Today marks the start of Spring in the Northern Hemisphere, and with warmer weather setting in summer trips are vacation planning are starting to take shape.   

But before you respond to that message about your hotel booking or payment confirmation, it’s worth asking: is it actually legit? 

This week in scams, we’re breaking down a travel phishing scheme making the rounds through realistic booking messages, as well as new McAfee research on betting scams and AI-driven malware. 

We’ll walk through what happened, what to watch for, and how McAfee’s tools can help you stay safe. 

Scammers Who Know Your Exact Travel Reservation Details 

A new phishing campaign targeting travelers is exploiting hotel booking platforms like Booking.com, and it’s convincing enough to fool even cautious users. 

According to reporting from ITBrew and Cybernews, attackers are running a multi-stage scam: 

How The Booking Scam Works 

Scam Stage	How It Works	What You’ll Notice	How to Protect Yourself	Where McAfee Helps
Stage 1: Hotel account gets compromised	Attackers phish or hack hotel staff to access booking platforms and guest reservation data.	You won’t see this part — it happens behind the scenes.	Use strong, unique passwords and enable multi-factor authentication on your own accounts to reduce risk of similar breaches.	Identity Monitoring can alert you if your personal information appears in suspicious places or data leaks.
Stage 2: You receive a realistic message	Scammers use stolen booking data to send messages via WhatsApp, email, or even booking platforms.	The message includes your real name, hotel, and travel dates, making it feel legitimate.	Be cautious of unexpected outreach, even if the details are correct. Don’t assume accuracy means authenticity.	Scam detection tools can help flag suspicious messages and identify potential phishing attempts.
Stage 3: Urgency is introduced	The message claims there’s an issue with your reservation and pushes you to act quickly.	Phrases like “confirm within 12 hours” or “risk cancellation” create pressure.	Pause before acting. Legitimate companies rarely require urgent payment changes without prior notice.	Scam detection can help identify high-risk messages designed to pressure you into quick decisions.
Stage 4: You’re sent to a fake payment page	A link leads to a convincing lookalike site designed to steal your payment details.	The page looks real but may have subtle URL differences or unusual formatting.	Always navigate directly to the official website or app instead of clicking links in messages.	Safe Browsing tools can help block risky or known malicious websites before you enter sensitive information.

March Madness Brackets, Bets, and Bad Actors 

March Madness brings brackets, bets, and a flood of bad actors. 

New McAfee research found that 1 in 3 Americans (32%) say they’ve experienced a betting or gambling scam, and nearly a quarter (24%) say they’ve lost money to one. On average, victims reported losing $547. 

That’s not surprising when you look at the environment around the tournament. More than half of Americans are watching, more than half are participating in some form of betting, and 82% say they’ve seen betting promotions in the past year. 

Some of the most common setups this season include: 

• “Guaranteed win” or “can’t lose” betting tips that require payment upfront 
• Fake sportsbook promotions offering bonus bets or free credits 
• Messages claiming you have winnings, but need to pay a fee to unlock them 
• Impersonation scams posing as sportsbook support or betting platforms 
• Invitations to private “VIP betting groups” on WhatsApp or Telegram 

The takeaway:
If a betting offer promises guaranteed results, demands the use of bizarre apps and sites, asks for money upfront, or pushes you to act quickly, it’s not an edge. It’s a scam. 

“AI-Written” Malware Is Hiding in Everyday Downloads 

Not all scams start with a message. Some start with a search. 

McAfee Labs uncovered a large-scale malware campaign hiding inside hundreds of fake downloads, including game mods, AI tools, drivers, and trading utilities. 

In January alone, researchers identified: 

• 443 malicious ZIP files disguised as legitimate software 
• 1,700+ file names used to make those downloads look credible 
• 48 variants of a malicious DLL file used to infect devices 

These weren’t hosted on obscure corners of the internet either. The files were distributed through platforms people recognize, including Discord, SourceForge, and file-sharing sites. 

Here’s how the attack typically works: 

• You search for a tool. 
• You download what looks like the right file. 
• It opens normally at first. 

Then, behind the scenes, malware loads quietly and begins pulling in additional code. In some cases, victims are shown fake error messages while the real infection happens in the background. 

From there, attackers can: 

• Turn your device into a cryptocurrency mining machine 
• Install additional malware like infostealers or remote access tools 
• Slow down your system while running hidden processes 

What makes this campaign stand out is that some of the code appears to have been generated with help from AI tools. 

That doesn’t mean AI is running the attack on its own. But it does suggest attackers are using AI to: 

• Generate code faster 
• Create more variations of malware 
• Scale campaigns more efficiently 

In other words, the barrier to building malware is getting lower. 

The takeaway:
If a download is unofficial, hard to find, or feels like a shortcut, it’s worth slowing down. The file may look right, but that doesn’t mean it’s safe. 

How McAfee+ Advanced Works in These Scam Moments 

Whether it’s a message about your booking, a betting offer that looks legitimate, or a download that appears to be exactly what you were searching for, these scams all rely on the same thing: they blend into everyday moments. 

That’s where having backup like McAfee+ Advanced comes in. It includes: 

• McAfee’s Scam Detector, which helps flag suspicious links in texts and messages like the ones used in these booking and betting scams, so you can spot something risky before you engage

• Web protection and real-time device security, helping protect against risky links, malicious sites, and evolving threats if you do click, including fake betting platforms or malware hidden in downloads

• Personal Data Cleanup, which helps remove your information from sites that sell it, making it harder for scammers to access the personal details that make messages and scams feel legitimate

• Secure VPN, which helps keep your personal info safe and private anywhere you use public Wi-Fi, like hotels, airports, and cafés while traveling

• Identity Monitoring and alerts, with 24/7 scans of the dark web to help ensure your personal and financial information isn’t being exposed or reused

• Credit and transaction monitoring, so you can get alerts about suspicious financial activity if your information is ever compromised 

• Identity restoration support and up to $2 million in identity theft coverage, giving you access to US-based experts and added peace of mind if something does go wrong 

Stay skeptical, verify before you click, and we’ll see you next week with more. 

The post This Week in Scams: Why That “Booking Confirmation” Message Might Be Fake appeared first on McAfee Blog.

McAfee Labs has uncovered a widespread malware campaign hiding inside fake downloads for things like game mods, AI tools, drivers, and trading utilities. 

In January 2026, researchers observed 443 malicious ZIP files impersonating software people might actively search for online. Across those files, McAfee identified 48 malicious WinUpdateHelper.dll variants used to infect devices. The campaign was spread through a mix of file-hosting and content delivery services, including Discord, SourceForge, FOSSHub, and mydofiles[.]com. 

What makes this campaign especially notable is that some parts of it appear to have been built with help from large language models (LLMs). McAfee researchers found signs that certain scripts likely used AI-generated code, which may have helped the attackers create and scale the campaign faster. 

That does not mean AI created the whole operation on its own. But it does suggest AI may be helping cybercriminals lower the effort needed to build malware and launch attacks. 

Want the full research? Dive in here. 

We break down the top takeaways below. 

What McAfee Found 

Finding	What it means
443 malicious ZIP files	Attackers created many different fake downloads to reach more victims
48 malicious DLL variants	The campaign used multiple versions of the malware, not just one file
1,700+ file names observed	The same threat was repackaged under many different names to look convincing
17 distinct kill chains	Researchers found multiple attack flows, but they followed a similar overall pattern
Hosted on familiar platforms	The malware was distributed through services users may recognize, including Discord and SourceForge
AI-assisted code suspected	Some scripts contained explanatory comments and patterns that strongly suggest LLM assistance
Cryptomining and additional malware observed	Infected devices could be used to mine cryptocurrency or receive more malicious payloads

What Is “AI-Written Malware”? 

In this case, “AI-written malware” does not mean an AI system independently invented and launched the attack. 

Instead, McAfee Labs found evidence that the attackers very likely used AI tools to help generate some of the code used in the campaign, especially in certain PowerShell scripts. 

Put simply: 

Term	Plain-English meaning
Large language model (LLM)	An AI system that can generate text and code based on prompts
AI-assisted malware	Malware where attackers appear to have used AI tools to help write or structure parts of the code
Vibe coding	A style of coding where someone describes what they want and an AI does much of the writing

This matters because it can make malware development faster, easier, and more scalable for attackers. 

 

How The Fake Download Attack Works 

The attack begins when someone searches for software online and downloads what looks like the tool they wanted. 

That tool might appear to be a game mod, AI voice changer, emulator, trading utility, VPN, or driver. But behind the scenes, the ZIP archive includes malicious components that start the infection. 

Step	What happens
1. A user downloads a fake file	The ZIP archive is disguised as something useful or desirable, such as a mod menu, AI tool, or driver
2. The file appears normal at first	In some cases, the package includes a legitimate executable so it feels more convincing
3. A malicious DLL is loaded	A hidden malicious file, often WinUpdateHelper.dll, starts the real attack
4. The user is distracted	The malware may display a fake “missing dependency” message and redirect the user to install unrelated software
5. A PowerShell script is pulled from a remote server	While the user is distracted, the malware contacts a command-and-control server and runs additional code
6. More malware is installed	Depending on the sample, the device may receive coin miners, infostealers, or remote access tools
7. The infected device is abused for profit	In many cases, attackers use the victim’s system resources to mine cryptocurrency in the background

What Kinds of Files Were Used as Bait 

McAfee found that the attackers cast a very wide net. The malicious ZIP files impersonated many types of software, including: 

Bait category	Examples
Gaming tools	game mods, cheats, executors, Roblox-related tools
AI-themed tools	AI image generators, AI voice changers, AI-branded downloads
System utilities	graphics drivers, USB drivers, emulators, VPNs
Trading or finance tools	stock-market utilities and related downloads
Fake security or malware tools	fake stealers, decryptors, and other risky-looking utilities

That broad range is part of what made the campaign effective. It was designed to catch people already looking for shortcuts, unofficial tools, or hard-to-find software. 

Why McAfee Researchers Believe AI Was Used 

One of the strongest clues came from the comments inside some of the attack scripts. 

McAfee researchers found explanatory comments that looked more like AI-generated instructions than the kind of shorthand attackers usually leave for themselves. In one example, a comment referred to downloading a file from “your GitHub URL,” which suggests the code may have come from a generated template and was not fully cleaned up before use. 

These details do not prove every part of the campaign was AI-made. But they do support McAfee’s assessment that certain components were likely generated with help from large language models. 

What Happens on an Infected Device 

In many cases, the malware was used to turn victims’ computers into quiet crypto-mining machines. 

McAfee observed mining activity involving several cryptocurrencies, including: 

• Ravencoin 
• Zephyr 
• Monero 
• Bitcoin Gold 
• Ergo 
• Clore 

Some samples also downloaded additional payloads such as SalatStealer or Mesh Agent. 

For victims, that can mean: 

Possible effect	What it may look like
Slower performance	apps lag, games stutter, system feels unusually sluggish
High CPU or GPU usage	fans run constantly, laptop gets hot, battery drains faster
Background malware activity	unknown processes, suspicious downloads, unexpected behavior
Potential data theft	if an infostealer or remote access tool is installed

McAfee was also able to trace several Bitcoin wallets tied to the campaign. At the time of the report, those wallets held about $4,536 in Bitcoin, while total funds received were approximately $11,497.70. Researchers note the real total could be higher because some of the currencies involved are harder to trace. 

Who Was Targeted Most 

This campaign was observed most heavily in: 

• United States 
• United Kingdom 
• India 
• Brazil 
• France 
• Canada 
• Australia 

That does not mean users elsewhere were unaffected. These were simply the countries where researchers saw the highest prevalence. 

The post New Research: Hackers Are Using AI-Written Code to Spread Malware appeared first on McAfee Blog.

Whether you’re a hardcore basketball fan or the office colleague who gets roped into filling out a bracket every year, March Madness is the season for brackets, office pools, and last-minute picks. 

More than half of Americans (57%) plan to watch the NCAA basketball tournament, and 55% say they participate in some kind of betting or bracket activity during March Madness, from office pools to licensed sportsbook wagers.  

But where there’s excitement and money, scammers aren’t far behind. 

New research from McAfee finds that 1 in 3 Americans (32%) say they’ve experienced a betting or gambling scam, and 24% say they’ve lost money to one, with victims losing an average of $547. 

Big events like March Madness create the perfect storm: massive attention, constant betting promotions, and fans searching online for predictions, tips, and an edge. 

Scammers know it, and they’re exploiting the moment. 

Why March Madness is Prime Time for Betting Scams 

Sports betting promotions are everywhere during major events like March Madness. 

According to McAfee research, 82% of Americans say they’ve seen sports betting promotions or offers in the past year, often on social media, streaming broadcasts, and sports websites. 

That flood of promotions makes it easier for scams to blend in with legitimate content. 

Many scams start the same way legitimate offers do, through messages, ads, or links promising bonuses or tips. But once someone clicks or responds, the situation can escalate quickly. 

For example: 

• 42% of Americans say they’ve been asked to click a link sent via email tied to a betting offer 
• Others report links sent through social media messages or text messages directing them to betting sites, apps, or private betting groups 

In many cases, victims are then asked to send money to unlock winnings, activate accounts, or access premium betting picks. 

The payout rarely exists. 

The Most Common Betting Scams Fans Encounter 

Betting scams come in several forms, but many follow familiar patterns. 

Here are some of the most common tactics reported in McAfee’s research: 

Scam Type	Definition	How It Works	Red Flags
Guaranteed Win Scam	A betting scam where someone promises a “guaranteed win,” “sure bet,” or “can’t lose” outcome in exchange for money, clicks, or sign-ups. According to McAfee Findings, about 1 in 6 Americans say they’ve received these kinds of messages, which are designed to lure fans looking for an edge.	Scammers send private messages, emails, or social posts claiming they have insider knowledge or a lock on a game. The goal is usually to get the victim to pay for picks, join a private group, or click a malicious link.	Claims that a bet is guaranteed, pressure to act fast, requests for payment to access picks, and promises that sound risk-free.
Fake Free Bet Promotion Scam	A scam that pretends to offer bonus bets, deposit matches, or free credits through a fake sportsbook promotion.	The victim sees what looks like a real sportsbook offer, often through social media, email, or text. Clicking may lead to a fake site that steals login details, payment information, or deposits.	Unfamiliar brand names, unofficial links, urgent sign-up language, and promotions that seem unusually generous.
Winnings Release Fee Scam	A scam where a victim is told they have winnings waiting, but must first pay a fee, deposit, or processing charge to collect them.	The scammer claims the user has won money, then invents a reason payment is required before the funds can be released. Once the fee is sent, the payout never arrives.	Requests to pay before receiving winnings, vague “processing” or “verification” fees, and pressure to send money immediately.
Fake Betting App or Website Scam	A scam involving a fraudulent app or website designed to look like a real sportsbook or betting platform.	Victims are directed to a fake platform where they may create an account, enter personal information, or deposit money. The site may appear legitimate, but withdrawals are blocked or impossible.	Slightly misspelled URLs, strange app download paths, poor website quality, and platforms that make deposits easy but withdrawals difficult.
Sportsbook Impersonation Scam	A scam in which someone pretends to represent a legitimate betting platform or sportsbook support team.	The scammer contacts the victim claiming there is an issue with an account, a bonus, or winnings. They then ask for login credentials, payment details, or personal information.	Requests for passwords, bank details, or identity information; unexpected outreach; and messages pushing you to resolve an “account issue” through a link.
Fake Insider Tip Scam	A scam that uses claims of insider information, fixed games, or special access to make a betting offer sound exclusive and trustworthy.	Scammers position themselves as experts, insiders, or connected sources who can help the victim beat the odds. The real goal is usually payment, account access, or enrollment in a scam betting channel.	Claims of fixed outcomes, “insider” knowledge, exclusive access, and offers that rely on secrecy or urgency.
Celebrity or Influencer Endorsement Scam	A betting scam that uses fake or misleading celebrity, athlete, or influencer endorsements to make an offer seem legitimate.	Scammers create ads, videos, or posts that appear to feature a public figure recommending a betting platform, app, or tip service. In some cases, AI-generated content makes these endorsements look more convincing.	Endorsements that seem off-brand, videos or graphics that look unnatural, unfamiliar accounts, and promotions tied to fake urgency or suspicious links.
Private Betting Group Scam	A scam that tries to move betting conversations into private channels like WhatsApp, Telegram, or Signal.	After initial contact on social media or another public platform, the scammer encourages the victim to join a private group for “exclusive picks,” “VIP bets,” or “premium insights.” These groups are often used to pressure victims into sending money or clicking malicious links.	Pressure to move off-platform quickly, promises of VIP access, requests for payment to join, and little proof that the group is legitimate.

AI Is Making Betting Scams Harder to Spot 

Artificial intelligence is beginning to change how scams look and sound. 

About 1 in 5 Americans say they’ve encountered betting scams that appeared more realistic because of AI, and 27% believe they’ve seen AI-generated betting content such as fake promotions, images, or videos.  

Among those who encountered AI-driven scams: 

• 58% reported AI-generated images or graphics in betting ads 
• 57% saw AI-written messages that sounded natural or personalized 
• 45% encountered fake celebrity or influencer endorsements 
• 36% interacted with chatbots posing as betting experts or support agents  

As these tools improve, scam messages are becoming smoother, more convincing, and harder to distinguish from legitimate promotions. 

Safety Check	What To Do
Be skeptical of “guaranteed wins”	No bet is risk-free. Ignore messages promising sure bets, insider picks, or guaranteed outcomes.
Use only licensed sportsbooks	Stick to official betting apps and well-known sportsbooks. Avoid unfamiliar websites or apps.
Don’t click betting links from unknown messages	If you receive a betting offer via email, text, or social media, go directly to the official site instead of clicking the link.
Never pay fees to unlock winnings	If someone says you must send money to claim winnings or activate a betting account, it’s almost certainly a scam.
Be cautious of private betting groups	Invitations to “VIP betting groups” on apps like Telegram or WhatsApp are often used to promote scam picks or collect payments.
Protect your accounts	Use strong passwords and turn on two-factor authentication wherever possible. Try our free strong password generator.
Use scam detection tools	Tools like McAfee’s Scam Detector can flag suspicious links, websites, and messages before you engage.

March Madness is meant to be fun, filling out brackets, debating picks with friends, and cheering for the next big upset. Betting can be part of that excitement, but it’s worth remembering that scammers are watching the tournament too. 

A simple rule of thumb can go a long way: if a betting offer promises guaranteed wins, asks for money upfront, or pushes you to act quickly, take a step back and verify it first.  

The safest plays are the ones where you slow down, stick to trusted platforms, and keep your personal information protected. 

If You or Someone You Know Needs Help 

Sports betting can be fun, but for some people it can become difficult to manage. If you or someone you know is struggling with gambling, help is available through the National Problem Gambling Helpline (1-800-MY-RESET), operated by the National Council on Problem Gambling. 

The post 1 in 3 Has Experienced a Betting Scam. What March Madness Fans Should Know appeared first on McAfee Blog.

A powerful iPhone-hacking technique known as DarkSword has been discovered in use by Russian hackers. It can take over devices running iOS 18 that simply visit infected websites.

Dozens of Telegram channels reviewed by WIRED include job listings for “AI face models.” The (mostly) women who land these gigs are likely being used to dupe victims out of their money.

This week in scams, the Pokémon Trainer pursuit to “catch ’em all” is being hijacked by criminals posting fake trading card listings online; duping buyers, including young collectors, out of hundreds of dollars. 

Meanwhile, threatening email extortion scams claiming your personal data has been stolen are flooding inboxes around the world. And a viral “wedding photo” of Tom Holland and Zendaya shows how AI-generated images can blur the line between real and fake online. 

Here’s what to know. 

Pokémon Card Scams Surge on Online Marketplaces 

The booming market for collectible Pokémon cards has become a new target for scammers. 

According to reporting from The Straits Times, Singapore police recently arrested a 25-year-old man suspected of running a series of e-commerce scams involving Pokémon trading cards. Victims reportedly lost more than $135,000 after paying for limited-edition cards that never arrived. 

Authorities say the suspect allegedly advertised pre-orders for rare cards on the online marketplace Carousell. After receiving payment through bank transfers or digital payment apps, the seller either became unreachable or claimed there were delivery problems. 

Police say at least 35 reports tied to the suspect have been filed since October 2025, and more broadly there have been over 600 reported Pokémon card e-commerce scams totaling more than $1.1 million in losses during that same period. 

Why this matters: 

Collectibles create the perfect storm for online scams. Limited releases, hype, and rising resale values make buyers feel pressure to act quickly before items “sell out.” Scammers take advantage of that urgency. 

How to Stay Safe When Buying Collectibles Online 

If you’re buying trading cards or other collectibles online: 

• Buy from authorized retailers or well-established marketplaces 
• Avoid sellers who require direct bank transfers or payment apps upfront 
• Use platforms with buyer protection or escrow payment systems 
• Be cautious of sellers who suddenly move the conversation to WhatsApp, Telegram, or other messaging apps 

When demand spikes for a product, whether it’s sneakers, concert tickets, or Pokémon cards, scams usually follow. 

The “Your Data Was Stolen” Email Extortion Scam 

Another scam spreading widely right now arrives in a much more intimidating format: a threatening email claiming hackers have stolen your personal data. 

According to reporting from Fox News, many people are receiving messages that claim the sender has access to their passwords, files, or financial information. The message then demands payment in Bitcoin to prevent the data from being sold on the dark web. 

At first glance, these emails can feel frightening. They often use dramatic language like: 

• “I have your complete personal information” 
• “Your files and devices are compromised” 
• “Pay within 48 hours or your data will be leaked” 

But in most cases, there’s one major problem with the claim. 

There’s no proof. 

Security experts note that these messages usually include no screenshots, no passwords, and no evidence of a real breach. Instead, scammers send the same message to thousands of email addresses at once, hoping a small percentage of recipients will panic and pay. 

Often, the scammers obtained your email address from old data breach lists circulating online, which makes the message feel more believable. 

What to Do If You Receive One of These Emails 

If you receive a threatening extortion email: 

• Do not reply
• Do not send money
• Mark the message as spam or phishing
• Delete it

Reporting the message helps email providers improve spam filters and prevent similar scams from reaching others. 

The biggest tactic here is fear. Once you slow down and evaluate the message, the scam usually falls apart. 

That Viral Tom Holland and Zendaya “Wedding Photo”? AI 

A viral image circulating on social media this week claimed to show Tom Holland and Zendaya’s wedding, sparking massive speculation online. 

But many viewers quickly suspected the image wasn’t real. 

According to reporting on Yahoo Entertainment, the photo appeared to originate from a fan account on X (formerly Twitter) that claimed the image had been “confirmed” by major outlets like Vogue and Cosmopolitan. However, no such confirmation existed, and soon the official label was added marking the content as AI-generated. 

Celebrity rumors already spread quickly online. Add generative AI to the mix, and fabricated images can travel even faster. 

While a fake celebrity wedding photo may seem harmless, the same technology can easily be used in more serious ways. 

AI-generated visuals are already being used to create: 

• Fake celebrity endorsements 
• Fabricated news events 
• Scam ads featuring public figures 
• Fraudulent investment promotions 

The line between real and synthetic content is getting harder to spot. 

How to Spot Potential AI Images 

If a viral image seems surprising or dramatic: 

• Check whether credible news outlets or verified accounts are reporting it 
• Look for visual inconsistencies in hands, text, or background details 
• Reverse image search the photo to see where it first appeared 
• Verify through official sources before sharing 

When something looks shocking online, that’s often exactly why it spreads. McAfee’s built-in Scam Detector can help you spot AI-generated audio and video. 

McAfee’s Safety Tips This Week 

A few simple habits can help reduce your risk across all three of these scenarios: 

• Be cautious when buying high-demand collectibles online 
• Never send money in response to threatening emails 
• Treat viral images and breaking celebrity news with healthy skepticism 
• Use strong, unique passwords and enable two-factor authentication 
• Verify surprising claims through trusted sources before reacting 

Scams today don’t always look like scams. They often look like exciting deals, urgent warnings, or AI depictions of people you trust. 

The best defense is slowing down before clicking, paying, or sharing. 

We’ll Be Back Next Week 

From collectible card fraud to email extortion campaigns and AI-generated viral content, the tactics scammers use may change, but the strategy is the same: manipulate emotion and urgency. 

Stay skeptical, verify before you trust, and we’ll be back next week with another breakdown of the scams making headlines, and what they mean for your security. 

The post This Week in Scams: Pokémon Card Cons, Email Extortion, and a Viral AI Wedding Photo appeared first on McAfee Blog.

Plus: A porn-quitting app exposed the masturbation habits of hundreds of thousands of users, Russian hackers are trying to take over people’s Signal accounts, and more.

A bipartisan bill would force the FBI to get a warrant to read Americans’ messages and ban the federal purchase of commercial data on US residents ahead of a critical April deadline.

Amid a paralyzing breach of medical tech firm Stryker, the group has come to represent Iran's use of “hacktivism” as cover for chaotic, retaliatory state-sponsored cyberattacks.

Meta removed 10.9 million Facebook and Instagram accounts linked to “criminal scam centers” last year, the company announced on Wednesday.

Tax season is a headache for many people, and when a shortcut promises to make filing easier, it’s hard to resist. This year, one of the newest trends is using AI chatbots like ChatGPT to help prepare tax returns.

According to new McAfee research, 30% of people say they plan to use an AI tool, such as ChatGPT, to help with their taxes, with younger adults leading the trend. 

At first glance, it makes sense. AI tools can explain confusing tax rules, summarize IRS forms, and answer questions instantly. 

But there’s an important line that should never be crossed: Do not enter your personal tax information into AI chatbots. 

That includes Social Security numbers, income records, home addresses, bank details, or anything else tied to your identity. 

Here’s why: 

Typing Your Tax Info Into a Chatbot Is Like Posting It Online 

Think about it this way: when you type something into an AI chatbot, you’re sending that information over the internet to a system that processes and stores data. 

In practical terms, entering sensitive information into an AI tool is similar to typing it directly into a search engine or submitting it to an online form. 

Once it leaves your device, you lose direct control over where it travels and how it may be stored. 

Even companies with strong security protections are transparent about this risk. 

OpenAI’s privacy documentation explains that they use encryption and strict access controls to protect user data. However, they also note that no internet transmission or digital storage system can be guaranteed completely secure. 

This is true across the internet, not just for AI tools.  

Even Secure Systems Can Experience Breaches 

Security incidents can happen anywhere online, including companies with robust security programs. 

For example, in late 2025, OpenAI disclosed a security incident involving a third-party analytics provider called Mixpanel. The breach occurred within the vendor’s systems, not OpenAI’s infrastructure, but some limited user profile data associated with the platform was exposed. 

According to OpenAI’s disclosure, the data involved information such as: 

• Names associated with accounts 
• Email addresses 
• Approximate location data 
• Browser and device information 

Importantly, chat content, passwords, payment information, and government IDs were not exposed in that incident. 

But the event highlights a broader cybersecurity reality: 

Even when a company takes strong security precautions, third-party services, vendors, and other parts of the digital ecosystem can still introduce risk. 

That’s why cybersecurity experts recommend limiting what personal information you share online whenever possible. 

Why Tax Data Is Especially Dangerous to Share 

Tax information is one of the most valuable targets for cybercriminals. 

If scammers obtain the details commonly found in tax filings, they may be able to: 

• Commit tax refund fraud 
• Open financial accounts in your name 
• Conduct identity theft 
• Launch highly personalized phishing attacks 

Tax returns typically include multiple pieces of highly sensitive data, including: 

• Social Security numbers 
• Home addresses 
• Employer and income information 
• Banking details for refunds 
• Family member information 
• Entering these details into any tool outside of a secure tax platform significantly increases risk. 

Safer Ways to File Your Taxes 

Instead of relying on AI chatbots for filing, stick with trusted tax preparation options designed to securely handle sensitive data: 

• Official tax software platforms 
• Licensed tax professionals 
• IRS-approved free filing services 

These systems are specifically built with compliance, encryption, and identity verification in mind. 

AI tools can be incredibly useful for learning and research. But they are not secure tax filing platforms. 

If you wouldn’t feel comfortable posting your Social Security number publicly online, you shouldn’t paste it into a chatbot either. When it comes to taxes, the safest rule is simple: Use AI for advice, not for your personal data. 

The post Using an AI like ChatGPT to File Your Taxes? Stop and Read This First appeared first on McAfee Blog.

Department of Homeland Security leaders removed top privacy officers who objected to mislabeling government records to block their public release, WIRED has learned.

Delivery apps are glitching and navigation routes are changing abruptly thanks to electronic warfare disrupting the satellite signals that power everything from missiles to your ride home.

We’re back with another roundup of must-know scams and cybersecurity news making headlines this week, including a scam that features the name of the Jim Carrey movie, The Truman Show.

Let’s break it down. 

Why Reports Call it the “Truman Show” Scam 

So, why the name of this scam?

In the 1998 film The Truman Show, the main character unknowingly lives inside a staged reality TV world where everything around him is carefully controlled. In the “Truman Show” scam, criminals try to place victims into a similarly staged investment environment, complete with fake group chats, fake investors, and fake profits designed to build trust. It doesn’t actually have anything to do with the movie.

What is the “Truman Show” Scam?

The “Truman Show” scam is an AI-powered investment scam where criminals create an entire fake online community to convince victims an investment opportunity is real. 

According to reports, scammers invite people into group chats on platforms like Telegram or WhatsApp that appear full of investors sharing tips and celebrating profits. In reality, many of the participants, moderators, and conversations may be run by AI bots designed to simulate a lively trading community. 

Security researchers say the moderator and the other “investors” in the group may actually be AI-driven bots, programmed to simulate real conversations and enthusiasm around the investment strategy. 

The scam often includes: 

• A group chat on Telegram or WhatsApp 
• A downloadable trading app or website 
• Screenshots showing fake profits 
• Encouragement from “other members” to invest more 

The app itself may appear legitimate. But in reality, it often redirects users to a malicious website where scammers collect personal and financial information. 

Once victims deposit money, the criminals can quickly drain accounts or block withdrawals. 

McAfee’s State of the Scamiverse research shows just how convincing scams have become. One in three Americans (33%) say they feel less confident spotting scams than they did a year ago, as criminals increasingly use polished branding, realistic conversations, and AI-generated content to make fraudulent opportunities look legitimate. 

Why this works: people naturally trust social proof. When it looks like dozens of other investors are making money, people lower their skepticism.  

Fake Government Letters Are Targeting Residents Across Towns 

Another scam to be aware of this week includes spoofed letters impersonating local government offices.

According to reporting from WGME in Maine, residents in multiple towns recently received official-looking notices requesting payment for supposed municipal fees tied to development applications. 

The letters appeared convincing. They used formal language, official seals, and department names. But there was a problem. 

One of the notices claimed it came from a “Board of Commissioners,” even though the town in question does not have one. 

Officials say the letters instructed recipients to send payments by wire transfer, a method legitimate government offices almost never use for these kinds of transactions. 

McAfee’s experts say these scams are effective because they rely on volume. Fraudsters send thousands of letters hoping a small percentage of recipients will respond before verifying the request. And remember, these types of scams occur all the time and across the globe. While today’s reports are in Maine, it’s important to be vigilant wherever you live. 

Red flags to watch for: 

• Requests for wire transfers, gift cards, or crypto payments 
• Pressure to pay quickly to avoid penalties 
• Official-looking letters with subtle inconsistencies 
• Contact information that doesn’t match the official government website 

The safest move is simple: verify the request independently. Contact the government office directly using phone numbers listed on its official website, not the ones in the letter. 

LexisNexis Confirms Data Breach After Hackers Leak Files 

Meanwhile, a well-known data analytics company is dealing with a breach after hackers published stolen files online. 

According to BleepingComputer, LexisNexis Legal & Professional confirmed that attackers accessed some of its servers and obtained limited customer and business information. The confirmation came after a hacking group leaked roughly 2GB of stolen data on underground forums. 

LexisNexis says the compromised systems contained mostly older or “legacy” data from before 2020, including: 

• Customer names 
• User IDs 
• Business contact information 
• Product usage details 
• Support tickets and survey responses 

The company says highly sensitive financial information, Social Security numbers, and active passwords were not part of the exposed data. 

However, attackers claim they accessed millions of database records and hundreds of thousands of cloud user profiles tied to the company’s systems. 

LexisNexis says it has contained the intrusion and is working with cybersecurity experts and law enforcement. 

Why breaches like this matter: even when the stolen data appears limited, it can still be used in targeted phishing attacks. 

For example, scammers might use real names, email addresses, or business roles to send convincing messages that appear legitimate. 

Breaches often trigger waves of follow-up scams weeks or months later. (We know we cover this one a lot, but it’s key to remember!) 

McAfee’s Safety Tips This Week 

A few simple habits can make these schemes much easier to spot. 

• Be skeptical of investment groups online. Real trading communities rarely pressure you to deposit money quickly or download unfamiliar apps. 
• Verify government payment requests independently. If you receive a letter demanding payment, contact the agency directly using information from its official website. 
• Treat breach-related messages cautiously. After a breach makes headlines, phishing emails often follow pretending to offer “account verification” or “security updates.” 
• Avoid clicking unfamiliar links in emails or texts. Tools like McAfee’s free WebAdvisor can help flag risky websites and block known malicious pages before they load. 
• Pause before sending money or personal information. Many scams rely on urgency. Slowing down gives you time to verify what’s real.

We’ll be back next week with another roundup of the scams and cybersecurity news making headlines and what they mean for your digital safety. 

The post This Week in Scams: The AI “Truman Show” Scam Draining Bank Accounts appeared first on McAfee Blog.

Plus: Proton helped the FBI identify a protester, the Leakbase cybercrime forum was busted in an international operation, and more.

Iran’s internet shutdown has reduced connectivity by 99 percent, with air strikes likely causing additional outages, and few workarounds remaining.

Frustrated by fragmented war news, Anghami’s Elie Habib built World Monitor, a platform that fuses global data, like aircraft signals and satellite detections, to track conflicts as they unfold.

A pair of US lawmakers are calling for an investigation into how easily spies can steal information based on devices’ electromagnetic and acoustic leaks—a spying trick the NSA once codenamed TEMPEST.

A highly sophisticated set of iPhone hijacking techniques has likely infected tens of thousands of phones or more. Clues suggest it was originally built for the US government.

John C. isn’t the person you picture getting scammed. 

He’s 36. He’s tech-savvy. He’s a mechanical engineer leading a team at a national energy lab in Denver. And he told us his story for one reason: “Scammers will target anyone.” 

It began with a phone call from someone claiming to be the IRS. They said John had underpaid his taxes and needed to resolve it quickly. The caller sounded polished and convincing, so convincing that John didn’t stop to question it. 

“I thought maybe they sent back too much money [in my refund], and they needed it back,” he said. “I was just so busy and overwhelmed that I never really stopped to think about the situation.” 

A follow-up email arrived with IRS logos, clean formatting, and a big payment button. John was trying to move fast between classes as he finished up his PhD, and he wanted to correct the situation as quickly as possible. 

“I was like, let me just hurry up and do this, get it over with.” 

He clicked. He paid. But later, when he checked his statement, he saw the charge didn’t look like an IRS payment at all. In fact, it was an international charge. The whole thing was a scam. 

John said the scammer on the phone had appealed to his emotions and been incredibly convincing.  

“It was absolutely masterful,” John said. “I would give him an Oscar for it. 

And new McAfee research shows John isn’t alone, with nearly 1 in 4 (23%) US adults surveyed revealing they’ve lost money to a tax scam.  

Key findings from McAfee’s 2026 Tax Season Survey 

Here’s what our January 2026 survey of 3,008 U.S. adults found: 

The big picture: lots of worry, not enough confidence 

• 82% of Americans say they’re concerned about tax fraud this season. 
• 67% say they’re seeing the same or more tax scam messages than last year. 
• 40% say tax scam messages are more sophisticated than last year. 
• 84% are concerned about AI making tax scams more realistic. 
• Only 29% say they’re very confident they could spot a deepfake tax scam. 

How often scams are reaching people 

• 34% say they’ve been contacted by someone claiming to be the IRS or another tax authority (phone, text, or email). 
• 38% say they’ve been asked to click a link or send payment related to a “tax issue.” 
• Common asks include SSNs (15%), birth dates (11%), addresses (10%), “you owe back taxes” pressure (9%), and banking details (8%). 

Who is getting hit hardest 

• Nearly 1 in 4 Americans (23%) say they’ve fallen for a tax scam. 
• Young adults report the highest exposure: 42% of 18–24-year-olds say they’ve fallen for at least one tax scam. 
• 11% of Americans report tax-related identity theft, rising to 17% among ages 25–34. 

The money is real 

• Among people who say they’ve fallen for a tax scam, the average loss is $1,020. 
• Separately, nearly 1 in 5 Americans say they’ve lost money to a tax scam. 

Tax filing is increasingly digital (and that changes the risk) 

• 55% say they file taxes online (software or IRS Free File). 
• 75% say they receive refunds or pay taxes electronically (direct deposit, cards, apps, EFTPS, etc.). 
• 30% say they plan to use an AI tool (like ChatGPT) to help prepare taxes, especially younger adults. This is highly dangerous, even with platform security protections. For example, if an AI tool were compromised in a data breach, user messages with personal tax information (like social security numbers, home address, and more) could be made public.  

Tax Scams Now Hit Year-Round, McAfee Labs Finds 

In addition to our consumer survey findings, McAfee Labs analyzed malicious URLs, apps, texts, and emails in the months leading up to filing season. 

The major takeaway: tax scams don’t wait for April. 

Scam activity began climbing as early as November and has again continued building steadily into 2026. 

Between September 1, 2025, and February 19, 2026, McAfee Labs identified 1,468 malicious or suspicious tax-themed unique domains, an average of 43 new fake tax websites every day. 

In early November 2025 alone, the average number of new tax-themed malicious domains nearly doubled in just over a week. After a brief dip in late December, activity resumed climbing into February, a pattern we expect to intensify as the April filing deadline approaches. 

 

Fake IRS Websites Are A Major Threat 

Scammers are rapidly creating lookalike IRS domains that mimic official government URLs.  

They use small changes, extra letters, added words, subtle misspellings, to trick taxpayers into believing they’re on a legitimate IRS site. 

Examples include domains that insert additional text around “irs.gov” or add misleading subdomains designed to pass a quick glance. 

These fake portals are used to: 

• Steal login credentials 
• Harvest Social Security numbers and tax IDs 
• Capture payment details 
• Charge bogus “processing fees” 

In some cases, these sites don’t just steal, they overcharge. 

McAfee Labs observed scam services offering to file for an EIN (Employer Identification Number), something the IRS provides for free, and charging as much as $319 for it. 

Example of a scam website we found charging for an EIN. 

The official IRS website explicitly warns: you never have to pay a fee to obtain an EIN. 

Other scam sites misuse legitimate policy terms, like the “Fresh Start Initiative,” to harvest personal data and enroll victims in aggressive robocall and marketing campaigns. 

Tax scams don’t always steal outright. Sometimes they monetize confusion. 

How a Typical Tax Scam Unfolds 

Most tax scams aren’t one single message. They’re a sequence, designed to make you panic, click, and comply. 

Below is the common playbook, plus the red flags that show up repeatedly. 

*Note: Scammers may swap the details like AI voice, fake IRS videos, cloned websites, or impersonating tax software, but the pattern stays familiar. 

Step	What happens	Red flags you’ll see at this step	Red flags that are true every time	What to do instead
1) The hook	You get a call, text, or email claiming there’s a tax issue (refund problem, underpayment, verification needed).	Message arrives out of nowhere, often during busy hours; “final notice” language; spoofed caller ID.	Unexpected contact + urgency.	Don’t engage. Pause. Go directly to IRS.gov or your tax provider’s official site (type it in).
2) The authority move	They lean hard on being “the IRS” or “state tax authority,” sometimes with personal details.	They sound polished; may use AI voice cloning; may cite a “case number.” Fake or meaningless case numbers are very common.	They want you to trust the title, not verify the source.	Ask for written notice and time. Real tax issues can be verified through official channels.
3) The link	They send a link to a “secure portal” or “refund page.”	Lookalike website, subtle misspellings, weird domain, shortened link, email button that says “Pay Now.”	They’re trying to pull you off official channels.	Never click the link. Navigate to the real site yourself. If unsure, delete it.
4) The data grab	The site (or “agent”) asks for SSN, banking info, login credentials, or details from a prior return.	Requests that are broader than needed; “verify identity” prompts; form fields that feel too invasive.	They want sensitive info fast.	Stop. Don’t type anything. If you already did, assume it’s compromised and act quickly (see next section).
5) The payment push	They demand payment to “avoid penalties,” “release your refund,” or “resolve a mistake.”	Gift cards, crypto, wire transfers, payment apps; pressure to pay today; threats.	Urgency + unusual payment method.	The IRS does not demand immediate payment via text/social, and doesn’t require gift cards or crypto. Verify independently.
6) The escalation	If you hesitate, they intensify: threats, “law enforcement,” or AI video/audio that “proves” it’s real.	Deepfake IRS video, intimidating language, “you’ll be arrested,” “your license will be revoked.”	Fear is the product.	Hang up. Save evidence. Talk to a trusted person. Contact official support through verified numbers.
7) The aftermath	You realize it was a scam—often after noticing a strange charge or login activity.	Charges from odd merchants; new accounts; IRS account alerts; failed tax filing due to “duplicate return.”	Shame keeps people quiet—scammers count on that.	Report it and protect your identity right away. You’re not alone, and it’s not your fault.

Key point: A message can look “official” and still be fake. AI is making scam language smoother and scams more believable. The safest habit is simple: slow down, and verify using official sources you navigate to yourself. 

What to do if you’ve been involved in a tax scam 

First: take a breath. Scams are designed to trick you, especially when you’re overwhelmed, rushed, or just trying to fix a problem quickly. 

John said it plainly: “Don’t be embarrassed. It does happen. It’s common… they will target anyone.” 

And he’s right. The most important thing is what you do next. 

1) Stop the bleeding: cut off contact 

• Stop replying 
• Don’t click anything else 
• Don’t send more information or money 

2) Capture proof (before it disappears) 

Take screenshots and save: 

• Phone numbers, email addresses, usernames 
• The message content 
• Links (don’t click them, just copy) 
• Payment receipts and transaction IDs 

3) Lock down your accounts (especially email) 

If a scammer gets into your email, they can reset passwords for everything else. 

Do this today: 

• Change your email password first, then banking/tax accounts 
• Turn on two-factor authentication (2FA) 
• If you reused passwords anywhere, change those too 

Important: If you clicked a suspicious link, downloaded a file, or gave someone remote access to your computer, make sure you use a different, trusted device (like your phone or another computer) to change passwords. Why? If a scammer installed malware or has access to your computer, they may be able to see all of your brand-new passwords as you’re making them. 

Tip: A password manager like McAfee’s can help you create strong, unique passwords quickly, without having to memorize them all. 

4) Check for identity theft signals 

Tax scams often turn into identity theft. Watch for: 

• IRS notices about a return you didn’t file 
• Trouble e-filing because a return was already submitted 
• Alerts about a new IRS online account you didn’t create 

If you suspect tax-related identity theft: 

• Consider filing an IRS identity theft report (commonly done with IRS Form 14039, Identity Theft Affidavit). 
• Create or log into your IRS account periodically to review account activity (John now does this every few months). 

McAfee’s Identity Monitoring can help restore your sense of security and privacy online.  

5) Report it (even if you feel weird about it) 

Reporting helps you and helps stop the next person from getting hit. 

Common reporting options include: 

• FTC report: Report scams and identity theft at the FTC’s reporting site. 
• IRS phishing email: If you received a scam email posing as the IRS, you can forward it to phishing@irs.gov. 
• Your bank or card provider: If you paid, contact them immediately. Even if recovery isn’t guaranteed, speed matters. 

6) Clean up your digital footprint 

Scammers don’t just use what you give them. They also use what they can look up. 

Removing your personal details from risky data broker sites can reduce how easily scammers can target you again. Tools like Personal Data Cleanup can help you identify where your information is exposed and guide removal. 

7) Add protection for the next attempt 

Tax season scams often come in waves, especially if scammers think your info is “good.” 

Helpful layers include: 

• Web protection to warn you about risky links and lookalike sites before you enter info – get our free WebAdvisor download here 
• Scam detection that can flag suspicious messages 
• Identity monitoring to alert you if key personal info shows up in risky places 
• Run a free antivirus scan to check your device for malware or unwanted programs (especially if you clicked a link or downloaded anything) 

The key takeaway 

Tax season creates the perfect storm: time pressure, sensitive data, and a lot of official-looking communication. 

Our research shows most people are worried, and for good reason. Scammers are getting more convincing, and AI is raising the bar on what “real” looks and sounds like. 

“Tell your friends, tell your family,” John said. “Everyone I know at some point has heard this story, and it might just prevent someone from losing… thousands of dollars.” 

If you remember just three things this season, make them these: 

1. Pause before you click. 
2. Verify through official channels you navigate to yourself. 
3. If something happens, act quickly, and don’t blame yourself. 

The post Tax Scams Hit Nearly 1 in 4 Adults. Spot the Red Flags appeared first on McAfee Blog.