Normal view

Payment apps are watching what you say (Lock and Code S07E11)

1 June 2026 at 03:52

This week on the Lock and Code podcast…

In the United States today, you can have your bank account closed, your credit cards cancelled, and your online payments revoked for any number of crimes, like funding terrorism, engaging in money laundering, or violating sanctions.

Sensible, right? Well, you can also face financial ruin for teaching poetry.

That’s what seemingly happened to a Persian poetry teacher from Detroit whose accounts were flagged for “sanctions violations” because his students wrote “Persian classes” in their Venmo memos. There’s also the story about the naked yoga practitioners who lost their payment processor for 60 days, forced to rebuild a subscriber list from scratch. And we can’t forget the San Diego cannabis journalist cut off from Stripe—and from a paid Substack newsletter—because of the payment platform’s rules that prohibit the promotion of the sale of cannabis.

This is “financial censorship,” and it often happens when a bank, credit card provider, or payment app decides that a customer is too risky to serve. But “risky” doesn’t always mean “illegal,” and when a major financial institution errs towards caution about what a customer is saying, advocating for, representing, or publishing, a lot of innocent people can be hurt in the process.

That’s what the digital rights activist Rainey Reitman learned in writing “Transaction Denied: Big Finance’s Power to Punish Speech.” As Reitman explained about these hugely impactful decisions:

“Even if they are well-intentioned, the financial systems can end up pulling in a lot of people that are not the actual target… Sometimes we talk about this as dolphins in the fishing lines.”

These decisions are difficult to fight, frustratingly opaque, and nearly impossible to reverse. Compounding the problem is that that there aren’t enough alternatives available for the financially censored to easily regain their freedom.

The reality for hundreds of millions of people in this country is that about a dozen companies control all their finances. People mostly bank with Chase, or Bank of America, or Citigroup, or Wells Fargo. They mostly use credit cards assigned by Visa, MasterCard, American Express, or Capital One. And they mostly send money to one another and to small businesses using services like PayPal, Venmo, Cash app, and Square.

For most people, these companies are supposed to operate in the background of their lives, providing reliable, secure financing to sustain and manage their livelihoods. But in practice, these companies can become quite interested in what you say online, what payments you receive each month, and the locations those payments arrived from.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Reitman—who is also the president and a co-founder of the Freedom of the Press Foundation—about the real stories of those who have been financially censored, why financial companies cut off customers for legal speech, and how a single company’s decision can create cascading consequences that feel impossible to fight.

“They’d be locked out of Venmo, then they’d be locked out of PayPal—which is connected to Venmo—and then they’d suddenly lose their Chase Bank account. You could see that in a lot of instances, losing one form of access to the financial system, it could result in a pattern where they would be losing access repeatedly.”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)


Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium Security for Lock and Code listeners.

More PayPal emails hijacked to deliver tech support scams

30 April 2026 at 21:29

Scammers have found another way to get deceptive messages delivered through PayPal’s legitimate services.

In December 2025, we reported that PayPal closed a loophole that let scammers send real emails with fake purchase notices.

In those cases, scammers created a PayPal subscription and then paused it, which triggered PayPal’s genuine “Your automatic payment is no longer active” notification. They also set up a fake subscriber account, likely a Google Workspace mailing list, which automatically forwarded any email it received to all other group members.

Recently, ConsumerWorld.org alerted us that tech support scammers have found a way to manipulate the subject line of PayPal payment notifications.

This is a screenshot of the example they sent us.

Screenshot email from PayPal scammers
Screenshot email from PayPal scammers

As you can see, the email comes from service@paypal.com. It wasn’t spoofed, which means it passes standard security checks (DKIM, SPF, DMARC).

While the body of the email says that you received a payment of ¥1 JPY (a whopping $0.0063), the subject line tells a different story:

“Pending charge of USD 987.90 for account activation. Questions? Call-(888) 607-0685.”

As an extra bonus for the scammers, the email contains personalized details—the recipient’s actual name and a real transaction ID.

The number in the subject line is not PayPal’s. The legitimate contact number appears inside the email.

the fake and the real PayPal number
The fake (red) and the real (green) PayPal number

Scam or legit? Scam Guard knows.


The intention of the email is straightforward.

Recipients think:

  1. “Oh no! There’s a pending charge for $987.90.”
  2. “The amount doesn’t match what I see in the email body—that’s weird and scary.”
  3. “I need to call this number immediately to dispute this charge.”

They call the number in the subject line, only to reach tech support scammers.

These scammers pretend to be PayPal support and may try to:

  • Get you to “verify” payment methods
  • Collect banking details
  • Convince you to install remote access tools
  • Take control of accounts or devices
  • All of the above

How the subject line is altered is still unclear. Based on PayPal’s documented email behavior, subject lines are typically fixed and not meant to include arbitrary free text or phone numbers. Our findings indicate that the subject line was already weaponized at the point PayPal’s systems signed the email. If someone along the way had rewritten the subject, the dkim=pass header.d=paypal.com result would likely fail.

One possibility is that the scammer abused PayPal’s note or remittance field in a way that surfaces in certain payout templates, including the subject line and HTML <title>, even though normal merchant payment‑received emails don’t allow arbitrary subjects.

The title tag matches the subject line of the email
The title tag matches the subject line of the email

We have contacted PayPal for comment and will update this post if we hear back.

How to avoid PayPal scams

The best way to stay safe is to stay informed about the tricks scammers use. Learn to spot the red flags that almost always give away scams and phishing emails, and remember:

  • Use verified, official ways to contact companies. Don’t call numbers listed in suspicious emails or attachments.
  • Beware of someone wanting to connect to your computer remotely. One of the tech support scammer’s biggest weapons is their ability to connect remotely to their victims. If they do this, they essentially have total access to all of your files and folders.
  • Report suspicious emails to PayPal. Send the email to phishing@paypal.com to support their investigations.

If you’ve fallen victim to a tech support scam:

  • Paid the scammer? Contact your bank or card provider and let them know what’s happened. You can also file a complaint with the FTC or your local law enforcement, depending on your region.
  • Shared a password? Change it anywhere it’s used. Consider using a password manager and enable 2FA for important accounts.
  • Gave access to your device? Run a full security scan. If scammers had access to your system, they may have planted a backdoor so they can revisit whenever they feel like it. Malwarebytes can remove these and other software left behind by scammers.
  • Watch your accounts: Keep an eye out for unexpected payments or suspicious charges on your credit cards and bank accounts.
  • Be wary of suspicious emails. If you’ve fallen for one scam, they may target you again.

Pro tip: Malwarebytes Scam Guard recognized this email as a call back scam. Upload any suspicious text, emails, attachments, and other files to ask for its opinion. It’s really very good at recognizing scams. 


Something feel off? Check it before you click.  

Malwarebytes Scam Guard helps you analyze suspicious links, texts, and screenshots instantly.  

Available with Malwarebytes Premium Security for all your devices, and in the Malwarebytes app for iOS and Android.  

Try it free → 

Criminals are using AI website builders to clone major brands

12 February 2026 at 09:03

AI tool Vercel was abused by cybercriminals to create a Malwarebytes lookalike website.

Cybercriminals no longer need design or coding skills to create a convincing fake brand site. All they need is a domain name and an AI website builder. In minutes, they can clone a site’s look and feel, plug in payment or credential-stealing flows, and start luring victims through search, social media, and spam.

One side effect of being an established and trusted brand is that you attract copycats who want a slice of that trust without doing any of the work. Cybercriminals have always known it is much easier to trick users by impersonating something they already recognize than by inventing something new—and developments in AI have made it trivial for scammers to create convincing fake sites.​​

Registering a plausible-looking domain is cheap and fast, especially through registrars and resellers that do little or no upfront vetting. Once attackers have a name that looks close enough to the real thing, they can use AI-powered tools to copy layouts, colors, and branding elements, and generate product pages, sign-up flows, and FAQs that look “on brand.”

A flood of fake “official” sites

Data from recent holiday seasons shows just how routine large-scale domain abuse has become.

Over a three‑month period leading into the 2025 shopping season, researchers observed more than 18,000 holiday‑themed domains with lures like “Christmas,” “Black Friday,” and “Flash Sale,” with at least 750 confirmed as malicious and many more still under investigation. In the same window, about 19,000 additional domains were registered explicitly to impersonate major retail brands, nearly 3,000 of which were already hosting phishing pages or fraudulent storefronts.

These sites are used for everything from credential harvesting and payment fraud to malware delivery disguised as “order trackers” or “security updates.”

Attackers then boost visibility using SEO poisoning, ad abuse, and comment spam, nudging their lookalike sites into search results and promoting them in social feeds right next to the legitimate ones. From a user’s perspective, especially on mobile without the hover function, that fake site can be only a typo or a tap away.​

When the impersonation hits home

A recent example shows how low the barrier to entry has become.

We were alerted to a site at installmalwarebytes[.]org that masqueraded from logo to layout as a genuine Malwarebytes site.

Close inspection revealed that the HTML carried a meta tag value pointing to v0 by Vercel, an AI-assisted app and website builder.

Built by v0

The tool lets users paste an existing URL into a prompt to automatically recreate its layout, styling, and structure—producing a near‑perfect clone of a site in very little time.

The history of the imposter domain tells an incremental evolution into abuse.

Registered in 2019, the site did not initially contain any Malwarebytes branding. In 2022, the operator began layering in Malwarebytes branding while publishing Indonesian‑language security content. This likely helped with search reputation while normalizing the brand look to visitors. Later, the site went blank, with no public archive records for 2025, only to resurface as a full-on clone backed by AI‑assisted tooling.​

Traffic did not arrive by accident. Links to the site appeared in comment spam and injected links on unrelated websites, giving users the impression of organic references and driving them toward the fake download pages.

Payment flows were equally opaque. The fake site used PayPal for payments, but the integration hid the merchant’s name and logo from the user-facing confirmation screens, leaving only the buyer’s own details visible. That allowed the criminals to accept money while revealing as little about themselves as possible.

PayPal module

Behind the scenes, historical registration data pointed to an origin in India and to a hosting IP (209.99.40[.]222) associated with domain parking and other dubious uses rather than normal production hosting.

Combined with the AI‑powered cloning and the evasive payment configuration, it painted a picture of low‑effort, high‑confidence fraud.

AI website builders as force multipliers

The installmalwarebytes[.]org case is not an isolated misuse of AI‑assisted builders. It fits into a broader pattern of attackers using generative tools to create and host phishing sites at scale.

Threat intelligence teams have documented abuse of Vercel’s v0 platform to generate fully functional phishing pages that impersonate sign‑in portals for a variety of brands, including identity providers and cloud services, all from simple text prompts. Once the AI produces a clone, criminals can tweak a few links to point to their own credential‑stealing backends and go live in minutes.

Research into AI’s role in modern phishing shows that attackers are leaning heavily on website generators, writing assistants, and chatbots to streamline the entire kill chain—from crafting persuasive copy in multiple languages to spinning up responsive pages that render cleanly across devices. One analysis of AI‑assisted phishing campaigns found that roughly 40% of observed abuse involved website generation services, 30% involved AI writing tools, and about 11% leveraged chatbots, often in combination. This stack lets even low‑skilled actors produce professional-looking scams that used to require specialized skills or paid kits.​

Growth first, guardrails later

The core problem is not that AI can build websites. It’s that the incentives around AI platform development are skewed. Vendors are under intense pressure to ship new capabilities, grow user bases, and capture market share, and that pressure often runs ahead of serious investment in abuse prevention.

As Malwarebytes General Manager Mark Beare put it:

“AI-powered website builders like Lovable and Vercel have dramatically lowered the barrier for launching polished sites in minutes. While these platforms include baseline security controls, their core focus is speed, ease of use, and growth—not preventing brand impersonation at scale. That imbalance creates an opportunity for bad actors to move faster than defenses, spinning up convincing fake brands before victims or companies can react.”

Site generators allow cloned branding of well‑known companies with no verification, publishing flows skip identity checks, and moderation either fails quietly or only reacts after an abuse report. Some builders let anyone spin up and publish a site without even confirming an email address, making it easy to burn through accounts as soon as one is flagged or taken down.

To be fair, there are signs that some providers are starting to respond by blocking specific phishing campaigns after disclosure or by adding limited brand-protection controls. But these are often reactive fixes applied after the damage is done.

Meanwhile, attackers can move to open‑source clones or lightly modified forks of the same tools hosted elsewhere, where there may be no meaningful content moderation at all.

In practice, the net effect is that AI companies benefit from the growth and experimentation that comes with permissive tooling, while the consequences is left to victims and defenders.

We have blocked the domain in our web protection module and requested a domain and vendor takedown.

How to stay safe

End users cannot fix misaligned AI incentives, but they can make life harder for brand impersonators. Even when a cloned website looks convincing, there are red flags to watch for:

  • Before completing any payment, always review the “Pay to” details or transaction summary. If no merchant is named, back out and treat the site as suspicious.
  • Use an up-to-date, real-time anti-malware solution with a web protection module.
  • Do not follow links posted in comments, on social media, or unsolicited emails to buy a product. Always follow a verified and trusted method to reach the vendor.

If you come across a fake Malwarebytes website, please let us know.


We don’t just report on threats—we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your, and your family’s, personal information by using identity protection.

❌