Login
Losing your phone or having it stolen can feel like a nightmare, especially when you consider the treasure trove of personal information stored on your device. From banking apps and email accounts to social media profiles and payment methods, smartphones contain virtually our entire digital lives. When a criminal or pickpocket gains access to your phone, they potentially have the keys to your identity, finances, and online presence. However, acting quickly and methodically can help minimize the risks and protect you from identity theft and financial fraud.
The reality is sobering, criminals with access to your phone can make unauthorized purchases, hack into your accounts, and even steal your identity to open new credit lines in your name. But by following these nine critical steps immediately after discovering your phone is missing, you can significantly reduce the potential damage and protect your most sensitive information.
Before taking any drastic measures, start with the obvious: try calling your phone from another device. You might hear it ring nearby, or someone who found it might answer and be willing to return it. If this doesn’t work, turn to your phone’s built-in tracking capabilities.
For iPhone users, Apple’s Find My service allows you to see your device’s location on a map, play a sound to help locate it, and even view its last known location if the battery has died. Android users can access Google’s Find My Device with similar functionality. Both services can be accessed from any computer or other device by logging into your Apple or Google account. These tracking tools not only help you locate your phone but also provide remote control options that become crucial if recovery seems unlikely.
If you can’t physically retrieve your phone or suspect it’s in the wrong hands, immediately lock it remotely. This creates an additional barrier between a potential thief and your personal information, preventing access to your apps, messages, emails, and saved payment methods.
Both iPhone and Android devices offer remote locking capabilities through their respective tracking services. You can also set a custom message to display on the lock screen with your contact information, which could help if someone honest finds your phone and wants to return it. For iPhone users, this means accessing iCloud.com or using the Find My app on another Apple device, selecting your lost phone, and choosing “Mark as Lost.” Android users can visit android.com/find, select their device, and choose “Secure Device” to lock it and display a custom message.
While law enforcement may not actively search for your stolen phone, filing a police report creates an official record that can prove invaluable if you need to dispute fraudulent charges or deal with insurance claims. When you visit your local police department, bring as much information as possible about when and where your phone was lost or stolen.
Having your phone’s IMEI number (International Mobile Equipment Identity) or serial number available will strengthen your report. You can usually find these numbers in your phone’s settings, on the original packaging, or through your carrier’s account portal. This documentation becomes particularly important if criminals use your phone to commit further crimes or if you need to prove to financial institutions that fraudulent activity resulted from theft.
Your next call should be to your mobile carrier to suspend service on your stolen or lost device. This prevents unauthorized calls, texts, or data usage that could result in unexpected charges on your bill. More importantly, it helps protect your account from being hijacked or used to access two-factor authentication codes sent to your number.
Most major carriers can also blacklist your stolen device, making it much harder for thieves to use even if they manage to bypass the screen lock. When you contact your carrier, ask about temporary suspension options if you’re still hoping to recover your phone, or proceed with permanent cancellation if you’re ready to move to a replacement device. Many carriers also offer insurance programs that may help cover the cost of a replacement phone.
Even with remote locking enabled, sophisticated criminals may find ways to access your stored information. This makes securing your online accounts one of the most critical steps in protecting yourself from identity theft. Your phone likely has saved passwords, active app sessions, and stored payment information that could be exploited.
Start by changing passwords for your most sensitive accounts, particularly email, banking, and financial services. Focus on creating strong, unique passwords that would be difficult for criminals to guess. McAfee’s Password Manager can secure your accounts by generating and storing complex passwords and auto-filling your info for faster logins across devices. Next, remotely sign out of all apps and services that were logged in on your stolen device. Most major platforms, including Google, Apple, Microsoft, and social media sites, offer account security settings where you can view active sessions and log out of all devices remotely. This step is crucial because it prevents thieves from accessing your accounts even if they bypass your phone’s lock screen.
Consider this an opportunity to enable two-factor authentication on accounts that support it, adding an extra layer of security for the future. While you’re at it, monitor your online and financial accounts closely for any suspicious activity, unauthorized transactions, or login attempts from unfamiliar locations.
Your stolen phone likely contains mobile payment apps like Apple Pay, Google Pay, or individual retailer apps with stored credit card information. Criminals can potentially use these payment methods to make unauthorized purchases, so removing them quickly is essential for protecting your finances.
For Apple Pay users, marking your device as lost through Find My iPhone will automatically suspend Apple Pay on that device. Alternatively, you can manually remove payment methods by signing into your Apple ID account at appleid.apple.com, selecting your lost device, and choosing to remove all cards. Google Pay users should visit payments.google.com, navigate to payment methods, and remove any cards linked to the compromised device.
Don’t stop there – contact your bank or credit card issuer directly to alert them about the potential for fraud. They can freeze or cancel the cards linked to your mobile payment apps and monitor for any suspicious transactions. Review your recent statements carefully and report any charges that weren’t made by you. Most financial institutions have straightforward fraud dispute processes and will work quickly to resolve unauthorized transactions.
When all hope of recovering your phone is lost, remote data erasure becomes your final line of defense against identity theft. This nuclear option wipes all stored data, settings, media, and personal information from your device, ensuring that criminals can’t access your photos, contacts, passwords, financial information, or any other sensitive data.
Both iPhone and Android devices offer comprehensive remote wipe capabilities through their respective tracking services. For iPhone users, this means accessing Find My and selecting “Erase iPhone,” which will restore the device to factory settings and remove all personal information. Android users can accomplish the same thing through Find My Device by selecting “Erase Device.”
Keep in mind that once you erase your phone remotely, you’ll lose the ability to track it further, so make sure you’ve exhausted all other options first. However, the peace of mind that comes from knowing your personal information can’t be accessed often outweighs the slim chance of recovery.
Criminals with access to your phone may attempt to exploit your personal relationships by impersonating you in messages or calls to your contacts. They might send urgent requests for money, ask for sensitive information, or attempt to trick your friends and family into various scams using your trusted identity.
Reach out to your closest contacts through alternative communication methods to warn them that your phone has been compromised. Let them know to be suspicious of any unusual requests coming from your number and to verify your identity through a different channel if they receive anything questionable. This proactive step can prevent your loved ones from becoming secondary victims of the crime.
Once you’ve accepted that your phone is truly gone, it’s time to focus on getting back online securely. Check with your mobile carrier about replacement options, as some plans include insurance coverage that can significantly reduce the cost of a new device. Even if you don’t have insurance, carriers often offer payment plans for replacement phones.
When you get your new device, you’ll be able to restore your data from cloud backups like iCloud or Google Drive. This is why maintaining regular automatic backups is so important – they ensure you don’t lose photos, contacts, app data, and other important information permanently. During the setup process, take the opportunity to review and strengthen your security settings based on what you’ve learned from this experience.
The theft of your phone represents just one potential pathway to identity theft, but it’s often one of the most impactful because of how much personal information our devices contain. While following the steps above can help minimize immediate damage, comprehensive protection requires ongoing vigilance and professional monitoring services.
McAfee’s Identity Protection offers multiple layers of defense that can alert you to potential identity theft before it becomes a major problem. Through comprehensive identity monitoring, McAfee identifies your personal information across the dark web and various databases, providing early warnings when your data appears in places it shouldn’t. This includes monitoring of social security numbers, government IDs, credit card numbers, bank account details, email addresses, and phone numbers – often alerting users up to 10 months earlier than similar services.
The credit monitoring component keeps watch over changes to your credit score, reports, and accounts, sending timely notifications when new accounts are opened, credit inquiries are made, or suspicious activity is detected. This early warning system can help you catch identity thieves before they cause significant financial damage. Perhaps most importantly, if you do become a victim of identity theft in the U.S., McAfee provides up to $2 million in identity theft coverage and restoration support for select McAfee+ plans.
While no one plans to have their phone stolen, taking preventive measures can significantly reduce the potential impact if it happens to you. Enable device tracking features like Find My or Find My Device before you need them, and make sure you know how to access these services from other devices. Use a strong passcode or biometric authentication that would be difficult for thieves to guess or bypass quickly.
Consider adding a PIN to your SIM card to prevent thieves from removing it and using it in another device. Maintain regular automatic backups to cloud services so you won’t lose important data permanently if your phone disappears. Most importantly, review and limit the amount of sensitive information you store directly on your device and consider using additional authentication methods for your most critical accounts.
Record your phone’s IMEI number and serial number in a safe place where you can access them if needed for police reports or insurance claims. These small preparatory steps can save significant time and stress if the worst happens.
Phone theft is just one of many ways criminals can gain access to your personal information and identity. In our interconnected digital world, comprehensive protection requires a multi-layered approach that goes beyond device security. Data breaches at major companies, phishing attacks, social engineering scams, and various online threats all pose risks to your identity and financial well-being.
This is where integrated protection services like McAfee+ become invaluable. Rather than trying to manage multiple security concerns separately, comprehensive identity and device protection provides peace of mind through continuous monitoring, early warning systems, and professional restoration support when things go wrong. The goal isn’t just to react to problems after they occur, but to prevent them from happening in the first place and to minimize their impact when prevention isn’t enough.
Having your phone stolen is stressful enough without worrying about the long-term consequences for your identity and finances. By following these nine essential steps quickly and methodically, you can significantly reduce the potential damage and protect yourself from becoming a victim of identity theft. Remember, the key is acting fast – every minute counts when it comes to protecting your digital life from criminals who might have gained access to your most personal information.
The post What to Do if Your Phone is Stolen or Lost: 10 Steps to Protect Your Identity appeared first on McAfee Blog.
As another school year begins, the digital landscape our children navigate has become increasingly complex. With artificial intelligence tools now readily available and social media platforms evolving rapidly, considering creating a family technology pledge has never been more crucial, or more challenging.
Gone are the days when we simply worried about screen time limits. Today’s parents must address everything from AI-assisted homework to the growing threat of deepfake cyberbullying. The technology shaping our kids’ lives isn’t just about phones and social media anymore—it’s about preparing them for a world where artificial intelligence is reshaping how they learn, communicate, and express themselves.
Recent research from the Pew Research Center shows that 26% of students aged 13-17 are using ChatGPT to help with their assignments, double the number from 2023. Meanwhile, surveys reveal that between 40 and 50 percent of students are aware of deepfakes being circulated at school. These statistics underscore a reality many parents aren’t prepared for: our children are already immersed in an AI-powered world, whether we’ve given them permission or not.
The key to successful digital parenting in 2025 isn’t necessarily about banning technology—it’s about having intentional, educational conversations that prepare our children to use these powerful tools responsibly. We need to acknowledge that technology is here to stay, so the best thing we can do is accept it’s here, educate our kids on how to use it safely, and introduce boundaries and rules to help keep them protected.
For any pledge to be effective, lasting, and conflict-free, we need to shift the focus from simply setting rules to creating an open, constructive dialogue that helps all family members use technology in healthy ways. The most successful technology pledges are created collaboratively, not decided without collaboration. This ensures everyone feels included and that the guidelines reflect your family’s unique needs and values.
The most important consideration in tailoring a pledge to your kids’ ages and maturity levels, and to your family’s schedule. There’s no point making pledges that don’t reflect your children’s actual technology use or your family’s realistic expectations. Remember, this is about starting conversations and creating a framework for ongoing dialogue, not a rigid set of rules that’s destined to fail.
One of the biggest changes in recent years is the need to address AI tools like ChatGPT, Claude, and other learning platforms. Rather than trying to catch assignments written by AI, many schools are now launching programs that include AI Learning Modes, recognizing that these tools can be valuable when used appropriately.
The benefits of AI assistance in education are significant and shouldn’t be ignored. AI can serve as a personalized tutor, explaining complex concepts in multiple ways until a student understands. It can help students with learning differences access the curriculum more effectively, and students working in a second language can use these tools to level the playing field. When used properly, AI can enhance critical thinking by helping students explore different perspectives on topics and organizing their thoughts more clearly.
However, the risks of over-reliance on AI are equally real and concerning. New research has shown that overreliance on AI might erode our ability to think critically, and critical thinking skills are essential for success in the real world. Students may become dependent on AI for basic problem-solving, missing opportunities to develop their own analytical skills and unique voice. Academic integrity concerns arise when AI does the work instead of supporting learning, potentially undermining the entire educational process.
Your family technology pledge should address these nuances.. Children should understand that they will use AI tools to enhance their learning, not replace it. This means always disclosing when they’ve used AI assistance on assignments, using AI to explain concepts they don’t understand while still working through problems themselves, and never submitting AI-generated work as their own original thinking. They should learn to ask AI to help with organizing thoughts, not creating them, and use AI to check their work for errors while ensuring the ideas and solutions remain their own.
The rise of AI-generated content has created unprecedented risks for students, particularly regarding deepfake technology. Research shows that girls are most often targeted by deepfake images, and for victims, the emotional and psychological impact can be severe and long-lasting. What’s particularly alarming is that one photo posted online is all that’s needed to create a deepfake, making this a potential risk for every student.
Parents should help their children become mindful of what photos they share on social media, understanding that any image could potentially be misused. Children must understand that they should never participate in group chats or conversations where deepfakes are being shared, even passively. They need to recognize that creating deepfakes of others, even as a “joke,” can cause serious psychological harm and that possession of manipulated sexual imagery involving minors is illegal.
Creating a family technology pledge isn’t about limiting your child’s potential—it’s about empowering them to navigate an increasingly complex digital world safely and ethically. The emergence of AI tools and deepfakes is forcing families to have important conversations about ethics, empathy, and responsibility that previous generations never had to consider.
The goal isn’t to create a perfect document that anticipates every possible scenario. Instead, it’s to establish a foundation for ongoing dialogue about how technology can enhance rather than detract from your family’s values and your child’s growth into a thoughtful, responsible digital citizen. To help parents and guardians start discussions, we’ve created a first draft Technology Pledge that you can use to start a discussion with your family. Click here to download McAfee’s Technology Pledge
The digital landscape will continue to evolve, but the fundamental principles of kindness, honesty, and critical thinking remain constant. By creating a thoughtful technology pledge and maintaining open dialogue about digital challenges, you’re giving your child the tools they need to thrive in whatever technological environment they encounter. Start the conversation today. Your child’s digital future depends on it.
The post How to Create a Family Technology Pledge appeared first on McAfee Blog.
October marks Cybersecurity Awareness Month, and this year’s message couldn’t be clearer: small actions can make a big difference in your online safety. As cyber threats continue to evolve and become more sophisticated, the importance of taking proactive steps to protect yourself, your family, and your personal information has never been greater.
The 2025 theme, “Secure Our World,” focuses on simple yet powerful steps that anyone can implement to boost their digital security. At the heart of this year’s campaign are the “Core 4” essential practices that form the foundation of good cybersecurity habits. These four pillars represent the most impactful actions you can take to strengthen your digital defenses without requiring technical expertise or significant time investment.
The Core 4 principles serve as your digital security roadmap. Using strong passwords paired with a reliable password manager eliminates one of the most common vulnerabilities that cybercriminals exploit. When every account has a unique, complex password, a breach of one service doesn’t compromise your entire digital life.
Enabling multifactor authentication adds a crucial second layer of protection that makes unauthorized access exponentially more difficult. Even if someone obtains your password, they would still need access to your phone or authentication app to breach your accounts. This simple step blocks the vast majority of automated attacks and significantly raises the bar for would-be intruders.
Keeping your software updated ensures that known security vulnerabilities are patched as soon as fixes become available. Cybercriminals often target outdated software because they know exactly which weaknesses to exploit. By maintaining current versions of your operating system, apps, and security software, you close these doors before attackers can walk through them.
The fourth pillar, recognizing and reporting scams, has become increasingly critical as fraudulent schemes grow more sophisticated and prevalent. Today’s scammers leverage artificial intelligence to create convincing fake emails, text messages, and even video content that can fool even cautious consumers.
The statistics paint a sobering picture of today’s threat landscape. According to McAfee’s comprehensive Scamiverse Report, 59% of people globally say they or someone they know has been a victim of an online scam, with Americans facing an average of 14+ scams per day. Between February and March 2025 alone, scam text volumes nearly quadrupled, with almost half using cloaked links to disguise malicious intent.
The burden on consumers is staggering. Americans spend an average of 93.6 hours per year – nearly two and a half work weeks, just reviewing messages to identify fakes. This represents 1.6 hours per week spent verifying whether communications are legitimate, a significant drain on time that could be spent on productive activities. The emotional toll is equally concerning, with 35% of people globally experiencing moderate to significant distress from scams, and two-thirds of people reporting they are more worried about scams than ever before.
What makes modern scams particularly dangerous is their increasing sophistication and alarming success rates. When scams do succeed, 87% of victims lose money, with financial losses often being substantial. According to the Scamiverse Report, 33% of scam victims lost over $500, while 21% lost more than $1,000, and 8% lost over $5,000. Most troubling is the speed at which these crimes unfold – 64% of successful scams result in money or information theft in less than one hour.
Young adults face particularly high risks, with 77% of people aged 18-24 having been scam victims – significantly higher than the global average. This demographic encounters an average of 3.5 deepfake videos daily, compared to 1.2 daily for Americans over 65. The pattern suggests that digital nativity doesn’t necessarily translate to better scam detection abilities.
Today’s cybercriminals have embraced artificial intelligence as a force multiplier for their fraudulent activities. The accessibility of deepfake creation tools has democratized sophisticated fraud techniques that were once available only to well-funded criminal organizations. For just $5 and in 10 minutes, scammers can create realistic deepfake videos using any of the 17 different AI tools tested by McAfee Labs.
The scale of this threat has exploded exponentially. North America has seen a staggering 1,740% increase in deepfakes over the past year, with over 500,000 deepfakes shared on social media in 2023 alone. Americans now encounter an average of 3 deepfake videos per day, yet confidence in detection abilities remains concerning – while 56% of Americans believe they can spot deepfake scams, 44% admit they lack confidence in their ability to identify manipulated content.
The platform distribution reveals where consumers are most at risk. Among Americans, 68% report encountering deepfakes on Facebook, followed by 30% on Instagram, 28% on TikTok, and 17% on X (formerly Twitter). Older adults appear particularly vulnerable on Facebook, with 81% of those 65+ encountering deepfakes on the platform.
Understanding these evolving threats requires more than awareness—it demands tools that can keep pace with rapidly changing criminal tactics. Traditional approaches that rely solely on user education and manual verification are no longer sufficient when facing AI-generated content that can fool even security-conscious individuals. The challenge becomes even greater when considering that repeat victimization is common, with 26% of scam victims falling victim to another scam within 12 months.
People are developing some detection strategies, but these manual methods have limitations. According to the Scamiverse Report, 40% of people look for over-the-top claims like unrealistic discounts, while 35% watch for distorted imagery or suspicious website links. Other detection methods include identifying images that seem too perfect (33%), generic audio (28%), and audio-lip sync mismatches (28%). However, only 17% use more advanced techniques like reverse image searches to verify content authenticity.
The same artificial intelligence that enables sophisticated scams can also serve as our defense against them. Advanced security solutions now use machine learning algorithms to analyze patterns, context, and content in real-time, identifying threats that would be impossible for humans to detect quickly enough. This technological arms race requires consumers to leverage AI-powered protection to match the sophistication of modern threats.
McAfee’s Scam Detector represents a significant advancement in consumer protection, using AI-powered detection to identify and alert consumers of scam texts, emails, and AI-generated audio in deepfake videos across multiple platforms and devices. This technology addresses the reality that manual detection methods, while useful, aren’t sufficient against the volume and sophistication of current threats. When people are spending nearly 94 hours per year just trying to identify fake messages, automated protection becomes essential for reclaiming both time and peace of mind. With scam detector, you can automatically know what’s real and what’s fake.
McAfee’s Scam Detector works across three critical communication channels: text messages, emails, and video content. For text message protection, the system monitors incoming SMS communications and alerts users to potentially dangerous content before they open suspicious messages. This proactive approach prevents the curiosity factor that often leads people to engage with scam content—total protection with no guesswork.
Email protection extends to major providers, including Gmail, Microsoft, Yahoo Mail, and more, with lightning-fast background scanning that identifies suspicious messages and provides clear explanations of the risks involved. This educational component helps users understand the specific tactics scammers employ, from urgency language to impersonation strategies.
The scam detection capability represents a unique advancement in consumer protection, using AI to detect deepfake audio and other manipulative media designed to impersonate trusted individuals or spread disinformation. This feature addresses the growing threat of fake celebrity endorsements, manipulated political content, and fraudulent investment pitches that leverage realistic-sounding audio content and is trained to identify AI-generated audio.
In February 2025, McAfee Labs found that 59% of deepfake detections came from YouTube, more than all other domains combined, reinforcing the platform’s role as a primary source of deepfake content. This data underscores the importance of having protection that works across the platforms where people naturally consume video content.
Effective cybersecurity extends beyond scam detection to encompass all aspects of digital life. Password management remains fundamental, as weak or reused passwords continue to be primary attack vectors. A quality password manager not only generates strong, unique passwords for every account but also alerts users when their credentials appear in data breaches.
Virtual private networks (VPNs) such as Secure VPN provide essential protection when using public Wi-Fi networks, encrypting internet traffic to prevent eavesdropping and man-in-the-middle attacks. This protection is particularly important for remote workers and travelers who frequently connect to untrusted networks.
Identity monitoring services watch for signs that personal information has been compromised or is being misused. McAfee’s Identity Monitoring services scan for data breach databases, monitor credit reports, and alert users to suspicious activity across various financial and personal accounts. Select plans of McAfee+, can provide up to $2M of identity theft coverage. Early detection of identity theft can significantly reduce the time and effort required for recovery. Our identity monitoring service can notify you up to 10 months sooner than similar services.
Device protection through comprehensive antivirus and anti-malware solutions remains crucial as cyber threats continue to target endpoints. Modern security suites use behavioral analysis and machine learning to identify previously unknown threats while maintaining system performance.
While technology provides powerful tools for protection, human judgment remains irreplaceable in maintaining security. Understanding common social engineering tactics helps consumers recognize when they’re being manipulated, even when automated systems might not detect a threat immediately.
Scammers frequently exploit emotions like fear, urgency, and greed to bypass rational decision-making. Messages claiming immediate action is required to avoid account closure, unexpected windfalls that require upfront payments, or urgent requests from family members in distress all follow predictable patterns that become easier to recognize with awareness and practice.
Verification through independent channels remains one of the most effective defense strategies. When receiving unexpected requests for money or personal information, contacting the supposed sender through a known, trusted method can quickly expose fraudulent communications.
Cybersecurity is most effective when it becomes a shared responsibility within families and communities. Parents can model good digital hygiene practices for their children while teaching age-appropriate lessons about online safety. Regular family discussions about recent scam trends and security practices help create an environment where everyone feels comfortable reporting suspicious activity.
Workplace security awareness programs extend protection beyond individual households to encompass professional environments where data breaches can have far-reaching consequences. Employees who understand their role in organizational security are more likely to follow proper protocols and report potential threats promptly.
Community education initiatives, often supported by local law enforcement and cybersecurity organizations, provide valuable resources for groups that might be particularly vulnerable to certain types of fraud, such as seniors targeted by tech support scams or small business owners facing ransomware threats.
The cybersecurity landscape will continue evolving as both threats and defenses become more sophisticated. Artificial intelligence will play an increasingly central role on both sides of this digital arms race, making advanced protection tools essential for ordinary consumers who lack specialized technical knowledge.
Integration between different security tools will likely improve, creating more seamless protection that works across all devices and platforms without requiring separate management interfaces. This consolidation will make comprehensive security more accessible to consumers who currently find managing multiple security solutions overwhelming.
Regulatory initiatives may also shape the future of consumer protection, potentially requiring stronger default security measures on devices and platforms while establishing clearer responsibilities for organizations that handle personal data.
Cybersecurity Awareness Month provides an excellent opportunity to evaluate and improve your digital protection strategy. Start by implementing the Core 4 practices: use strong passwords with a password manager, enable multifactor authentication on all important accounts, keep your software updated, and learn to recognize and report scams.
Consider comprehensive protection solutions that address multiple threat vectors simultaneously rather than relying on piecemeal approaches. Look for services that combine device protection, identity monitoring, scam detection, and privacy tools in integrated packages that work together seamlessly.
Remember that cybersecurity is an ongoing process rather than a one-time setup. Threats evolve constantly, requiring regular updates to both your tools and your knowledge. Stay informed about emerging threats through reliable sources and adjust your protection strategies accordingly. McAfee delivers smarter protection against evolving threats.
The digital world offers tremendous benefits for communication, commerce, education, and entertainment. By taking proactive steps to protect yourself and your family, you can enjoy these advantages while minimizing the risks that come with our increasingly connected lives. Small actions today can prevent significant problems tomorrow, making cybersecurity one of the most valuable investments you can make in your digital future.
The post Secure Your World This Cybersecurity Awareness Month appeared first on McAfee Blog.
Beth Hyland never imagined love would cost her $26,000. At 53, she considered herself cautious and financially aware. But when she matched with someone calling himself “Richard Dobb”, the whirlwind connection, late-night conversations, and promises of a future together felt genuine. What she didn’t realize was that she was being drawn into one of the most devastating and personal scams out there—romance fraud.
Beth and Richard’s connection quickly escalated. They weren’t “officially” engaged, but in her mind, they were planning a future together. Richard told her he had just completed a project in Qatar and needed to pay a translator to finalize things. The catch? He claimed he couldn’t access his funds unless he went in person to a bank branch in England.
That’s when the requests for money began.
Richard framed it as a temporary problem. If Beth could just help him raise the money, they’d be set. Wanting to support her partner, she took out a $15,000 loan and added another $5,000 in cash advances from her credit card.
When she asked how to send the money, he directed her to a cryptocurrency site.
Beth’s financial advisor became concerned. “I think you’re in a romance scam,” he told her. But Beth didn’t want to believe it.
“No,” she thought, “we’re in love. He wouldn’t do this to me.”
Her last message to Richard was desperate: “If you’re real, prove me wrong. Bring me my money, and maybe we’ll talk.”
She never heard from him again.
Romance scams are uniquely painful because they prey on trust, hope, and human connection. Beth said, “People would be surprised at how much this happens, how much it goes on.”
Like many victims, she wishes there had been a tool to fact-check the links, the stories, and the too-good-to-be-true excuses. That’s where technology like McAfee’s Scam Detector could have made all the difference, flagging suspicious links and warning her before thousands of dollars vanished.
Romance scams thrive on silence. Victims often feel embarrassed, but Beth wants her story out there.
“It would have been really good if there was technology where I could have checked these links to fact-check all of that,” she reflected.
Her experience is a reminder that scammers aren’t just after money—they target trust. By sharing her story, Beth hopes others will pause before sending money to someone they’ve never met in person. And with tools like McAfee’s Scam Detector, more people can spot the lies before love turns into loss.
The post “If You’re Real, Prove Me Wrong”: Beth’s Romance Scam Story appeared first on McAfee Blog.
Deshawn never thought he’d be the kind of person to fall for a scam. At 30, he was tech-savvy, careful, and always aware of the world around him. But one busy afternoon, a single text message changed everything. What looked like a routine delivery notification turned into a $420 lesson that convenience can be a scammer’s greatest weapon.“I thought this stuff only happened to older people.” That’s what Deshawn, 30, told us after a fake delivery text nearly drained his bank account. It all started on what he thought was just a busy day.
Deshawn was juggling errands when a text came through: a delivery company said his package was being held at a facility. To recover it, all he had to do was click the link.
Since he really was expecting packages, it felt routine. He tapped the link, entered his information, and moved on.
The next day, his bank flagged a transaction: $420 spent—in Jamaica. Deshawn had never been there. That’s when it clicked. The delivery text was a scam, and the fraudsters had his financial info.
“When I saw purchases hitting my card, I felt like an idiot,” Deshawn admitted. “I thought things like this only happened to older people.”
But scams don’t discriminate. Deshawn realized the very convenience he relied on—quick taps, fast responses—was exactly what scammers exploit.
“Even if you’re detail-oriented, even if you check all the boxes, it can happen to you,” he said.
Scammers count on assumptions. They count on younger people thinking they’re “too smart” or “too aware” to get tricked. But as Deshawn’s story shows, anyone can fall for a scam—especially when it looks like an everyday task, like recovering a package.
“It’s crazy how a device in your pocket and one tap can take your money,” Deshawn reflected. He wishes more people his age would share their experiences, so others wouldn’t let their guard down.
Final Word from Deshawn
“I used to laugh at the idea of being a scam target. Now I know it can happen to anyone. Sharing my story means maybe the next person will pause before they tap.”
The post A Fake Delivery Text Nearly Cost Deshawn Hundreds: His Scam Story appeared first on McAfee Blog.
Article tags
We’re standing at the threshold of a new era in cybersecurity threats. While most consumers are still getting familiar with ChatGPT and basic AI chatbots, cybercriminals are already moving to the next frontier: Agentic AI. Unlike the AI tools you may have tried that simply respond to your questions, these new systems can think, plan, and act independently, making them the perfect digital accomplices for sophisticated scammers. The next evolution of cybercrime is here, and it’s learning to think for itself.
The threat is already here and growing rapidly. According to McAfee’s latest State of the Scamiverse report, the average American sees more than 14 scams every day, including an average of 3 deepfake videos. Even more concerning, detected deepfakes surged tenfold globally in the past year, with North America alone experiencing a 1,740% increase.
At McAfee, we’re seeing early warning signs of this shift, and we believe every consumer needs to understand what’s coming. The good news? By learning about these emerging threats now, you can protect yourself before they become widespread.
Before we dive into the threats, let’s break down what we’re actually talking about when we discuss AI and its evolution:
Traditional AI: The Helper
The AI most people know today works like a very sophisticated search engine or writing assistant. You ask it a question, it gives you an answer. You request help with a task, it provides suggestions. Think of ChatGPT, Google’s Gemini, or the AI features on your smartphone. They’re reactive tools that respond to your input but don’t take independent action.
Generative AI: The Creator
Generative AI, which powers many current scams, can create content like emails, images, or even fake videos (deepfakes). This technology has already made scams more convincing by cloning real human voices and eliminating telltale signs like poor grammar and obvious language errors.
The impact is already visible in the data. McAfee Labs found that for just $5 and 10 minutes of setup time, scammers can create powerful, realistic-looking deepfake video and audio scams using readily available tools. What once required experts weeks to produce can now be achieved for less than the cost of a latte—and in less time than it takes to drink it.
Agentic AI: The Independent Actor
Agentic AI represents a fundamental leap forward. These systems can think, make decisions, learn from mistakes, and work together to solve tough problems, just like a team of human experts. Unlike previous AI that waits for your commands, agentic AI can set its own goals, make plans to achieve them, and adapt when circumstances change
Key Characteristics of Agentic AI:
Gartner predicts that by 2028, a third of our interactions with AI will shift from simply typing commands to fully engaging with autonomous agents that can act on their own goals and intentions. Unfortunately, cybercriminals won’t be far behind in exploiting these capabilities.
Think of agentic AI as giving scammers their own team of tireless, intelligent apprentices that never sleep, never make mistakes, and get better at their job every day. Here’s how this digital apprenticeship makes scams exponentially more dangerous.
Traditional scammers spend hours manually researching targets, scrolling through social media profiles, and piecing together personal information. Agentic AI recon agents operate persistently and autonomously, self-prompting questions like “What data do I need to identify a weak point in this organization?” and then collecting it from social media, breach data, exposed APIs and cloud misconfigurations.
Unlike traditional phishing that uses static messages, agentic AI can dynamically update or alter their approach based on a recipient’s response, location, holidays, events, or the target’s interests, marking a significant shift from static attacks to highly adaptive and real-time social engineering threats.
An agentic AI scammer targeting you might start with a LinkedIn message about a job opportunity. If you don’t respond, it switches to an email about a package delivery. If that fails, it tries a text message about suspicious account activity. Each attempt uses lessons learned from your previous reactions, becoming more convincing with every interaction.
AI-generated phishing emails achieve a 54% click-through rate compared to just 12% for their human-crafted counterparts. With agentic AI, scammers can create messages that don’t just look professional, they sound exactly like the people and organizations you trust.
The technology is already sophisticated enough to fool even cautious consumers. As McAfee’s latest research shows, social media users shared over 500,000 deepfakes in 2023 alone. The tools have become so accessible that scammers can now create convincing real-time avatars for video calls, allowing them to impersonate anyone from your boss to your bank representative during live conversations.
Perhaps most concerning is agentic AI’s ability to learn and improve. As the AI interacts with more victims over time, it gathers data on what types of messages or approaches work best for certain demographics, adapting itself and refining future campaigns to make each subsequent attack more powerful, convincing, and effective. This means that every failed scam attempt makes the AI smarter for its next victim. Understanding how agentic AI will transform specific types of scams helps us prepare for what’s coming. Here are the most concerning developments:
Multi-Stage Campaign Orchestration
Agentic AI can potentially orchestrate complex multi-stage social engineering attacks, leveraging data from one interaction to drive the next one. Instead of simple one-and-done phishing emails, expect sophisticated campaigns that unfold over weeks or months.
Automated Spear Phishing at Scale
Traditional spear phishing required manual research and customization for each target. In the new world order, malicious AI agents will autonomously harvest data from social media profiles, craft phishing messages, and tailor them to individual targets without human intervention. This means cybercriminals can now launch thousands of highly personalized attacks simultaneously, each one crafted specifically for its intended victim.
Real-Time Adaptive Attacks
When a target hesitates or questions an initial approach, agents adjust their tactics immediately based on the response. This continuous refinement makes each interaction more convincing than the last, wearing down even skeptical targets through persistence and learning. Traditional red flags like “This seems suspicious” or “Let me verify this” no longer end the attack, they just trigger the AI to try a different approach.
Cross-Platform Coordination
These autonomous systems now independently launch coordinated phishing campaigns across multiple channels simultaneously, operating with an efficiency human attackers cannot match. An agentic AI scammer might contact you via email, text message, phone call, and social media—all as part of a coordinated campaign designed to overwhelm your defenses.
The rise of agentic AI scams requires a fundamental shift in how we think about cybersecurity. Traditional advice like “watch for poor grammar” no longer applies. Here’s what you need to know to protect yourself:
Since agentic AI eliminates traditional warning signs, focus on these behavioral red flags:
High-Priority Warning Signs:
Emotional urgency: Messages designed to make you panic, feel guilty, or act without thinking
Requests for unusual actions: Being asked to do something outside normal procedures
Isolation tactics: Instructions not to tell anyone else or to handle something “confidentially”
Multiple contact attempts: Being contacted through several channels about the same issue
Perfect personalization: Messages that seem to know too much about your specific situation
At McAfee, we understand that fighting AI-powered attacks requires AI-powered defenses. Our security solutions are designed to detect and stop sophisticated scams before they reach you. McAfee’s Scam Detector provides lightning-fast alerts, automatically spotting scams and blocking risky links even if you click them, with all-in-one protection that keeps you safer across text, email, and video. Our AI analyzes incoming messages using advanced pattern recognition that can identify AI-generated content, even when it’s grammatically perfect and highly personalized.
Scam Detector keeps you safer across text, email, and video, providing comprehensive coverage against multi-channel agentic AI campaigns. Beyond analyzing message content, our system evaluates sender behavior patterns, communication timing, and request characteristics that may indicate AI-generated scams. Just as agentic AI attacks learn and evolve, our detection systems continuously improve their ability to identify new threat patterns.
Protecting yourself from agentic AI scams requires combining smart technology with informed human judgment. Security experts believe it’s highly likely that bad actors have already begun weaponizing agentic AI, and the sooner organizations and individuals can build up defenses, train awareness, and invest in stronger security controls, the better they will be equipped to outpace AI-powered adversaries.
We’re entering an era of AI versus AI, where the speed and sophistication of both attacks and defenses will continue to escalate. According to IBM’s 2025 Threat Intelligence Index, threat actors are pursuing bigger, broader campaigns than in the past, partly due to adopting generative AI tools that help them carry out more attacks in less time.
While the threat landscape is evolving rapidly, the combination of human intelligence and AI-powered security tools gives us powerful advantages. Humans excel at recognizing context, understanding emotional manipulation, and making nuanced judgments that AI still struggles with. When combined with AI’s ability to process vast amounts of data and detect subtle patterns, this creates a formidable defense.
The rise of agentic AI represents both a significant threat and an opportunity. While cybercriminals will certainly exploit these technologies to create more sophisticated scams, we’re not defenseless. By understanding how these systems work, recognizing the new threat landscape, and combining human wisdom with AI-powered protection tools like McAfee‘s Scam Detector, we can stay ahead of the threats.
The key insight is that while AI can mimic human communication and behavior with unprecedented accuracy, it still relies on exploiting fundamental human psychology—our desire to help, our fear of consequences, and our tendency to trust. By developing better awareness of these psychological vulnerabilities and implementing verification protocols that don’t depend on technological red flags, we can maintain our security even as the threats become more sophisticated.
Remember: in the age of agentic AI, the most important security tool you have is still your human judgment. Trust your instincts, verify before you act, and never let urgency override prudence, no matter how convincing the request might seem.
The post How Agentic AI Will Be Weaponized for Social Engineering Attacks appeared first on McAfee Blog.
How do hackers hack phones? In several ways. But also, there are several ways you can prevent it from happening to you. The thing is that our phones are like little treasure chests. They’re loaded with plenty of personal data, and we use them to shop, bank, and take care of other personal and financial matters—all of which are of high value to identity thieves. However, you can protect yourself and your phone by knowing what to look out for and by taking a few simple steps. Let’s break it down by first understanding what phone hacking is, taking a look at some common attacks, and learning how you can prevent it.
Phone hacking refers to any method where an unauthorized third party gains access to your smartphone and its data. This isn’t just one single technique; it covers a wide range of cybercrimes. A phone hack can happen through software vulnerabilities, like the spyware campaigns throughout the years that could monitor calls and messages. It can also occur over unsecured networks, such as a hacker intercepting your data on public Wi-Fi. Sometimes, it’s as simple as physical access, where someone installs tracking software on an unattended device.
Hackers have multiple avenues of attacking your phone. Among these common methods are using malicious apps disguised as legitimate software, exploiting the vulnerabilities of unsecure public Wi-Fi networks, or deploying sophisticated zero-click exploits that require no interaction from you at all. The most common method, however, remains social engineering, where they trick you into giving them access. Let’s further explore these common hacking techniques below.
Whether hackers sneak it onto your phone by physically accessing your phone or by tricking you into installing it via a phony app, a sketchy website, or a phishing attack, hacking software can create problems for you in a couple of ways:
Some possible signs of hacking software on your phone include:
In all, hacking software can eat up system resources, create conflicts with other apps, and use your data or internet connection to pass your personal information into the hands of hackers.
This classic form of attack has been leveled at our computers for years. Phishing is where hackers impersonate a company or trusted individual to get access to your accounts or personal info or both. These attacks take many forms such as emails, texts, instant messages, and so forth, some of which can look really legitimate. Common to them are links to bogus sites that attempt to trick you into handing over personal info or that install malware to wreak havoc on your device or likewise steal information. Learning to spot a phishing attack is one way to keep yourself from falling victim to one.
Professional hackers can use dedicated technologies that search for vulnerable mobile devices with an open Bluetooth connection. Hackers can pull off these attacks when they are within range of your phone, up to 30 feet away, usually in a populated area. When hackers make a Bluetooth connection to your phone, they might access your data and info, yet that data and info must be downloaded while the phone is within range. This is a more sophisticated attack given the effort and technology involved.
In August of 2019, then CEO of Twitter had his phone hacked by SIM card swapping scam. In this type of scam, a hacker contacts your phone provider, pretends to be you, then asks for a replacement SIM card. Once the provider sends the new SIM to the hacker, the old SIM card is deactivated, and your phone number will be effectively stolen. This enables the hacker to take control of your phone calls, messages, among others. The task of impersonating someone else seems difficult, yet it happened to the CEO of a major tech company, underscoring the importance of protecting your personal info and identity online to prevent hackers from pulling off this and other crimes.
While a phone call itself cannot typically install malware on your device, it is a primary tool for social engineering, known as vishing or voice phishing. A hacker might call, impersonating your bank or tech support company, and trick you into revealing sensitive information like passwords or financial details. They might also try to convince you to install a malicious app. Another common tactic is the “one-ring” scam, where they hang up hoping you’ll call back a premium-rate number. To stay safe, be wary of unsolicited calls, never provide personal data, block suspicious numbers, and check that your call forwarding isn’t enabled.
Generally, a phone that is powered off is a difficult target for remote hackers. However, modern smartphones aren’t always truly off. Features like Apple’s Find My network can operate in a low-power mode, keeping certain radios active. Furthermore, if a device has been previously compromised with sophisticated firmware-level malware, it could activate upon startup. The more common risk involves data that was already stolen before the phone was turned off or if the device is physically stolen. While it’s an uncommon scenario, the only sure way to take a device offline and completely sever all power is by removing the battery, where possible.
Hacking a phone’s camera is referred to as camfecting, usually done through malware or spyware hidden within a rogue application. Once installed, these apps can gain unauthorized permission to access your camera and record video or capture images without your knowledge. Occasionally, vulnerabilities in a phone’s operating system (OS) have been discovered that could allow for this, though these are rare and usually patched quickly. Protect yourself by regularly reviewing app permissions in your phone’s settings—for both iOS and Android—and revoking camera access for any app that doesn’t absolutely need it. Always keep your OS and apps updated to the latest versions.
This is a long-standing debate with no simple answer. iPhones are generally considered more secure due to Apple’s walled garden approach: a closed ecosystem, a strict vetting process for the App Store, and timely security updates for all supported devices. Android’s open-source nature offers more flexibility but also creates a more fragmented ecosystem, where security updates can be delayed depending on the device manufacturer. However, both platforms use powerful security features like application sandboxing.
The most important factor is not the brand but your behavior. A user who practices good digital hygiene—using strong passwords, avoiding suspicious links, and vetting apps—is well-protected on any platform.
Detecting a phone hack early can save you from significant trouble. Watch for key red flags: your battery draining much faster than usual, unexpected spikes in your mobile data usage, a persistently hot device even when idle, or a sudden barrage of pop-up ads. You might also notice apps you don’t remember installing or find that your phone is running unusually slow. To check, go into your settings to review your battery and data usage reports for any strange activity. The most effective step you can take is to install a comprehensive security app, like McAfee® Mobile Security, to run an immediate scan and detect any threats.
Discovering that your phone has been hacked can be alarming, but acting quickly can help you regain control and protect your personal information. Here are the urgent steps to take so you can remove the hacker, secure your accounts, and prevent future intrusions.
While there are several ways a hacker can get into your phone and steal personal and critical information, here are a few tips to keep that from happening:
Your smartphone is central to your life, so protecting it is essential. Ultimately, your proactive security habits are your strongest defense against mobile hacking. Make a habit of keeping your operating system and apps updated, be cautious about the links you click and the networks you join, and use a comprehensive security solution like McAfee® Mobile Security.
By staying vigilant and informed, you can enjoy all the benefits of your mobile device with confidence and peace of mind. Stay tuned to McAfee for the latest on how to protect your digital world from emerging threats.
The post How Do Hackers Hack Phones and How Can I Prevent It? appeared first on McAfee Blog.
Cybercriminal groups peddling sophisticated phishing kits that convert stolen card data into mobile wallets have recently shifted their focus to targeting customers of brokerage services, new research shows. Undeterred by security controls at these trading platforms that block users from wiring funds directly out of accounts, the phishers have pivoted to using multiple compromised brokerage accounts in unison to manipulate the prices of foreign stocks.
Image: Shutterstock, WhataWin.
This so-called ‘ramp and dump‘ scheme borrows its name from age-old “pump and dump” scams, wherein fraudsters purchase a large number of shares in some penny stock, and then promote the company in a frenzied social media blitz to build up interest from other investors. The fraudsters dump their shares after the price of the penny stock increases to some degree, which usually then causes a sharp drop in the value of the shares for legitimate investors.
With ramp and dump, the scammers do not need to rely on ginning up interest in the targeted stock on social media. Rather, they will preposition themselves in the stock that they wish to inflate, using compromised accounts to purchase large volumes of it and then dumping the shares after the stock price reaches a certain value. In February 2025, the FBI said it was seeking information from victims of this scheme.
“In this variation, the price manipulation is primarily the result of controlled trading activity conducted by the bad actors behind the scam,” reads an advisory from the Financial Industry Regulatory Authority (FINRA), a private, non-profit organization that regulates member brokerage firms. “Ultimately, the outcome for unsuspecting investors is the same—a catastrophic collapse in share price that leaves investors with unrecoverable losses.”
Ford Merrill is a security researcher at SecAlliance, a CSIS Security Group company. Merrill said he has tracked recent ramp-and-dump activity to a bustling Chinese-language community that is quite openly selling advanced mobile phishing kits on Telegram.
“They will often coordinate with other actors and will wait until a certain time to buy a particular Chinese IPO [initial public offering] stock or penny stock,” said Merrill, who has been chronicling the rapid maturation and growth of the China-based phishing community over the past three years.
“They’ll use all these victim brokerage accounts, and if needed they’ll liquidate the account’s current positions, and will preposition themselves in that instrument in some account they control, and then sell everything when the price goes up,” he said. “The victim will be left with worthless shares of that equity in their account, and the brokerage may not be happy either.”
Merrill said the early days of these phishing groups — between 2022 and 2024 — were typified by phishing kits that used text messages to spoof the U.S. Postal Service or some local toll road operator, warning about a delinquent shipping or toll fee that needed paying. Recipients who clicked the link and provided their payment information at a fake USPS or toll operator site were then asked to verify the transaction by sharing a one-time code sent via text message.
In reality, the victim’s bank is sending that code to the mobile number on file for their customer because the fraudsters have just attempted to enroll that victim’s card details into a mobile wallet. If the visitor supplies that one-time code, their payment card is then added to a new mobile wallet on an Apple or Google device that is physically controlled by the phishers.
The phishing gangs typically load multiple stolen cards to digital wallets on a single Apple or Android device, and then sell those phones in bulk to scammers who use them for fraudulent e-commerce and tap-to-pay transactions.
An image from the Telegram channel for a popular Chinese mobile phishing kit vendor shows 10 mobile phones for sale, each loaded with 4-6 digital wallets from different financial institutions.
This China-based phishing collective exposed a major weakness common to many U.S.-based financial institutions that already require multi-factor authentication: The reliance on a single, phishable one-time token for provisioning mobile wallets. Happily, Merrill said many financial institutions that were caught flat-footed on this scam two years ago have since strengthened authentication requirements for onboarding new mobile wallets (such as requiring the card to be enrolled via the bank’s mobile app).
But just as squeezing one part of a balloon merely forces the air trapped inside to bulge into another area, fraudsters don’t go away when you make their current enterprise less profitable: They just shift their focus to a less-guarded area. And lately, that gaze has settled squarely on customers of the major brokerage platforms, Merrill said.
Merrill pointed to several Telegram channels operated by some of the more accomplished phishing kit sellers, which are full of videos demonstrating how every feature in their kits can be tailored to the attacker’s target. The video snippet below comes from the Telegram channel of “Outsider,” a popular Mandarin-speaking phishing kit vendor whose latest offering includes a number of ready-made templates for using text messages to phish brokerage account credentials and one-time codes.
According to Merrill, Outsider is a woman who previously went by the handle “Chenlun.” KrebsOnSecurity profiled Chenlun’s phishing empire in an October 2023 story about a China-based group that was phishing mobile customers of more than a dozen postal services around the globe. In that case, the phishing sites were using a Telegram bot that sent stolen credentials to the “@chenlun” Telegram account.
Chenlun’s phishing lures are sent via Apple’s iMessage and Google’s RCS service and spoof one of the major brokerage platforms, warning that the account has been suspended for suspicious activity and that recipients should log in and verify some information. The missives include a link to a phishing page that collects the customer’s username and password, and then asks the user to enter a one-time code that will arrive via SMS.
The new phish kit videos on Outsider’s Telegram channel only feature templates for Schwab customers, but Merrill said the kit can easily be adapted to target other brokerage platforms. One reason the fraudsters are picking on brokerage firms, he said, has to do with the way they handle multi-factor authentication.
Schwab clients are presented with two options for second factor authentication when they open an account. Users who select the option to only prompt for a code on untrusted devices can choose to receive it via text message, an automated inbound phone call, or an outbound call to Schwab. With the “always at login” option selected, users can choose to receive the code through the Schwab app, a text message, or a Symantec VIP mobile app.
In response to questions, Schwab said it regularly updates clients on emerging fraud trends, including this specific type, which the company addressed in communications sent to clients earlier this year.
The 2FA text message from Schwab warns recipients against giving away their one-time code.
“That message focused on trading-related fraud, highlighting both account intrusions and scams conducted through social media or messaging apps that deceive individuals into executing trades themselves,” Schwab said in a written statement. “We are aware and tracking this trend across several channels, as well as others like it, which attempt to exploit SMS-based verification with stolen credentials. We actively monitor for suspicious patterns and take steps to disrupt them. This activity is part of a broader, industry-wide threat, and we take a multi-layered approach to address and mitigate it.”
Other popular brokerage platforms allow similar methods for multi-factor authentication. Fidelity requires a username and password on initial login, and offers the ability to receive a one-time token via SMS, an automated phone call, or by approving a push notification sent through the Fidelity mobile app. However, all three of these methods for sending one-time tokens are phishable; even with the brokerage firm’s app, the phishers could prompt the user to approve a login request that they initiated in the app with the phished credentials.
Vanguard offers customers a range of multi-factor authentication choices, including the option to require a physical security key in addition to one’s credentials on each login. A security key implements a robust form of multi-factor authentication known as Universal 2nd Factor (U2F), which allows the user to complete the login process simply by connecting an enrolled USB or Bluetooth device and pressing a button. The key works without the need for any special software drivers, and the nice thing about it is your second factor cannot be phished.
Merrill said that in many ways the ramp-and-dump scheme is the perfect crime because it leaves precious few connections between the victim brokerage accounts and the fraudsters.
“It’s really genius because it decouples so many things,” he said. “They can buy shares [in the stock to be pumped] in their personal account on the Chinese exchanges, and the price happens to go up. The Chinese or Hong Kong brokerages aren’t going to see anything funky.”
Merrill said it’s unclear exactly how those perpetrating these ramp-and-dump schemes coordinate their activities, such as whether the accounts are phished well in advance or shortly before being used to inflate the stock price of Chinese companies. The latter possibility would fit nicely with the existing human infrastructure these criminal groups already have in place.
For example, KrebsOnSecurity recently wrote about research from Merrill and other researchers showing the phishers behind these slick mobile phishing kits employed people to sit for hours at a time in front of large banks of mobile phones being used to send the text message lures. These technicians were needed to respond in real time to victims who were supplying the one-time code sent from their financial institution.
The ashtray says: You’ve been phishing all night.
“You can get access to a victim’s brokerage with a one-time passcode, but then you sort of have to use it right away if you can’t set new security settings so you can come back to that account later,” Merrill said.
The rapid pace of innovations produced by these China-based phishing vendors is due in part to their use of artificial intelligence and large language models to help develop the mobile phishing kits, he added.
“These guys are vibe coding stuff together and using LLMs to translate things or help put the user interface together,” Merrill said. “It’s only a matter of time before they start to integrate the LLMs into their development cycle to make it more rapid. The technologies they are building definitely have helped lower the barrier of entry for everyone.”
Malicious software, also called malware, refers to any program or code engineered to harm or exploit computer systems, networks and devices. It affects your phone’s functionality, especially if you jailbreak your device—that is, opening your iOS to additional features, apps, and themes.
The risks associated with a malware infection can range from poor device performance to stolen data. Cybercriminals typically use it to extract data—from financial data and healthcare records to emails and passwords—that they can leverage over victims for financial gain.
Thanks to their closed ecosystem, built-in security features, and strict policies on third-party apps, Apple devices tend to be generally resilient against malware infections. It’s important to note, however, that they’re not completely without vulnerabilities.
Read on to learn how you can detect malware on your iPhone and how to remove these infections so you can get back to enjoying your digital activities.
While traditional self-replicating viruses are rare on iPhones, malware is a genuine threat for Apple devices. Malware typically enters through links in deceptive texts or emails or through downloaded, unvetted apps rather than system-wide infection. These are some types of malware that could infect your iPhone:
To keep you safe against malware and other threats, Apple engineers the iPhone with multiple security layers, including:
Together, these features create a highly secure environment for iPhones. However, this robust shield does not eliminate all risks, as threats can still bypass these defenses through phishing scams or by tricking a user into installing a malicious configuration profile.
If your iPhone is exhibiting these odd activities listed below, a manual scan is your first point of order. These quick actions are free to do as they are already integrated into your device.
The disadvantage of doing a manual scan is that it requires effort. In addition, it does not detect sophisticated malware, and only identifies symptoms rather than root causes.
If your iPhone persistently exhibits any of the red flags above despite your quick actions, you may have to investigate using a third-party security app to find the threats that manual checks don’t catch.
Compared with manual or built-in scans, third-party solutions like McAfee Mobile Security offer automated, comprehensive malware scans by detecting a wider range of threats before they enter your digital space. While available at a premium, third-party security suites offer great value as they include full-scale protection that includes a safe browsing feature to protect your digital life and a virtual private network (VPN) for a more secure internet connection.
If the scan confirms the presence of malware on your iPhone, don’t worry. There’s still time to protect yourself and your data. Below is an action plan you can follow to remove malware from your device.
In many cases, hackers exploit outdated versions of iOS to launch malware attacks. If you don’t have the latest version of your operating system, it’s a good idea to update your iOS immediately to close this potential vulnerability. To do this, go to Settings > General > Software Update and follow the instructions to update your iPhone.
It might sound simple, but restarting your device can fix certain issues. The system will restart on its own when updating the iOS. If you already have the latest version, restart your iPhone now.
If updating the iOS and restarting your device didn’t fix the issue, try clearing your phone’s browsing history and data. If you’re using Safari, go to Settings > Clear History and Website Data > Clear History and Data. Keep in mind that the process is similar for Google Chrome and most other popular web browsers.
Malicious software, such as spyware and ransomware, often end up on phones by masquerading as legitimate apps. To err on the side of caution, delete any apps that you don’t remember downloading or installing.
The option to restore to a previous backup is one of the most valuable features found on the iPhone and iPad. This allows you to restore your device to an iCloud backup version that was made before the malware infection. Go to Settings > General > Transfer or Reset iPhone > Erase All Content and Settings > Restore from iCloud Backup.
A factory reset should be your last resort when other removal methods have failed, as it is a complete data wipe. That means it will erase all content and settings, including any malicious apps, profiles, or files, returning the software to its original, out-of-the-box state. That’s why it’s crucial to back up your essential data such as photos and contacts first. Also, remember to restore to an iCloud backup version *before* the malware infection to avoid reintroducing the infection. For the highest level of security, set the iPhone up as new and manually redownload trusted apps from the App Store. When you are ready to reset, go to Settings > General > Transfer or Reset iPhone > Erase All Content and Settings > Set Up as New iPhone.
Spyware is designed to be sneaky, but it leaves subtle traces. Pay attention to your iPhone’s behavior, such as the camera or microphone unexpectedly activating as indicated by a green or orange dot in the status bar, sudden battery drain, or your device overheating for no reason. Another major red flag is a spike in data usage when you aren’t actively using your phone.
For a deeper look, do this 5-minute check to see which apps have accessed your data, camera, and microphone. Look for any activity that seems suspicious or that you don’t recall authorizing.
If you suspect your iPhone has been compromised, it’s important to act quickly. Here’s a step-by-step process to remove it, restore your privacy, and prevent future threats.
A common tactic used by scammers is the fake virus pop-up. These alarming messages appear while you are browsing, often using logos from Apple or other trusted companies, and claim your iPhone is infected. Their goal is to create panic, urging you to click a link, download a fake app, or call a fraudulent support number. Never interact with these pop-ups. Here’s a quick response plan when dealing with fake virus pop-up ads:
Never enter personal information, passwords, or payment details on a page that appears from a pop-up ad.
The best way to protect your iOS device is to avoid malware in the first place. Follow these security measures to safeguard your device:
Can my iPhone get a virus from opening an email?
Simply opening an email is very unlikely to infect your iPhone. However, clicking a malicious link or downloading an attachment from a phishing email can lead you to a harmful website or trick you into compromising your information. It’s the action you take, not opening the email itself, that creates the risk.
How do I know if a virus warning is real or fake?
Any pop-up in your browser that claims your iPhone has a virus is fake. Apple does not send notifications like this. These are scare tactics designed to trick you into clicking a link or calling a fake support number. The safest response is to close the browser tab and clear your browsing data.
Does my iPhone really need antivirus software?
It’s a misconception that iPhones are immune to all viruses. While Apple’s built-in security provides a strong defense, it doesn’t offer complete protection. Cybercriminals are increasingly using phishing, smishing, AI voice cloning, deepfake videos and other social engineering methods to target iPhone users. A comprehensive security app provides layered protection beyond the iOS integrated security. Think of it as adding a professional security guard to already-strong walls.
What is the best way to check my iPhone for a virus or malware for free?
You can perform manual checks for free by looking for suspicious apps, checking for unusual battery drain and data usage, and reviewing your App Privacy Report. While helpful for spotting obvious issues, these manual checks aren’t foolproof. A dedicated security app offers a more reliable and thorough analysis.
Can an iPhone get malware without jailbreaking it?
Yes. While jailbreaking significantly increases the risk, malware can still infect a non-jailbroken iPhone. This typically happens through sophisticated phishing attacks, installing malicious configuration profiles from untrusted sources, or, in very rare cases, by exploiting an unknown vulnerability in iOS, known as a “zero-day” attack.
Is an iPhone malware scan truly necessary?
Given the value of the personal data on our phones, a regular malware scan provides significant peace of mind. A reputable security app can identify vulnerabilities you might miss, such as outdated software or risky system settings, helping you maintain a strong security posture.
Keeping your iPhone secure from malware is an achievable goal that puts you in control of your digital safety. By combining smart habits with powerful security tools, you can confidently protect your personal information from emerging threats.
McAfee is committed to empowering you with the resources and protection needed to navigate the online world safely. McAfee Mobile Security provides full protection against various types of malware targeting the Apple ecosystem. With safe browsing features, a secure VPN, and antivirus software, McAfee Security for iOS delivers protection against emerging threats, so you can continue to use your iPhone with peace of mind. Download the McAfee Mobile Security app today and get all-in-one protection.
The post A Guide to Remove Malware From Your iPhone appeared first on McAfee Blog.
Scammers didn’t take a summer break. They kept busy, ramping up a fresh wave of back-to-school shopping scams. As busy families rush to get kitted out for a new school year, scammers are ready with a glut of phony shopping sites, bogus offers, and fake delivery notifications designed to steal your money and personal info. Let’s get a rundown of what scams are out there this year and how you can avoid them.
Scammers look to cash in on all the spending that tends to peak in July and August. According to the National Retail Federation, the average U.S. family spends nearly $860 per child to prep them for school—which includes supplies, clothing, and shoes for the new school year. So, like any time of year where a holiday or seasonal event drives a spike in online shopping, we see a rise in scam shopping sites.
The scammers behind these sites promote them in several ways, such as through sponsored search links, email offers, and through social media ads (more on that in a moment). Typically, these sites fall into two categories:
While scammers use the lure of low-priced classroom staples like pens, notebooks, backpacks, and the like, they also crank out non-existent deals everything from clothing and shoes to big-ticket items like laptop computers. Also popular are phony shopping sprees and giveaways, which also lure shoppers into handing over their account and personal info. In all, with online shopping hitting another seasonal peak, it’s time for shoppers to give those ads and deals a particularly closer look. Scammers are out there in force.
Fake social media ads remain a mainstay of the scammer arsenal, and scammers most certainly put them to use during back-to-school time. Scammers love social media ads because they offer precise audience targeting. With a convincing-looking ad created using AI tools, they can reach vast numbers of interested buyers—people who are on the lookout for back-to-school deals. With these ads, they point potential victims to the sites mentioned above, all with the hope that unsuspecting shoppers will impulsively click on the deal. From there, the scam works much the same as above. Shoppers end up on a scam site that often looks convincing (thanks again to AI tools that help scammers spin them up quickly) where they enter their personal and account info, only to end up getting scammed.
Another popular scammer ploy involves shipping notifications. Scammers know that with lots of online shopping comes a lot of online shipping notifications. They send phony delivery messages by the thousands, all with the aim of catching a few victims who have real packages on the way.
They pose as legitimate shippers and retailers, do their best to look and sound like them, and use urgency to get people to act. “Your package can’t be delivered. Please click this link within the next 24 hours to get your shipment.” And so on. In some cases, those links lead to phishing and malware sites. In others, the notification contains an attachment that installs malware if clicked.
With these scams in the mix, here’s how you can stay safe:
The post Scammers Take Advantage of Back-to-School Shopping Scams. appeared first on McAfee Blog.
You can request data brokers to remove your personal info from their databases. But finding their request forms is another challenge entirely, especially when they’re hidden. Recent reporting from CalMatters and The Markup found that 35 data brokers injected code into their websites that hid their opt out pages from search, making it more difficult for people to delete their data.If you don’t like the idea of your sensitive personal info being collected, bought, and sold without your knowledge, this is important news for you.
And these brokers collect plenty of it. They compile often exacting profiles of people, which can include things like purchasing habits, health data, financial info, real-time location data (gathered from smartphone apps), and even inferred info like political leanings, lifestyle choices, and religious beliefs.
As you can see, this level of data collection can get entirely personal.
Moreover, practically anyone can purchase this sensitive info. That ranges from advertisers to law enforcement and from employers to anyone on the street who wants to know a lot more about you.
This report stands as a good reminder that data collection on this level is an everyday fact of life—and that you can still take some control of it.
With a quick look at the report, we’ll then show you what’s going on with all this data collection and what you can do about it.
As part of the article, reporters analyzed 499 data broker sites registered in the state of California. Of them, 35 had search-blocking code. Additionally per the article, many opt out pages “required scrolling multiple screens, dismissing pop-ups for cookie permissions, and newsletter sign-ups and then finding a link that was a fraction the size of other text on the page.” Once the publications contacted the data brokers in question, multiple companies halted the practice, some responding that they were unaware their site had search-blocking code. Several others didn’t respond by the time the article was published and kept their practices in place.
There are several ways information brokers can get information about you…
Sources available to the public: Some of your personal records are easily available to the public. Data brokers can collect public records like your voter registration records, birth certificate, criminal record, and even bankruptcy records. By rounding them up from multiple sources and gathering them in one place, it takes someone seconds to find out all these things about you, rather than spending hours poring over public records.
Search, browsing, and app usage: Through a combination of data collected from internet service providers (ISPs), websites, and apps, data brokers can get access to all kinds of activity. They can see what content you’re interested in, how much time you spend on certain sites, and even your daily travels thanks to location data. They also use web scraping tools (software that pulls info from the web), to gather yet more. All this data collecting makes up a multi-billion-dollar industry where personal data is gathered, analyzed, sold, and then sold again and again—all without a person’s knowledge.
Online agreements: As it is with smartphone apps, you’ll usually have to sign an agreement when signing up for a new online service. Many of these agreements have disclosures in the fine print that give the company the right to collect and distribute your personal info.
Purchase history: Data brokers want to know what products or services you’ve purchased, how you paid for them (credit card, debit card, or coupon), and when and where you purchased them. In some cases, they get this info from loyalty programs at places like supermarkets, drugstores, and other retailers. Kroger, one of the largest grocery chains, is a good example of how purchasing insights end up in the hands of others. According to Consumer Reports, the company draws 35% of its net income from selling customer data to other companies.
“What can I do about companies collecting my data?”
For starters, there aren’t any data privacy laws on the federal level. So far, that has fallen to individual states to enact. As such, data privacy laws vary from state-to-state, with California having some of the earliest and strongest protections on record, via the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).
In all, 20 states currently have comprehensive privacy laws in place, with five others that have put narrower privacy protections in place, covering data brokers, internet service providers, and medical/biometric data.
States with Comprehensive Data Privacy Laws
For specific laws in your state and how they can protect you, we suggest doing a search for “data privacy laws [your state]” for more info.
Even if your state has no or narrow data privacy laws in place, you still have several ways you can take back your privacy.
The first thing you can do is keep a lower profile online. That can limit the amount of personal info they can get their hands on:
Be selective about what you share online. Don’t overshare personal info on social media. Avoid things like online quizzes and sweepstakes. And be aware that some data brokers indeed scour the web with scraping tools that gather up info from things like forum posts.
Go private. Even better, lock down your privacy on social media. Social media platforms like Facebook, Instagram, and others have several settings that keep your profile from being scraped in the ways mentioned above. Features like our Social Privacy Manager can make quick work of this by adjusting more than 100 privacy settings across your accounts in a few clicks.
Use a virtual private network (VPN) whenever possible. A VPN hides your IP address and encrypts your data while you surf the web. McAfee’s Secure VPN protects your personal data and credit card information so you can browse, bank, and shop online without worrying about prying eyes, like data brokers and internet service providers (ISPs) that collect info about what you do online.
The list of data brokers is long. Cleaning up your personal data online can quickly eat up your time, as it requires you to reach out to multiple data brokers and opt out. Rather than removing yourself one by one from the host of data broker sites out there, you have a solution: our Personal Data Cleanup.
Personal Data Cleanup scans data broker sites and shows you which ones are selling your personal info. It also provides guidance on how you can remove your data from those sites. And if you want to save time on manually removing that info, you have options. Our McAfee+ Advanced and Ultimate plans come with full-service Personal Data Cleanup, which sends requests to remove your data automatically. If the thought of your personal info getting bought and sold in such a public way bothers you, our Personal Data Cleanup can put you back in charge of it.
The post You Have a Right to Delete Your Data—But Dozens of Data Brokers Hide How to Do It appeared first on McAfee Blog.
Scammers are exploiting the massive popularity of Labubu collectible toys through fake websites and social media ads, resulting in consumers losing hundreds of dollars to counterfeit “Lafufu” dolls or receiving nothing at all. Here’s how to protect yourself from becoming their next victim.
If you haven’t heard of Labubu dolls yet, you’re about to understand why they’ve become both a cultural obsession and a cybersecurity nightmare. These small, mischievous-looking plush toys with distinctive sharp teeth have exploded in popularity thanks to celebrity endorsements from Rihanna, Dua Lipa, and BLACKPINK’s Lisa, plus viral TikTok unboxing videos.
Created by Hong Kong artist Kasing Lung and sold exclusively by Pop Mart since 2019, these $20-$30 “blind box” collectibles have generated such intense demand that rare “secret” versions are reselling for thousands of dollars. Fans line up for hours at Pop Mart stores and even travel internationally to get their hands on authentic Labubus. Where there’s viral demand and limited supply, cybercriminals inevitably follow.
The Better Business Bureau has received over 76 reports from consumers who thought they were purchasing authentic Labubu dolls but instead received counterfeit versions dubbed “Lafufus” – or worse, nothing at all. Some victims report losses of nearly $500 from a single fraudulent transaction.
The attack vector is disturbingly familiar yet devastatingly effective:
1. Social Media Infiltration: Scammers flood TikTok and Instagram with sponsored ads featuring “limited edition” Labubu dolls at discounted prices
2. Fake Website Creation: Professional-looking e-commerce sites mimic Pop Mart’s official branding and use urgent language like “limited stock” and countdown timers
3. Payment Harvesting: Once victims enter payment information, scammers either ship low-quality counterfeits or disappear entirely
4. Digital Vanishing Act: When complaints mount, the entire operation disappears overnight, only to resurface under a new domain name
The BBB has specifically flagged these scam operations:
Additionally, TikTok live streams claiming to be “Pop Mart USA” have been particularly problematic, using high-pressure sales tactics and fake countdown timers to rush buyers into immediate purchases.
These fraudulent advertisements are designed to look legitimate and often feature professional product photography stolen from Pop Mart’s official channels. The ads frequently claim unrealistic discounts such as “50% off limited edition Labubu” or similar offers that seem too good to be true. Promotional copy emphasizes false urgency with phrases like “Last 24 hours!” or “Only 100 left!” to pressure consumers into making immediate purchases without proper consideration.
Warning signs include links that redirect to domains other than popmart.com or Pop Mart’s official Amazon store, indicating fraudulent operations. These ads typically originate from accounts with generic names or recently created profiles that have little post history, suggesting they were established specifically for scamming purposes. The comments sections are either disabled entirely or filled with obviously fake positive reviews designed to create an illusion of satisfied customers.
Scammers often use unofficial terminology or deliberate misspellings of “Labubu,” sometimes intentionally using variations like “Lafufu” to avoid detection by platform algorithms designed to identify and remove fraudulent content related to official brand names.
TikTok live streams have become a particularly dangerous vector for Labubu scams, operating as sophisticated psychological manipulation campaigns. These streams claim to be “Pop Mart USA” and run for up to 12 hours daily, using countdown timers that reset repeatedly to create false urgency. The hosts make claims of “restocks” or “newly available inventory” that never actually existed, giving viewers only seconds to purchase once items “drop” to prevent careful consideration.
The manipulation extends to chat features filled with fake comments from bot accounts expressing excitement, while QR codes displayed on stream appear authentic but lead to fraudulent websites. Many hosts wear Pop Mart merchandise or display authentic products while selling counterfeits, using stream titles with official-sounding language like “Official Pop Mart Restock Event” to enhance their credibility.
Scammers create networks of interconnected fake accounts to build credibility and reach wider audiences. These profiles use variations of names like “Pop Mart USA” or “Official Labubu Store,” copying official Pop Mart language and contact information in their bio sections. They use profile pictures featuring Pop Mart’s logo or official product photography without permission, engaging in cross-promotion between fake accounts to create an illusion of legitimacy.
These fraudulent accounts maintain artificially inflated follower counts through bot networks and post histories that are either very recent or filled with stolen content from official accounts. The posting patterns appear inconsistent, suggesting automated or outsourced management, while comments and engagement seem coordinated rather than organic.
Visual “proof” elements appear legitimate but are actually fabricated to deceive consumers. QR codes redirect to fake verification websites rather than Pop Mart’s official system, while authenticity certificates or stamps use similar but not identical branding to official materials. Scammers use photos of authentic Labubu products to “prove” legitimacy while shipping counterfeits, providing serial numbers or batch codes that don’t match Pop Mart’s actual numbering systems.
The deception includes holographic stickers or security features that look similar but lack proper verification methods, screenshots of “authentication apps” that are actually fake applications created by scammers, and references to verification through third-party services that don’t actually authenticate Pop Mart products. Authentic packaging may be displayed while the actual shipped products come in generic or counterfeit boxes.
Several warning signs indicate fraudulent operations. Scammers often request payment through peer-to-peer apps like CashApp or Venmo, avoid implementing secure checkout processes or SSL certificates, and make it impossible to cancel orders immediately after placement. Customer service typically becomes unresponsive after payment is received, leaving consumers with no recourse.
Genuine Labubu toys have exactly nine pointed teeth, which serves as the key identifier for authenticity. They feature a pale peach complexion with specific color consistency and display the official Pop Mart logo stamped on the bottom of one foot. Authentic products come in proper packaging with legitimate QR codes and holographic stickers, including authenticity stamps that can be verified through Pop Mart’s official system.
Counterfeit versions exhibit several telltale signs of fraudulent manufacturing. These fake toys have more or fewer than nine teeth, different facial colors or expressions, and missing or fake Pop Mart branding. The materials and construction quality are noticeably poor, and packaging lacks verifiable QR codes that connect to official authentication systems.
Protecting yourself from these scams requires a multi-layered approach starting with shopping exclusively through official channels. Purchase only from Pop Mart’s official website at popmart.com or their verified Amazon store to ensure authenticity. Before making purchases from unfamiliar retailers, always search for “[website name] + scam” to verify their legitimacy.
Use secure payment methods that offer fraud protection and dispute capabilities, particularly credit cards rather than peer-to-peer payment apps. Maintain extreme skepticism toward social media ads, especially those creating artificial urgency or pressure to purchase immediately.
If you discover you’ve been scammed, document everything immediately by saving screenshots, emails, and transaction records. Contact your credit card company or bank without delay to dispute charges and report the scam to the Better Business Bureau’s Scam Tracker. File complaints with the Federal Trade Commission to help authorities track these criminal operations.
Request chargebacks through your credit card provider and provide all documentation showing misrepresentation of goods. Avoid using peer-to-peer payment apps for future purchases as they offer limited fraud protection and fewer options for recovery when scams occur.
The Labubu scam represents a troubling evolution in cybercriminal tactics, demonstrating how quickly bad actors can weaponize viral trends to create sophisticated fraud networks. These operations exploit consumer psychology around FOMO (fear of missing out) and artificial scarcity to pressure victims into making hasty financial decisions.
Several factors make this particularly dangerous for consumers and cybersecurity professionals alike. The speed of adaptation allows scammers to create convincing fake operations within days of a trend emerging, while social media amplification means platforms struggle to quickly identify and remove fraudulent sponsored content. The international scope of many operations makes law enforcement cooperation challenging, and the target demographics often include Gen Z consumers who may be early adopters of trends but lack experience with sophisticated scams.
Pop Mart has been working to combat counterfeiting, but the distributed nature of online fraud makes this an ongoing challenge. Social media platforms are slowly improving their ad verification processes, though scammers continue finding workarounds to exploit system vulnerabilities.
International customs officials have begun seizing shipments of counterfeit Labubu toys, with hundreds of thousands of fake units confiscated in recent operations. However, the profit margins on these scams remain attractive enough that new operations continue launching regularly, adapting their tactics to avoid detection.
As cybersecurity professionals and informed consumers, we have a responsibility to educate others about these evolving threats. The Labubu scam won’t be the last time cybercriminals exploit viral cultural phenomena – it represents the most recent example of an increasingly sophisticated playbook that targets consumer psychology and cultural trends.
Consumer protection requires constant vigilance and education. Always verify the authenticity of sellers before providing payment information, maintain suspicion of deals that seem too good to be true, and use payment methods that offer fraud protection and dispute capabilities. Report suspected scams to relevant authorities to help protect other consumers from similar harm.
The intersection of viral culture and cybercrime is only going to become more complex as digital trends accelerate and criminal operations become more sophisticated. By staying informed about these tactics and sharing knowledge with our communities, we can help reduce the success rate of these operations and protect consumers from financial harm.
Remember that when it comes to viral trends and online shopping, a healthy dose of skepticism isn’t cynicism – it’s cybersecurity best practice. The cost of verification is always less than the cost of victimization.
The post Going Lacoocoo over Labubu: How Viral Toy Trends Are Becoming Scams appeared first on McAfee Blog.
Meta has unleashed a groundbreaking feature that transforms Instagram from a photo-sharing platform into a real-time location broadcaster. While the company promises enhanced connectivity, cybersecurity experts are sounding alarm bells about potential dangers lurking beneath this seemingly innocent update.
Instagram’s freshly minted “Map” functionality represents a seismic shift in social media architecture. Unlike traditional posting where you deliberately choose what to share, this feature operates as an always-on location transmitter that continuously broadcasts your whereabouts to selected contacts whenever you launch the application.
The mechanism mirrors Snapchat’s infamous Snap Map, but with Instagram’s massive user base—over 2 billion active accounts—the implications for personal security amplify exponentially. This feature enables users to share their real-time location with friends and view theirs on a live map, but it also raises serious privacy concerns from targeted advertising to potential stalking and misuse in abusive relationships.
McAfee’s Chief Technology Officer Steve Grobman provides crucial context: “Features like location sharing aren’t inherently bad, but they come with tradeoffs. It’s about making informed choices. When people don’t fully understand what’s being shared or who can see it, that’s when it becomes a risk.”
Digital predators can exploit location data to track victims with unprecedented precision. Relationship and parenting experts warn location sharing can turn into a stressful or even dangerous form of control, with research showing that 19 percent of 18 to 24-year-olds think it’s reasonable to expect to track an intimate partner’s location.
Steve Grobman emphasizes the real-world implications: “There’s also a real-world safety concern. If someone knows where you are in real time, that could lead to stalking, harassment, or even assault. Location data can be powerful, and in the wrong hands, dangerous.”
Your boss, colleagues, or acquaintances might gain unwanted insights into your personal activities. Imagine explaining why you visited a competitor’s office or why you called in sick while appearing at a shopping center.
The danger often comes from within your own network. Grobman warns: “It only takes one person with bad intentions for location sharing to become a serious problem. You may think your network is made up of friends, but in many cases, people accept requests from strangers or someone impersonating a contact without really thinking about the consequences.”
While Instagram claims it doesn’t use location data from this feature for ad targeting, the platform’s history with user data suggests caution. Your movement patterns create valuable behavioral profiles for marketers.
Cybercriminals employ sophisticated data aggregation techniques. According to Grobman: “Criminals can use what’s known as the mosaic effect, combining small bits of data like your location, routines, and social posts to build a detailed profile. They can use that information to run scams against a consumer or their connections, guess security questions, or even commit identity theft.”
For iPhone Users:
For Android Users:
Method 1: Through the Map Interface
Method 2: Through Profile Settings
iPhone Security Configuration:
Android Security Setup:
After implementing these changes:
Audit Your Digital Footprint
Review all social media platforms for similar location-sharing features. Snapchat, Facebook, and TikTok offer comparable functionalities that require individual deactivation.
Implement Location Spoofing Awareness
Some users consider VPN services or location-spoofing applications, but these methods can violate platform terms of service and create additional security vulnerabilities.
Regular Security Hygiene
Establish monthly reviews of your privacy settings across all social platforms. Companies frequently update features and reset user preferences without explicit notification.
Grobman emphasizes the challenge consumers face: “Most social platforms offer privacy settings that offer fine-grained control, but the reality is many people don’t know those settings exist or don’t take the time to use them. That can lead to oversharing, especially when it comes to things like your location.”
Family Protection Protocols
If you’re a parent with supervision set up for your teen, you can control their location sharing experience on the map, get notified when they enable it, and see who they’re sharing with. Implement these controls immediately for underage family members.
Data Collection Frequency
Your location updates whenever you open the app or return to it while running in the background. This means Instagram potentially logs your position multiple times daily, creating detailed movement profiles.
Data Retention Policies
Instagram claims to hold location data for a maximum of three days, but this timeframe applies only to active sharing, not the underlying location logs the platform maintains for other purposes.
Visibility Scope
Even with location sharing disabled, you can still see others’ shared locations on the map if they’ve enabled the feature. This asymmetric visibility creates potential social pressure to reciprocate sharing.
Red Flags and Warning Signs
Monitor these indicators that suggest your privacy may be compromised:
This Instagram update represents a concerning trend toward ambient surveillance in social media. Companies increasingly normalize continuous data collection by framing it as connectivity enhancement. As consumers, we must recognize that convenience often comes at the cost of privacy.
The feature’s opt-in design provides some protection, but user reports suggest the system may automatically activate for users with older app versions who previously granted location permissions. This highlights the importance of proactive privacy management rather than reactive protection.
Immediate (Next 10 Minutes):
This Week:
Monthly Ongoing:
Grobman advises a comprehensive approach: “The best thing you can do is stay aware and take control. Review your app permissions, think carefully before you share, and use tools that help protect your privacy. McAfee+ includes identity monitoring, scam detection. McAfee’s VPN keeps your IP address private, but if a consumer allows an application to identify its location via GPS or other location services, VPNs will not protect location in that scenario. Staying safe online is always a combination of the best technology along with good digital street smarts.”
Remember: Your location data tells the story of your life—where you work, live, worship, shop, and spend leisure time. Protecting this information isn’t paranoia; it’s fundamental digital hygiene in our hyper-connected world.
The choice to share your location should always remain yours, made with full awareness of the implications. By implementing these protective measures, you’re taking control of your digital footprint and safeguarding your personal security in an increasingly surveilled digital landscape.
The post Instagram’s New Tracking Feature: What You Need to Know to Stay Safe appeared first on McAfee Blog.
FreshRSS