name, address, phone number, or other information from previous breaches, driver’s license numbers can be used by criminals to: 

  • Open fraudulent accounts  
  • Impersonate victims during identity verification  
  • Make phishing scams more convincing  
  • Support broader identity theft schemes  

This is also part of a larger trend. In recent months, multiple breaches have exposed government-issued identity documents as more organizations collect IDs for identity verification and age-check requirements. 

If you receive a notice that your information was involved in a breach, monitor your financial accounts closely, consider placing a fraud alert or credit freeze, and remain cautious of unexpected emails, texts, or phone calls referencing your insurance or driver’s license information. 

Unfortunately, scammers will reach out saying they’re trying to “help” secure your stolen information, only to try and steal more personal data from you.

How McAfee Can Help Before, During, and After a Data Breach

Before a breach

Personal Data Cleanup helps reduce your digital footprint by removing your personal information from many data broker sites, limiting what scammers can easily find about you.

During a breach

Identity Monitoring alerts you if your personal information appears on the dark web or in known data leaks, helping you respond faster if your information is exposed.

After a breach

Scam Detector helps identify suspicious texts, emails, and links that often follow major breaches, while Web Protection helps block malicious websites designed to steal additional information or credentials.

Fake Robinhood Text Scam Costs Former News Anchor More Than $70,000 

Even people who report on scams can become victims. 

A former California television news anchor recently shared how she lost more than $70,000 after receiving what appeared to be a legitimate text message claiming there was suspicious activity on her Robinhood investment account. 

The message instructed her to call a phone number for assistance. Once connected, the caller posed as Robinhood support before transferring her to a fake “fraud department.” 

Believing she was protecting her investments from hackers, she was convinced to move her money into what she thought was a secure account. Instead, it went directly to scammers. 

She later contacted Robinhood through the official app, but by then the money had already been transferred. 

Why investment scams are becoming more convincing 

Investment scams rely on urgency, authority, and impersonation rather than obvious phishing emails. 

Rather than asking targets to “invest” immediately, many scams begin by convincing people that their existing account is under attack and immediate action is needed. 

At McAfee, we’ve also seen scammers impersonate Robinhood, Charles Schwab, cryptocurrency platforms, and other investment services through fraudulent text messages and malicious links promising AI-powered investing, exclusive bonuses, or unusually high returns. 

Whether the message claims your account has been compromised or promises incredible profits, the goal is often the same: get you to click, call, or transfer money before you have time to verify what’s happening. 

Investment Safety Checklist 

Before responding to any message about your investments: 

✅ Never call the phone number provided in a text message or email. Instead, contact your financial institution using the number listed in its official app or website. 

✅ Slow down when someone creates urgency. Claims that your account is being hacked or frozen are designed to make you act before you think. 

✅ Be skeptical of guaranteed returns or AI-powered investment opportunities. Promises of extraordinary profits are a common hallmark of investment fraud. 

✅ Verify alerts through your account directly. If you receive a suspicious notification, log in through the official app, not a link in the message. 

How McAfee Can Help   

With McAfee+, multiple layers work together before any damage is done:  

Scam Detector flags suspicious texts, emails, links, QR codes, and even deepfake videos before you engage 

Secure VPN keeps your data private, especially on public Wi-Fi  

Web Protection helps block risky sites, even if you do accidentally click 

Password Manager doesn’t just help you make unique, strong passwords, it keeps them stored and organized for you

Device Security helps detect malicious apps or downloads   

Identity Monitoring alerts you if your personal info appears online in places it shouldn’t, so you can act fast

Personal Data Cleanup helps remove your information from sites selling it. 

Online Account Cleanup assists in taking down your old, forgotten accounts across the web 

Social Privacy Manager helps you monitor and change privacy settings across your social platforms in just a few clicks 

Together, these protections are designed to address the broader range of online risks people face every day. 

The post Nearly 7 Million Driver’s Licenses Exposed in Assurance Breach: This Week in Scams appeared first on McAfee Blog.

  •  

Imposter Scams Are Evolving. Here Are the 10 Identities Scammers Pretend to Be Most.

Imposter scams remain the most reported type of fraud in America for the fifth year in a row, according to new data from the Federal Trade Commission (FTC).  

Americans submitted more than 1 million reports of imposter scams in 2025, making them the agency’s top fraud category once again. Victims reported more than $3.5 billion in losses, though the real number is likely much higher since many scams go unreported.  

But “imposter scam” is a broad category. It doesn’t tell you what these scams actually look like when they land in your inbox, texts, social media DMs, or phone calls. 

To better understand what consumers are encountering every day, McAfee surveyed more than 7,500 people for its State of the Scamiverse report. The results show scammers aren’t just pretending to be one type of person or company. They’re impersonating the brands, services, and people we trust most.  

This week’s edition of This Week in Scams is here ahead of the holiday weekend with the 10 most common identities scammers pretend to be. 

10. Someone Who “Texted the Wrong Number” (20%)

Common scam: An innocent conversation that turns into something more. 

These scams often begin with a harmless message intended for “someone else.” Once you reply, the scammer slowly builds trust over days or even weeks before introducing investment opportunities, romance, or requests for money. 

Unlike traditional phishing, these scams don’t always include suspicious links. 

Why it works: They feel like genuine human conversations rather than obvious scams. 

Learn more about wrong number and pig-butchering scams. 

9. Technology Companies (21%)

Common scam: “Your device has been compromised.” 

These messages impersonate technology companies or cybersecurity brands, claiming your computer or phone has been infected or involved in a security breach. 

Some direct victims to fake technical support, while others encourage downloads of malicious software. 

Why it works: Security alerts are designed to grab attention, and convincing impersonation can make fake warnings look legitimate. 

Learn more about tech support scams. 

8. Banks and Financial Institutions (21%)

Common scam: “We’ve detected suspicious activity on your account.” 

Bank impersonation scams create immediate urgency, asking customers to confirm transactions, secure their accounts, or verify their identity. 

Many direct victims to fake websites or connect them with fraudulent customer support representatives. 

Why it works: Financial security messages naturally demand attention, making people more likely to react before verifying the sender. 

Learn more about banking scams and financial fraud. 

 7. Subscription Services (21%)

Common scam: “Your payment couldn’t be processed.” 

Scammers impersonate streaming services, software subscriptions, and other recurring services, warning that your account will be canceled unless you update your payment information. 

Why it works: Consumers are used to recurring billing notifications, making these messages blend into everyday digital life. 

Learn more about mobile payment and subscription scams. 

6. Auto Warranty Providers (22%)

Common scam: “Your vehicle warranty is about to expire.” 

One of the oldest impersonation scams is still one of the most common. Fraudsters claim your warranty is ending and pressure you to purchase coverage immediately or provide personal information. 

Why it works: Many people aren’t sure when their warranty expires, making the claim difficult to verify on the spot. 

Learn more about these types of robocallers. 

5. Rewards Programs and Survey Companies (22%)

Common scam: “You’ve won a prize.” 

These scams promise gift cards, rewards, or exclusive offers but require you to “verify” your identity or enter payment information to claim them. 

Why it works: The promise of something free lowers skepticism, especially when the message appears to come from a familiar brand. 

Learn more about survey and prize scams.  

4. Retailers and Merchants (26%)

Common scam: Fake invoices for purchases you never made. 

Receiving an invoice for an expensive purchase can trigger panic. Scammers count on victims clicking quickly to dispute the charge, often leading them to malicious websites or fake customer support numbers. 

Why it works: Consumers naturally want to stop fraudulent purchases as quickly as possible. 

Learn more about shopping scams. 

3. Payment Services (27%)

Common scam: “Verify your PayPal account.” 

Messages claiming there’s a problem with your payment account often direct you to fake login pages designed to steal your username, password, or financial information. 

While PayPal is one common example, scammers impersonate many digital payment platforms. 

Why it works: Payment notifications are common, and many consumers don’t think twice before signing in to resolve what appears to be a routine issue. 

Learn more about mobile payment scams.  

2. Social Media Platforms (27%)

Common scam: “Verify your account or it will be suspended.” 

Scammers frequently impersonate platforms like Facebook, Instagram, TikTok, or X, claiming there’s unusual activity or that your account violates community guidelines. 

The goal is usually to steal your login credentials or two-factor authentication codes. 

Why it works: Many people rely on social media for work, business, or staying connected, making the threat of losing access feel urgent. 

Learn more about social media scams.  

1. Delivery Companies (31%)

Common scam: “Your package couldn’t be delivered.” 

Whether you’re waiting for a birthday gift, an online order, or an important package, fake delivery notifications prey on the fact that most people are expecting something to arrive. 

These messages often claim there’s a shipping issue, unpaid delivery fee, or missed package and urge you to click a link immediately. 

Why it works: Package updates have become part of daily life, making fake notifications feel routine rather than suspicious. 

Learn more about delivery scams. 

The Common Thread 

While these scams may look different, they all rely on the same tactic: impersonation. 

“AI has lowered the barrier for creating convincing impersonation scams,” said Abhishek Karnik, Head of Threat Research at McAfee.  

“Scammers can now produce professional-looking emails, realistic websites, and even convincing voices or videos at scale. The result isn’t necessarily more scam types, it’s far more believable versions of the scams people already encounter every day.” 

That mirrors a broader trend McAfee identified in its State of the Scamiverse research: scams are becoming more realistic, more personalized, and harder to distinguish from legitimate communications.  

Americans now receive an average of 14 scam messages every day, spend 114 hours each year deciding what’s real and what’s fake, and one in three say they feel less confident spotting scams than they did a year ago.  

How to Protect Yourself From Impersonation Scams 

If you notice this…  ✅ Do this instead 
A message creates a sense of urgency (“Your account will be suspended,” “Package delivery failed,” “Fraud detected”)  Pause before acting. Scammers want you to make a quick decision before verifying the message. 
You’re asked to click a link or scan a QR code  Open the company’s official website or app yourself instead of using the link in the message. 
The message asks you to verify your account, payment information, or identity  Never enter credentials through an unsolicited message. If you’re concerned, contact the company directly using a trusted phone number or website. 
Someone asks for passwords, one-time verification codes, or payment over text, email, or phone  Legitimate companies won’t ask for this. Don’t share the information, even if the request seems convincing. 
A “wrong number” text quickly becomes unusually friendly or shifts toward investing, crypto, or money  Stop responding and block the sender. Modern scams often begin as seemingly harmless conversations. 

How McAfee Can Help   

With McAfee+, multiple layers work together before any damage is done:  

  • Scam Detector flags suspicious texts, emails, links, QR codes, and even deepfake videos before you engage 
  • Secure VPN keeps your data private, especially on public Wi-Fi  
  • Web Protection helps block risky sites, even if you do accidentally click 
  • Password Manager doesn’t just help you make unique, strong passwords, it keeps them stored and organized for you
  • Device Security helps detect malicious apps or downloads   
  • Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast   
  • Personal Data Cleanup helps remove your information from sites selling it. 
  • Online Account Cleanup assists in taking down your old, forgotten accounts across the web 
  • Social Privacy Manager helps you monitor and change privacy settings across your social platforms in just a few clicks 

Together, these protections are designed to address the broader range of online risks people face every day. 

The post Imposter Scams Are Evolving. Here Are the 10 Identities Scammers Pretend to Be Most. appeared first on McAfee Blog.

  •  

McAfee Mobile Security Earns a Perfect AV-TEST Score Yet Again

McAfee Mobile Security has once again earned a perfect score from AV-TEST, one of the cybersecurity industry’s most respected independent testing organizations. 

In AV-TEST’s latest Android security evaluation, McAfee achieved a flawless 18 out of 18 points, receiving perfect 6/6 scores in Protection, Performance, and Usability 

The result also earned McAfee AV-TEST’s highest certification for mobile security. 

More importantly, this isn’t a one-time achievement. McAfee has earned top certification in every AV-TEST Mobile Security evaluation since testing began in 2013, demonstrating more than a decade of consistently delivering industry-leading protection for Android users. 

What is AV-TEST? 

AV-TEST is one of the world’s leading independent cybersecurity testing laboratories. Rather than relying on vendor claims, AV-TEST evaluates security products under controlled, real-world conditions using the same types of threats consumers face every day. 

Its certifications are widely referenced by: 

  • Security experts and reviewers  
  • Technology publications  
  • Product comparison sites  
  • Consumers researching antivirus software  

Because every product is tested using the same methodology, AV-TEST provides an objective benchmark for comparing mobile security solutions. 

How McAfee Was Tested 

For this evaluation, AV-TEST examined 12 Android mobile security products across three equally weighted categories: 

Category  What It Measures 
Protection  Ability to detect and block real-world Android malware and emerging threats 
Performance  Whether the security app slows down your device or drains system resources 
Usability  Accuracy of detections and avoidance of false alarms or unnecessary interruptions 

McAfee earned the maximum possible score in all three categories: 

  • Protection: 6/6  
  • Performance: 6/6  
  • Usability: 6/6 

Overall Score: 18/18 

That means McAfee not only blocked threats effectively, but did so without slowing devices down or generating unnecessary false positives. 

Why These Results Matter 

Mobile devices have become one of our primary ways to bank, shop, communicate, and manage our digital lives. As cybercriminals increasingly target smartphones with malware, phishing attacks, malicious apps, and credential theft, effective mobile protection matters more than ever. 

Independent testing helps separate marketing claims from measurable performance. 

McAfee’s latest AV-TEST results demonstrate that users don’t have to choose between strong security and a smooth mobile experience. The protection works quietly in the background, helping keep devices secure without getting in the way. 

Even more importantly, this latest certification continues a streak that spans more than a decade. Consistently earning perfect scores across changing threat landscapes reflects McAfee’s ongoing investment in protecting customers against today’s evolving mobile threats. 

Mobile Protection You Can Count On 

The award-winning protection recognized by AV-TEST is included in: 

  • McAfee+ Premium  
  • McAfee+ Advanced  
  • McAfee+ Ultimate  
  • McAfee Total Protection  
  • McAfee LiveSafe  
  • McAfee Internet Security  
  • McAfee Business Protection  

Whether you’re protecting your own phone or your entire family’s devices, you’re getting the same independently tested mobile security that continues to earn top marks from one of the industry’s most trusted testing organizations. 

Ready to get protection that doesn’t slow you down? Explore McAfee+ Plans →  

The post McAfee Mobile Security Earns a Perfect AV-TEST Score Yet Again appeared first on McAfee Blog.

  •  

AI Can Find Your Location 91% of the Time Using Just One Photo

summer travel with a smartphone

How AI uses simple details in your photos to pinpoint where you are and why that’s a gold mine for scammers

McAfee Labs Safer Summer Travel Report | Summer 2026 

A Photo Is Worth a Thousand Data Points 

You just got back from a week in Central America. You posted a few shots: the colorful streets of Tulum, a picture of the ancient ruins of Tikal, a close-up of your shrimp tacos. No location tag. No caption naming the city. Just a good photo. 

A few days later, you get a message. It references your bank. It mentions suspicious activity “while traveling internationally.” It feels oddly specific, with details about where you were and when. It feels real. 

These types of personalized scam messages are a growing tactic. And your own photos may have helped write it.

McAfee Labs set out to understand exactly how much location information exists inside an ordinary travel photo, and what that means for the roughly 244 million Americans who travel each year.  

What we found should change the way you think about what you share online: Some AI models have a more than 90% accuracy rate at detecting the location a photo was taken based on the visuals in the photo alone. And critically, that level of accuracy is now achievable using tools that are free and widely accessible. 

That’s why we’ve built tools like McAfee’s Scam Detector that are designed to help spot these kinds of highly targeted, convincing messages before they lead to costly mistakes. 

What We Tested And Why 

The question McAfee Labs wanted to answer was deceptively simple: Can AI look at a travel photo and figure out where it was taken, even without GPS data or location tags? 

Not metadata. Not embedded coordinates. Just the image itself: the background, the architecture, the signage, the light; the visual context that any photo naturally captures. 

To find out, we built an automated testing pipeline and ran it against a dataset of 21,236 travel images sourced from publicly available image sets. We also conducted a separate, more controlled review of 102 additional images to pressure-test our findings. 

We tested two publicly available, large-scale AI vision models that are both freely available. Neither required special access, proprietary data, or advanced technical expertise to run. We used the same tools a scammer could access today. 

Each image was analyzed using a consistent automated prompt asking the model to identify the location depicted (city, country, or region) based solely on visual content. Results were then reviewed by human analysts to validate accuracy and flag edge cases.

What We Found: AI Has a Whopping 91% Accuracy Rate 

The results were striking. 

Gemma3 27B correctly identified the city and country of a travel photo 87% of the time. Qwen3 VL 30B performed even better, reaching 91% accuracy across the same dataset. 

That means in roughly 9 out of 10 cases, an AI model that’s available for free, to anyone, could look at an ordinary travel photo and correctly name where it was taken. This kind of analysis is also how AI tools understand images more broadly, shaping not just scams, but how information shows up in AI-powered answers. 

And when the exact city wasn’t identified, the country alone was almost always correct. For a scammer, that’s more than enough. It’s also enough to turn a vague, generic scam into one that feels specific, timely, and believable. 

What Makes a Photo Easy to Place? 

Certain types of images were identified with even higher confidence: 

  • Photos featuring famous landmarks or recognizable skylines 
  • Images taken in popular tourist destinations with distinctive visual signatures 
  • Photos with visible signage, unique street markings, or local architecture 
  • Images that captured cultural context: transportation, storefronts, food stalls 

Less recognizable scenery, like a generic beach, a rural road, or a hotel room, lowered accuracy. But even in those cases, country-level identification remained high. 

We Tried it. And We Were Spooked. 

To illustrate how simple this was to replicate, we moved outside of McAfee’s labs and asked our less-technical colleagues to try it themselves. No research background required. No special tools. 

Employees uploaded their own personal travel photos, images pulled straight from their camera rolls and never posted publicly, to ChatGPT, Claude, and Copilot, and simply asked each one to identify where the photo was taken. 

The results made people uncomfortable. 

Accuracy dropped compared to our controlled lab tests. But not by much. The models still correctly identified country-level location at a rate that would be more than enough for a scammer to craft a convincing, targeted message. 

The takeaway isn’t that AI has “seen” your photos somewhere before. It’s that a photograph inherently contains an enormous amount of locating information, in the architecture, the light, the signage, the landscape, simply by virtue of existing in the world. You don’t need to geotag a photo for it to give away where you’ve been. 

See It for Yourself 

The following section shows real examples of AI geo-location detection in action, using personal travel photos submitted by our research team. No location tags. No metadata. Just the image and what AI found in it. 

We started with somewhat recognizable structures in the background, and then tried increasingly more obscure backgrounds, trying to reduce faces and backgrounds to foliage only. This is what happened:

Example 1 

Brooke’s honeymoon pictures: This example features a more prominent landmark, helping AI determine the location  specifically. When there’s something recognizable, AI really recognizes it, down to giving you the exact spot on the map you’re at, the history of the location, and tourist information.

Screenshot of ChatGPT conversation identifying the location of a photo
Here, we see AI correctly state this photo was taken in front of “Temple II, Temple of the Masks.”

Example 2 

Sandra’s sunset photoThis example gets more difficult for AI by removing major landmarks and people. ChatGPT was still able to correctly identify the location as Hastings-on-Hudson. 

screenshot of AI correctly identifying location

 

 

Example 3 

Rob’s close-up shot of flowers: Just the close-up image of these tulips was enough for Claude to accurately detect that this photo was taken at Keukenhof gardens in the Netherlands.

AI was able to identify the location of these flowers in a close up.
AI was able to identify the location of these flowers in a close up.

How a Photo Becomes a Scam 

Knowing where someone is or where they’ve recently been is one of the oldest tricks in a scammer’s playbook. But until recently, getting that information required either knowing the person or getting lucky. 

AI removes the guesswork, allowing attackers to build highly specific, contextual scams at scale. 

With geo-location inference this accurate, scammers no longer need to cast a wide net and hope a generic phishing message lands. Instead, they can use publicly shared photos to build a believable context around an attack: 

  • “We detected unusual account activity while you were traveling in [city].” 
  • “Your card was flagged for a transaction in [country] — please verify immediately.” 
  • “Hi, we’re reaching out regarding your recent stay at a hotel in [destination].” 
  • “Hi, it’s [your name], I’m in Mexico and all my cards are being declined. Could you send me $$?” (a message targeting your friends or loved ones) 
  • “We noticed a login attempt from your location in [destination] — please confirm your identity.” 
  • “Your reservation in [city] requires reconfirmation — click here to secure your booking.” 
This is an example of a scam text detected by our research team. Now, imagine if scammers had more information, like the exact tour you were on, where you were, or the stores you shopped at. These details could make messages like this even more convincing and personalized.
This is an example of a scam text detected by our research team. Now, imagine if scammers had more information, like the exact tour you were on, where you were, or the stores you shopped at. These details could make messages like this even more convincing and personalized.

These messages don’t need to be perfectly accurate. They just need to feel plausible and close enough. That is the entire strategy. Familiarity lowers skepticism. Skepticism is what protects you. 

This is what turns mass phishing into hyper-personalized phishing at scale, and it’s why even cautious, digitally savvy travelers are getting caught. 

The Scammer’s New Workflow 

Here’s how straightforward this pipeline can become: 

  1. Find publicly shared travel photos on Instagram, Facebook, or X, no hacking required 
  2. Run them through a freely available AI vision model 
  3. Identify the likely destination, timeframe, and context 
  4. Craft a targeted message referencing that location 
  5. Send it during or shortly after the travel window, when the victim is most likely to believe it 

Steps 1 through 5 can be automated. The whole process scales easily. And the resulting messages feel personal in a way that generic scams never could. 

The Broader Scam Landscape Travelers Face 

Geo-location inference doesn’t exist in a vacuum. It’s one tool in a growing arsenal that scammers deploy specifically against travelers.  

Travelers are operating outside their normal routines, using unfamiliar networks, and making quick financial decisions under time pressure. These behaviors are exactly what make photo-based location inference more actionable for scammers. 

New McAfee consumer research found that more than 1 in 3 Americans have encountered a travel-related cyberthreat, and 41% of those impacted lost money, often exceeding $500. At the same time, rising travel costs and time pressure are pushing people toward faster, riskier decisions. Those are exactly the conditions scammers are built to exploit. 

The data reveals just how exposed travelers make themselves without realizing it. Nearly two-thirds of Americans connect to public Wi-Fi while traveling (63%), and a similar share scan QR codes without verifying where they lead (62%). Almost half use airport Wi-Fi specifically (49%), and 41% admit to trusting travel-related messages without checking the sender. One in five logs into financial apps while on public networks, and the same group shares travel plans in real time on social media. Twenty percent click travel-related links without verifying the source first. And finally, around 1 in 5 (22%) admit to sharing travel plans in real time.  

That last behavior is worth pausing on. Sharing travel plans in real time, on public or semi-public social accounts, is precisely what creates the photo-based location signals this research examines. These behaviors and geo-location exposure are not separate issues. They feed each other. 

Location inference is the key that makes all of those existing vulnerabilities more exploitable. A scammer with a rough idea of where you are does not just have a data point. They have a script. 

Methodology: How We Conducted This Research 

Transparency matters. Here is exactly how this research was conducted. 

Dataset: 21,236 travel images that are publicly available for research, plus a separate controlled set of 102 images contributed by McAfee internal volunteers (never previously posted publicly). 

Models tested: 

  • Gemma3 27B — a multi-model and vision-language model from Google DeepMind 
  • Qwen3 VL 30B — a multi-model and vision-language model from Alibaba’s Qwen team 

It’s important to note that we conducted our testing using large language models running locally on our own computers, rather than through public services such as ChatGPT.  

This more closely reflects how an attacker might operate at scale. Running models locally allows unrestricted, automated generation of large volumes of malicious content without relying on a third-party provider.  

By contrast, cloud-based AI services typically monitor for abuse and may impose rate limits, suspend accounts, or block requests when they detect activity associated with phishing or other malicious behavior. 

Process: An automated Python script submitted each image to both models using a standardized prompt requesting location identification based solely on visual content. No metadata, EXIF data, or file naming conventions were used as inputs. Results were logged programmatically. 

Validation: Image labels were pre-assigned prior to analysis. In cases where geographic names or landmarks could reasonably be interpreted in more than one way, a human reviewer compared the pre-labeled locations and model outputs to ensure consistent categorization.  

For example, the reviewer determined whether Vatican City should be grouped with Rome and whether “Washington D.C.” and “Washington, D.C.” should be treated as the same location. The reviewer did not alter either the original labels or the model results, but instead applied judgment to reconcile ambiguous naming conventions and edge cases. 

Accuracy definition: A result was counted as correct when the model identified the correct city and country. Country-only identification was tracked separately. Both metrics are reported. 

What this research does not claim: This research does not suggest that every travel photo will be correctly identified, or that all publicly available AI tools perform at this level. Results varied by image type, landmark density, and geographic region. The point is not perfect identification,  it’s that accuracy is high enough, and accessible enough, to enable targeted scams at scale. 

About the Consumer Research McAfee commissioned a consumer survey fielded in March 2026 examining travel intentions, travel scam experiences and perceptions, and digital behaviors while traveling. Results referenced here represent a subset of 1,000 U.S. adults over the age of 18. The full study included responses from 6,000 participants across Australia, France, Germany, Japan, the United States, and the United Kingdom. 

How to Protect Yourself 

Knowing the risk exists is the first step. Here’s what to actually do about it. 

Think before you post, especially in real time. The highest-risk window is when you’re still traveling. Posting while you’re in a location gives scammers a live signal. When possible, post after you’ve returned home or delay sharing location-identifiable content by a few days. 

Audit your social media privacy settings. Photos shared publicly are the easiest targets. Restricting your posts to people you know significantly limits the pool of images that can be scraped and analyzed. 

Be skeptical of urgency tied to your location. If a message references where you’ve been, even correctly, treat that as a red flag, not a credibility signal. Scammers use location familiarity precisely because it feels reassuring. 

Go directly to the source. If you receive a message claiming to be from your bank, airline, hotel, or card provider while traveling, don’t click any link in the message. Open a new browser tab and navigate directly to the company’s official website, or call the number on the back of your card. 

Use a travel-specific email or alias. Some travelers use a separate email address for bookings, reservations, and travel apps. This limits the cross-referencing scammers can do between your social media presence and your financial accounts. 

Trust the skepticism, not the familiarity. Modern scams are designed to feel familiar before they feel suspicious. If something creates a sense of urgency around your financial accounts while you’re traveling, slow down. The pressure itself is the warning sign. 

How McAfee Protects You Before, During, and After Travel 

As prices rise and decisions happen in real time, it’s easy to prioritize convenience over caution. But that’s exactly the moment when small checks matter most. 

Stage of Travel  What’s Happening  How McAfee Helps 
Before You Book  Comparing deals, clicking promotions, booking flights and hotels under time pressure  Scam Detector checks links, messages, and booking sites before you click, helping you avoid fake deals and scam listings 
During Your Trip  Connecting to public Wi-Fi, scanning QR codes, receiving travel updates and alerts  VPN helps secure your connection on public Wi-Fi, while Scam Detector flags suspicious messages and unsafe links in real time 
After Your Trip  Accounts remain active, travel data stored across platforms, potential exposure from breaches  Identity Monitoring alerts you if your personal information appears online, helping you act quickly before damage spreads 

With McAfee+ Advanced, multiple layers work together so you’re not left figuring it out after the damage is done.  

So you can focus on your trip, and not on whether that notification is a scam. 

Final Thought 

A travel photo is a memory. It’s also, increasingly, a data point. 

That doesn’t mean you should stop sharing your experiences. It means understanding that the same visual richness that makes a great photo is exactly what AI systems are trained to read. 

Scammers know this. Now you know how to protect yourself. 

This report was produced by McAfee Labs. Research was conducted in 2025–2026 as part of McAfee’s ongoing monitoring of AI-enabled scam vectors. 

The post AI Can Find Your Location 91% of the Time Using Just One Photo appeared first on McAfee Blog.

  •  

Silent Swap: A Crypto Clipper Extension Campaign

Authored by Neil Tyagi

Executive Summary 

McAfee Advanced Threat Research has identified an active browser-extension campaign designed to steal cryptocurrency by silently substituting wallet addresses the moment a user initiates a transaction. The campaign is delivered through unsigned installers — observed in both .NET and Golang variants — that deploy a malicious Chromium extension masquerading as a benign “Google Notes” utility.  

This campaign is related to a previous blog published by McAfee Labs, Sinkholing CountLoader: Insights into Its Recent Campaign, as the threat actor appears to be the same behind both operations. In that earlier research, we analyzed a crypto clipper payload that was injected directly into memory. Here, we examine a different variant of the final-stage payload: a browser-based malicious extension designed to intercept and manipulate cryptocurrency transactions.  

In this report, we detail how the extension operates and provide a technical analysis of the mechanisms that make this threat particularly unique. The extension behaves as a clipboard-aware crypto clipper: it monitors copy-and-paste activity, identifies wallet addresses across multiple blockchains, and swaps them for attacker-controlled addresses just before the victim pastes the content. Because most Blockchain transactions are irreversible, even a single uninterrupted execution is enough to cause permanent financial loss. 

Two characteristics elevate this campaign above the typical clipper threat: 

  1. Chromium trust-layer abuse. The installer secretly forces a malicious browser extension into Chromium-based browsers like Google Chrome, Brave, and Microsoft Edge by modifying protected browser settings files. Normally, these browsers store security verification data (hash/HMAC values) alongside sensitive settings to detect unauthorized changes. The malware recalculates and updates these security values after tampering with the files, tricking the browser into believing the malicious extension was installed legitimately. This allows the extension to bypass the normal extension web store installation process and load silently without user approval. However for updated Chrome and edge browser, Victim must manually turn on the developer mode for the extension to load properly, but people with outdated versions of chromium based browsers, remain at high risk. Moreover, for latest versions as well threat attacker can employ social engineering tactics to enable developer mode.
  2. Blockchain-resolved command-and-control. The extension does not contain a hardcoded C2 domain. Instead, it queries a public blockchain RPC endpoint, invokes a read-only smart-contract method, and decodes the response at runtime to reveal its active C2 observed at the time of analysis as Zebregts[.]com 

    This technique, often referred to as “EtherHiding,” complicates takedown efforts because the attacker can rotate infrastructure by updating a smart-contract value rather than redeploying malware. 

McAfee telemetry indicates a globally distributed infection footprint with a pronounced concentration in India. The breadth of the geography suggests opportunistic targeting of consumer cryptocurrency users rather than a region-specific operation. 

Geographical Prevalence  

A map of the world showing countries impacted by this cybersecurity threat.
Our research shows that these are the most affected regions of the globe.

Telemetry analysis indicates that infections are globally distributed, with a significantly higher concentration observed in India compared to other regions.  

The widespread geographic presence highlights the campaign’s broad reach, suggesting opportunistic targeting rather than a region-specific attack. 

The Malicious Extension: “Google Notes” 

This malware is masquerading as a seemingly harmless Google Notes extension. 

The malicious Google Chrome extension.
Figure 1. This image shows the malicious extension at the center of this campaign

 

The dropped extension presents as a minimalist, legitimate-looking note-taking application branded as “Google Notes,” complete with a clean icon and a functional (& simplistic) user interface.  

The cover is calculated: a user who manually opens the extension finds something that behaves as advertised, dampening suspicion. The extension’s malicious logic is implemented in background service-worker scripts and content scripts that operate entirely out of view of the UI. 

A major red flag first appears when adding the extension, which requests  security permissions and access that are disproportionate to a typical notes application: 

  • Access to all URLs , granting content-script injection into every site the user visits. 
  • Browsing history access. 
  • Read and write access to the clipboard. 

Mitigation and Recommendations 

For Consumers 

  1. Before confirming any cryptocurrency transaction, visually verify the first and last six characters of the recipient address against the original source — ideally on a separate device. This single habit defeats the overwhelming majority of clipper attacks. 
  2. Install browser extensions exclusively from the official Chrome Web Store, Edge Add-ons store, or equivalent. An extension that appears in your installed list without a clear memory of having installed it should be treated as suspicious. 
  3. Review the permissions granted to every installed extension. A note-taking tool has no legitimate need for access to all websites, browsing history, or the clipboard. 
  4. Avoid running unsigned executables obtained from non-authoritative sources, particularly those offering free or cracked versions of paid software — a common delivery vector for this category of installer. 
  5. Keep endpoint protection up to date and enabled; McAfee customers are protected against this specific campaign as described below. 

McAfee security solutions help safeguard users at multiple levels: 

1. McAfee detects this threat as CryptoStealer.NE and keeps our customers safe 

Figure 2. This image shows McAfee Antivirus blocking this threat for consumers.
Figure 2. This image shows McAfee Antivirus blocking this threat for consumers.

2. Malicious Download Protection

The installer’s behavior—downloading and executing remote payloads—is flagged and blocked by McAfee before infection completes. All the malicious domains and URLs are blocked by McAfee in our tests. 

3. Network Protection

Connections to known malicious infrastructure (C2 servers) are blocked by McAfee, preventing Wallet address retrieval 

4. Real-Time Threat Intelligence

Because this threat was identified in McAfee telemetry, protections can be rapidly deployed to: 

  • Block similar variants 
  • Detect related infrastructure 
  • Protect customers globally 

How The Threat Campaign Works 

What the Malware Does  

  1. Installs a browser extension silently (web extension sideloading) 
  2. Monitors what you copy and paste (especially crypto addresses) 
  3. Works when you are making a crypto transaction 
  4. Silently replaces the wallet address with the attacker’s address 
  5. Your funds are sent to the attacker instead of the intended recipient 

Because cryptocurrency transactions are typically non-reversible, victims may permanently lose funds. 

Figure 3. How the extension works in a nutshell
Figure 3. How the extension works in a nutshell

 

Key Capabilities Identified 

1. Silent Extension Installation 

The malware does not use the official browser store. Instead, it directly modifies browser files to make the extension appear installed. (Sideloading Browser Extension) 

This bypasses normal security prompts and user awareness. 

Figure 4. Procmon logs showing BaseZipInstaller (malicious web installer) writing into chrome and edge secure preference files
Figure 4. Procmon logs showing BaseZipInstaller (malicious web installer) writing into Chrome and Edge secure preference files

2. Full Browser Access 

Figure 5. Chrome extension Permissions required
Figure 5. Chrome extension Permissions required
Figure 6. Manifest file for web extension
Figure 6. Manifest file for web extension

The malicious extension requests excessive permissions such as: 

  • Access to all websites 
  • Reading browsing history 
  • Reading and modifying clipboard content 

3. Crypto Address Interception

The extension contains logic to detect wallet addresses across multiple cryptocurrencies, including: 

Figure 7. Hardcoded cryptocurrency Regex and fallback address
Figure 7. Hardcoded cryptocurrency Regex and fallback address
  • The fallback wallet addresses shown in the code are not used for every transaction; instead, they serve as a backup mechanism when dynamic address retrieval from the attacker-controlled server fails.  
  • Under normal operation, the extension fetches replacement addresses from a remote server, enabling dynamic and potentially per-victim wallet assignment.  
  • Fallback addresses ensure the attack remains functional even if the command-and-control infrastructure is temporarily unavailable or blocked. 
Figure 8. Malicious extension performing dynamic crypto address resolution
Figure 8. Malicious extension performing dynamic crypto address resolution
  • This function is responsible for obtaining the attacker-controlled replacement wallet address corresponding to a victim’s original address.  
  • It sends the intercepted wallet address to the attacker backend and uses the response to dynamically substitute the original address.  
  • If the backend request fails, the function falls back to a predefined hardcoded wallet address, ensuring uninterrupted malicious activity. 
  • 3J98t1Wxxxx is the address that was copied in the clipboard 

4Detection evasion and stealth 

Figure 8. settings.js file which shows config
Figure 8. Settings.js file which shows config
  • The configuration includes a hardcoded API key, which is used by the extension to authenticate communication with attacker-controlled infrastructure.  
  • An RPC URL pointing to a public blockchain node is leveraged to dynamically resolve backend server information, allowing the attacker to hide critical infrastructure behind decentralized systems.  
  • The presence of a smart contract address and method indicates that the malware retrieves its command-and-control (C2) domain indirectly via blockchain queries, making takedown and tracking more difficult. 
  • Blacklisted domains contains a list of blockchain inspection related websites where the web extension will not work , this is done to not alert the victim while he is trying to paste his own address and view the balance of his wallet or inspect his wallet transactions 
Figure 9. Resolving attacker c2 domain via etherium smart contract (etherhiding)
Figure 9. Resolving attacker C2 domain via Ethereum smart contract (etherhiding)
Figure 10. Request payload with Ethereum contract address
Figure 10. Request payload with Ethereum contract address
  • Dynamic analysis revealed that the malware resolves its command-and-control domain via a blockchain smart contract, which returned the domain devops-offensive[.]cc at runtime.  
  • The response from the blockchain is decoded at runtime, revealing the active C2 domain (devops-offensive.cc).  
  • This domain is not hardcoded, enabling the attacker to update infrastructure without modifying the malware.  
  • The resolved domain is cached locally to maintain persistence and reduce repeated network queries. 
Figure 11. This image shows the long-encoded string with the malicious domain
Figure 11. This image shows the long-encoded string with the malicious domain

This Longencoded string is decoded using this function to give the final attacker domain.

Figure 12. This image shows the final attacker domain
Figure 12. This image shows the final attacker domain

Persistence and Evasion Techniques 

The campaign’s persistence and evasion posture is deliberate and layered. The operator has clearly optimized for two properties: low visibility to the end user, and high resilience against takedown and static analysis. 

Persistence 

  • Extension registration through Secure Preferences tampering ensures the extension loads on every subsequent browser launch without requiring any auxiliary Windows persistence mechanism — no registry Run keys, scheduled tasks, or services that endpoint hunters typically inspect. 
  • Developer mode is enabled programmatically where required, allowing unpacked extensions to persist without triggering the periodic “unpacked extensions warning” flow that Chromium displays to dissuade sideloading. 
  • The cached C2 domain allows the extension to continue operating against a known-good backend even if the blockchain RPC endpoint is briefly unavailable. 

Evasion 

  • The extension’s visible identity — a simple “Google Notes” note-taking application — provides plausible cover against casual inspection of the installed extensions list. 
  • Recomputed HMAC values satisfy Chromium’s integrity verification, avoiding the “extension installed by an unknown source” warning banner that would otherwise alert the user. 
  • The installer self-deletes after execution, removing the most obvious on-disk indicator of initial compromise. 
  • C2 resolution through a public blockchain means that there is no persistent C2 domain observable in the malware bundle itself; network-based detections built against hardcoded indicators will not fire until the domain is resolved and contacted. 
  • Multi-language installer variants (.NET and Golang) reduce the effectiveness of compile-artifact and binary-feature signatures. 
  • Per-address dynamic wallet substitution means that published attacker addresses age rapidly and do not generalize into durable blocklist entries — the defender must block the backend service itself, not the addresses it dispenses. 

Wallet Substitution Logic 

The clipper logic sits in two layers: a content-script layer that monitors clipboard activity and DOM input fields across every visited origin, and a background layer that communicates with the attacker backend to retrieve replacement addresses. 

When the extension observes a copy event, it applies a set of cryptocurrency-specific regular expressions to the clipboard payload. If a match is found, the intercepted address is transmitted to the attacker’s backend over an authenticated request (authenticated with the API key embedded in the configuration). The backend responds with a replacement address specific to the submitted original, and that replacement is written back to the clipboard, overwriting the legitimate address before the victim can paste. 

Testing against a reconstructed backend client — built by re-implementing the extension’s request format and response-decoding logic in Python — produced a revealing behavioural profile: 

  • Bitcoin (BTC), Ethereum, Bitcoin Cash, Ripple, and Dash: Each submitted address is mapped to a unique attacker-controlled address. Re-submitting the same original returns the same replacement, indicating a deterministic one-to-one mapping maintained server-side. 
  • Solana: All submitted addresses collapse to a single attacker address, suggesting the per-victim mapping feature is selectively implemented per chain 

Analyzing Attacker Crypto Wallets 

Based on the code snippets from the web extension responsible for retrieving replacement addresses, a Python script was prepared to programmatically extract attacker wallet addresses. The payload was crafted using the attacker’s own code, and the “get replacement address” snippet was lifted directly from it. The attacker’s logic for decoding data received from the C2 server was also faithfully reimplemented in the script. 

The script was then executed using a few test Bitcoin (BTC) wallet addresses. The results showed that for every Bitcoin address provided, a unique Bitcoin address was returned in response, and all of these returned addresses were valid BTC wallets. This indicates that for every BTC address supplied, the attacker dynamically generates a new wallet tied to that specific input address. Furthermore, when the same address was provided again, the same BTC address was returned — confirming that each victim BTC address is deterministically mapped to a single, specific attacker-controlled address. While some of these attacker wallets contained funds and others were empty, the unknown total number of attacker wallets makes it difficult to put a reliable estimate on how much cryptocurrency has been stolen overall. 

The same behavior was observed for Ethereum, where different wallet addresses were returned for each input. Interestingly, when the script was tested with Solana addresses, only a single address was returned regardless of how many different inputs were provided. This suggests that the attacker has implemented the per-address mapping feature only for specific cryptocurrencies, while others fall back to a single static drop wallet. Because the Solana address is shared across all victims, a noticeable bump in its balance is visible. Additionally, one of the Ethereum addresses uncovered was found to be holding approximately 1,902 USD worth of funds. 

In summary, the cryptocurrencies for which unique per-victim wallet addresses are generated include Bitcoin, Ethereum, Bitcoin Cash, Ripple, and Dash. 

Fig 13. Payload was crafted as attacker code
Fig 13. Payload was crafted as attacker code
Fig 14.Getting replacement address code snippet taken from attacker code
Fig 14. Getting the replacement address code snippet taken from attacker code
Fig 15. Attackers logic of decoding received data from c2 was also implemented
Fig 15. Attackers’ logic of decoding received data from C2 was also implemented

Running script with few test Bitcoin Wallet addresses 

Fig 16. Every bitcoin address a unique bitcoin address was returned and All addresses are valid BTC wallet address
Fig 16. Every unique Bitcoin address was returned and all addresses are valid BTC wallet addresses
Fig 17. Similarly, Ethereum saw unique addresses
Fig 17. Similarly, Ethereum saw unique addresses
Figure 18: Running Script for Test Solana Addresses
Figure 18: Running Script for Test Solana Addresses

Luckily for Solana we are getting only 1 address when given multiple addresses. This shows that the attacker has implemented this address mapping feature only on specific cryptocurrencies 

Fig. 19 Here you can see a bump in the balance amount
Fig. 19 Here you can see a bump in the balance amount
Fig 20. ETH address was found to be having 1902 USD
Fig 20. The ETH address was found to have 1902 USD

Technical Analysis for .net file (Extension installer) 

Fig. 21 BaseZipInstaller is a .NET installer which is unsigned
Fig. 21 BaseZipInstaller is a .NET installer which is unsigned

 

Fig. 22 Stored Config as seen in Dnspy
Fig. 22 Stored Config as seen in Dnspy
  • The malware embeds a complete configuration JSON directly within the binary, eliminating the need to fetch initial setup data from external sources.  
  • This embedded configuration includes critical details such as API keys, backend server URL, targeted wallet extensions, and the full extension manifest with extensive permissions.  
Fig 23: Main function from where execution starts
Fig 23: Main function from where execution starts
  • The installer retrieves and validates a remote ZIP archive (google-services[.]cc/base[.]zip), which serves as the primary payload for deploying the malicious browser extension, marking the transition from initial infection to browser-level compromise. 
Fig. 24 The extension is created at the following location In system with files which are downloaded as base.zip.
Fig. 24 The extension is created at the following location in the system with files that are downloaded as base.zip.
Fig. 25: Dnspy showing the list of targeted browsers
Fig. 25: Dnspy showing the list of targeted browsers
  • The installer iterates through multiple Chromium-based browsers, including Chrome, Edge, Opera, and Brave, identifying available user profiles on the system.  
  • For each detected profile, the malware forcibly terminates the browser process to safely modify configuration files without interference.  
  • It then injects the malicious extension by directly modifying Secure Preferences and Preferences, enabling the extension to be loaded without user interaction. 
more code
  • The malware identifies browser installation paths by querying standard system directories, enabling it to locate user data folders for Chrome, Edge, Opera, and Brave.  
  • It systematically enumerates browser profiles and specifically looks for the presence of the Secure Preferences file, which stores critical browser configuration and extension data.  
  • By targeting profiles with Secure Preferences, the malware ensures it modifies only valid browser environments, increasing the reliability of extension injection. 
We can see writefile Event on Secure preferences file of chrome and MS Edge , when details of downloaded extension are written to those config files
We can see writefile Event on Secure preferences file of chrome and MS Edge , when details of downloaded extension are written to those config files
Fig 27 Attacker logic to resign the secure preference files
Fig 27 Attacker logic to resign the secure preference files
  • The malware reads and modifies the browser’s Secure Preferences file, which controls installed extensions and their trust state.  
  • It injects the malicious extension into the configuration and attempts to re-sign the modified data, making the changes appear legitimate to the browser’s integrity checks.  
  • The updated configuration is then written back to disk, ensuring the extension is loaded automatically and persists across browser restarts. 
Fig 27B :Extension path is added to chrome secure preferences file
Fig 27B :Extension path is added to chrome secure preferences file
Fig 28: Logic to Manipulate defenses of Brave Bowser
Fig 28: Logic to Manipulate defenses of Brave Bowser
  • For browsers such as Brave and Opera, the malware injects the malicious extension directly into the browser’s configuration by adding entries under the extensions.settings (or extensions.opsettings) section.  
  • It also updates integrity-related fields (protection.macs) to make the injected extension appear trusted by the browser.  
  • Additionally, the malware attempts to enable developer mode programmatically, allowing unpacked extensions to run with fewer restrictions. 
Fig 29: Attacker logic to get device ID used to further calculate integrity Values
Fig 29: Attacker logic to get device ID used to further calculate integrity Values
  • The malware attempts to recompute browser integrity signatures by generating new MAC (Message Authentication Code) values for the modified Secure Preferences file.  
  • It uses system-specific identifiers, such as the machine SID, combined with a seed value to mimic Chrome’s internal verification mechanism.  
  • By recalculating these integrity checks (macs and super_mac), the malware tries to make its unauthorized modifications appear legitimate to the browser. 
Figure 30 Self Deletion Logic
Figure 30 Self-Deletion Logic
  • The malware includes a self-deletion mechanism designed to remove the installer executable after successful execution.  
  • It launches a hidden command prompt process that delays execution briefly before deleting the original file from disk. 

Conclusion 

This campaign is a concise illustration of where consumer-targeted cryptocurrency theft is heading. The operator has taken the oldest and simplest category of crypto malware — the clipper — and quietly upgraded three of its weakest links. Static attacker addresses have been replaced with a server-side, per-victim mapping. Fragile, hardcoded command-and-control domains have been replaced with a blockchain-resolved lookup that an operator can rotate with a single transaction. And a fragile dropper has been replaced with a Chromium extension that lives inside the user’s most trusted application, loaded under the browser’s own integrity signature. 

McAfee will continue to track this campaign and related infrastructure. Our customers are protected by existing detections and will benefit from telemetry-driven updates as new variants and rotated infrastructure are identified. 

Indicators of Compromise (IOC)

Type  Category  Value 
SHA-256  .NET Installer (BaseZipInstaller)  2735e12030c195fb5454e4736c51b55b59664b93cae9f4bd5317afcd9c2af0bf 

053620962047f50a91c6e8d1a6519eccc41fab51473f033086b4d816abe8bcb0 

 

SHA-256  Golang-compiled Installer Variant  11be4c47ff049322de41743f62544cafd32d67e24ad653b7ebedf8ebd63e0962   

1432393691b415d0cd4680d9cee73e60896fbe63300d9f0355c96e91817e4b1d   

URL  Payload distribution  hxxps://google-services[.]cc/base[.]zip 
Domain  Command-and-Control (resolved via smart contract)  devops-offensive[.]cc 

Zebregts[.]com 

BTC wallet  Crypto wallet  3JvDBvKbS6YYMKjV3R9e9Zfd67f467fNLy 

1BbhVBxpniuZuAL1gGZnEMdQhmz9JGWpyT 

3AcPNVh7NyESwX3ECymy3rkdH4Ke2c26Tj 

1BVTrB47erypG3tevi1U9Fv6BbNUBEiuiX 

Artifact  Sideload target  Chromium Secure Preferences file (Chrome, Edge, Brave, Opera profiles) 
Extension files  manifest.json  

crypto-patterns.js 

 

Interceptor.js 

 

content-script.j  

 

cache.js  

 

domain-resolver.js 

 

service-worker.js 

 

api-client.js 

ed2599d6a8f30d5eaf14ad7f855aece0acdf7efa4a148eb18e4d9f0d8e2cd90c  

daf82c67e8e5df6bbd5370172ac9374aa7dce48af05496e8ec3dba7b602c619b  

6eb2f07265dd95cacd39dfcf0705786b97f3e173cf4e9b3dfe7bad141c9a9dd5 

 

a2ffdbedc5c9f5400a2b1cf5d35f5ec1df06a74d0345f1035bcf75d36ed73e01  

 

eb84ba4a0cd95655a021865d4fec93ae3393f86cc9848810ed0b49035b1c5e2c  

6aaba685669d779ef8be8f7f4231096cfafd0ef386f3897c5e2106c177724fc8  

 

2599064901308a97540af29197ed0b38702bbee38d6dbbfa61cf9eb5878353f3  

ab450927b37e1b68e2be68832c354ac600e86e2545a904d4ca0ea283f2600cc2  

 

The post Silent Swap: A Crypto Clipper Extension Campaign appeared first on McAfee Blog.

  •  

The New DoorDash Scam Every Gig Worker Should Know About: This Week in Scams

Millions of Americans rely on apps and online services every day to work, shop, game, and manage their lives. Scammers know that, and they’re hijacking platforms and brands you already trust. 

This week, gig workers were targeted by fake DoorDash support calls designed to steal their earnings, while gamers searching for early access to Grand Theft Auto VI found fraudulent websites promising something Rockstar Games simply isn’t offering. 

Here’s what happened, how these scams work, and the other cybersecurity stories making headlines this week. 

The DoorDash Driver Scam That Can Empty Your Account 

A growing scam targeting DoorDash drivers starts with what appears to be a normal delivery request. 

According to Fox 9 in Minnesotascammers place fake DoorDash orders, then contact drivers while they’re actively completing the delivery. Because the call often arrives during a real order and can even appear to come from DoorDash, victims may believe they’re speaking with legitimate support. 

The caller typically claims there’s an issue with the order or the driver’s account and asks them to verify information or read back security codes. 

Once the scammer gains access, they can change account information, lock the driver out, and redirect earnings into their own accounts. In reported cases, victims lost hundreds of dollars and temporarily lost access to the platform they depend on for income. 

While today’s it’s DoorDash in the headlines, scammers are known to impersonate all types of delivery apps, so gig workers across companies should stay alert. 

How the fake delivery support scams work 

Step  What Happens 
1  Scammers place a fake DoorDash order. 
2  They call the driver pretending to be DoorDash Support. 
3  They request login information or verification codes. 
4  They take over the account and transfer the driver’s earnings. 

Red flags every delivery driver should know 

Pause if you experience: 

  • Unexpected calls asking for verification codes  
  • Requests to confirm login credentials  
  • Pressure to act immediately  
  • Anyone asking you to read a one-time authentication code over the phone  

Legitimate companies generally won’t ask you to share one-time security codes. If you receive an unexpected call, end it and contact support directly through the app. 

Fake GTA 6 Early Access Sites Are Everywhere 

Excitement around Grand Theft Auto VI has created another opportunity for scammers. 

According to Malwarebytes, fraudulent websites are claiming to sell “VIP Early Access” or exclusive versions of GTA 6 months before release. Many of the sites look polished, featuring convincing artwork, countdown timers, and professional checkout pages. 

The catch? They typically require payment in cryptocurrency. 

After victims pay, there’s no game to download because no legitimate early-access version exists. 

How to spot a GTA 6 scam 

If a website promises: 

  • Early access before Rockstar officially releases it  
  • Exclusive playable builds  
  • Secret download links  
  • Crypto-only payment  
  • “Limited VIP access”  

it’s almost certainly a scam. 

Rockstar has announced pre-orders through authorized retailers. Any website claiming to provide playable access before launch should be treated with skepticism. 

Other Scam and Security News This Week 

Police Officer Records Live Scam Call to Show How Social Engineering Works 

A police officer recorded a scam call in real time to demonstrate how quickly criminals try to establish trust, create urgency, and convince victims to share sensitive information. The recording serves as a reminder that scammers often sound calm, professional, and convincing because manipulation, not technology, is their primary weapon. 

Tata Electronics Cyber Incident Raises Supply Chain Questions 

Apple supplier Tata Electronics confirmed it experienced a cybersecurity incident after a ransomware group claimed to publish more than 200,000 files allegedly connected to the company. According to Cybernews and Reuters reporting, the leaked material allegedly includes manufacturing documents and employee information tied to Apple and Tesla. Apple says it is investigating while Tata has not confirmed whether the published files originated from its systems. 

Texas Parks and Wildlife Warns 3 Million Customers About Data Breach 

Texas Parks and Wildlife notified roughly three million hunting and fishing license customers that personal information stored by a third-party vendor may have been accessed during a cyber incident. According to Click2Houston, exposed information may include driver’s license numbers, contact information, and mailing addresses, though officials said Social Security numbers and payment card information were not involved. Impacted customers are being offered identity monitoring. 

How McAfee Can Help  

With McAfee+, multiple layers work together before any damage is done:  

  • Scam Detector flags suspicious texts, emails, links, QR codes, and even deepfake videos before you engage 
  • Secure VPN keeps your data private, especially on public Wi-Fi  
  • Web Protection helps block risky sites, even if you do accidentally click 
  • Password Manager doesn’t just help you make unique, strong passwords, it keeps them stored and organized for you
  • Device Security helps detect malicious apps or downloads   
  • Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast   
  • Personal Data Cleanup helps remove your information from sites selling it. 
  • Online Account Cleanup assists in taking down your old, forgotten accounts across the web 
  • Social Privacy Manager helps you monitor and change privacy settings across your social platforms in just a few clicks 

Together, these protections are designed to address the broader range of online risks people face every day. 

The post The New DoorDash Scam Every Gig Worker Should Know About: This Week in Scams appeared first on McAfee Blog.

  •  

Is That Delivery Text Real? How to Spot Package Smishing and Delivery Scams

You’re expecting a package. 

Maybe it’s a birthday gift. Maybe it’s a purchase from a major shopping event. Maybe it’s something you forgot you ordered three days ago. 

Then your phone buzzes. 

Your package couldn’t be delivered.  There’s a problem with your shipping address. 

A small fee is required before delivery can continue. 

“Click here immediately.”

The message feels plausible because so many of us are constantly waiting for packages. And scammers know it. 

According to McAfee’s State of the Scamiverse report, fake delivery and shipping notices are the single most commonly reported scam consumers encounter today, with 31% of people saying they’ve received one. Americans also receive an average of 14 scam messages every day across texts, email, social media, phone calls, and other channels.  

Delivery scams have become one of the internet’s most successful forms of phishing because they exploit something simple: people are already expecting the message. 

Here’s how to spot and stop these scams:

What Is a Delivery Scam? 

A delivery scam is a fraudulent message that pretends to come from a shipping company, retailer, postal service, or delivery provider. 

The goal is usually one of three things: 

  • Steal personal information  
  • Steal financial information  
  • Trick victims into downloading malware or visiting malicious websites  

These scams often impersonate organizations such as: 

  • USPS  
  • UPS  
  • FedEx  
  • DHL  
  • Amazon  
  • Royal Mail  
  • Australia Post  
  • Other local or regional delivery services  

Most delivery scams arrive through text messages, which is why they’re often called package smishing scams. 

What Is Smishing? 

Smishing is a type of phishing attack delivered through SMS text messages. 

The term combines: 

  • SMS (Short Message Service)  
  • Phishing 

Instead of arriving through email, the scam arrives directly on your phone and attempts to create a sense of urgency that encourages immediate action. 

Common examples include: 

  • “Your package could not be delivered.”  
  • “Delivery attempt failed.”  
  • “Update your shipping address.”  
  • “Pay a small customs fee.”  
  • “Confirm delivery information.” 
McAfee's Scam Detector lets you know when delivery messages are scams.
McAfee’s Scam Detector lets you know when delivery messages are scams.

Delivery Scam Red Flags and What to Do 

If You See This Red Flag  Why It’s Suspicious  What To Do 
A package alert when you’re not expecting a delivery  Scammers send messages in bulk hoping someone is waiting for a package  Ignore the message and do not click links 
A request to pay a small fee before delivery  Legitimate carriers rarely collect delivery fees through text messages  Visit the carrier’s official website directly 
A message claiming your address needs verification  Common tactic used to steal personal information  Check shipment status through your retailer or carrier account 
A shortened or unusual link  Scammers often disguise malicious websites  Avoid clicking and manually type the carrier’s website address 
Pressure to act immediately  Urgency is designed to override caution  Pause and verify independently 
Requests for passwords, payment information, or verification codes  Legitimate carriers will not ask for this through text messages  Delete the message and report it as spam 
A delivery app or file download request  May install malware on your device  Never download software from a text message 

Accidentally Clicked a Delivery Scam? Do This Immediately 

What Happened  What To Do 
You only clicked the link  Close the page and do not enter any information 
You entered login credentials  Change your password immediately and enable two-factor authentication 
You entered payment information  Contact your bank or credit card provider right away 
You downloaded a file or app  Delete it and run a security scan 
You’re unsure what information was exposed  Monitor accounts closely for unusual activity 

How McAfee Can Help  

With McAfee+, multiple layers work together before any damage is done:  

  • Scam Detector flags suspicious texts, emails, links, QR codes, and even deepfake videos before you engage 
  • Secure VPN keeps your data private, especially on public Wi-Fi  
  • Web Protection helps block risky sites, even if you do accidentally click  helps block risky sites, even if you do accidentally click   
  • Password Manager doesn’t just help you make unique, strong passwords, it keeps them stored and organized for you
  • Device Security helps detect malicious apps or downloads   
  • Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast   
  • Personal Data Cleanup helps remove your information from sites selling it. 
  • Online Account Cleanup assists in taking down your old, forgotten accounts across the web 
  • Social Privacy Manager helps you monitor and change privacy settings across your social platforms in just a few clicks 

Together, these protections are designed to address the broader range of online risks people face every day. 

The post Is That Delivery Text Real? How to Spot Package Smishing and Delivery Scams appeared first on McAfee Blog.

  •  

New Malware Targeting Minecraft Infects 2K Daily, and Teens are Becoming Attackers

McAfee Labs has discovered a massive, ongoing malware campaign called WeedHack that disguises itself as free Minecraft mods and game clients to infect players’ computers. Since January 2026, it has logged more than 116,000 victim infections, averaging 2,000 to 3,000 new hits every single day. 

What makes WeedHack different from most malware is how cheap and easy it is to use. 

Typically, a hacker would pay hundreds of dollars per month to access attack tools through underground criminal networks. WeedHack offers a free version to anyone with a Discord account and an internet connection. A premium upgrade, which includes the ability to secretly watch victims through their own webcam, starts at just $5 a month. 

This low barrier has attracted a younger crowd of would-be attackers, many of them appear to be teenagers or young adults. Our researchers were startled to discover teens using these tools not just for financial theft, but to harass and bully their peers, a pattern we’ve documented and that makes this campaign especially concerning. 

The good news for McAfee users: Web Protection actively blocks the sites distributing WeedHack, and Threat Explainer tells you exactly why a flagged file is dangerous, so you’re never left guessing. 

Key Facts at a Glance 

What  Details 
Campaign name  WeedHack 
Active since  January 2026 
Total victims logged  116,464+ 
New infections per day  ~2,000–3,000 
Malicious files discovered  3,820+ unique files 
Malicious download URLs  240+ 
Free tier available?  Yes. Anyone can sign up 
Premium price  Starting at $5/month; $24.99 lifetime 
Who is being targeted  Minecraft players worldwide 
Most affected country  United States, followed by Germany, India, the UK, Italy, and others 
What attackers can access  Once installed, it can steal passwords, hijack accounts, and, for paying customers, it can give the attacker live access to the victim’s screen, webcam, and files. 
The financial impact  It can steal Discord tokens, crypto wallet credentials, Minecraft account credentials.  

Hackers will hold your information for ransom, requiring a large payment in exchange for your data. 

Read our research team’s full report here.

What Is WeedHack? 

WeedHack is a Malware-as-a-Service (MaaS) campaign, meaning it’s a criminal business that sells hacking tools to customers, the same way a legitimate software company sells subscriptions. 

The “product” is malware that gets secretly installed on a victim’s computer when they download what they think is a Minecraft mod or client. Once installed, it can steal passwords, hijack accounts, and, for paying customers, it can give the attacker live access to the victim’s screen, webcam, and files. 

The campaign operates a polished, professional-looking dashboard hosted openly on the internet (not the dark web). That dashboard lets customers track their victims, download stolen data, and launch remote access features, all from a browser. 

What it looks like to buy a subscription from WeedHack.
What it looks like to buy a subscription from WeedHack.

The Cyberbullying Problem 

One of the most disturbing findings from our investigation is how WeedHack is being used. 

While monitoring the campaign’s Telegram channel, which had over 850 members during the time of our research, we observed that many customers appear to be teenagers and young adults, and a significant portion are using the remote access tools not for financial gain, but to harass and intimidate other players 

We observed attackers recording victims through their webcams without consent and sharing those recordings in the Telegram channel as trophies. Others used knowledge of victims’ IP addresses and system access to threaten them. 

It’s important to note that, at the current time of publishing, the Telegram channel has been taken down, and no replacement channel has appeared. McAfee is continuing to monitor any new channels that may be established by the threat actors for further communication. 

Still, what we observed is a form of cyberbullying with unusually invasive tools behind it. If you or your child has been contacted by someone online claiming they have hacked your computer, have your webcam footage, or know your IP address, take it seriously. 

What to do if this happens: 

  • Do not follow the attacker’s instructions, it makes things worse 
  • Tell a trusted adult immediately (parent, guardian, school counselor) 
  • Contact your local law enforcement, this may constitute criminal conduct.  
  • Do not engage with the attacker or attempt to negotiate 
The Telegram channel uncovered by McAfee.
The Telegram channel uncovered by McAfee.

How Do People Get Infected? 

WeedHack spreads in two main ways, and the campaign even provides its customers with step-by-step tutorials on how to carry out both. 

1. Fake YouTube Videos

Attackers create convincing YouTube videos reviewing or demonstrating Minecraft clients and mods.  

The videos are well-produced, some include voiceover narration, and link to malicious download sites in the description and comments. 

One video McAfee identified had over 7,500 views before being flagged. Comments are also sometimes planted by the attackers claiming the files are safe. 

2. Fake Mod Websites

WeedHack instructs customers to build convincing-looking websites that mimic official Minecraft mod pages. These sites are deliberately designed to show up high in search engine results for popular mod names, a tactic called SEO poisoning 

Some fake sites include fake security warnings, Discord links, and GitHub references to appear legitimate. In one case, a site warned players to “only download from us,” while actively distributing malware. 

Minecraft clients and mods specifically targeted include: Meteor Client, Radium Client, Wurst Client, LiquidBounce, Impact Client, Future Client, and others. 

An example of a video hiding a malicious link in the description.
An example of a video hiding a malicious link in the description.

What Happens When You’re Infected? 

Infection happens in four stages that happen silently in the background after a victim opens the downloaded file. 

Stage 1 – First Contact: The malicious file launches quietly (without showing a console window), connects to a hidden network, and phones home to receive further instructions. It uses a sophisticated technique involving the Ethereum blockchain to locate its command server in a way that’s difficult to block or take down. 

Stage 2 – Taking Hold: The malware disables Windows Defender protections, gathers detailed information about the victim’s computer (processor, graphics card, RAM, operating system), and takes a screenshot of their screen. It then steals Discord tokens and browser passwords and cookies. For McAfee users, this is where Web Protection would prevent users from visiting the site, and where our Antivirus would prevent any downloaded malware from taking hold. 

Stage 3 – Digging In: The malware installs itself so that it automatically restarts every time the victim logs into their computer. It sets up a hidden scheduled task that runs continuously, even at the highest system privileges. 

Stage 4 – Full Access: For premium customers, an additional component is installed that connects the attacker to the victim’s computer in real time. This includes live screen sharing with keyboard and mouse control, webcam access, keylogging (recording every keystroke), a reverse shell (full command-line access to the computer), and the ability to upload or download any files. 

A separate component specifically hunts for Telegram credentials and cryptocurrency wallets, sending that data to a different server every five minutes. 

What if I’m Infected? 

Visit our guide: How to Quickly Remove Malware in 2026.  

What Can Attackers Steal? 

Free tier steals: 

  • Minecraft session IDs (used to hijack Minecraft accounts) 
  • Saved passwords and cookies from 36 different browsers 
  • Credentials from Discord, Steam, and Telegram 
  • Browser-based crypto wallets (56 supported) and desktop crypto wallets (12 supported) 
  • Files matching 24 different search keywords 
  • Screenshots of the victim’s screen 
  • System information (computer name, IP address, hardware specs) 

Premium tier adds: 

  • Live webcam access 
  • Live screen sharing with keyboard and mouse control 
  • Keylogging (every key the victim types) 
  • Full remote shell (command-line control of the computer) 
  • File management (upload, download, delete files remotely) 

What Parents Need to Know 

Minecraft’s mod ecosystem is enormous and largely unregulated. Kids routinely search YouTube and Google for performance-boosting clients, cosmetic mods, and gameplay cheats, exactly the kinds of things WeedHack exploits.  

Here’s a practical guide for families: 

Red Flag  ✅ Safe Practice 
The mod isn’t on the developer’s official website  Only download from CurseForge, Modrinth, or the mod’s verified GitHub 
A site or video tells you to disable your antivirus to run the file  Never disable antivirus for a game mod. Legitimate mods don’t ask you to 
A site you’ve never heard of claims to be the “only official” source  If you can’t verify the site is official, don’t download from it 
Download links are in YouTube comment sections  Treat comment section links as a red flag, always 
Your antivirus flags a file as malware, but they try to tell you to ignore it, it’s a “false alarm”  Use McAfee’s Threat Explainer to find out why this is malicious. Don’t disable antivirus 

One of the best ways parents can protect their families is with McAfee’s award-winning antivirus and Web Protection, which are specifically designed to detect threats like WeedHack and help block malicious downloads before a device can be compromised. 

Are McAfee Users Protected? 

McAfee has been actively tracking WeedHack samples and detects this threat under the following signatures: 

  • Trojan:Win/Weedhack.AA through Trojan:Win/Weedhack.AE 

McAfee provides multiple layers of protection against threats like WeedHack. 

  • Web Protection helps block access to malicious websites distributing infected Minecraft mods, stopping the threat before a file is ever downloaded.  
  • Award-winning antivirus detects and blocks malware if a malicious file does make it onto your device.  
  • Threat Explainer shows exactly why a file was flagged, helping users understand what happened and avoid similar scams in the future.  

Together, these protections help proactively block risky downloads, reactively stop malware, and explain what to watch for next. 

McAfee Labs continues to monitor WeedHack and will update coverage as new samples and domains are identified. For the full technical report including indicators of compromise, see the McAfee Labs analysis. 

Key Terms Explained 

Term  What it means 
Malware-as-a-Service (MaaS)  A criminal business model where hackers sell or rent attack tools to other people, just like a software subscription 
RAT (Remote Access Trojan)  Malware that gives an attacker remote control over a victim’s device — screen, files, camera, and more 
Infostealer  Malware designed to silently collect and transmit passwords, cookies, and account credentials 
SEO Poisoning  Manipulating search engine results so a malicious website appears near the top when someone searches for a legitimate product 
Minecraft Client/Mod  Third-party software that modifies or enhances the Minecraft game experience. Legitimate ones are common; WeedHack fakes them 
Minecraft Session ID  A token that proves you’re logged into Minecraft. Stealing it lets an attacker take over your account without your password 
Keylogger  Software that secretly records every key a person types — including passwords, messages, and search queries 
Reverse Shell  A connection from the victim’s computer back to the attacker that gives the attacker full command-line control 
EtherHiding  A technique that hides a malware’s server address inside the Ethereum blockchain, making it very difficult to block 
Discord Token  A credential that lets someone access your Discord account. Stealing it gives attackers full access without needing your password 

 

The post New Malware Targeting Minecraft Infects 2K Daily, and Teens are Becoming Attackers appeared first on McAfee Blog.

  •  

Do Windows PCs and Macs Need Antivirus Software? How McAfee Goes Beyond Built-In Security

Couple looking at computers

Your Windows PC or Mac already includes built-in security features, and that’s a good thing. These tools provide an important first layer of protection against malware and other common threats users encounter every day. 

But today, staying safe online is about much more than blocking viruses.  

Scam texts arrive daily. Phishing emails imitate trusted brands. Fake websites are designed to steal passwords and payment information. Personal details can appear on data broker sites. AI Deepfakes are more convincing than ever. And most households use multiple devices, from laptops and phones to tablets and Chromebooks. 

That’s why McAfee+ Advanced combines device security with scam protection, identity monitoring, personal info removal, web protection, and secure VPN to help protect the many parts of your digital life. 

Let’s break down what built-in security does, and what McAfee does differently: 

What Built-In Security Does Well 

Both Windows 11 and macOS include a range of built-in security features designed to help protect your device. Depending on your operating system and the apps you use, these may include: 

  • Malware detection and removal  
  • Firewalls  
  • Browser warnings about suspicious websites  
  • Password management tools  
  • Privacy and app permission controls  

Together, these features provide an important first layer of protection and help many users stay safer online.  

Why Many People Want More Than Basic Device Protection 

Built-in security tools are primarily focused on protecting the device itself. However, today’s online threats often target something even more valuable: your identity, your money, and your personal information. 

Recent McAfee research found that Americans receive an average of 14 scam messages every day, and more than three in four have encountered an online scam. 

Threats now commonly include: 

  • Scam texts pretending to be banks, toll agencies, and delivery companies  
  • Fake job offers via text, email, or social media 
  • Phishing emails  
  • QR code scams  
  • AI-generated voice and video impersonations  
  • Identity theft via smishing and quishing, including hijacking entire social profiles 
  • Exposure of personal information on data broker sites  

These risks can follow you across all your devices, not just the computer sitting on your desk. 

Built-In Security vs. McAfee Protection 

Here are the key differences between built-in security alone, vs additional protection like McAfee.  

Built-In Security Has  McAfee+ Advanced Adds 
Detecting viruses and malware  Scam protection for suspicious texts, emails, links, QR codes, and deepfakes 
Basic privacy controls  Secure VPN to protect your connection on public Wi-Fi 
Saving passwords  Password manager with unique password generation and storage. 
Warning about some risky websites  Web Protection to help block dangerous sites before they load 
Security on one device  Antivirus coverage across your PCs, Macs, phones, and tablets 
Doesn’t have this support  Identity monitoring, so you know when your SSN and other info is exposed. Plus personal info removal, so your old data isn’t left spread out across the web. 

Why McAfee Stands Out: Speed and Comprehensive Protection 

Unlike the old stereotype that stronger protection means a slower computer, independent testing shows McAfee is also the lightest on performance.  

In the latest AV-Comparatives PC Performance Test, McAfee Total Protection posted the lowest system impact score of all 20 products tested: just 3.3, compared with the industry average of 12.8.  

It also earned the highest possible rating, ADVANCED+. That means McAfee is not just adding more layers of protection. It is doing so while staying out of your way. 

For consumers looking for security that goes beyond basic antivirus to help protect against scams, identity theft, privacy risks, and threats across all their devices, that combination is hard to ignore. 

Protection Across All Your Devices 

Most people no longer rely on a single computer. A typical household may use: 

  • Windows PCs  
  • Macs  
  • iPhones  
  • Android phones  
  • Tablets  
  • Chromebooks

Managing security separately on every device can be difficult. McAfee+ Advanced is designed to provide coverage across your devices under one subscription, helping simplify online protection for individuals and families. 

How McAfee+ Advanced Goes Beyond Built-In Security 

With McAfee+ Advanced, multiple layers work together before any damage is done:  

  • Scam Detector flags suspicious texts, emails, links, QR codes, and even deepfake videos before you engage 
  • Secure VPN keeps your data private, especially on public Wi-Fi  
  • Web Protection helps block risky sites, even if you do accidentally click  helps block risky sites, even if you do accidentally click   
  • Password Manager doesn’t just help you make unique, strong passwords, it keeps them stored and organized for you
  • Device Security helps detect malicious apps or downloads   
  • Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast   
  • Personal Data Cleanup helps remove your information from sites selling it. 
  • Online Account Cleanup assists in taking down your old, forgotten accounts across the web 
  • Social Privacy Manager helps you monitor and change privacy settings across your social platforms in just a few clicks 

Together, these protections are designed to address the broader range of online risks people face every day. 

So, Do Windows PCs and Macs Need Antivirus Software? 

Built-in security tools provide an important starting point, but with scam attempts becoming more convincing and personal information more widely exposed, many people need a more comprehensive approach to staying safe online. 

McAfee+ Advanced combines device security, scam protection, identity monitoring, privacy tools, and VPN coverage to help you browse, bank, shop, and connect with greater confidence. 

The post Do Windows PCs and Macs Need Antivirus Software? How McAfee Goes Beyond Built-In Security appeared first on McAfee Blog.

  •  

1 in 3 Targeted by Travel Scams and Rising Costs are Making it Worse

You’re comparing airfare on your phone, watching prices climb by the hour, when a deal pops up that feels just good enough to grab. The timer’s ticking. The price looks right. You don’t want to miss it. 

You’re comparing airfare on your phone, watching prices climb by the hour, when a deal pops up that feels just good enough to grab. The timer’s ticking. The price looks right. You don’t want to miss it. 

That moment, when you’re rushing to lock something in, is exactly where scams thrive. 

New McAfee research shows that more than 1 in 3 Americans have encountered a travel-related cyberthreat, and 41% of those impacted lost money, often exceeding $500. 

This shows a screenshot of a fake Booking.com website detected by McAfee that was attempting to trick users into running malicious script/code
This shows a screenshot of a fake Booking.com website detected by McAfee that was attempting to trick users into running malicious script/code

At the same time, rising travel costs and time pressure are pushing people to make faster, riskier decisions. Those are the exact conditions scammers rely on. 

That’s where protection has to show up earlier. 

McAfee’s Scam Detector lets you check suspicious links, messages, and booking sites before you click, so you can pause and verify instead of giving scammers the edge. 

Travel Scams, Red Flags, and How McAfee Protects You 

Travel Scam Type  Key Red Flags  How McAfee Helps 
Fake travel deals  Prices far below market, pressure to “book now,” sites you’ve never heard of  Scam Detector flags suspicious links and explains why they’re risky, so you can avoid fake deals before you book 
Fake booking confirmations  Unexpected messages about bookings you didn’t make, mismatched sender details  Scam Detector analyzes messages before you engage, helping you avoid fake confirmations 
Fake airline/hotel websites  Slight URL changes, poor design, being pushed to pay immediately or off-platform  Safe Browsing helps block risky sites before you enter payment details, reducing the chance of fraud 
Payment requests outside platforms  Asked to pay via wire transfer, crypto, or direct payment instead of official platforms  Scam Detector flags suspicious payment requests, helping you avoid sending money to scammers 
QR code scams  QR codes posted in public with no clear source or context  Scam Detector checks QR links before they open, so you don’t land on malicious sites 
Customer service impersonation  Calls or messages asking for login credentials or payment info  Scam Detector detects deepfake AI audio impersonation attempts, helping you avoid sharing sensitive information 
AI-generated listings  Photos that look overly polished, details that don’t quite match up  Scam Detector identifies suspicious content patterns, helping you spot listings that aren’t real 
Public Wi-Fi attacks  Open networks with no password or security prompts  VPN helps protect your data on public networks, keeping your personal information private 

The Findings From Our 2026 Travel Research 

McAfee Labs found that many travel scams work because they look familiar and spread fast.  

TripAdvisor was the most commonly impersonated travel app, cloned at roughly three times the rate of other major platforms like Kayak, Expedia, and Booking.com.  

In some cases, thousands of scam detections traced back to just a handful of fake apps, showing how quickly a convincing scam can take off when travelers are racing to book. 

Top 5 Ways Rising Travel Costs Are Driving Risky Decisions 

Our 2026 travel survey shows how rising prices and lastminute pressure are changing traveler behavior, often in ways scammers exploit. 

1. Booking faster than usual
90% feel pressure to act quickly  

2. Choosing cheaper deals without verifying
32% would book before confirming legitimacy  

3. Ignoring red flags
33% admit they’ve done it  

4. Trusting messages that look legitimate
41% trust airline/hotel messages without verifying  

5. Clicking links without checking the source
20% click first, verify later (or not at all)  

Top 5 Ways Costs Drive Risk

The Travel Scams People Are Most Likely to Fall For

According to our consumer survey findings, those who reported falling for a travel scam said these were the methods scammers used to trick them:

1. Fake travel deals or promotions (15%)

2. Scam booking confirmations or updates (15%)

3. Manipulated accommodation listings or photos (15%)

4. Payment requests outside official platforms (11%)

5. Fake vacation rental listings (10%)

6. Fake airline or hotel websites (9%)

7. Customer service impersonation (9%)

The Travel Scams People Are Most Likely to Fall For

8 Ways Travelers Put Themselves at Risk Without Realizing It

These common traveler behaviors are popular avenues for criminals to steal your information, data, and money.

1. Connecting to public Wi-Fi (63%)  

2. Scanning QR codes without verifying (62%)  

3. Using airport Wi-Fi (49%)  

4. Trusting travel-related messages (41%)  

5. Logging into financial apps on public Wi-Fi (22%)  

6. Sharing travel plans in real time (22%)  

7. Clicking travel links without verifying (20%)  

8. Using shared/public computers (15%)  

8 Ways Travelers Put Themselves at Risk Without Realizing It

How McAfee Protects You Before, During, and After Your Trip 

As prices rise and decisions happen in real time, it’s easy to prioritize convenience over caution. But that’s exactly the moment when small checks matter most. 

Stage of Travel  What’s Happening  How McAfee Helps 
Before You Book  Comparing deals, clicking promotions, booking flights and hotels under time pressure  Scam Detector checks links, messages, and booking sites before you click, helping you avoid fake deals and scam listings 
During Your Trip  Connecting to public Wi-Fi, scanning QR codes, receiving travel updates and alerts  VPN helps secure your connection on public Wi-Fi, while Scam Detector flags suspicious messages and unsafe links in real time 
After Your Trip  Accounts remain active, travel data stored across platforms, potential exposure from breaches  Identity Monitoring alerts you if your personal information appears online, helping you act quickly before damage spreads 

With McAfee+ Advanced, multiple layers work together so you’re not left figuring it out after the damage is done.  

Spend more time on your vacation, and less time worrying about scammers who want your vacation fund. 

The post 1 in 3 Targeted by Travel Scams and Rising Costs are Making it Worse appeared first on McAfee Blog.

  •  

How to Spot Fake Court Texts and Celebrity Deepfake Ads: This Week in Scams

A text that looks like it came straight from a courthouse is making the rounds across the U.S. And yes, I got it too. 

First things first, that’s a scam. And to be clear: DON’T SCAN THAT QR CODE. 

It’s the same playbook as last year’s toll road scams, just dressed up with a little more authority and a lot more pressure. 

Before doing anything, our team ran it through McAfee’s Scam Detector. It immediately flagged the message as suspicious, and that’s exactly the kind of moment this tool is built for. When something feels just real enough to second guess, it gives you a clear signal before you click, scan, or spiral. 

This shows how Scam Detector immediately flagged the text message and court image as suspicious.  
A screenshot showing Scam Detector in action.

This court notice scam has ramped up and changed shape since we first covered it in March. So let’s get into how it works: 

How the scam works 

The text claims you’ve missed a payment, violated a law, or have some kind of outstanding “case.” It then pushes you to scan a QR code or click a link to resolve it quickly. 

From there, one of two things usually happens: 

  1. You’re taken to a fake payment page designed to steal your money, or 
  2. You’re prompted to download something that gives scammers access to your device or data  

Either way, the goal is the same: get you to act fast before you have time to question it. 

Here's the fake text our author received
Here’s the scam text I got in California. You’ll notice it looks exactly like the others across the country. 

The red flags in this message 

  • Urgent, threatening language about fines, penalties, or legal action  
  • Vague accusations with no real details about what you supposedly did  
  • Official-looking formatting like case numbers, clerk signatures, and judge names  
  • Copy-paste consistency across states: McAfee employees in New York and California received nearly identical messages with the same names  

There are reports of this scam popping up nationwide, but the rule is simple: law enforcement does not text you to demand payment or resolve legal issues. 

What to do if you scanned the QR code 

First, don’t panic. Then: 

  • Do not pay anything or enter personal information  
  • Do not delete apps you were told to install (this can make it harder to detect what happened)  
  • Run a device scan using a trusted security tool like McAfee’s free antivirus  
  • Keep an eye on your financial accounts and logins for unusual activity  

And that, my friends, is scam number one in this week’s This Week in Scams (new format, we’re experimenting a little).  

Let’s get into what else is on our radar. 

Deepfake Celebrity Ads Are Targeting Seniors on Social Media. Here’s What a New Study Found.  

If you saw our story last year about Al Roker speaking out after scammers used an AI-generated version of him to promote a fake hypertension cure, or the shocking case of a French woman who lost nearly $900,000 to fraudsters posing as Brad Pitt, you already know just how convincing celebrity deepfake scams have become. 

Now, new reporting suggests these scams are reaching older adults at enormous scale. 

According to a new study from the Center for Countering Digital Hate, just 30 of the most active scam advertisers on Facebook generated an estimated 215 million ad impressions over the past year. Nearly 73% of those impressions were shown to adults over 65. 

The fake ads used AI-generated versions of well-known figures including Donald Trump, Joe Biden, Oprah Winfrey, Steve Harvey, and Brad Pitt to promote fake government benefits, miracle health products, and bogus financial offers. 

These are some of the AI-generated and photoshopped images used by scammers last year to convince a woman she was dating Brad Pitt.
These are some of the AI-generated and photoshopped images used by scammers last year to convince a woman she was dating Brad Pitt.

What McAfee’s Data Says About Celebrity Deepfake Scams 

This aligns closely with McAfee’s 2025 Most Dangerous Celebrity: Deepfake Deception List. 

Our research found that: 

  • 72% of Americans have seen a fake celebrity or influencer endorsement online  
  • 39% have clicked on one of these ads or posts  
  • 1 in 10 lost money or personal information  
  • Average losses reached $525 per victim  

The celebrities most commonly exploited in the U.S. included Taylor Swift, Scarlett Johansson, Jenna Ortega, and Sydney Sweeney, while Brad Pitt also ranked prominently on the global list.  

Why These Scams Work So Well 

Celebrity deepfake scams exploit something simple: trust. 

When a familiar face appears in your social feed, whether it is Al Roker recommending a health product or Brad Pitt asking for help, your guard naturally drops. 

And AI is making these fakes harder to detect. 

McAfee’s 2026 State of the Scamiverse found that Americans now encounter an average of three deepfakes every day, yet more than one in three say they are not confident they can identify one. 

In other words, scammers are weaponizing the faces people know best to make fraud feel familiar. 

How to Spot a Deepfake on Social Media 

Celebrity deepfakes are designed to look convincing, but there are still clues that something is off. If you see a video of Oprah Winfrey, Al Roker, or Brad Pitt promoting a miracle cure, government benefit, or investment opportunity, pause before you click. 

Here are some of the biggest red flags to watch for: 

Red Flag   What to Look For   
Too-good-to-be-true offers  The video promises free grocery money, secret Medicare benefits, guaranteed investment returns, or miracle health cures. 
Out-of-character endorsements  A celebrity appears to promote a random supplement, financial opportunity, or government program that seems unrelated to their normal work. 
Robotic or unnatural voice  The speech sounds overly smooth, lacks natural pauses, or has strange pacing and tone. 
Lip-sync issues  The celebrity’s mouth movements do not perfectly match the words being spoken. 
Unnatural facial expressions  Blinking, smiling, and head movements appear stiff, overly polished, or slightly off. 
Urgent language  The ad pressures you to “Act now,” “Claim your benefits today,” or “Limited spots available.” 
Suspicious links  Clicking leads to a website you do not recognize or that does not match the company or organization being referenced. 
No confirmation elsewhere  Trusted news outlets and the celebrity’s verified accounts do not mention the same announcement or offer. 

When in doubt, go directly to the celebrity’s verified social account or search trusted news sources to confirm the information. And if something feels off, trust your instincts. In the age of AI, seeing is no longer believing. 

How McAfee Helps You Stay Ahead of These Scams 

McAfee+ Advanced gives you multiple layers working together so you’re not left figuring it out in the moment: 

  • Scam Detector flags suspicious texts, emails, links, and even deepfake videos before you engage  
  • Safe Browsing helps block risky sites if you do click or scan  
  • Device Security helps detect and remove malicious apps or downloads  
  • Identity Monitoring alerts you if your personal info shows up where it shouldn’t, so you can act fast  
  • Personal Data Cleanup helps remove your information from data broker sites, making you a harder target in the first place  
  • Secure VPN keeps your data private, especially on public Wi-Fi  

Safety tips to carry into next week 

  • Slow down when a message creates urgency. That’s the hook  
  • Don’t scan QR codes or click links from unexpected texts  
  • Go directly to official websites instead of using links sent to you  
  • Use tools that flag scams in real time so you don’t have to guess  
  • Don’t trust celebrity endorsements posted to social media unless they come directly from a celebrity’s official page 

The reality is, these scams are designed to look normal. You shouldn’t have to be an expert to spot them. That’s why McAfee’s here to help. 

We’ll be back next week with more scams making headlines. 

The post How to Spot Fake Court Texts and Celebrity Deepfake Ads: This Week in Scams appeared first on McAfee Blog.

  •  

How to Protect Yourself After the Canvas Education Data Breach + Fake Amazon Recall Texts

If you have ever checked your child’s grades online, submitted a college paper through a school portal, downloaded homework assignments, or received messages from a teacher through a classroom app, there is a good chance you have used Canvas, a nationwide learning management system that was just in a massive data breach. 

This is exactly the moment McAfee+ Advanced was built for. With our built-in Scam Detector to flag risky links, QR codes, and deepfakes; Identity Monitoring that alerts you when your data appears where it shouldn’t; and Personal Data Cleanup that removes your information from the dark web and data brokers, McAfee+ Advanced is an all-in-one solution for protection after a data breach.

Now let’s get into what you need to know about this breach: 

Who Is Behind the Canvas Breach? 

The ransomware group ShinyHunters is claiming responsibility for the attack. The group alleges it stole roughly 275 million records tied to nearly 9,000 schools and educational institutions worldwide. 

How Did the Canvas Cyberattack Happen? 

Instructure, the company behind Canvas, confirmed a cyber incident affecting its cloud-hosted environment. The attackers later posted claims about the breach on their leak site, where ransomware groups pressure organizations into paying by threatening to release stolen data publicly. 

What Information Was Stolen in the Canvas Breach? 

The stolen data reportedly includes: 

  • Student names  
  • Teacher and staff names  
  • Email addresses  
  • Student IDs  
  • Course and enrollment information  
  • School-related records  

ShinyHunters claims the breach exposed roughly 275 million records and more than 231 million unique email addresses. 

How Could the Canvas Data Breach Impact Families and Students? 

Even if financial information was not exposed, this kind of data can still be extremely valuable to scammers. Criminals can use real school names, real classes, teacher names, and student information to create highly convincing phishing emails, fake school alerts, scholarship scams, tuition scams, or password reset messages. 

A scam message referencing your child’s actual school or assignment is much harder to spot as fake. 

This is what a Canvas message might look like when forwarded to your email inbox. Hackers claim to have millions of these types of messages.
This is what a Canvas message might look like when forwarded to your email inbox. Hackers claim to have millions of these types of messages.

This is a real message from Canvas from a community college professor after yours truly took an anthropology class for fun during the pandemic. It’s full of links to apply for programs and reach out to professors. It has exact details about courses I’ve taken.  

While this correspondence is real, it’s exactly the type of messaging that scammers could fake and replicate, replacing real links with fake “paid” opportunities to pursue degrees.  

Now think of the millions of messages and specific scenarios scammers have access to, to create dubious and convincing scams. That’s why protecting yourself after a breach is key.  

What To Do Right Now 

Here are some actions you can take immediately ot protect yourself after this breach:

  • Change you or your child’s Canvas password immediately, and update any other accounts where they reuse that password 
  • Turn on multi-factor authentication (2FA) on parent and student accounts wherever the school permits it — Instructure’s own post-incident guidance specifically called out enforcing MFA as a recommended precaution 
  • Ask your school what identity protection is being offered if sensitive data was involved 
  • Consider placing a credit freeze on your or your child’s file to block new accounts from being opened in their name 
  • Avoid clicking links in any messages that reference the breach, go directly to the official site instead 

And that, my friends, is issue number one in this week’s This Week in Scams. Let’s get into what else is on our radar in cybersecurity and scam news. 


Fake Amazon Recall Texts Are Targeting Shoppers  

Your phone buzzes. It’s a text from an unknown number, but the message looks official. 

“Dear Amazon Customer, we are writing to inform you that an item from your March 2026 order has been identified for recall.” There’s an order number. A link at the top of the message. A note about quality standards and a refund waiting for you. 

It looks real. It has the Amazon logo, the branded formatting, even a reference to the “Amazon Customer Safety Team.” The only thing it doesn’t have? Any connection to Amazon at all. 

A photo of a scam recall text I received this week. Luckily Scam Detector flags the link as risky if you try to click.
A photo of a scam recall text I received this week. Luckily Scam Detector flags the link as risky if you try to click.

This is a fake Amazon recall scam, and it is making the rounds right now. The goal is to get you to click that link, which takes you to a site designed to harvest your login credentials, payment information, or both.  

If you get a text like this, do not click the link. Go directly to amazon.com in your browser, log in, and check your orders and messages from there. Amazon does not initiate recall or refund processes through unsolicited texts with outside links. 

What Is a Fake Amazon Recall Scam And How Does It Work? 

A fake Amazon recall scam is a text message or email in which criminals impersonate Amazon to convince you that one of your recent orders has been flagged for a product recall. The message directs you to an external link leading to a phishing site designed to steal your Amazon credentials, credit card details, or personal information. 

Red Flags To Watch For 

  • The text comes from an unknown number, not a short code or verified sender 
  • The link goes to a domain that is not amazon.com 
  • The message asks you to complete a refund through an external link 
  • Small typos or awkward phrasing appear in what looks like official communication 
  • The greeting says “Dear Amazon Customer” rather than your actual name 

What To Do If You Get One 

  • Do not click the link 
  • Go to amazon.com directly and check your orders and account notifications 
  • Report the text to Amazon at stop-spoofing@amazon.com 
  • Block the number 

Where McAfee Steps In (So You Don’t Have to Guess)  

Scams today are layered.  A fake email leads to stolen credentials. A breach leads to targeted phishing. And those follow-ups are getting harder to spot.  

With McAfee+ Advanced, multiple layers work together so you’re not left figuring it out after the damage is done: 

  • Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast  
  • Personal Data Cleanup helps remove your information from sites selling it. 
  • Scam Detector flags suspicious texts, emails, links, QR codes, and even deepfake videos before you engage  
  • Safe Browsing helps block risky sites, even if you do accidentally click  
  • Device Security helps detect malicious apps or downloads  
  • Secure VPN keeps your data private, especially on public Wi-Fi    

McAfee Safety Tips This Week 

Our advice based on this week’s scams and stories: 

  • If your child’s school uses Canvas, update their password now and enable multi-factor authentication if available 
  • Consider a credit freeze for your child’s identity, especially if sensitive identifiers were part of the breach 
  • Never click links in unsolicited texts about refunds, recalls, or account issues — go directly to the official site instead 
  • Treat any message that references your recent orders or personal account details with extra skepticism, even if it looks legitimate 
  • Use Scam Detector to check suspicious links before engaging, and stay alert in the weeks and months after a breach, not just the first few days 

And we’ll be back next week with more scams and cybersecurity news making headlines. 

The post How to Protect Yourself After the Canvas Education Data Breach + Fake Amazon Recall Texts appeared first on McAfee Blog.

  •  

Now Available: Use ChatGPT with McAfee to Spot Scams Faster

Scam messages are getting smarter and faster. 

According to McAfee’s 2026 State of the Scamiverse report, Americans now spend 114 hours a year trying to figure out what’s real and what’s fake online. That’s nearly three full workweeks lost to second-guessing messages, alerts, and links. 

And when scams do succeed, they move quickly. The typical scam unfolds in about 38 minutes, leaving little room for hesitation. 

That creates a gap: People want to check before they act, but the tools haven’t always met them in that moment. 

ChatGPT + McAfee is designed to close that gap, bringing scam detection directly to a platform people are already using to ask questions and make decisions. 

And it’s available to anyone. You don’t have to be a McAfee subscriber. 

This isn’t just detection. It’s guidance in the exact moment you’re deciding what to do.  

Instead of guessing, you can paste a message or drop in a screenshot and get a clear explanation of what’s riskyand what to do nextpowered by McAfee’s threat intelligence. 

What You Can Do with ChatGPT + McAfee 

With this integration, checking something suspicious becomes as simple as asking a question. 

Paste a message. Drop in a link. Upload a screenshot. 

McAfee analyzes it and explains what’s going on clearly and in context. 

Here’s how it works: 

Feature  What it does  How it protects you 
Link safety check  Paste a suspicious URL and get a reputational analysis based on McAfee threat intelligence  Scam links are often designed to look legitimate. A quick check helps avoid phishing and malware 
Message analysis  Submit texts, emails, or social messages for evaluation  Many scams now rely on urgency and tone. Analysis helps surface subtle red flags 
Screenshot uploads  Upload screenshots of messages, emails, or posts for review  Scams don’t always come as clean text. This makes it easier to check what you’re actually seeing 
Clear explanations  Get a breakdown of why something is flagged as risky or safe  Not just a warning—an explanation that helps you recognize patterns next time 
Guided next steps  Receive recommendations on what to do next  Helps prevent escalation, especially in moments of uncertainty 

It’s a quick, accessible way to get answers in the moment. But it’s just one part of a broader system designed to protect you more comprehensively. 

Add the app to your ChatGPT account here. 

McAfee's ChatGPT extension
McAfee’s ChatGPT extension

Built on McAfee’s Threat Intelligence 

Behind the scenes, ChatGPT + McAfee is powered by the same intelligence that fuels McAfee’s broader scam protection ecosystem. 

When you submit something for review: 

  • Links are checked against known threat signals  
  • Messages are analyzed for scam patterns and language cues  
  • Results are translated into clear, human-readable explanations  

The goal isn’t just to flag risk. It’s to help you understand it. 

A New Way to Stay Ahead of Scams 

Scams aren’t slowing down. If anything, they’re becoming more convincing, more personalized, and harder to detect. 

That’s where ChatGPT + McAfee comes in. But this is only one part of a much bigger system designed to protect you before, during, and after a scam attempt. 

With McAfee+ Advanced, multiple layers work together so you’re not left figuring it out after the damage is done: 

  • Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast  
  • Personal Data Cleanup helps remove your information from sites selling it. 
  • Scam Detector flags suspicious texts, emails, links, QR codes, and even deepfake videos before you engage  
  • Safe Browsing helps block risky sites, even if you do accidentally click  
  • Device Security helps detect malicious apps or downloads  
  • Secure VPN keeps your data private, especially on public Wi-Fi    

The ChatGPT experience gives you a fast, intuitive way to check something in the moment. 

McAfee+ Advanced makes sure you’re protected across everything else.

The post Now Available: Use ChatGPT with McAfee to Spot Scams Faster appeared first on McAfee Blog.

  •  

Ad Impersonation Scams and Record-Breaking Social Media Fraud Losses: This Week in Scams

You’re scrolling through Facebook or TikTok and see it. 

A flash sale from a brand you recognize. A limited-time investment opportunity. A job posting that promises quick money. 

The ad has comments. The account looks polished. Maybe someone you follow even liked it. 

So you click. 

From there, things move fast. You’re pushed to act quickly, enter your information, or send payment before the “deal” disappears. And just like that, the money is gone or your account is compromised. 

This isn’t an edge case anymore. According to new FTC data, nearly 30% of people who reported losing money to a scam in 2025 said it started on social media, with total losses hitting $2.1 billion. 

That’s why McAfee+ Advanced includes comprehensive protection designed to help you spot and stop scams at every step, including McAfee’s Scam Detector, which flags suspicious links and messages and explains why they may be risky, along with identity and privacy tools that help protect your information if a scam slips through. 

How Social Media Ad Scams Work 

A social media ad scam is when scammers use paid ads, fake profiles, or hijacked accounts on platforms like Facebook, Instagram, or TikTok to promote fake products, services, or investment opportunities in order to steal money or personal information. 

Step  What happens  What to do  How McAfee helps 
1  You see an ad, post, or DM promoting a deal, job, or investment  Don’t engage immediately, even if it looks legitimate  Scam Detector flags suspicious links and messages before you interact 
2  The ad links to a website or moves you into DMs  Avoid clicking unfamiliar links or continuing off-platform  Safe Browsing helps block risky or newly created websites 
3  You’re pressured to act quickly or “secure your spot”  Slow down and verify the company independently  Scam Detector explains urgency tactics and why they’re risky 
4  You’re asked to pay, share login info, or download something  Never send money or credentials based on a social media interaction  Identity Monitoring helps protect your personal data if exposed 
5  The product never arrives, the investment disappears, or your account is compromised  Report the scam and secure your accounts immediately  Personal Data Cleanup and monitoring help reduce ongoing exposure 

Red Flags To Watch For 

  • Deals that feel unusually cheap or urgent  
  • Ads linking to unfamiliar or slightly misspelled websites  
  • Requests to move conversations off-platform quickly  
  • Payment requests via apps, crypto, or wire transfer  
  • Accounts with limited history or inconsistent engagement  

And that is the first part of This Week in Scams! This Friday we’re taking a different format to talk about this new FTC data and all that it reveals.  

Let’s keep digging in: 

FTC Report: Social Media Scams Are Now The Most Costly Fraud Channel 

New data from the FTC shows just how dominant social media has become in the scam landscape. 

  • Social media scams drove $2.1 billion in reported losses in 2025  
  • Losses have increased eightfold since 2020  
  • Investment scams alone accounted for $1.1 billion of those losses 

Where Scams Are Happening And What’s Changing 

Category  What to know 
Most common scams  Shopping scams lead, with over 40% of victims reporting purchases from social media ads that never arrived 
Most costly scams  Investment scams drive the biggest losses, often starting with ads or group chats showing fake success 
What’s changing  Scammers are using platform tools like ads, targeting, and profile data to reach people more precisely than ever 

How Scams Play Out Across Platforms 

Platform  How scams typically start  What to watch for 
Facebook  Ads, Marketplace listings, hacked accounts  Fake stores, duplicate listings, urgent purchase pressure 
Instagram  Sponsored posts, influencer impersonation  “Limited drop” scams, fake brand collaborations 
TikTok  Ads, stolen videos/profiles, comment links, bio links,   “Get rich quick” schemes, external link funnels, reselling via TikTok 
WhatsApp  Group chats, investment communities  Fake testimonials, coordinated pressure to invest 

 How McAfee Protects You from Scams and Cyber Threats 

McAfee+ Advanced gives you multiple layers working together so you are not left figuring it out after the damage is done:   

  • Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast  
  • Personal Data Cleanup helps remove your information from data broker sites, making you harder to target in the first place  
  • Scam Detector flags suspicious texts, emails, links, and even deepfake videos before you engage  
  • Safe Browsing helps block risky sites if you do click  
  • Device Security helps detect malicious apps or downloads  
  • Secure VPN keeps your data private, especially on public Wi-Fi    

McAfee Safety Tips This Week 

Our advice based on this week’s scams and schemes: 

  • Treat social media ads like any other unknown source, not a trusted recommendation  
  • Pause before clicking, especially when urgency is involved  
  • Verify brands by going directly to their official website  
  • Avoid sending money or personal information through social media  
  • Use tools like Scam Detector to check suspicious links before engaging  

And we’ll be back next week with more scams making headlines.

The post Ad Impersonation Scams and Record-Breaking Social Media Fraud Losses: This Week in Scams appeared first on McAfee Blog.

  •  

Fake USPS QR Code Text Scams and a Major Health Data Breach: This Week in Scams

A new scam making the rounds takes a familiar delivery trick and upgrades it with hyperrealistic messaging and a QR code that looks safe to scan. 

But don’t be fooled. 

It’s the same delivery scam playbook scammers have relied on for years, just repackaged with better design and more convincing details. 

You get a message with a notice that looks something like this, a real message received by our team and tested against McAfee’s Scam Detector. 

A real image of a scam message impersonating the USPS
This is an example of the scam message we received, impersonating the USPS.

 

That added layer of realism is what makes this version more dangerous. But it doesn’t hold up under scrutiny. McAfee’s Scam Detector flagged both the suspicious language and the QR code in this message before any interaction. 

If you receive something like this, pause. Do not scan the code. 

You can also protect yourself with McAfee’s Scam Detector, which flags suspicious links and messages, including delivery scams and QRbased attacks, and explains why they may be risky. 

What is the USPS QR Code Scam and How Does it Work? 

The USPS QR code scam is a phishing attempt where scammers impersonate postal services and use QR codes instead of clickable links to direct victims to malicious websites. 

Once scanned, the QR code can lead to a fake USPS page that asks for payment, login credentials, or personal information. 

How the scam works 

Step  What happens  The red flags  What to do  How McAfee helps 
You receive a text about a delivery issue or missed package  Urgency, you’re not tracking a package  Be skeptical of unsolicited delivery messages  Scam Detector flags suspicious messages 
The message includes a QR code instead of a link  QR codes instead of official tracking links  is a red flag  Do not scan QR codes from unknown sources  QR scanning protection warns before opening risky destinations 
You scan the code and land on a fake USPS page  Generic or slightly off branding on the webpage  Do not enter any information  Safe Browsing blocks known malicious sites 
The page asks for payment or personal details  Requests for small “redelivery” or “processing” fees  are not normal  Exit immediately and do not submit anything  Scam Detector explains why the page is risky, and Identity Monitoring supports you when if your info gets out. 

What To Do If You Get This Message 

  • Do not scan the QR code  
  • Go directly to the official USPS website to check tracking  
  • Delete the message  
  • Report it as spam  
  • Monitor your accounts if you interacted with it  

And that, my friends, is scam number one in this week’s This Week in Scams. 

Let’s get into what else is on our radar. 

A Major Health Data Breach Exposes 500,000 Records 

A massive health data incident is raising new concerns about how sensitive information is handled and shared. 

According to reporting from the Associated Press, data tied to 500,000 participants in a major U.K. health research project was found listed for sale online. The dataset included biological and health-related information, though it did not contain direct identifiers like names or contact details. 

Access to the data had been granted to research institutions, but that access has since been revoked. Authorities say no purchases were made, and the listing has been removed. 

Still, the situation highlights a growing reality: once data is accessed or shared, control over it becomes harder to guarantee. 

What This Breach Says About Data Privacy 

Scams are no longer isolated events. They are layered. 

A data breach does not just stay a breach. It becomes fuel for future scams. Exposed information can be used to make phishing messages more convincing, personalize attacks, and build trust with targets. 

That is why detection alone is not enough anymore. Protection has to account for both incoming threats and what happens when data is already out there. 

How McAfee Protects You In A World of Scams and Data Breaches  

McAfee+ Advanced gives you multiple layers working together so you are not left figuring it out after the damage is done:  

  • Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast 
  • Personal Data Cleanup helps remove your information from data broker sites, making you harder to target in the first place 
  • Scam Detector flags suspicious texts, emails, links, and even deepfake videos before you engage 
  • Safe Browsing helps block risky sites if you do click 
  • Device Security helps detect malicious apps or downloads 
  • Secure VPN keeps your data private, especially on public Wi-Fi   

McAfee Safety Tips This Week  

As always, we have some best practices and safety tips for navigating life online:  

  • Pause before clicking, especially when a message creates urgency   
  • Go directly to websites or apps instead of using email links   
  • Be skeptical of routine account alerts that push immediate action   
  • Double-check sender addresses and URLs closely   
  • Use tools like McAfee’s Scam Detector to flag suspicious links and messages before interacting   
  • Turn on identity monitoring so you’re alerted if your data is exposed  

And we’ll be back next week with more scams making headlines.

The post Fake USPS QR Code Text Scams and a Major Health Data Breach: This Week in Scams appeared first on McAfee Blog.

  •  

Why Hackers Are Collecting Data They Can’t Read Yet. And How to Stay Safe

Co-Authored by Luiz Parente 

Your data might be safe today. But that doesn’t mean it’s safe forever. 

A growing number of sophisticated actors are collecting encrypted data now, with the goal of decrypting it later, when more powerful technology becomes available. 

This strategy is known as Harvest Now, Decrypt Later (HNDL). And it’s not a future problem. It’s already happening, according to research from our McAfee VPN team. 

For everyday people, that means private messages, financial records, and sensitive documents could be exposed years from now if protections don’t evolve today. 

That’s why security teams, including McAfee’s VPN engineers, are already working on ways to strengthen encryption for both today and what comes next. 

What “Harvest Now, Decrypt Later” Means 

At its core, HNDL is simple: Attackers collect encrypted data now, store it, and wait until they have the tools to unlock it later. 

Even though today’s encryption is incredibly strong, the strategy doesn’t rely on breaking it today. It relies on patience.  

A Simple Way to Think About It 

You put valuable belongings and documents in a safe at home that’s locked and secured. This works at preventing crimes of opportunity. But let’s say there’s a thief who steals the entire safe, knowing they have tools they can use later to access what’s inside. They wait, and once the tools are available, they break into your safe and access everything inside. 

That’s one way to think of HNDL. The safe is the encryption. The quantum computing is the tool they can use later.  

But in real life, you’d probably notice if your safe is gone. In the case of HNDL, if you’re not monitoring your data, you may not even notice encrypted information has been stolen to be decrypted.  

Key Terms Explained 

Term  What it means 
Encryption  Scrambling data so others can’t read it 
Quantum computing  A new type of computing that can break some encryption 
HNDL  A strategy to collect encrypted data now and decrypt it later 

Why This Matters Right Now 

This isn’t about whether your data is valuable today. It’s about whether it might be valuable later. 

Data with a long shelf life is especially at risk, including: 

  • Financial records  
  • Medical information  
  • Private messages  
  • Legal or identity documents  

Even something that feels low-stakes today could become sensitive in the future. 

And because the collection phase is already happening, the risk isn’t hypothetical. It’s already in motion. 

How This Affects VPNs (and what doesn’t change) 

VPNs remain one of the most effective ways to protect your data today. That hasn’t changed. 

But HNDL introduces a new layer of complexity. 

  • What’s still strong: The encryption that protects your data in transit remains highly resilient.  
  • Where the risk is: The “handshake” process (how a secure connection is established) is more vulnerable to future quantum attacks.  

In simple terms: Your data is well protected today, but parts of how that protection is set up may need to evolve for the future. 

What Quantum Computing Changes 

Traditional computers process information in a linear way. 

Quantum computers work differently. They can solve certain types of problems much faster, including the kinds of mathematical challenges that protect today’s encryption. 

That’s why attackers are willing to wait. 

Once quantum computing reaches a certain level, it could unlock data that was previously considered secure. 

Image shows a phone connecting to VPN

What McAfee’s VPN Team is Working On 

McAfee’s VPN team is already preparing for this shift. 

  • Evaluating quantum-safe encryption approaches  
  • Exploring hybrid models that protect both now and long-term  
  • Building toward a more resilient VPN experience  

This work builds on a broader privacy-by-design approach, where systems are designed to minimize risk from the start, not react after the fact. 

Because with HNDL, waiting isn’t an option. 

What You Can Do Now 

You don’t need to wait for quantum computing to take steps today. 

  • Use a trusted VPN to encrypt your connection  
  • Be mindful of long-term sensitive data you share online  
  • Avoid unsecured public Wi-Fi when possible  
  • Keep your apps and devices updated  

These steps help protect your data now while the industry builds toward future-ready security. 

How McAfee Helps Protect You 

McAfee+ Advanced gives you multiple layers working together so you are not left figuring it out after the damage is done:  

  • Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast 
  • Personal Data Cleanup helps remove your information from data broker sites, making you harder to target in the first place 
  • Scam Detector flags suspicious texts, emails, links, and even deepfake videos before you engage 
  • Safe Browsing helps block risky sites if you do click 
  • Device Security helps detect malicious apps or downloads 
  • Secure VPN keeps your data private, especially on public Wi-Fi   

Frequently Asked Questions (FAQs) 

FAQ 
Q: Is my data safe right now?  

A: In most cases, yes—today’s encryption is extremely strong and is designed to protect your data from current threats. If you’re using trusted security tools like a VPN, safe browsing protections, and device security, your data is actively protected while it’s in transit and in use. However, no system is risk-free. Data exposed through phishing, weak passwords, breaches, or unsecured networks may still be vulnerable. And with “Harvest Now, Decrypt Later,” even properly encrypted data could be collected today and targeted for decryption in the future. 

Q: What is quantum-safe encryption? 

A: Quantum-safe (or post-quantum) encryption refers to new types of cryptography designed to remain secure even against future quantum computers. Today’s encryption relies on math problems that are extremely difficult for classical computers to solve, but quantum computers could eventually solve some of them much faster. Quantum-safe approaches use different mathematical foundations that are believed to resist those capabilities. In practice, many companies are moving toward hybrid encryption, combining today’s proven methods with newer quantum-resistant techniques to protect data both now and long-term. 

Q: Should I still use a VPN? 

A: Yes. A VPN remains one of the most effective ways to protect your data today, especially on public or unsecured networks. It encrypts your internet traffic and helps prevent interception by hackers, internet providers, or other third parties. While VPN protocols are evolving to address future quantum risks, they still provide strong, essential protection against today’s threats. 

Q: When will this become a real threat? 

A: The risk unfolds in two phases. The collection phase is already happening today, where sophisticated actors gather encrypted data and store it. The decryption phase depends on when quantum computing advances far enough to break certain types of encryption, which could take years but is actively progressing. This means data with a long lifespan, such as financial records, personal communications, and sensitive documents, is most at risk because it only needs to remain valuable until those capabilities exist. 

The post Why Hackers Are Collecting Data They Can’t Read Yet. And How to Stay Safe appeared first on McAfee Blog.

  •  

Cloud Storage Scam Emails and Record-Breaking Fraud Losses: This Week in Scams 

Fake cloud email example

You open your inbox and see it: Your cloud storage is full. 

There’s a warning about photos being deleted, your account being suspended, or a renewal failing. There’s a button to “fix it now.” Or a warning to “act today.” 

It looks routine. Maybe even urgent enough to click. 

That’s exactly the point. 

An example of a cloud storage scam detected by McAfee.
An example of a cloud storage scam detected by McAfee.

Cloud storage scams are making headlines again, building on patterns we flagged earlier this year in our State of the Scamiverse research.  

These emails have circulated steadily since 2025, often impersonating trusted brands like Apple, Microsoft, and Google. Many are timed to moments when people are already thinking about storage, backups, or subscriptions. 

The safest move is simple: pause and don’t click. If there’s a real issue, go directly to your account through the official app or website. 

You can also protect yourself with McAfee’s Scam Detector, which flags suspicious links and messages, including cloud storage scams, and explains why they may be risky. 

What Is A Cloud Storage Scam And How Does It Work? 

Cloud storage scams are phishing attacks designed to trick you into believing there’s an issue with your account so you’ll click a malicious link.

They often look like this, and include 3 key red flags:  

  • Messages that create urgency like “act now or lose your data”  
  • Generic greetings instead of your name  
  • Links that don’t match the official domain  

How the scam works (step-by-step) 

Step  What happens  What to do  How McAfee helps 
1. You receive a message  Email or text claims your storage is full or your account has an issue  Don’t click links directly from the message  Scam Detector flags suspicious messages before you interact 
2. Urgency is introduced  Warning that files or photos will be deleted if you don’t act  Pause. Urgency is a red flag  Scam Detector identifies pressure-based scam patterns 
3. You’re pushed to a link  Link mimics a real login or billing page  Go directly to the official website instead  Safe browsing tools help block malicious sites 
4. You’re asked for info  Login credentials or payment details requested  Never enter info from a link you didn’t verify  Scam Detector explains why a page or link is risky 
5. Data is captured  Scammers collect your data or payment  Monitor accounts and report suspicious activity  Identity monitoring alerts you if your data is exposed 

 Why This Scam Works 

  • Familiar brands: Messages often appear to come from trusted platforms like Apple iCloud or Google Drive  
  • Emotional pressure: The threat of losing photos or files triggers quick decisions  
  • Routine context: Storage alerts feel normal, so people don’t question them  

And that, my friends, is scam number one in this week’s This Week in Scams. 

Let’s get into what else is on our radar. 

FBI Report: Over $20 Billion Lost to Scams in 2025

New data from the FBI’s Internet Crime Complaint Center (ICC) shows just how large the scam economy has become. 

 Accessibility description: Chart describes the number of complaints filed with IC3.gov from 2001 – 2025. 2 Accessibility description: Chart describes the losses of complaints filed with IC3.gov from 2001 – 2025. (Image Courtesy, FBI)
Cybersecurity-related fraud losses topped $20 billion in 2025. (Image Courtesy, FBI)

In 2025 alone: 

  • Americans reported over $20.8 billion in losses  
  • More than 1 million complaints were filed  
  • That’s roughly 3,000 complaints per day  
(Image Courtesy, FBI)
Investment-related fraud topped the charts, with over $8.5 billion lost to investment cybercrime in 2025. And that’s just losses that were reported. Not everyone reports when they were scammed. (Image Courtesy FBI)

This is where layered protection matters. It’s not just about catching one bad link. It’s about recognizing patterns across messages, platforms, and moments when something feels slightly off. 

How McAfee Protects You From Scams and Cyber Threats 

McAfee+ Advanced gives you multiple layers working together so you are not left figuring it out after the damage is done:  

  • Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast 
  • Personal Data Cleanup helps remove your information from data broker sites, making you harder to target in the first place 
  • Scam Detector flags suspicious texts, emails, links, and even deepfake videos before you engage 
  • Safe Browsing helps block risky sites if you do click 
  • Device Security helps detect malicious apps or downloads 
  • Secure VPN keeps your data private, especially on public Wi-Fi   

McAfee Safety Tips This Week 

As always, we have some best practices and safety tips for navigating life online: 

  • Pause before clicking, especially when a message creates urgency  
  • Go directly to websites or apps instead of using email links  
  • Be skeptical of routine account alerts that push immediate action  
  • Double-check sender addresses and URLs closely  
  • Use tools like McAfee’s Scam Detector to flag suspicious links and messages before interacting  
  • Turn on identity monitoring so you’re alerted if your data is exposed 

And we’ll be back next week with more scams making headlines. 

The post Cloud Storage Scam Emails and Record-Breaking Fraud Losses: This Week in Scams  appeared first on McAfee Blog.

  •  

Can Your Wearable Health Monitors Be Compromised?

Wearable health devices are designed to give you more control over your body and your data. 

But in 2026, the bigger risk isn’t someone spying on your smartwatch or smartring in real time. It’s what happens if the data connected to that device gets exposed. 

Health data, login credentials, and behavioral patterns tied to wearables can become valuable signals for cybercriminals. And once that data is out, it can fuel everything from identity theft to highly targeted scams. 

Here’s what’s actually at risk, and how to protect yourself. 

What Is Wearable Health Data (and Why It Matters) 

Wearable health data refers to the personal information collected and stored by devices like fitness trackers, smartwatches, and connected medical monitors. 

This can include: 

  • Heart rate and activity levels  
  • Sleep patterns  
  • Location data  
  • Medical metrics (like glucose levels)  
  • Account credentials tied to apps and dashboards  

On its own, this data may seem harmless. But combined, it creates a highly detailed profile of your habits, routines, and health status. 

The Real Risk in 2026 Isn’t the Device. It’s the Data. 

Early conversations around wearable security focused on device hacking or surveillance. 

Today, the bigger concern is data exposure. 

If wearable platforms, apps, or connected services are breached, your data could be: 

  • Sold on the dark web  
  • Used to impersonate you  
  • Leveraged in targeted phishing or health-related scams  

And because this data is personal and specific, scams built from it can feel far more convincing than generic spam. 

How Exposed Wearable Data Can Lead to Scams 

When cybercriminals gain access to personal data, they don’t just sit on it. They use it. 

Here’s how that plays out: 

Scenario  What It Looks Like  Why It Works 
Health-related phishing  “Your insurance claim was denied” or “Update your health profile”  Feels relevant and urgent 
Account takeover attempts  Password reset emails tied to known apps  Uses real account signals 
Personalized scams  Messages referencing routines, devices, or conditions  Builds trust quickly 
Fake alerts or services  “Device security issue detected”  Mimics real product behavior 

 

This is where the risk shifts from data privacy → real-world financial and identity impact. 

6 Smart Ways to Protect Your Wearable Data 

1)Install updates immediately
Security patches fix known vulnerabilities. Delaying updates leaves gaps open.  

2) Use layered protection, not just device settings
A VPN and security software help protect data in transit and block threats before they reach you.  

3) Strengthen your login credentials
Use strong, unique passwords and enable two-factor authentication wherever possible.  

4) Limit what you share
Review app permissions and only connect devices to services you trust.  

5) Verify every message or alert
If you receive a message tied to your device or health data, double-check the source before clicking.  

6) Monitor your accounts regularly
Small signs of unusual activity can be early indicators of larger issues. 

How McAfee Helps Protect Your Data Beyond the Device 

Protecting your wearable doesn’t stop at the device itself. It extends to what happens if your data is exposed or targeted. 

Identity Monitoring 

McAfee helps track your personal information across known breach sources and alerts you if your data appears where it shouldn’t. 

This gives you early warning if wearable-related accounts or associated data are compromised. 

Scam Detector 

If your data is exposed, scammers often follow. 

McAfee’s Scam Detector helps identify suspicious messages, links, and communications before you engage, and explains why something was flagged, so you can make informed decisions quickly. 

Together, these tools help protect not just your device, but the chain reaction that can follow a data breach. 

The post Can Your Wearable Health Monitors Be Compromised? appeared first on McAfee Blog.

  •  

McAfee’s Scam Detector Named Webby Awards Finalist for AI Innovation

We’re excited to share that McAfee’s Scam Detector has been named a finalist in the 2026 Webby Awards. 

Recognized in the AI Experiences & Applications – Consumer Application category and named a Webby Honoree for Best Use of AI & Machine Learning, Scam Detector is being acknowledged for its effectiveness as an AI-driven consumer tool. 

This recognition of Scam Detector validates something key in research findings. According to McAfee’s 2026 State of the Scamiverse report, Americans now spend 114 hours a year trying to decide what’s real and what’s fake online. 

Scam Detector was built with this era of uncertainty in mind, designed to help people cut through confusion and identify scams as they appear. The Webby recognition reinforces to us that McAfee’s Scam Detector is doing exactly that. 

What Are the Webby Awards? 

The Webby Awards are presented by the International Academy of Digital Arts & Sciences and recognize excellence across the internet, including apps, software, AI, and digital experiences. 

Each year, thousands of entries are evaluated, with finalists representing the top work in their category globally. 

In addition to judged awards, the Webby Awards include a People’s Voice Award, which is decided by public vote. 

How McAfee’s Scam Detector Uses AI to Stop Scams 

Scam Detector is designed to help people identify scams where they’re most likely to happen, always ready to help you spot what’s real and what’s not when you least expect it. 

It uses AI to analyze and flag suspicious: 

  • Text messages and emails  
  • Links and websites  
  • QR codes  
  • Social media messages  
  • AI-generated and deepfake content  

Beyond detection, Scam Detector explains why something was flagged as risky. That transparency helps show how decisions are made, so people can quickly understand the risk and feel more confident trusting what’s flagged.

As scams become more personalized and harder to detect, this combination of automatic detection and clear guidance is critical to preventing financial loss and identity theft. 

Vote for McAfee’s Scam Detector 

Scam Detector is eligible for the Webby People’s Voice Award, which is decided by public vote. 

If you would like to support McAfee’s Scam Detector, you can vote here: https://vote.webbyawards.com/PublicVoting#/2026/ai/ai-experiences-applications/consumer-application 

Voting is open through Thursday, April 16 at 11:59 pm PDT. 

Winners will be announced on April 21, 2026. 

And a big thank you to the McAfee teams who brought Scam Detector to life and who continuously improve how Scam Detector identifies new threats and adapts to the evolving world of AI-driven scams. 

The post McAfee’s Scam Detector Named Webby Awards Finalist for AI Innovation appeared first on McAfee Blog.

  •  

Oklahoma Tax Breach and FBI Impersonation Scam: This Week in Scams

Suspects wanted by the FBI

A tax system breach in Oklahoma is putting highly sensitive personal information at risk. And unfortunately, this is exactly the kind of situation scammers love to exploit. 

Hackers reportedly accessed W-2 and 1099 files through Oklahoma’s online tax portal, according to state officials, exposing the kind of information that can open the door to tax fraud, identity theft, and highly targeted phishing attempts. 

Before the follow-up scams start rolling in, this is the kind of moment where layered protection matters. McAfee+ Advanced includes identity monitoring and data cleansup that can help alert you if your personal information starts circulating where it shouldn’t, and Scam Detector can flag suspicious messages if scammers try to use this breach as a hook. 

What Happened in Oklahoma 

According to a statement by the Oklahoma Tax Commission and reported by KOCO News 5, a local ABC affiliate, suspicious activity inside the state’s Oklahoma Taxpayer Access Point system was identified in December 2025. The agency says impacted individuals have been notified directly by mail, and complimentary credit monitoring and fraud assistance are being offered. 

When W-2s, 1099s, Social Security numbers, and tax-related records are exposed, scammers can use that information to: 

  • File fraudulent tax returns  
  • Try to open new accounts  
  • Build phishing emails or texts that feel unusually real  

Either way, the goal is the same: use real information to make the next scam more believable. 

Red Flags of a Scam After a Breach Like This 

The breach itself is real. But what often follows is a second wave of scams pretending to help. 

Watch For: 

  • Emails or texts about your “tax account” that create urgency  
  • Messages asking you to verify personal information  
  • Fake alerts about refunds, filings, or suspicious activity  
  • Links telling you to log in and “secure” your account  

That’s where people can get hit twice: once by the breach, and again by the scam that follows it. 

What To Do If You’re Impacted 

First, don’t panic. Then: 

  • Take advantage of any free credit monitoring or fraud assistance being offered  
  • Monitor your bank accounts, tax records, and credit reports closely  
  • Consider placing a fraud alert or credit freeze if needed  
  • Be extra careful with any message referencing taxes, refunds, or account access 
  • Go directly to official sites instead of clicking links in emails or texts  

And that, my friends, is scam number one in this week’s This Week in Scams. 

Let’s get into what else is on our radar. 

The FBI Impersonation Scam Showing Up Across the U.S. 

Scammers pretending to be federal agents are making the rounds across the country, and this one is built to make people panic fast. 

Field offices, including Chicago and Houston, are warning the public about fraudsters posing as FBI agents in calls, texts, and emails. In some cases, the scammers claim you’re connected to an investigation. In others, they say you’re a victim of fraud and need to act immediately to protect yourself. 

Sometimes they do not stop there. They may also pretend to be bank employees working alongside the FBI, all to make the story feel more convincing and get access to your money or personal information. 

Suspects wanted by the FBI
The FBI has shared images of these suspects pretending to be agents. If you are contacted by these officials, report it to the FBI.

Why This Scam Works

This scam plays on the same pressure tactics we’ve seen over and over again: authority, urgency, and confusion. 

If someone claims to be a federal agent, many people freeze up and assume they need to cooperate immediately. That’s exactly what scammers are counting on. 

The FBI has been clear about this: federal law enforcement will not ask you for money or sensitive personal information over the phone, by text, or by email. 

The Red Flags in This Message

  • Unsolicited outreach from someone claiming to be federal law enforcement  
  • Pressure to act immediately  
  • Requests for money, gift cards, prepaid cards, or personal information  
  • Instructions to keep the conversation secret  
  • Stories involving a bank “working with” the FBI  

If it feels dramatic, high-pressure, and just a little off, trust that instinct. 

What To Do if You Get One Of These Messages

  • Do not respond  
  • Do not send money or share personal information  
  • Contact the agency directly using publicly listed contact information  
  • Save the message for your records  
  • Report it to the FBI: 1-800-CALL-FBI (225-5324), or online at tips.fbi.gov.

This is also exactly the kind of message McAfee’s Scam Detector is built to flag before you get pulled in. 

How McAfee Helps You Stay Ahead of Scams and Breaches 

McAfee+ Advanced gives you multiple layers working together so you are not left figuring it out after the damage is done: 

  • Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast
  • Personal Data Cleanup helps remove your information from data broker sites, making you harder to target in the first place
  • Scam Detector flags suspicious texts, emails, links, and even deepfake videos before you engage
  • Safe Browsing helps block risky sites if you do click
  • Device Security helps detect malicious apps or downloads
  • Secure VPN keeps your data private, especially on public Wi-Fi  

This kind of layered protection is critical in cases like ghost student scams, where the first sign of fraud often comes after financial damage has already happened. 

Safety tips to carry into next week 

  • Be extra cautious after any real breach makes headlines  
  • Do not trust unsolicited messages just because they reference real institutions  
  • Never send money to someone claiming to be law enforcement  
  • Go directly to official websites instead of clicking links  
  • Use tools that flag suspicious messages in real time so you do not have to guess 

The reality is, scams are getting better at looking official. 

You should not have to be an expert to spot them. That’s why McAfee is here to help. We’re Safer Together.

We’ll be back next week with more scams making headlines. 

The post Oklahoma Tax Breach and FBI Impersonation Scam: This Week in Scams appeared first on McAfee Blog.

  •  
❌