Normal view

Scams in messengers: exposing the global scam-cartels exploiting everyday messagesng-heist | Kaspersky official blog

1 June 2026 at 09:00

It starts with the familiar: a short message, a trusted name, a routine tone. Delivery updates, work pings, brand alerts hum in the background, rarely attracting scrutiny. You check, you answer… — until minutes later you’ve slipped into a trap built to lower your guard and hijack your trust.

That’s why messaging scams cut deep: they exploit everyday habits where instinct, not caution, leads. Communication once moved slowly, leaving room for doubt. Now it’s instant — and that speed is a weapon in criminal hands.

On our blog, we’ve already examined numerous scam schemes in messaging apps — from pig butchering, where the victim is groomed for a very long time, or catfishing, where the scammer creates a fake identity, to phishing via chatbots or through gift-giving campaigns in messaging apps.

Now, for the first time, Kaspersky has set out to capture the full end-to-end reality of messaging-based scams to understand how quickly harm occurs, how they impact trust and what remains after the interaction ends. What emerges is a highly organized and industrialized scam ecosystem embedded within everyday messaging channels such as SMS, WhatsApp, and email.

Kaspersky experts have prepared a report on targeted scams in messaging apps, detailing not only the financial but also the emotional damage caused by such attacks, as well as providing tips on how to protect yourself and avoid them. In this post, we explore the most interesting facts, but you can find more details in the full report.

The damage is underestimated

How much do you think a single successful attack via a messaging app costs the average victim? Ten dollars? Or maybe 50? You’re underestimating the scammers. Although more than a third (36%) of victims incur losses of less than $135, on average a victim loses… $733!

Country Average loss per victim
Senegal $392.94
Serbia $493.32
Morocco $504.28
Greece $609.32
United Kingdom $617.38
Côte d’Ivoire $654.11
Spain $672.67
United States $724.73
Portugal $868.20
Italy $896.02
France $1,193.58
Germany $1,369.35

The average amount lost by a victim in a successful attack via a messaging app

On the one hand, the financial hit doesn’t look catastrophic in isolation. These are micro-losses by design. Small enough that some never report them to the police. Small enough that banks don’t always investigate. Small enough to be dismissed as bad luck rather than organized crime.

But $733 is not nothing. It’s enough to cover a month’s worth of groceries, school or daycare fees, or utility bills. Against the backdrop of the global cost-of-living crisis, a single such loss can seriously dent a family’s budget.

In 11% of cases, losses exceed $1,350, and more than a quarter of victims (28%) report having been scammed three or more times in the past six months. Once scammers discover that a phone number responds, that contact becomes an asset, circulating from one database to another.

Now imagine the scale of the problem: if just 10% of the three billion messaging‑app users worldwide fell victim with the average loss, the total damage would amount to… nearly $220 billion! This is comparable to the GDP of Greece, and exceeds that of Morocco, Serbia, or Côte d’Ivoire.

It becomes clear that behind the daily flood of fraudulent schemes lie large scam cartels operating on an industrial scale, using AI to personalize messages that mimic those of family members, friends, and familiar brands. This, in essence, forms the basis of a full-fledged economy built on digital identity theft.

Scam gangs cash in on your money worries, using AI to drain your wallet in minutes

Speed beats scrutiny

More than half of successful messaging scams (52%) unfold in under 30 minutes — from first contact to the moment money or personal data changes hands — or even faster, before the victim begins to doubt the legitimacy of the sender. In fact, one in seven scams takes less than five minutes — quicker than boiling an egg!

The speed isn’t accidental. It’s the method. Scammers structure their schemes to deny the victim a chance to come to their senses. Every element is engineered to compress the decision-making window: the urgency of the scenario, the familiarity of the format, the plausibility of the request.

They rush you — faster, faster, don’t tell anyone, you only have a few minutes, solve the problem, don’t ask questions. Click the link, fill in the details, approve the transaction, or else… Or else what? The scammers’ imagination knows no bounds here, but if you don’t do something right now, you’ll definitely regret it.

Alas, the realization of what has happened usually comes when the damage is already irreversible. More than half of victims (51%) lose money; another 43% hand over their personal data — most commonly phone numbers, names, and email addresses — to scammers, and often the victim loses both.

Where and how attacks occur

A delivery notification, a bank alert, a message from a merchant you ordered from last week — messaging apps permeate every aspect of everyday life, making such interactions completely normal. An attack shouldn’t feel like an attack. It should feel like the same message you’ve received hundreds of times.

It’s no surprise that scammers focus their attention on this method of communication first and foremost. The most popular platforms for scams are predictable: WhatsApp (43%), SMS/iMessage (40%), Facebook (27%), Telegram (22%), and Instagram (19%) — these are the ones that people trust most.

A wide variety of schemes is used. Brand impersonation is now one of the three most common types of messaging scam worldwide — accounting for 31% of cases. Fake delivery notifications top the list at 38%, followed by investment scams at 37%.

At the same time, nearly two-thirds (63%) of fraudulent schemes span multiple platforms, moving from SMS to WhatsApp, from WhatsApp to Telegram, etc. In this way, scammers achieve two goals: they mimic organic messaging and evade moderation algorithms.

AI has taken scams to a new level

Just a couple of years ago, fraudulent messages gave themselves away with bad grammar, awkward phrasing, illogical requests, and an obsessive sense of urgency. Today, a phishing message looks, sounds, and reads just like the real thing.

Scam cartels want to catch people in motion — between meetings, on a commute, or during everyday tasks — when your attention is already fragmented. They mimic your mother’s turn of phrase. They match your bank’s tone of voice. They copy your courier’s format exactly. They mirror the rhythm, structure, and style of authentic brand communications across messaging platforms. And AI is accelerating all of it.

What this creates is overlap. Legitimate and fraudulent messages appear in the same environment, using the same formats, language, and triggers. The difference between them is no longer obvious.

The data shows that two-thirds of victims (66%) believe AI was used in the scam against them, 42% cite messages written by AI, 31% report generated or cloned voices, and 25% encountered deepfake images or videos.

That’s why mere awareness and “tech-savviness” may no longer be enough to protect oneself. From Gen Z to Gen X, messaging scams cut across every generation.

And what about the emotional toll?

But money is far from the only problem a victim is left with after an attack. After what they’ve been through, people develop distrust toward incoming messages, unfamiliar numbers, and any requests for action. As a result, 99% of fraud victims say they no longer trust incoming notifications in messaging apps.

This creates a crisis of trust in all digital channels in general. Every legitimate message can now be perceived as a scam. Brands, banks, and delivery services are forced to operate in an environment where the customer is, by default, in a state of distrust.

Dr. Elizabeth Carter, a forensic linguist and criminologist at Kingston University in London, notes that scammers use familiar contexts, common social settings and embedded linguistic norms to create the illusion for the victim that their decision-making is rational and reasonable in the moment. However, what is actually happening is that they construct false realities in which those decisions end up causing financial and psychological harm. She also notes that it is very hard to identify a false reality while you are in it.

After realizing they had been deceived, more than half of victims felt anger — the kind that comes from having trusted something and discovering it was used against you. 42% of victims report frustration, 38% — feeling upset. Moreover, several months later, these feelings haven’t gone away: nearly half of all victims (48%) are still angry, a third (33%) remain frustrated, and 30% are upset.

And nearly one in 10 victims don’t tell anyone what happened. They feel shame, a sense of having fallen for something so obvious. This leaves a significant portion of the actual damage unreported: only 24% of victims contact the police, and only 23% report it to their bank.

Messaging scams aren't just a personal problem, they're bleeding the world economy dry

So what can be done?

The crisis of trust — and even a touch of paranoia — that has arisen due to widespread attacks on users can linger in victims’ minds for a long time, affecting their quality of life. To prevent this, follow these guidelines:

  • Pause before you act. The sense of urgency you feel is almost always artificial. A legitimate bank, retailer, or delivery service won’t penalize you for taking 30 seconds to verify before clicking a link or confirming details. It’s precisely this instinct to resolve the situation quickly that scammers are counting on.
  • Verify through another channel. If a message appears to be from a relative, colleague, or company you trust — contact them through another channel before taking any action. Use secure verification methods, and cross-check identities when something doesn’t feel right. For families, agreeing on a “safe word” in advance can defeat even the most convincing voice clones.
  • Use a password manager. It will not only help you generate strong, unique passwords for all your accounts and store them securely, syncing them across all your devices, but also protect you from spoofed sites. Even if you click a phishing link and land on such a site, our password manager will notify you about the domain mismatch and refuse to autofill your username and password.
  • Use protection that works in real time. Modern security solutions, such as Kaspersky Premium, provide real-time protection against malicious links and phishing attempts in the apps and websites you use every day. On Android devices, a dedicated layer of anti-phishing security scans and neutralizes suspicious links as they appear, even within notifications, before you even have a chance to click them.

We’ve covered other threats in messaging apps in similar articles:

How to manage subscriptions securely | Kaspersky official blog

15 May 2026 at 19:10

Have you ever tried to tally up how much you spend on subscriptions each month? Music, movies, gaming, language courses, delivery services, heated seats, and even the ability to chat with the Grok bot directly from your car — there’s a subscription for just about everything now. There’s even a subscription service specifically designed to… track your other subscriptions.

The number of subscriptions varies significantly depending on where you live, but statistically, 78% of adults worldwide have at least one paid subscription, with the average user juggling 5.6 active services. Furthermore, a large portion of these are family plans used by groups of close relatives… and sometimes other people: 37% of users share their subscriptions outside their immediate family.

Because subscription accounts, especially family plans, often contain sensitive personal data, they’ve become a prime target for cybercriminals. Today we look at how to manage your subscriptions securely, avoid having your accounts compromised, and keep from falling for scammers’ latest tricks.

Security of shared accounts and subscriptions

Why would anyone want to hack your subscription? Even if the service only offers entertainment, your account almost certainly contains sensitive information: your name, address, email, phone number, the names of other members, and other personally identifiable information. This data is then sold on the dark web and used for further attacks.

Attackers compromise subscription accounts either through social engineering and phishing, or by taking advantage of many users’ reliance on weak or leaked passwords. As we recently highlighted in our research, nearly half of all passwords worldwide can be cracked in less than a minute. Scammers then either resell existing subscriptions or slots in a family group at a discount, or they sign the victim up for new services, hoping the extra charges go unnoticed.

Finally, some middlemen don’t bother with hacking at all; they simply buy bulk subscriptions for a large number of devices, where the per-unit cost is typically much lower. They then resell individual slots in these plans on online marketplaces. As a result, a single “family” account can end up filled with people who are complete strangers to one another.

Sharing subscriptions with family and others

Many subscription owners think nothing of sharing access with family and friends. What could possibly go wrong?

The worst-case scenario from a security standpoint is when a single account is purchased and the owner shares the login and password with other users. This usually happens when people try to save money on a family plan by buying an individual subscription and sharing it. Some services even allow for different profiles, but they are all tied to a single account, meaning the credentials are shared. This is how streaming platforms like Hulu and Disney+ operate.

Sharing one account among multiple people significantly increases the risk of your credentials falling into the wrong hands. There’s no way to guarantee that everyone else is storing those details securely or that their devices aren’t infected with malware. Even without malware, it’s incredibly easy to accidentally hand over a password to attackers simply by signing in to the subscription service over unprotected public Wi-Fi.

It’s entirely possible that the password you kindly shared with some friends has already surfaced in some corner of the dark web, and you may soon lose access to your account. Furthermore, if you reuse the same password across different sites and apps, your other accounts are now in the crosshairs as well.

The second scenario is when each group member has an individual account. Many services now allow you to add extra users to a subscription at no additional cost, and most owners are happy to give away these free slots. Even then, you shouldn’t let your guard down: a breach of just one of these accounts can still leak sensitive information, such as family members’ names, addresses, billing info, and other subscription-related data.

How to protect your subscriptions (and your wallet)

To keep your and your loved ones’ personal data private and your accounts under your control, follow these simple rules.

Use strong account security

To do this, learn — and teach your friends and family — how to use password managers, two-factor authentication, or passkeys.

If you and your loved ones rely on memory to store passwords, there’s a high probability that you’re reusing the same one across multiple services. This is a major blunder: data breaches happen all the time, and a single compromised password gives attackers access to your other accounts.

The simplest solution is to use a password manager that generates and remembers complex, unique passwords for every site and service on your behalf. All you have to do is remember the single main password for its encrypted vault. Additionally, Kaspersky Password Manager doesn’t just store and create passwords; it can also check if they’ve appeared in leaked databases, and sync your credentials across all your devices.

Additionally, a password manager provides a robust defense against phishing: unlike a human, who can easily be misled by a sign-in form that looks almost identical to the real thing and is hosted on a look-alike domain, a password manager won’t fall for the trick. It’ll only offer to autofill your saved login and password on the specific site or service for which they were originally stored.

Avoid using browsers to store your passwords: unfortunately, attackers have long figured out how to extract browser-saved passwords in a matter of seconds.

Two-factor authentication (2FA) is an extra layer of verification the system requests after you enter your password — such as an SMS code or a one-time code from an authenticator app. Whenever technically possible, be sure to enable 2FA on every account linked to a subscription. This applies to the subscription services themselves, as well as any third-party accounts you use to sign in, such as Google, Apple, or Facebook.

We recommend storing your two-factor authentication tokens and generating the one-time codes — which refresh every 30 seconds — inside Kaspersky Password Manager. This significantly lowers the chances of someone hijacking your account. Even if an attacker somehow discovers or guesses your password, they won’t be able to get the code without physical access to your device.

Finally, you can ditch passwords (almost) entirely by switching to passkeys. We’ve previously covered what this password alternative looks like and the specifics of using it. Currently, this is the most breach-resistant authentication system out there. Its main drawback has been the difficulty of syncing passkeys across different ecosystems, like Windows and iOS, but the updated version of Kaspersky Password Manager can now save and sync passkeys across Windows, macOS, iOS, and Android devices, making that issue a thing of the past.

Don’t overlook device security

Even a complex password and 2FA aren’t reasons to let your guard down. An attacker can infect your device with an infostealer: malware designed to swipe things like session cookies from your browser, app configuration files, and other sensitive data. Session cookies allow you to stay signed in without re-entering your credentials every time; however, if scammers get their hands on them, they can sign in to the service as you — even without knowing your username or password. This makes a proactive approach essential, especially if you use Chrome, Edge, Opera, or other Chromium-based browsers on Windows. We recommend installing Kaspersky Premium on all your devices; it includes Kaspersky Password Manager in addition to comprehensive protection against cyberthreats.

Only share subscriptions with people you trust

Otherwise, you might be asking for trouble. For example, if you share a Steam subscription with a friend who cheats, both of your accounts could end up banned. Furthermore, never try to let someone else into your personal account or individual subscription. Sharing your password with others is usually a violation of the terms of service, and can result in your account being blocked.

Make sure there are no strangers in your family group

To do this, periodically check active devices and sessions in your subscription settings. If you see an unrecognized device in the authorized list, terminate that session — or all of them — and change your account password immediately. Signing back in on a few devices is much easier than trying to recover a hijacked account.

And remember: don’t let your own habits compromise your security. If you’re visiting friends, on vacation, or on a business trip and use a local computer or smart TV — or if you sign in to your account from a public computer — don’t forget to sign out when you’re done. Otherwise, the next person to use that device might find themselves with free subscriptions or, even worse, access to your email or cloud photo stream.

Don’t take the bait

Watch out for phishing emails and messages spoofing legitimate services. If you receive a notification about a “need to update your billing details”, or a claim that a “new user has been added” to your family plan, don’t rush to click any links or open attachments. Links can lead to a phishing page, and attachments may hide malware. Scammers often use email addresses and domains that look nearly identical to the real ones — for instance, by swapping l (lowercase L) for I (uppercase i), or using a familiar name in a different domain zone.

Unfortunately, phishing pages are often indistinguishable from the originals now that AI is being used for high-quality design and layout. Since spotting every red flag yourself is increasingly difficult, it’s best to delegate anti-phishing protection to Kaspersky Premium. It will alert you to suspicious sites, saving your money and keeping your peace of mind.

Lastly, some scammers lure users in with freebies like fake gift subscriptions for Telegram Premium. The victim is asked to visit a phishing page mimicking the Telegram login screen and sign in to their account to claim the gift. The result isn’t hard to guess: instead of a premium subscription — a hijacked account. Recently, scammers have even learned to use mini-apps to steal credentials directly inside Telegram under various pretexts — ranging from gift giveaways to claims that you must move to a new chat because the old one was blocked.

Avoid buying subscriptions from third-party sellers

You can often find subscription offers on marketplaces and retail platforms at prices significantly lower than what the official provider charges. More likely than not, that tempting price hides a hacked account or a family group that you could be kicked out of at any moment, because the family admin is either the seller or a random user. Furthermore, sharing a family plan with strangers from around the world is a violation of terms for many services.

How to get rid of unwanted subscriptions

Now that we’ve covered subscription security, what about those extra subscriptions that quietly eat away at your balance every month? Research shows that users typically underestimate how many active subscriptions they have and how much they spend on them; they also frequently forget to cancel auto-renewals for subscriptions they no longer use, or auto-charges after the trial period ends.

If you suspect you’re in that boat, start your investigation with your own bank statements. Recurring charges for the same amount can be a subscription you’ve forgotten about. Check who received the payment; if the name doesn’t ring a bell, do an online search on the company. It’s also worth searching your email box for the merchant name or the payment amount; this can help you track down subscription notifications and figure out what exactly you’re paying for. And don’t forget to check your spam folder, as that’s where subscription alerts often end up.

Now, let’s look at how to check and cancel active subscriptions purchased through the App Store and Google Play.

For Android users

  1. Open Settings on your device.
  2. Tap Google, then tap your profile picture, and go to Google Account.
  3. Go to Wallet & subscriptions.

If you’re the family group manager, you’ll be able to see the purchase history for other family members.

For iOS users

  1. Open Settings on your device.
  2. Tap your profile picture at the top of the menu.
  3. Go to Subscriptions.

Note: to manage your iCloud subscription, you’ll need to go to the specific iCloud section located just below Subscriptions. In the Family Sharing section, if you’re the one who set it up, you can view the subscription and purchase history for all family members.

Read more on subscriptions:

Supply chain attack via DAEMON Tools | Kaspersky official blog

5 May 2026 at 14:09

Our experts have discovered a large-scale supply chain attack via DAEMON Tools – software for emulating optical drives. The attackers managed to inject malicious code into the software installers, and all trojanized executable files are signed with a valid digital signature of AVB Disc Soft – the developer of DAEMON Tools. The malicious version of the program has been circulating since April 8, 2026. At the time of writing, the attack is still ongoing. Researchers at Kaspersky believe this is a targeted attack.

What are the risks of installing the malicious version of DAEMON Tools?

After the Trojanized software is installed on the victim’s computer, a malicious file is launched every time the system starts up – sending a request to a command-and-control server. In response, the server may send a command to download and execute additional malicious payloads.

First, the attackers deploy an information gatherer that collects the MAC address, hostname, DNS domain name, lists of running processes and installed software, and language settings. The malware then sends this information to the command-and-control server.

In some cases, in response to the collected information, the command server sends a minimalistic backdoor to the victim’s machine. It’s capable of downloading additional malicious payloads, executing shell commands, and running shellcode modules in memory.

The backdoor can be used to deploy a more sophisticated implant dubbed as QUIC RAT. It supports multiple communication protocols with the command-and-control server, and is capable of injecting malicious payloads into the notepad.exe and conhost.exe processes.

More detailed technical information, along with indicators of compromise, can be found in the experts’ article on the Securelist blog.

Who’s being targeted?

Since early April, several thousand attempts to install additional malicious payloads via infected DAEMON Tools software have been detected. Most of the infected devices belonged to home users, but approximately 10% of installation attempts were detected on systems running in organizations. Geographically, the victims were spread across around a hundred different countries and territories. Most victims were located in Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China.

Most often, the attack was limited to installing an information collector. The backdoor infected only a dozen machines in government, scientific, and manufacturing organizations, as well as in retail businesses in Russia, Belarus, and Thailand.

What exactly was infected

The malicious code was detected in DAEMON Tools versions ranging from 12.5.0.2421 to 12.5.0.2434. The attackers compromised the files DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe, which are installed in the main DAEMON Tools directory.

Updated on March 6: Following disclosure, the vendor acknowledged the issue and published a new version of the software to address it. The updated DAEMON Tools version 12.6.0.2445 no longer shows the malicious behavior described in this article.

How to stay safe?

If DAEMON Tools software is used on your computer (or elsewhere in your organization), our experts recommend thoroughly checking the computers on which it is installed for any unusual activity starting from April 8.

In addition, we recommend using reliable security solutions on all home and corporate computers used to access the internet. Our solutions successfully protect users from all malware used in the supply chain attack via DAEMON Tools.

Fake BTS ARIRANG tour tickets: K-pop fans being targeted by scammers | Kaspersky official blog

9 April 2026 at 12:46

BTS, a global K-pop phenomenon, has recently made a comeback from an almost four-year hiatus: the members of the group were completing mandatory military service in South Korea. For this reason it comes as no surprise that cybercriminals have taken advantage of the band’s highly anticipated world-tour — ARIRANG — to launch a campaign of fake websites targeting fans eager to buy tickets.

We’ve identified at least 10 fraudulent domains that mimic the official pre‑sale pages for the band’s concerts in Argentina, Brazil, Chile, Colombia, France, Mexico, Peru, Portugal, and Spain — all created in early April. We explain how the scammers operate, and how to avoid buying fake tickets.

How the fake ticket scam works

Due to the high demand for the world-tour tickets, some of the event organizers prepared additional measures to ensure there are no ticket scalpers. In Brazil, the ticketing services adopted a “pre‑booking” format: the user first makes an online reservation, and then pays in person at the box office. Although in essence a good idea, the change has caused confusion among fans and created an opportunity for criminals to commit fraud.

Scammers create pages that are nearly identical to the official ones, replicating the layout, design, and the entire purchasing journey. For ordinary users, the experience seems completely legitimate. The links to these websites are circulating on social media — mainly on Instagram.

In Brazil, victims are prompted to make payments via PIX — an instant payment system operated by the Central Bank of Brazil. In some cases, the sites even simulate a card‑payment option, but claim high demand or system errors to pressure users into choosing PIX. PIX payments are then directed to money mule accounts — making it difficult to recover the funds.

Scam websites sell fake BTS tickets in Brazil
Fake website imitating the Brazilian Ticketmaster. The design is almost indistinguishable from the original
Scam websites sell fake BTS tickets in Brazil
This fake Brazilian website makes it seem as if the user can choose between card payment and instant payment. In reality, choosing the bank card option always results in fake “errors”. In the end, the victim is left with no choice but to pay via the PIX system
Weverse scam website targeted at Mexican fans
This scam page targeted at Mexican fans is selling a fake BTS membership. It’s a fraudulent copy of Weverse — a legitimate website that hosts K-pop communities and sells fan-club memberships
Fake tickets sold for BTS on a fraudulent Ticketmaster
This is the French version of a fake Ticketmaster

The scam is a perfect example of how social engineering works. It exploits a massive and highly engaged fanbase — leading many users to act impulsively. The fake “errors” that the website displays during payment create a sense of urgency and cause panic — the scammers are well aware of how quickly BTS tickets sell out. In addition, doubts about the new purchasing system established by the event organizers help criminals make fake websites even more convincing.

How to protect yourself from ticket scams

If you really want to get tickets to your favorite group’s concert but not fall victim to the scammers, it’s important to keep these basic cybersecurity rules in mind:

  • Access only official ticketing services, which you can find on the official page dedicated to BTS’s tour. Type the website address directly into your browser, and avoid links received via messages, social media, or email.
  • Check the domain carefully. Slight changes in the address often indicate fraud. This includes additional dashes, unusual territorial domains, and hardly-noticeable changes like replacing a lowercase “l” (L) with an uppercase “I” (i).
  • Check the website for Privacy Policy and Terms of Use pages. If they’re missing, you’re definitely visiting a fake website. But remember: their presence doesn’t guarantee that the site is legitimate. With modern AI, generating such pages takes only a few seconds.
  • Carefully check the sales format for each country. In Brazil, payment should only be made in person, so any request for online payment during the pre‑sale is a strong indication of a scam. Other countries and event organizers may offer online payments.
  • If you’ve been scammed, immediately contact your bank. If you provided bank card information to the criminals, you should reissue your card to prevent further unauthorized payments.
  • Enable banking alerts. Real-time notifications allow you to quickly identify suspicious transactions.
  • Use cybersecurity protection that detects and automatically blocks fraudulent websites. Kaspersky Premium, our robust cybersecurity solution, also shuts down phishing attempts, protects your personal data, and helps safeguard your identity.
  • Beware of “free” or “discounted” tickets. Ultimately, there’s never such a thing as a free lunch — especially when it comes to world‑famous music groups.

More on scams:

The dangers of telehealth: data breaches, phishing, and spam | Kaspersky official blog

7 April 2026 at 15:48

April 7 marks World Health Day. The theme for 2026 is “Together for health. Stand with science” — a call to join forces in the fight for evidence-based medicine and scientific progress. Many people view telehealth as one of the crowning achievements of this progress: you can basically get a doctor’s consultation in five minutes without ever leaving your couch. But there’s a catch…

Medical data sells on the black or gray markets for dozens of times more than credit card info or social media logins. Unlike a credit card, which you can just block and replace, you can’t exactly reset your medical history. Your name, birthday, address, phone number, insurance ID, diagnoses, test results, prescriptions, and treatment plans stay relevant for years. This is a goldmine for everything from targeted marketing to blackmail, fraud, or identity theft.

And with the rise of AI, the internet is now flooded with fake websites that claim to offer medical services but are actually designed to strip-mine confidential info from unsuspecting victims. Today, we’re diving into which medical details are at risk, why hackers want them, and how you can stop them in their tracks.

More valuable than credit cards

Scammers monetize stolen medical data both in bulk and through individual sales. Their first move is usually to extort a ransom from the companies they’ve successfully hacked. (In fact, back in 2024, 91% of malware-related healthcare data leaks in the U.S. were the result of ransomware attacks.) But later, the leaked data is then used for pinpointed, personal attacks. It allows hackers to build a medical profile of a victim — what meds they buy, how often, and what they take long-term — to then sell that info to big pharma or marketers, or to use it for targeted phishing scams like pitching a fake innovative treatment. They can even blackmail a patient over a sensitive diagnosis or use the info to fraudulently score prescriptions for controlled substances. On top of that, insurance companies are also hungry for this kind of data. They analyze these details to hike up insurance premiums for patients or, in some cases, refuse to provide coverage altogether. In short, there are plenty of ways they can use it against you.

How bad is it really?

The biggest medical data breach in history went down in February 2024, when the BlackCat hacking group broke into the systems of Change Healthcare. This is a division of UnitedHealth Group, which processes around 15 billion insurance transactions a year and acts as the financial middleman between patients, healthcare providers, and insurance companies.

For nine days, the attackers roamed freely through Change Healthcare’s internal systems, siphoning off six terabytes of confidential data before finally launching their ransomware. UnitedHealth was forced to completely yank Change Healthcare datacenters offline to stop the encryptor from spreading, and they ended up paying a 22-million-dollar ransom to the extortionists. The attack effectively paralyzed the U.S. healthcare system. The number of victims was revised three times: first 100 million, then 190 million, and the final tally hit a staggering 192.7 million people, with total damages estimated at 2.9 billion dollars. And the reason (on the Change Healthcare’s side) for this massive incident — which we broke down in detail in a separate post — was simply… a lack of two-factor authentication on a remote desktop access portal.

Before that, the mental health telehealth startup Cerebral embedded third-party tracking tools directly into its website and apps. As a result, the data of 3.2 million patients — including names, medical and prescription histories, and insurance info — leaked out to LinkedIn, Snapchat, and TikTok. The U.S. Federal Trade Commission slapped the company with a 7.1-million-dollar fine, and issued an unprecedented ban on using medical data for advertising purposes. By the way, that same startup also made the headlines for sending its clients promotional postcards without envelopes, displaying patient names and phrasing that made it easy for anyone to figure out their diagnosis.

Why telehealth is so vulnerable

Let’s take a look at the main weak spots in telehealth services.

  • Ad trackers in medical apps. Trackers from Facebook, TikTok, Snapchat, and other tech giants are often baked right into telehealth platforms, leaking patient data to advertisers without users ever knowing.
  • Unsecured communication channels. Sometimes doctors chat with patients through regular messaging apps instead of certified medical platforms. It’s convenient, sure, but it’s illegal for the clinic and totally unsafe for the patient.
  • Platform vulnerabilities. Telemedicine platforms are prone to classic web attacks, such as SQL injections that let hackers dump entire patient databases, session hijacking, and data interception when connection encryption is weak or nonexistent.
  • Poor staff training. Our research showed that 30% of doctors have dealt with compromised patient data specifically during telehealth sessions, and 42% of medical staff don’t actually understand how their patients’ data is being protected.
  • Outdated medical devices. Many wearable medical gadgets (like heart monitors or blood pressure cuffs) use an old data transfer protocol called MQTT. It’s full of holes that could potentially allow hackers to steal sensitive info or even mess with how the device functions.

Spam and phishing in telehealth

Hackers aren’t the only ones interested in the medical field — spammers and scammers are all over it, too. They pitch “medical services” with deals that look way too good to be true, send out emails about supposed changes to your health insurance, or talk up “ancient Himalayan healing traditions”. Of course, all the links they send lead to suspicious websites offering dubious goods or services.

Spam email appearing to be from Medicare, the U.S. national health insurance program
Spam posing as Medicare, the U.S. national health insurance program. The user is informed falsely that their insurance terms have changed in an attempt to lure them to a fake website
Scammers advertising miraculous Himalayan traditions for treating diabetes
CURING DIABETES IS EASY: All you have to do is… Scammers are promoting some kind of miraculous Himalayan tradition for treating diabetes. But losing your money is the only thing guaranteed here!
Dubious ad for a remedy for a fungal infection with a 70% discount
And of course, we can't forget the classic "miracle cure" for a fungal infection — now with a 70% discount, naturally.

Should you land on such a phishing site, scammers will try to squeeze every bit of private info they can out of you: photos of your ID, insurance policy, prescriptions, and sometimes even… photos of body parts that supposedly need medical attention. From there, this data can be dumped and sold on the dark web — or used for blackmail, extortion, and follow-up phishing attacks. To learn more about how the underground data assembly line works, check out our post, What happens to data stolen using phishing?

Fake clinic website with a convincing design
A fake clinic website with a pretty convincing look. Scammers even created pages for "medical staff", "departments", and "research". However, for some reason, you won't find a privacy policy or terms of use anywhere on this site
An AI diagnostic tool collects a wealth of personal data
Another suspicious website offers AI diagnostics, asking for a ton of personal info: full name, phone number, email, requested medical services, medical history, and current medications
Scam site offering visual health screening by analyzing uploaded photos of the tongue and eyes
This scam site offers users "visual health screening using AI" — all you have to do is upload photos of your tongue and eyes! Just a reminder: retinal scans are sometimes used for biometric authentication

As a rule of thumb, fake clinic sites usually skip the privacy policy section, and bombard you with “today only” deals that seem too good to be true. That said, with the help of AI, creating a professional-looking site that’s indistinguishable from the real thing is now a total breeze: you don’t even need design skills or fluency in the victim’s language. That’s exactly why we recommend using our comprehensive security suite — it’s designed to sniff out spam, scams and phishing, and warn you about fake websites before you land on them.

Safety tips for telehealth patients

  • Set up a dedicated email address for medical services. If this address leaks because a clinic gets hacked, it makes it much harder for scammers to track the rest of your digital life.
  • Avoid using Google, Apple, or social media sign-in for telehealth sites. Keeping things separate makes it way tougher to link your medical data to your personal accounts.
  • Double-check which platform is being used for your consultation. If the clinic suggests a call or chat through a standard messaging app, that’s a red flag. A secure, encrypted patient portal provided by the clinic is significantly safer.
  • Never send medical documents via chat apps or social media. Always upload lab results, scans, and records through the clinic’s official patient portal.
  • Use a unique, complex password for every account. Your government portal, clinic login, and doctor-booking app should each have a separate password. Kaspersky Password Manager can generate and store all of them for you; it also regularly scans leak databases, and alerts you if any of your accounts are compromised.
  • Turn on two-factor authentication. Do this first of all for government services and medical organizations. We recommend using an authenticator app rather than SMS codes: it’s more secure and totally anonymous. Kaspersky Password Manager can help you out here, too.
  • Share only what’s necessary. Don’t feel obligated to fill out every optional field in medical apps or on websites. The less data a service stores, the less there is to leak.
  • Be careful about sharing health info on social media or in chat apps. Scammers love to exploit people when they’re vulnerable. For instance, in 2024, hackers gained the trust of the XZ Utils developer who had publicly posted about burnout and depression. They convinced him to hand over control of his tool, which they then loaded with malicious code. Since XZ Utils is used in tons of Linux systems and affects OpenSSH (a protocol for remote server connections), the attack could have wrecked a huge chunk of the internet if it hadn’t been caught in time.
  • Don’t install telehealth apps from unknown developers. Check the reviews and take a minute to skim the privacy policy — even major platforms might be sharing your data with third parties.
  • Keep an eye on your medical records. Strange prescriptions, doctor visits you never made, or meds you’ve never heard of can all be signs that your account has been compromised.
  • Configure and regularly update your health gadgets. Fitness trackers, blood pressure monitors, smart scales, and activity trackers all send data to the web. Improper settings or unpatched vulnerabilities are an open door for data breaches.

What else you need to know about protecting your health online:

Ransomware attacks on schools and colleges | Kaspersky official blog

6 March 2026 at 18:30

Back when ransomware was just a startup industry, the primary goal of the attackers was simple: encrypt data, then extort a ransom in exchange for decrypting it. Because of this, cybercriminals mostly targeted commercial enterprises — companies that valued their data enough to justify a hefty payout. Schools and colleges were generally left alone — hackers assumed educators didn’t have the kind of data worth paying a ransom for.

But times have changed, and so has the ransomware groups’ business model. The focus has shifted from payment for decryption, to extortion in exchange for non-disclosure of stolen data. Now, the “incentive” to pay isn’t just about restoring the company’s normal operations, but rather avoiding regulatory trouble, potential lawsuits, and reputational damage. And it’s this shift that’s put educational institutions in the crosshairs.

In this post, we discuss several cases of ransomware attacks on educational organizations, why they took place, and how to keep cybercriminals out of the classroom.

Attacks on educational institutions in 2025–2026

In February 2026, the Sapienza University of Rome, one of Europe’s oldest and largest higher education institutions, suffered a ransomware attack. Internal systems were down for three days. According to sources familiar with the incident, the cybercriminals sent the university’s administration a link leading to a ransom demand. Upon clicking the link, a countdown timer started on the site that opened — counting down from  72 hours: the time the attackers demands needed to be met. As of now, there’s still no word on whether the university administration paid up or not.

Unfortunately, this case isn’t an exception. At the very end of 2025, attackers targeted another Italian educational institution — a vocational training center in the small city of Treviso. Things aren’t looking much better in the UK, either: in the same year, Blacon High School was hit by ransomware. Its administration had to shut its doors for two days to restore its IT systems, assess the scale of the incident, and prevent the attack from spreading further through the network.

In fact, a UK government study suggests these incidents are just part of a broader trend. According to its 2025 data, cyberincidents hit 60% of secondary schools, 85% of colleges, and 91% of universities. Across the pond, American researchers also noted that in the first quarter of 2025, ransomware attacks in the global education sector surged by 69% year on year. Clearly, the trend is global.

Why schools and universities are becoming easy targets

The core of the problem is that modern educational organizations are rapidly incorporating digital services into their operations. A typical school or university infrastructure now manages a dizzying array of services:

  • Electronic gradebooks and registers
  • Distance learning platforms
  • Admission systems and databases for storing applicants’ personal data
  • Cloud storage for educational materials
  • Internal staff and student portals
  • Email for faculty, students, and the administration to communicate

While these systems make education more convenient and manageable, they also drastically expand the attack surface. Every new service and every additional user account is a potential doorway for a phishing campaign, access compromise, or a personal data leak.

According to a UK study, the primary vector for these attacks is basic phishing. But that’s not all that surprising: since the education sector was off the cybercriminals’ radar for so long, cybersecurity training for both staff and students was hardly a priority. As a result, even the most seasoned professors can find themselves falling for a fake email purportedly sent by the “dean” or the “school principal”.

But it’s not just the faculty. Students themselves often unwittingly act as mules for malware. In many institutions, students still frequently hand in assignments on USB flash drives. These drives travel across various home or public devices, picking up malicious digital hitchhikers along the way. All it takes is one infected USB drive plugged into a campus workstation to give an attacker a foothold in the internal network.

It’s worth noting that while USB drives aren’t as ubiquitous as they were a decade ago, they remain a staple in the educational environment. Dismissing the threats they carry isn’t a good idea.

How to ensure the cybersecurity of educational infrastructure

Let’s face it: training every literature and biology teacher to spot phishing emails is now easy, quick task. Similarly, the educational system isn’t going to cut down on USB usage overnight.

Fortunately, a robust security solution (such as Kaspersky Small Office Security) can do the heavy lifting for you. It’s ideal for schools and colleges that need set-it-and-forget-it protection without a steep learning curve. Plus, it’s affordable even for institutions operating on a tight budget, and doesn’t require constant management.

At the same time, Kaspersky Small Office Security addresses all the threats we’ve discussed above: it blocks clicks on phishing links, automatically scans USB drives the moment they’re plugged in, and prevents suspicious files from executing on devices connected to the school’s network.

AI assistant in Kaspersky Container Security

3 March 2026 at 17:13

Modern software development relies on containers and the use of third-party software modules. On the one hand, this greatly facilitates the creation of new software, but on the other, it gives attackers additional opportunities to compromise the development environment. News about attacks on the supply chain through the distribution of malware via various repositories appears with alarming regularity. Therefore, tools that allow the scanning of images have long been an essential part of secure software development.

Our portfolio has long included a solution for protecting container environments. It allows the scanning of images at different stages of development for malware, known vulnerabilities, configuration errors, the presence of confidential data in the code, and so on. However, in order to make an informed decision about the state of security of a particular image, the operator of the cybersecurity solution may need some more context. Of course, it’s possible to gather this context independently, but if a thorough investigation is conducted manually each time, development may be delayed for an unpredictable period of time. Therefore, our experts decided to add the ability to look at the image from a fresh perspective; of course, not with a human eye — AI is indispensable nowadays.

OpenAI API

Our Kaspersky Container Security solution (a key component of Kaspersky Cloud Workload Security) now supports an application programming interface for connecting external large language models. So, if a company has deployed a local LLM (or has a subscription to connect a third-party model) that supports the OpenAI API, it’s possible to connect the LLM to our solution. This gives a cybersecurity expert the opportunity to get both additional context about uploaded images and an independent risk assessment by means of a full-fledged AI assistant capable of quickly gathering the necessary information.

The AI provides a description that clearly explains what the image is for, what application it contains, what it does specifically, and so on. Additionally, the assistant conducts its own independent analysis of the risks of using this image and highlights measures to minimize these risks (if any are found). We’re confident that this will speed up decision-making and incident investigations and, overall, increase the security of the development process.

What else is new in Cloud Workload Security?

In addition to adding API to connect the AI assistant, our developers have made a number of other changes to the products included in the Kaspersky Cloud Workload Security offering. First, they now support single sign-on (SSO) and a multi-domain Active Directory, which makes it easier to deploy solutions in cloud and hybrid environments. In addition, Kaspersky Cloud Workload Security now scans images more efficiently and supports advanced security policy capabilities. You can learn more about the product on its official page.

Variations of the ClickFix | Kaspersky official blog

25 February 2026 at 16:14

About a year ago, we published a post about the ClickFix technique, which was gaining popularity among attackers. The essence of attacks using ClickFix boils down to convincing the victim, under various pretexts, to run a malicious command on their computer. That is, from the cybersecurity solutions point of view, it’s run on behalf of the active user and with their privileges.

In early uses of this technique, cybercriminals tried to convince victims that they need to execute a command to fix some problem or to pass a captcha, and in the vast majority of cases, the malicious command was a PowerShell script. However, since then, attackers have come up with a number of new tricks that users should be warned about, as well as a number of new variants of malicious payload delivery, which are also worth keeping an eye on.

Use of mshta.exe

Last year, Microsoft experts published a report on cyberattacks targeting hotel owners working with Booking.com. The attackers sent out fake notifications from the service, or emails pretending to be from guests drawing attention to a review. In both cases, the email contained a link to a website imitating Booking.com, which asked the victim to prove that they were not a robot by running a code via the Run menu.

There are two key differences between this attack and ClickFix. First, the user isn’t asked to copy the string (after all, a string with code sometimes arouses suspicion). It’s copied to the exchange buffer by the malicious site – probably when the user clicks on a checkbox that mimics the reCAPTCHA mechanism. Second, the malicious string calls the legitimate mshta.exe utility, which serves to run applications written in HTML. It contacts the attackers’ server and executes the malicious payload.

Video on TikTok and PowerShell with administrator privileges

BleepingComputer published an article in October 2025 about a campaign spreading malware through instructions in TikTok videos. The videos themselves imitate video tutorials on how to activate proprietary software for free. The advice they give boils down to a need to run PowerShell with administrator rights and then execute the command iex (irm {address}). Here, the irm command downloads a malicious script from a server controlled by attackers, and the iex (Invoke-Expression) command runs it. The script, in turn, downloads an infostealer malware to the victim’s computer.

Using the Finger protocol

Another unusual variant of the ClickFix attack uses the familiar captcha trick, but the malicious script uses the outdated Finger protocol. The utility of the same name allows anyone to request data about a specific user on a remote server. The protocol is rarely used nowadays, but it is still supported by Windows, macOS, and a number of Linux-based systems.

The user is persuaded to open the command line interface and use it to run a command that establishes a connection via the Finger protocol (using TCP port 79) with the attackers’ server. The protocol only transfers text information, but this is enough to download another script to the victim’s computer, which then installs the malware.

CrashFix variant

Another variant of ClickFix differs in that it uses more sophisticated social engineering. It was used in an attack on users trying to find a tool to block advertising banners, trackers, malware, and other unwanted content on web pages. When searching for a suitable extension for Google Chrome, victims found something called NexShield – Advanced Web Guardian, which was in fact a clone of real working software, but which at some point crashed the browser and displayed a fake notification about a detected security problem and the need to run a “scan” to fix the error. If the user agreed, they received instructions on how to open the Run menu and execute a command that the extension had previously copied to the clipboard.

The command copied the familiar finger.exe file to a temporary directory, renamed it ct.exe, and then launched it with the attacker’s address. The rest of the attack was the same as in the abovementioned case. In response to the Finger protocol request, a malicious script was delivered, which launched and installed a remote access Trojan (in this case, ModeloRAT).

Malware delivery via DNS lookup

The Microsoft Threat Intelligence team also shared a slightly more complex than usual ClickFix attack variant. Unfortunately, they didn’t describe the social engineering trick, but the method of delivering the malicious payload is quite interesting. Probably in order to complicate detection of the attack in a corporate environment and prolong the life of the malicious infrastructure, the attackers used an additional step: contacting a DNS server controlled by the attackers.

That is, after the victim is somehow persuaded to copy and execute a malicious command, a request is sent to the DNS server on behalf of the user via the legitimate nslookup utility, requesting data for the example.com domain. The command contained the address of a specific DNS server controlled by the attackers. It returns a response that, among other things, returned a string with malicious script, which in turn downloads the final payload (in this attack, ModeloRAT again).

Cryptocurrency bait and JavaScript as payload

The next attack variant is interesting for its multi-stage social engineering. In comments on Pastebin, attackers actively spread a message about an alleged flaw in the Swapzone.io cryptocurrency exchange service. Cryptocurrency owners were invited to visit a resource created by fraudsters, which contained full instructions on how to exploit this flaw, which can make up to $13,000 in a couple of days.

The instructions explain how the service’s flaws can be exploited to exchange cryptocurrency at a more favorable rate. To do this, a victim needs to open the service’s website in the Chrome browser, manually type “javascript:” in the address bar, and then paste the JavaScript script copied from the attackers’ website and execute it. In reality, of course, the script cannot affect exchange rates in any way; it simply replaces Bitcoin wallet addresses and, if the victim actually tries to exchange something, transfers the funds to the attackers’ accounts.

How to protect your company from ClickFix attacks

The simplest attacks using the ClickFix technique can be countered by blocking the [Win] + [R] key combination on work devices. But, as we see from the examples listed, this is far from the only type of attack in which users are asked to run malicious code themselves.

Therefore, the main advice is to raise employee cybersecurity awareness. They must clearly understand that if someone asks them to perform any unusual manipulations with the system, and/or copy and paste code somewhere, then in most cases this is a trick used by cybercriminals. Security awareness training can be organized using the Kaspersky Automated Security Awareness Platform.

In addition, to protect against such cyberattacks, we recommend:

Quick digest of Kaspersky’s report “Spam and Phishing in 2025” | Kaspersky official blog

11 February 2026 at 22:32

Every year, scammers cook up new ways to trick people, and 2025 was no exception. Over the past year, our anti-phishing system thwarted more than 554 million attempts to follow phishing links, while our Mail Anti-Virus blocked nearly 145 million malicious attachments. To top it off, almost 45% of all emails worldwide turned out to be spam. Below, we break down the most impressive phishing and spam schemes from last year. For the deep dive, you can read the full Spam and Phishing in 2025 report on Securelist.

Phishing for fun

Music lovers and cinephiles were prime targets for scammers in 2025. Bad actors went all out creating fake ticketing aggregators and spoofed versions of popular streaming services.

On these fake aggregator sites, users were offered “free” tickets to major concerts. The catch? You just had to pay a small “processing fee” or “shipping cost”. Naturally, the only thing being delivered was your hard-earned cash straight into a scammer’s pocket.

Free Lady Gaga tickets? Only in a mousetrap

With streaming services, the hustle went like this: users received a tempting offer to, say, migrate their Spotify playlists to YouTube by entering their Spotify credentials. Alternatively, they were invited to vote for their favorite artist in a chart — an opportunity most fans find hard to pass up. To add a coat of legitimacy, scammers name-dropped heavy hitters like Google and Spotify. The phishing form targeted multiple platforms at once — Facebook, Instagram, or email — requiring users to enter their credentials to vote hand over their accounts.

A phishing page masquerading as an artist voting platform

This phishing page mimicking a multi-login setup looks terrible — no self-respecting designer would cram that many clashing icons onto a single button

In Brazil, scammers took it a step further: they offered users the chance to earn money just by listening to and rating songs on a supposed Spotify partner service. During registration, users had to provide their ID for Pix (the Brazilian instant payment system), and then make a one-time “verification payment” of 19.9 Brazilian reals (about $4) to “confirm their identity”. This fee was, of course, a fraction of the promised “potential earnings”. The payment form looked incredibly authentic and requested additional personal data — likely to be harvested for future attacks.

An imitation service claiming to pay users for listening to tracks on Spotify

This scam posed as a service for boosting Spotify ratings and plays, but to start “earning”, you first had to pay up

The “cultural date” scheme turned out to be particularly inventive. After matching and some brief chatting on dating apps, a new “love interest” would invite the victim to a play or a movie and send a link to buy tickets. Once the “payment” went through, both the date and the ticketing site would vanish into thin air. A similar tactic was used to sell tickets for immersive escape rooms, which have surged in popularity lately; the page designs mirrored real sites to lower the user’s guard.

A fake version of a popular Russian ticketing aggregator

Scammers cloned the website of a well-known Russian ticketing service

Phishing via messaging apps

The theft of Telegram and WhatsApp accounts became one of the year’s most widespread threats. Scammers have mastered the art of masking phishing as standard chat app activities, and have significantly expanded their geographical reach.

On Telegram, free Premium subscriptions remained the ultimate bait. While these phishing pages were previously only seen in Russian and English, 2025 saw a massive expansion into other languages. Victims would receive a message — often from a friend’s hijacked account — offering a “gift”. To activate it, the user had to log in to their Telegram account on the attacker’s site, which immediately led to another hijacked account.

Another common scheme involved celebrity giveaways. One specific attack, disguised as an NFT giveaway, stood out because it operated through a Telegram Mini App. For the average user, spotting a malicious Mini App is much harder than identifying a sketchy external URL.

Phishing bait featuring a supposed papakha NFT giveaway by Khabib Nurmagomedov

Scammers blasted out phishing bait for a fake Khabib Nurmagomedov NFT giveaway in both Russian and English simultaneously. However, in the Russian text, they forgot to remove a question from the AI that generated the text, “Do you need bolder, formal, or humorous options?” — which points to a rushed job and a total lack of editing

Finally, the classic vote for my friend messenger scam evolved in 2025 to include prompts to vote for the “city’s best dentist” or “top operational leader” — unfortunately, just bait for account takeovers.

Another clever method for hijacking WhatsApp accounts was spotted in China, where phishing pages perfectly mimicked the actual WhatsApp interface. Victims were told that due to some alleged “illegal activity”, they needed to undergo “additional verification”, which — you guessed it — ended up with a stolen account.

A Chinese method for hijacking WhatsApp accounts

Victims were redirected to a phone number entry form, followed by a request for their authorization code

Impersonating Government Services

Phishing that mimics government messages and portals is a “classic of the genre”, but in 2025, scammers added some new scripts to the playbook.

In Russia, vishing attacks targeting government service users picked up steam. Victims received emails claiming an unauthorized login to their account, and were urged to call a specific number to undergo a “security check”. To make it look legit, the emails were packed with fake technical details: IP addresses, device models, and timestamps of the alleged login. Scammers also sent out phony loan approval notifications: if the recipient hadn’t applied for a loan (which they hadn’t), they were prompted to call a fake support team. Once the panicked victim reached an “operator”, social engineering took center stage.

In Brazil, attackers hunted for taxpayer numbers (CPF numbers) by creating counterfeit government portals. Since this ID is the master key for accessing state services, national databases, and personal documents, a hijacked CPF is essentially a fast track to identity theft.

A fake Brazilian government services portal

This fraudulent Brazilian government portal of surprisingly high quality

In Norway, scammers targeted people looking to renew their driver’s licenses. A site mimicking the Norwegian Public Roads Administration collected a mountain of personal data: everything from license plate numbers, full names, addresses, and phone numbers to the unique personal identification numbers assigned to every resident. For the cherry on top, drivers were asked to pay a “license replacement fee” of 1200 NOK (over US$125). The scammers walked away with personal data, credit card details, and cash. A literal triple-combo move!

Generally speaking, motorists are an attractive target: they clearly have money and a car and a fear of losing it. UK-based scammers played on this by sending out demands to urgently pay some overdue vehicle tax to avoid some unspecified “enforcement action”. This “act now!” urgency is a classic phishing trope designed to distract the victim from a sketchy URL or janky formatting.

A fake demand for British motorists to pay overdue vehicle tax

Scammers pressured Brits to pay purportedly overdue vehicle taxes “immediately” to keep something bad from happening

Let us borrow your identity, please

In 2025, we saw a spike in phishing attacks revolving around Know Your Customer (KYC) checks. To boost security, many services now verify users via biometrics and government IDs. Scammers have learned to harvest this data by spoofing the pages of popular services that implement these checks.

A fake Vivid Money page

On this fraudulent Vivid Money page, scammers systematically collected incredibly detailed information about the victim

What sets these attacks apart is that, in addition to standard personal info, phishers demand photos of IDs or the victim’s face — sometimes from multiple angles. This kind of full profile can later be sold on dark web marketplaces or used for identity theft. We took a deep dive into this process in our post, What happens to data stolen using phishing?

AI scammers

Naturally, scammers weren’t about to sit out the artificial intelligence boom. ChatGPT became a major lure: fraudsters built fake ChatGPT Plus subscription checkout pages, and offered “unique prompts” guaranteed to make you go viral on social media.

A fake ChatGPT checkout page

This is a nearly pixel-perfect clone of the original OpenAI checkout page

The “earn money with AI” scheme was particularly cynical. Scammers offered passive income from bets allegedly placed by ChatGPT: the bot does all the heavy lifting while the user just watches the cash roll in. Sounds like a dream, right? But to “catch” this opportunity, you had to act fast. A special price on this easy way to lose your money was valid for only 15 minutes from the moment you hit the page, leaving victims with no time to think twice.

A phishing page offering AI-powered earnings

You’ve exactly 15 minutes to lose €14.99! After that, you lose €39.99

Across the board, scammers are aggressively adopting AI. They’re leveraging deepfakes, automating high-quality website design, and generating polished copy for their email blasts. Even live calls with victims are becoming components of more complex schemes, which we detailed in our post, How phishers and scammers use AI.

Booby-trapped job openings

Someone looking for work is a prime target for bad actors. By dangling high-paying remote roles at major brands, phishers harvested applicants’ personal data — and sometimes even squeezed them for small “document processing fees” or “commissions”.

A phishing page offering remote work at Amazon

“$1000 on your first day” for remote work at Amazon. Yeah, right

In more sophisticated setups, “employment agency” phishing sites would ask for the phone number linked to the user’s Telegram account during registration. To finish “signing up”, the victim had to enter a “confirmation code”, which was actually a Telegram authorization code. After entering it, the site kept pestering the applicant for more profile details — clearly a distraction to keep them from noticing the new login notification on their phone. To “verify the user”, the victim was told to wait 24 hours, giving the scammers, who already had a foot in the door, enough time to hijack the Telegram account permanently.

Hype is a lie (but a very convincing one)

As usual, scammers in 2025 were quick to jump on every trending headline, launching email campaigns at breakneck speed.

For instance, following the launch of $TRUMP meme coins by the U.S. President, scam blasts appeared promising free NFTs from “Trump Meme Coin” and “Trump Digital Trading Cards”. We’ve previously broken down exactly how meme coins work, and how to (not) lose your shirt on them.

The second the iPhone 17 Pro hit the market, it became the prize in countless fake surveys. After “winning”, users just had to provide their contact info and pay for shipping. Once those bank details were entered, the “winner” risked losing not just the shipping fee, but every cent in their account.

Riding the Ozempic wave, scammers flooded inboxes with offers for counterfeit versions of the drug, or sketchy “alternatives” that real pharmacists have never even heard of.

And during the BLACKPINK world tour, spammers pivoted to advertising “scooter suitcases just like the band uses”.

Even Jeff Bezos’s wedding in the summer of 2025 became fodder for “Nigerian” email scams. Users received messages purportedly from Bezos himself or his ex-wife, MacKenzie Scott. The emails promised massive sums in the name of charity or as “compensation” from Amazon.

How to stay safe

As you can see, scammers know no bounds when it comes to inventing new ways to separate you from your money and personal data — or even stealing your entire identity. These are just a few of the wildest examples from 2025; you can dive into the full analysis of the phishing and spam threat landscape over at Securelist. In the meantime, here are a few tips to keep you from becoming a victim. Be sure to share these with your friends and family — especially kids, teens, and older relatives. These groups are often the main targets in the scammers’ crosshairs.

  1. Check the URL before entering any data. Even if the page looks pixel-perfect, the address bar can give the game away.
  2. Don’t follow links in suspicious messages, even if they come from someone you know. Their account could easily have been hijacked.
  3. Never share verification codes with anyone. These codes are the master keys to your digital life.
  4. Enable two-factor authentication everywhere you can. It adds a crucial extra hurdle for hackers.
  5. Be skeptical of “too good to be true” offers. Free iPhones, easy money, and gifts from strangers are almost always a trap. For a refresher, check out our post, Phishing 101: what to do if you get a phishing email.
  6. Install robust protection on all your devices. Kaspersky Premium automatically blocks phishing sites, malicious attachments, and spam blasts before you even have a chance to click. Plus, our Kaspersky for Android app features a three-tier anti-phishing system that can sniff out and neutralize malicious links in any message from any app. Read more about it in our post, A new layer of anti-phishing security in Kaspersky for Android.

How tech is rewiring romance: dating apps, AI relationships, and emoji | Kaspersky official blog

13 February 2026 at 09:39

With both spring and St. Valentine’s Day just around the corner, love is in the air — but we’re going to look at it through the lens of ultra-modern high-technology. Today, we’re diving into how technology is reshaping our romantic ideals and even the language we use to flirt. And, of course, we’ll throw in some non-obvious tips to make sure you don’t end up as a casualty of the modern-day love game.

New languages of love

Ever received your fifth video e-card of the day from an older relative and thought, “Make it stop”? Or do you feel like a period at the end of a sentence is a sign of passive aggression? In the world of messaging, different social and age groups speak their own digital dialects, and things often get lost in translation.

This is especially obvious in how Gen Z and Gen Alpha use emojis. For them, the Loudly Crying Face 😭 often doesn’t mean sadness — it means laughter, shock, or obsession. Meanwhile, the Heart Eyes emoji might be used for irony rather than romance: “Lost my wallet on the way home 😍😍😍”. Some double meanings have already become universal, like 🔥 for approval/praise, or 🍆 for… well, surely you know that by now… right?! 😭

Still, the ambiguity of these symbols doesn’t stop folks from crafting entire sentences out of nothing but emoji. For instance, a declaration of love might look something like this:

🤫❤️🫵

Or here’s an invitation to go on a date:

🫵🚶➡️💋🌹🍝🍷❓

By the way, there are entire books written in emojis. Back in 2009, enthusiasts actually translated the entirety of Moby Dick into emojis. The translators had to get creative — even paying volunteers to vote on the most accurate combinations for every single sentence. Granted it’s not exactly a literary masterpiece — the emoji language has its limits, after all — but the experiment was pretty fascinating: they actually managed to convey the general plot.

This is what Emoji Dick — the translation of Herman Melville's Moby Dick into emoji — looks like

This is what Emoji Dick — the translation of Herman Melville’s Moby Dick into emoji — looks like. Source

Unfortunately, putting together a definitive emoji dictionary or a formal style guide for texting is nearly impossible. There are just too many variables: age, context, personal interests, and social circles. Still, it never hurts to ask your friends and loved ones how they express tone and emotion in their messages. Fun fact: couples who use emojis regularly generally report feeling closer to one another.

However, if you are big into emojis, keep in mind that your writing style is surprisingly easy to spoof. It’s easy for an attacker to run your messages or public posts through AI to clone your tone for social engineering attacks on your friends and family. So, if you get a frantic DM or a request for an urgent wire transfer that sounds exactly like your best friend, double-check it. Even if the vibe is spot on, stay skeptical. We took a deeper dive into spotting these deepfake scams in our post about the attack of the clones.

Dating an AI

Of course, in 2026, it’s impossible to ignore the topic of relationships with artificial intelligence; it feels like we’re closer than ever to the plot of the movie Her. Just 10 years ago, news about people dating robots sounded like sci-fi tropes or urban legends. Today, stories about teens caught up in romances with their favorite characters on Character AI, or full-blown wedding ceremonies with ChatGPT, barely elicit more than a nervous chuckle.

In 2017, the service Replika launched, allowing users to create a virtual friend or life partner powered by AI. Its founder, Eugenia Kuyda — a Russian native living in San Francisco since 2010 — built the chatbot after her friend was tragically killed by a car in 2015, leaving her with nothing but their chat logs. What started as a bot created to help her process her grief was eventually released to her friends and then the general public. It turned out that a lot of people were craving that kind of connection.

Replika lets users customize a character’s personality, interests, and appearance, after which they can text or even call them. A paid subscription unlocks the romantic relationship option, along with AI-generated photos and selfies, voice calls with roleplay, and the ability to hand-pick exactly what the character remembers from your conversations.

However, these interactions aren’t always harmless. In 2021, a Replika chatbot actually encouraged a user in his plot to assassinate Queen Elizabeth II. The man eventually attempted to break into Windsor Castle — an “adventure” that ended in 2023 with a nine-year prison sentence. Following the scandal, the company had to overhaul its algorithms to stop the AI from egging on illegal behavior. The downside? According to many Replika devotees, the AI model lost its spark and became indifferent to users. After thousands of users revolted against the updated version, Replika was forced to cave and give longtime customers the option to roll back to the legacy chatbot version.

But sometimes, just chatting with a bot isn’t enough. There are entire online communities of people who actually marry their AI. Even professional wedding planners are getting in on the action. Last year, Yurina Noguchi, 32, “married” Klaus, an AI persona she’d been chatting with on ChatGPT. The wedding featured a full ceremony with guests, the reading of vows, and even a photoshoot of the “happy newlyweds”.

A Japanese woman, 32 "married" ChatGPT

Yurina Noguchi, 32, “married” Klaus, an AI character created by ChatGPT. Source

No matter how your relationship with a chatbot evolves, it’s vital to remember that generative neural networks don’t have feelings — even if they try their hardest to fulfill every request, agree with you, and do everything it can to “please” you. What’s more, AI isn’t capable of independent thought (at least not yet). It’s simply calculating the most statistically probable and acceptable sequence of words to serve up in response to your prompt.

Love by design: dating algorithms

Those who aren’t ready to tie the knot with a bot aren’t exactly having an easy time either: in today’s world, face-to-face interactions are dwindling every year. Modern love requires modern tech! And while you’ve definitely heard the usual grumbling, “Back in the day, people fell in love for real. These days it’s all about swiping left or right!” Statistics tell a different story. Roughly 16% of couples worldwide say they met online, and in some countries that number climbs to as high as 51%.

That said, dating apps like Tinder spark some seriously mixed emotions. The internet is practically overflowing with articles and videos claiming these apps are killing romance and making everyone lonely. But what does the research say?

In 2025, scientists conducted a meta-analysis of studies investigating how dating apps impact users’ wellbeing, body image, and mental health. Half of the studies focused exclusively on men, while the other half included both men and women. Here are the results: 86% of respondents linked negative body image to their use of dating apps! The analysis also showed that in nearly one out of every two cases, dating app usage correlated with a decline in mental health and overall wellbeing.

Other researchers noted that depression levels are lower among those who steer clear of dating apps. Meanwhile, users who already struggled with loneliness or anxiety often develop a dependency on online dating; they don’t just log on for potential relationships, but for the hits of dopamine from likes, matches, and the endless scroll of profiles.

However, the issue might not just be the algorithms — it could be our expectations. Many are convinced that “sparks” must fly on the very first date, and that everyone has a “soulmate” waiting for them somewhere out there. In reality, these romanticized ideals only surfaced during the Romantic era as a rebuttal to Enlightenment rationalism, where marriages of convenience were the norm.

It’s also worth noting that the romantic view of love didn’t just appear out of thin air: the Romantics, much like many of our contemporaries, were skeptical of rapid technological progress, industrialization, and urbanization. To them, “true love” seemed fundamentally incompatible with cold machinery and smog-choked cities. It’s no coincidence, after all, that Anna Karenina meets her end under the wheels of a train.

Fast forward to today, and many feel like algorithms are increasingly pulling the strings of our decision-making. However, that doesn’t mean online dating is a lost cause; researchers have yet to reach a consensus on exactly how long-lasting or successful internet-born relationships really are. The bottom line: don’t panic, just make sure your digital networking stays safe!

How to stay safe while dating online

So, you’ve decided to hack Cupid and signed up for a dating app. What could possibly go wrong?

Deepfakes and catfishing

Catfishing is a classic online scam where a fraudster pretends to be someone else. It used to be that catfishers just stole photos and life stories from real people, but nowadays they’re increasingly pivoting to generative models. Some AIs can churn out incredibly realistic photos of people who don’t even exist, and whipping up a backstory is a piece of cake — or should we say, a piece of prompt. By the way, that “verified account” checkmark isn’t a silver bullet; sometimes AI manages to trick identity verification systems too.

To verify that you’re talking to a real human, try asking for a video call or doing a reverse image search on their photos. If you want to level up your detection skills, check out our three posts on how to spot fakes: from photos and audio recordings to real-time deepfake video — like the kind used in live video chats.

Phishing and scams

Picture this: you’ve been hitting it off with a new connection for a while, and then, totally out of the blue, they drop a suspicious link and ask you to follow it. Maybe they want you to “help pick out seats” or “buy movie tickets”. Even if you feel like you’ve built up a real bond, there’s a chance your match is a scammer (or just a bot), and the link is malicious.

Telling you to “never click a malicious link” is pretty useless advice — it’s not like they come with a warning label. Instead, try this: to make sure your browsing stays safe, use a Kaspersky Premium that automatically blocks phishing attempts and keeps you off sketchy sites.

Keep in mind that there’s an even more sophisticated scheme out there known as “Pig Butchering”. In these cases, the scammer might chat with the victim for weeks or even months. Sadly, it ends badly: after lulling the victim into a false sense of security through friendly or romantic banter, the scammer casually nudges them toward a “can’t-miss crypto investment” — and then vanishes along with the “invested” funds.

Stalking and doxing

The internet is full of horror stories about obsessed creepers, harassment, and stalking. That’s exactly why posting photos that reveal where you live or work — or telling strangers about your favorite local hangouts — is a bad move. We’ve previously covered how to avoid becoming a victim of doxing (the gathering and public release of your personal info without your consent). Your first step is to lock down the privacy settings on all your social media and apps using our free Privacy Checker tool.

We also recommend stripping metadata from your photos and videos before you post or send them; many sites and apps don’t do this for you. Metadata can allow anyone who downloads your photo to pinpoint the exact coordinates of where it was taken.

Finally, don’t forget about your physical safety. Before heading out on a date, it’s a smart move to share your live geolocation, and set up a safe word or a code phrase with a trusted friend to signal if things start feeling off.

Sextortion and nudes

We don’t recommend ever sending intimate photos to strangers. Honestly, we don’t even recommend sending them to people you do know — you never know how things might go sideways down the road. But if a conversation has already headed in that direction, suggest moving it to an app with end-to-end encryption that supports self-destructing messages (like “delete after viewing”). Telegram’s Secret Chats are great for this (plus — they block screenshots!), as are other secure messengers. If you do find yourself in a bad spot, check out our posts on what to do if you’re a victim of sextortion and how to get leaked nudes removed from the internet.

More on love, security (and robots):

ForumTroll targets political scientists | Kaspersky official blog

17 December 2025 at 11:58

Our experts from the Global Research and Analysis Team (GReAT) have investigated a new wave of targeted emails from the ForumTroll APT group. Whereas previously their malicious emails were sent to public addresses of organizations, this time the attackers have targeted specific individuals — scientists from Russian universities and other organizations specializing in political science, international relations, and global economics. The purpose of the campaign was to infect victims’ computers with malware to gain remote access thereto.

What the malicious email looks like

The attackers sent the emails from the address support@e-library{.}wiki, which imitates the address of the scientific electronic library eLibrary (its real domain is elibrary.ru). The emails contained personalized links to a report on the plagiarism check of some material, which, according to the attackers’ plan, was supposed to be of interest to scientists.

In reality, the link downloaded an archive from the same e-library{.}wiki domain. Inside was a malicious .lnk file and a .Thumbs directory with some images that were apparently needed to bypass security technologies. The victim’s full name was used in the filenames of the archive and the malicious link-file.

In case the victim had doubts about the legitimacy of the email and visited the e-library{.}wiki page, they were shown a slightly outdated copy of the real website.

What happens if the victim clicks on the malicious link

If the scientist who received the email clicked on the file with the .lnk extension, a malicious PowerShell script was executed on their computer, triggering a chain of infection. As a result, the attackers installed a commercial framework Tuoni for red teams on the attacked machine, providing the attackers with remote access and other opportunities for further compromising the system. In addition, the malware used COM Hijacking to achieve persistency, and downloaded and displayed a decoy PDF file, the name of which also included the victim’s full name. The file itself, however, was not personalized — it was a rather vague report in the format of one of the Russian plagiarism detection systems.

Interestingly, if the victim tried to open the malicious link from a device running on a system that didn’t support PowerShell, they were prompted to try again from a Windows computer. A more detailed technical analysis of the attack, along with indicators of compromise, can be found in a post on the Securelist website.

How to stay safe

The malware used in this attack is successfully detected and blocked by Kaspersky’s security products. We recommend installing a reliable security solution not only on all devices used by employees to access the internet, but also on the organization's mail gateway, which can stop most threats delivered via email before they reach an employee’s device.

❌