
Meta Targets 150K Accounts in Southeast Asia Scam Operation

 



Meta announced that it has removed more than 150,000 accounts tied to organized scam centers operating in Southeast Asia, describing the move as part of a large international effort to disrupt coordinated online fraud networks.

The enforcement action was carried out with assistance from authorities in several countries. Law enforcement agencies and government partners involved in the operation included officials from Thailand, the United States, the United Kingdom, Canada, South Korea, Japan, Singapore, the Philippines, Australia, New Zealand, and Indonesia. According to Meta, the joint effort resulted in 21 individuals being arrested by the Royal Thai Police.

This latest crackdown builds on an earlier pilot initiative launched in December 2025. During that initial phase, Meta removed approximately 59,000 accounts, Pages, and Groups from its platforms that were connected to similar fraudulent activity. The earlier investigation also led to the issuance of six arrest warrants by authorities.

In a statement explaining the action, Meta said that online scams have grown increasingly complex and organized over recent years. Criminal networks, often operating from countries such as Cambodia, Myanmar, and Laos, have established large scam compounds that function in many ways like organized business operations. These groups typically use structured teams, scripted communication strategies, and digital tools designed to evade detection while targeting victims on a global scale. According to the company, the impact of such scams extends far beyond financial loss, as they can severely disrupt lives and weaken trust in digital communication platforms.

Alongside the enforcement action, Meta also announced several new safety features aimed at helping users identify and avoid scam attempts.

One of these tools introduces new warning messages on Facebook that notify users when they receive communication from accounts that display characteristics commonly linked to fraudulent activity. Another safeguard has been introduced on WhatsApp to address a tactic used by scammers who attempt to persuade users to scan a QR code. If successful, this method can link the attacker’s device to the victim’s WhatsApp account, allowing them to access messages and impersonate the account holder. Meta said its system will now notify users when suspicious device-linking requests are detected.

The company is also expanding scam detection on Messenger. When a conversation with a new contact begins to resemble known fraud patterns, such as questionable job opportunities or requests that appear unusual, the platform may prompt users to share recent messages so that an artificial intelligence system can evaluate whether the interaction matches known scam behavior.

Meta also disclosed broader enforcement statistics related to scams on its platforms. Throughout 2025, the company removed more than 159 million advertisements that violated its policies related to fraud and deception. In addition, it disabled approximately 10.9 million Facebook and Instagram accounts that investigators linked to organized scam centers.

To further address fraudulent activity, the company said it plans to expand its advertiser verification program. The goal of this measure is to increase transparency by confirming the identities of advertisers and reducing the ability of malicious actors to misrepresent themselves while running advertisements.

The announcement comes at a time when governments are intensifying efforts to address online fraud. The UK Government recently introduced a new Online Crime Centre designed to focus specifically on cybercrime, including scams connected to organized fraud operations operating in regions such as Southeast Asia, West Africa, Eastern Europe, India, and China.

The centre will bring together specialists from several sectors, including government agencies, law enforcement, intelligence services, financial institutions, mobile network providers, and major technology companies. The initiative is expected to begin operations next month.

The project forms part of the United Kingdom’s broader Fraud Strategy 2026–2029, a policy framework aimed at strengthening the country’s response to fraud and financial crime. As part of this strategy, authorities plan to use artificial intelligence to detect emerging scam patterns, identify suspicious bank transfers more quickly, and deploy “scam-baiting” chatbots designed to interact with fraudsters in order to gather intelligence.

Officials said the new centre, supported by more than £30 million in funding, will focus on identifying the digital infrastructure used by organized crime groups. This includes tracking fraudulent accounts, websites, and phone numbers used in scam operations. Authorities aim to shut down these resources at scale by blocking scam messages, freezing financial accounts linked to criminal activity, removing fraudulent social media profiles, and disrupting scam networks at their source.

Phishing Campaign Abuses .arpa Domain and IPv6 Tunnels to Evade Enterprise Security Defenses

 

Cybersecurity experts at Infoblox Threat Intel have identified a sophisticated phishing operation that manipulates core internet infrastructure to slip past enterprise security mechanisms.

The campaign introduces an unusual evasion strategy: attackers are exploiting the .arpa top-level domain (TLD) while leveraging IPv6 tunnel services to host phishing pages. This method allows malicious actors to sidestep traditional domain reputation systems, posing a growing challenge for security teams.

Unlike public-facing domains such as .com or .net, the .arpa TLD is reserved strictly for internal internet functions. It primarily supports reverse DNS lookups, translating IP addresses into domain names, and was never intended to serve public web content.

Researchers found that attackers are capitalizing on weaknesses within DNS record management systems. By using free IPv6 tunnel providers, threat actors obtain control over certain IPv6 address ranges. Rather than configuring reverse DNS pointer (PTR) records as expected, they create standard A records under .arpa subdomains. This results in fully qualified domain names that appear to be legitimate infrastructure addresses—entities that security tools generally consider trustworthy and therefore seldom inspect closely.

Attack Chain and CNAME Hijacking

According to Infoblox, the campaign often starts with malspam emails impersonating well-known consumer brands. The emails feature a single clickable image that either advertises a prize or warns about a disrupted subscription.

Once clicked, victims are routed through a sophisticated Traffic Distribution System (TDS). The TDS analyzes the incoming traffic, specifically filtering for mobile users on residential IP networks, before ultimately delivering the malicious content.

In addition to abusing the .arpa namespace, the attackers are also exploiting dangling CNAME records. They have taken control of outdated subdomains belonging to respected government bodies, media outlets, and academic institutions. By registering expired domains that abandoned CNAME records still reference, they effectively inherit the reputation of trusted organizations, allowing malicious traffic to blend in seamlessly.

Dr. Renée Burton, Vice President at Infoblox Threat Intel, emphasized the severity of this tactic, noting that "weaponizing the .arpa namespace effectively turns the core of the internet into a phishing delivery mechanism."

Because reverse DNS domains inherently carry a clean reputation and lack conventional registration details, security systems that depend on URL analysis and blocklists often fail to identify the threat.

Experts recommend that organizations begin viewing foundational DNS infrastructure as a potential attack surface. Proactive monitoring, particularly for unusual record creation within the .arpa namespace, along with specialized filtering controls, will be critical to defending against this evolving threat.
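The two checks implied by that recommendation, shown as an added example rather than anything from the Infoblox report or this post: flag forward (A/AAAA) records that appear under the reverse-DNS namespace, and flag CNAME records whose target no longer resolves. Every name, address, the "resolvable" set and the tunnel-broker prefix below are constructed placeholders; a real deployment would feed in zone exports or passive-DNS data and the provider ranges it cares about.

```python
import ipaddress

# Reverse-pointer names generated from documentation addresses (constructed).
V4_HOST = ipaddress.ip_address("203.0.113.10").reverse_pointer   # 10.113.0.203.in-addr.arpa
V6_HOST = ipaddress.ip_address("2001:db8::1").reverse_pointer    # ...8.b.d.0.1.0.0.2.ip6.arpa

# Constructed sample records (name, type, value); none come from the article.
SAMPLE_RECORDS = [
    # Ordinary reverse DNS: PTR records under in-addr.arpa / ip6.arpa.
    (V4_HOST, "PTR", "mail.example.net."),
    (V6_HOST, "PTR", "v6.example.net."),
    # The anomaly the article describes: forward records hung off .arpa so the
    # name can be served as a web host.
    ("login." + V6_HOST, "AAAA", "2001:db8:0:1::50"),
    ("account-verify." + V4_HOST, "A", "203.0.113.77"),
    # A CNAME whose target still resolves, and a dangling one whose target
    # zone has lapsed (the second pattern the article describes).
    ("www.example.gov.", "CNAME", "edge.cdn-example.net."),
    ("news-archive.example.gov.", "CNAME", "old-cms.retired-hosting-example.net."),
]

# Names the resolver currently answers for (constructed stand-in for live lookups).
RESOLVABLE = {"mail.example.net", "v6.example.net", "edge.cdn-example.net"}

# IPv6 space the defender treats as tunnel-broker allocations (constructed;
# 2001:db8::/32 is the documentation prefix, not any provider's real range).
TUNNEL_PREFIXES = [ipaddress.ip_network("2001:db8::/32")]


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop the trailing dot so comparisons are stable."""
    return name.rstrip(".").lower()


def in_reverse_namespace(name: str) -> bool:
    """True for names under the reverse-mapping zones of .arpa."""
    n = normalize(name)
    return n.endswith(".in-addr.arpa") or n.endswith(".ip6.arpa")


def audit_records(records, resolvable=RESOLVABLE, tunnel_prefixes=TUNNEL_PREFIXES):
    """Return a list of findings for records that match either abuse pattern."""
    resolvable = {normalize(r) for r in resolvable}
    findings = []
    for name, rtype, value in records:
        n, rtype = normalize(name), rtype.upper()
        if rtype in ("A", "AAAA") and in_reverse_namespace(n):
            reasons = ["forward record hosted under reverse-DNS namespace"]
            if rtype == "AAAA":
                addr = ipaddress.ip_address(value)
                if any(addr in prefix for prefix in tunnel_prefixes):
                    reasons.append("address inside tunnel-broker prefix")
            findings.append({"name": n, "rtype": rtype, "value": value, "reasons": reasons})
        elif rtype == "CNAME" and normalize(value) not in resolvable:
            findings.append({"name": n, "rtype": rtype, "value": value,
                             "reasons": ["dangling CNAME: target does not resolve"]})
    return findings


if __name__ == "__main__":
    for f in audit_records(SAMPLE_RECORDS):
        print(f"{f['rtype']:5} {f['name']} -> {f['value']}: {'; '.join(f['reasons'])}")
```

PTR records under .arpa produce no finding, so the audit stays quiet on normal reverse DNS; only the two A/AAAA records and the lapsed CNAME target surface. The "resolvable" set is the piece to replace with real resolver output, and a dangling target should be re-checked over time before anyone acts on it, since a transient outage looks the same as an abandoned zone in a single run.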

U.S. Justice Department Seizes $61 Million in Tether Linked to ‘Pig Butchering’ Crypto Scams


The U.S. Department of Justice (DoJ) has revealed that it seized approximately $61 million in Tether connected to fraudulent cryptocurrency operations commonly referred to as “pig butchering” scams.

According to the department, investigators traced the confiscated digital assets to wallet addresses allegedly used to launder funds obtained through cryptocurrency investment fraud schemes. The stolen proceeds were reportedly siphoned from victims who were manipulated into investing in fake platforms promising lucrative returns.

"Criminal actors and professional money launderers use cyber-enabled fraud schemes to swindle their victims and conceal their ill-gotten gains," said HSI Charlotte Acting Special Agent in Charge Kyle D. Burns.

"HSI special agents work diligently to trace the illicit proceeds of crime across the globe to disrupt and dismantle the transnational criminal organizations that seek to defraud hardworking Americans."

Authorities explained that these schemes typically begin with scammers initiating contact through dating platforms or social media messaging applications. The perpetrators build trust by posing as romantic interests or financial advisors before persuading victims to invest in fabricated cryptocurrency opportunities.

Officials further noted that many of these operations are allegedly run from scam compounds based primarily in Southeast Asia. Individuals trafficked under false promises of well-paying jobs are reportedly forced to participate in the schemes. Their passports are confiscated, and they are coerced into deceiving targets online under threats of severe punishment.

Victims are directed to professional-looking but fraudulent investment websites that display falsified portfolios and exaggerated profits. These manipulated dashboards are designed to encourage larger investments. When victims attempt to withdraw their funds, they are often told to pay additional “fees,” resulting in further financial losses.

"Once the victims' money was transferred to a cryptocurrency wallet under the scammers’ control, the crooks quickly routed that money through many other wallets to hide the nature, source, control, and ownership of that stolen money," the department added.

In a related statement, Tether disclosed that it has frozen roughly $4.2 billion in assets tied to unlawful activities so far. The company said that nearly $250 million of that amount has been linked to scam networks since June 2025.

The seizure marks one of the larger enforcement actions targeting cryptocurrency-enabled fraud and reflects ongoing efforts by U.S. authorities to disrupt global cybercrime syndicates exploiting digital assets.

Darktrace Flags Surge in Phishing as Identity-Based Attacks Redefine 2025 Threat Landscape

 

More than 32 million high-confidence phishing emails were identified in 2025, signaling a sharp rise in identity-focused cyberattacks, according to new findings from Darktrace.

The cybersecurity firm analyzed incidents across its global customer network, revealing a year marked by growing automation, overlapping attack techniques, and faster execution by threat actors.

Among the total phishing volume, over 8.2 million emails specifically targeted high-profile individuals and executives, representing more than a quarter of all attempts observed. Additionally, 1.6 million phishing messages were traced to newly registered domains, while 1.2 million leveraged malicious QR codes to lure victims.

The report found that 70% of phishing emails bypassed DMARC authentication checks. Spear-phishing accounted for 41% of attacks, and 38% featured new social engineering strategies. Roughly one-third of the phishing emails exceeded 1,000 characters in length, indicating increasingly sophisticated messaging tactics.

Identity Compromise Emerges as Primary Breach Method

The analysis underscores a major shift in cyber intrusion tactics: identity compromise has surpassed vulnerability exploitation as the leading initial access method. Although Common Vulnerabilities and Exposures (CVEs) rose approximately 20% year-over-year, many exploits were deployed even before vulnerabilities were publicly disclosed.

"Identity has become the attacker's skeleton key. Instead of forcing their way through a firewall, adversaries are logging in with stolen credentials, hijacked tokens and abused permissions, then moving laterally under the cover of legitimacy," commented Shane Barney, CISO at Keeper Security.

"When identity controls are fragmented or overly permissive, attackers don't need novel exploits. They just need access that looks routine."

In the Americas, nearly 70% of reported incidents involved SaaS and Microsoft 365 account takeovers. The manufacturing sector accounted for 17% of documented cases and represented 29% of ransomware incidents in the region. Overall, 47% of global security events tracked in 2025 originated from the Americas.

Regional data further illustrates varying levels of digital resilience and geopolitical pressure.

In Latin America, 44% of incidents stemmed from malware spreading after phishing or credential theft. The education sector was most affected, accounting for 18% of cases. Brazil, Mexico, and Colombia recorded the highest activity levels over the past three years. Across Europe, 58% of security incidents were linked to cloud and email compromise, while 42% were tied to network-based attacks. Africa reported a 60% year-over-year spike in ransomware incidents, with 76% of compromises categorized as network-driven.

In Asia-Pacific and Japan, 84% of organizations indicated that AI-driven threats are already affecting them. However, only 42% said they have formal governance policies in place for safe AI usage.

"Identity is no longer about perimeter-based defense. The rise in AI-based agents and the massively accelerating threat landscape has rendered that approach inadequate, and prompted a shift towards identity as the critical element to enterprise security," SailPoint CEO, Mark McClain, said.

"This report's findings demonstrate that there is now a need for real-time, intelligent, and dynamic identity security, built to govern and secure not just 'who,' or in the case of AI agents, 'what,' has access to the enterprise, but what data they can access and what they are able to do once inside."

Indonesia’s Coretax Platform Exploited in $2 Million Fraud Campaign Targeting Taxpayers

A highly coordinated cyber fraud campaign targeting Indonesia’s official Coretax tax system has resulted in estimated nationwide losses ranging between $1.5 million and $2 million.


Security firm Group-IB revealed that the scheme first surfaced in July 2025 and escalated sharply in January 2026, coinciding with the country’s peak tax filing season. Cybercriminals posed as the Coretax web portal to deceive users into installing malicious mobile applications.

Although Coretax is accessible strictly through its official website and does not offer a mobile application, attackers used this limitation to their advantage. The fraud operation combined cloned phishing websites, WhatsApp accounts impersonating tax officials, and voice phishing (vishing) calls to create a convincing attack chain.

Victims were instructed to download fraudulent APK files, unknowingly granting attackers remote control of their smartphones. This access enabled unauthorized banking transactions and financial theft.

Investigators traced the campaign to the GoldFactory threat cluster, which utilized several malware variants, including Gigabud.RAT and MMRat. During the probe, Group-IB uncovered 228 previously unidentified malware samples.

The infrastructure supporting the operation was also found to be repurposed to mimic more than 16 reputable brands across sectors such as government services, aviation, pension funds, and energy.

According to the report, approximately 67 million Indonesian taxpayers were considered potential targets. However, among financial institutions secured by Group-IB, the fraud success rate was restricted to 0.027% of infected devices due to advanced predictive detection tools.

Researchers estimated a broader device compromise rate of 0.025% — roughly 2.5 out of every 1,000 banking users. When extrapolated to Indonesia’s population of 287 million individuals exposed to the impersonated brands, the cumulative financial losses and associated operational expenses were calculated between $1.5 million and $2 million.

The investigation further identified 996 phishing URLs generated through a centralized system, pointing to a malware-as-a-service (MaaS) framework with the capacity to scale internationally. Potential expansion targets include Thailand, Vietnam, the Philippines, and South Africa.

The fraud followed a structured, multi-phase approach:
  1. Distribution of phishing links via fake WhatsApp tax representatives
  2. Installation of malicious applications that locked devices and extracted sensitive data
  3. Vishing calls pressuring victims to settle alleged tax dues
  4. Screen recording to capture banking credentials and one-time passwords (OTPs)
  5. Remote account takeover (ATO) and fund transfers through mule accounts

Group-IB noted that a layered security strategy combining signature-based detection, behavioral analytics, and contextual threat intelligence significantly mitigated losses among its clients. By analyzing infrastructure patterns and anticipating brand impersonation trends, the company reported stopping most fraudulent transactions before funds could be withdrawn.

The case underscores the growing sophistication of coordinated malware campaigns and the risks they pose to public confidence in digital government services, particularly when critical platforms like national tax systems are targeted.

Indonesia Hit by $2m Fraud Wave Using Fake ‘Coretax’ Tax Apps

 

A massive fraud campaign abusing Indonesia’s official Coretax tax platform has siphoned off an estimated 1.5–2 million dollars in losses nationwide, highlighting how cybercriminals now weaponize public digital services at industrial scale. 

Launched around July 2025 and ramped up ahead of the 2026 tax filing season, the operation preyed on taxpayers who believed they were interacting with legitimate Coretax channels. Although Coretax is only available as a web service, victims were deceived into thinking an official mobile app existed, turning their smartphones into entry points for financial theft. This gap between user perception and the platform’s real distribution model became the core social engineering hook.

According to Group-IB, the attackers built a multi-stage attack chain that blended classic phishing with modern mobile malware techniques. It started with phishing websites that visually mimicked the Coretax portal and other trusted brands, then continued via WhatsApp messages and calls from impostors posing as tax officials. These contacts pushed users to download Android application packages (APKs) masquerading as Coretax tools for filing or synchronizing tax data. Once installed, the malicious apps granted remote access, allowing fraudsters to control infected devices, freeze screens, and intercept sensitive data.

The campaign has been linked to the GoldFactory threat cluster, known for deploying advanced Android remote access trojans such as Gigabud.RAT and MMRat. Investigators uncovered 228 new malware samples tied to the operation, underlining the industrialized nature of the scheme. Beyond Coretax, the same infrastructure impersonated more than 16 reputable brands, including government services, airlines, pension funds, and energy providers, significantly widening the pool of potential victims. This brand-hopping strategy enabled attackers to reuse tooling while constantly refreshing lures.

At its peak, the operation aimed at roughly 67 million Indonesian taxpayers and, more broadly, at 287 million individuals exposed to abused brands across the country. While the overall compromise rate remained relatively low—around 0.025% of users—the scale of the population meant financial losses and associated costs still reached between 1.5 and 2 million dollars. Among financial institutions protected by Group-IB, predictive detection and layered defenses limited successful fraud to just 0.027% of malware-compromised devices. This illustrates how early detection and behavioral analysis can sharply reduce downstream financial impact.

Researchers warn that the operation appears to follow a malware-as-a-service model, supported by a centralized framework that has already generated nearly a thousand phishing URLs. The same toolkit could easily be repurposed against taxpayers and banking customers in other countries, with Thailand, Vietnam, the Philippines, and South Africa cited as likely next targets. For Indonesian users, the key defense is to remember that Coretax does not have a mobile app and is only accessible via official government websites. Verifying domains, refusing APK installations sent over messaging apps, and questioning unsolicited “tax officer” calls are now critical to staying safe during tax season.

Fraudsters Use Postal Mail to Target Crypto Hardware Wallet Owners



Cybercriminals are using traditional mail services to target cryptocurrency users who own hardware wallets manufactured by Trezor and Ledger. The attackers are distributing printed letters that falsely present themselves as official security notifications and attempt to trick recipients into revealing their wallet recovery phrases.

The letters instruct users to complete a compulsory “Authentication Check” or “Transaction Check,” claiming this step will soon become mandatory. Recipients are warned that failure to comply before stated deadlines could result in disrupted wallet functionality. One Trezor-themed letter sets February 15, 2026 as the cutoff date, while a Ledger-branded version references October 15, 2025.

The correspondence appears professionally formatted and claims to originate from internal security or compliance departments. In a case shared publicly by cybersecurity researcher Dmitry Smilyanets, a Trezor-related letter stated that authentication would soon be enforced across devices and urged users to scan a QR code to prevent interruption of Trezor Suite access. The letter further asserted that even if users had already enabled authentication on their device, they must repeat the process to ensure full activation and synchronization of the feature.

The QR codes direct recipients to fraudulent domains including trezor.authentication-check[.]io and ledger.setuptransactioncheck[.]com. At the time of reporting, the Ledger-linked domain was inactive, while the Trezor-related site remained accessible but displayed a phishing warning from Cloudflare.

The Trezor-themed phishing page states that users must complete authentication by February 15, 2026 unless they purchased specific models, including Trezor Safe 7, Safe 5, Safe 3, or Safe 1, after November 30, 2025, in which case the feature is allegedly preconfigured. After selecting “Get Started,” users are warned that ignoring the process could lead to blocked access, transaction signing errors, and complications with future updates.

Those who continue are prompted to enter their wallet recovery phrase. The form accepts 12-, 20-, or 24-word phrases and claims the information is necessary to confirm device ownership. Technical analysis shows that submitted phrases are transmitted through a backend endpoint located at /black/api/send.php on the phishing domain.

With access to the recovery phrase, attackers can restore the wallet on another device and transfer funds.

The method used to identify recipients remains unclear. However, both manufacturers have experienced past data breaches that exposed customer contact information, potentially increasing targeting risks.

Although email-based crypto phishing is common, physical mail scams remain relatively uncommon. In 2021, attackers mailed tampered Ledger devices designed to capture recovery phrases during setup. A similar postal campaign targeting Ledger users was reported again in April.

A recovery phrase, also called a seed phrase, represents the private cryptographic key controlling a cryptocurrency wallet. Anyone who obtains it gains complete control over the associated funds.

Legitimate hardware wallet providers do not request recovery phrases through mail, QR codes, websites, or email. The phrase should only be entered directly on the hardware device during a genuine restoration process.



Dark Web Voice-Phishing Kits Supercharge Social Engineering and Account Takeovers

 

Cybercriminals are finding it easier than ever to run convincing social engineering schemes and identity theft operations, driven by the availability of customized voice-phishing (vishing) kits sold on dark web forums and private messaging channels.

According to a recent Okta Threat Intelligence blog published on Thursday, these phishing kits are being marketed as a service to “a growing number” of threat actors aiming to compromise Google, Microsoft, and Okta user accounts. Beyond fake login pages, the kits also provide real-time support that helps attackers capture login credentials and multi-factor authentication (MFA) codes while victims are actively being manipulated.

“There are at least two kits that implement the novel functionality observed,” Okta Threat Intelligence Vice President Brett Winterford told The Register.

“The phishing kits have been developed to closely mimic the authentication flows of identity providers and other identity systems used by organizations,” he said. “The kits allow the attacker to monitor the phishing page as the targeted user is interacting with it and trigger different custom pages that the target sees. This creates a more compelling pretext for asking the user to share credentials and accept multi-factor authentication challenges.”

Winterford noted that this form of attack has “evolved significantly since late 2025.” Some advertisements promoting these kits even seek to hire native English-speaking callers to make the scams more believable.

“These callers pretend to be from an organization's helpdesk and approach targets using the pretext of resolving a support ticket or performing a mandatory technical update,” Winterford said.

Similar tactics were observed last year when Scattered Spider-style IT support scams enabled attackers to breach dozens of Salesforce environments, resulting in mass data theft and extortion campaigns.

The attacks typically begin with reconnaissance. Threat actors collect details such as employee names, commonly used applications, and IT support contact numbers. This information is often sourced from company websites, LinkedIn profiles, and other publicly accessible platforms. Using chatbots to automate this research further accelerates the process.

Once prepared, attackers deploy the phishing kit to generate a convincing replica of a legitimate login page. Victims are contacted via spoofed company or helpdesk phone numbers and persuaded to visit the fraudulent site under the guise of IT assistance. “The attacks vary from there, depending on the attacker's motivation and their interactions with the user,” Winterford said.

When victims submit their login credentials, the data is instantly relayed to the attacker—often through a Telegram channel—granting access to the real service. While the victim remains on the call, the attacker attempts to log in and observes which MFA methods are triggered, modifying the phishing page in real time to match the experience.

Attackers then instruct victims to approve push notifications, enter one-time passcodes, or complete other MFA challenges. Because the fake site mirrors these requests, the deception becomes harder to detect.

“If presented a push notification (type of MFA challenge), for example, an attacker can verbally tell the user to expect a push notification, and select an option from their [command-and-control] panel that directs their target's browser to a new page that displays a message implying that a push message has been sent, lending plausibility to what would ordinarily be a suspicious request for the user to accept a challenge the user didn't initiate,” the report says.

Okta also warned that these kits can defeat number-matching MFA prompts by simply instructing users which number to enter, effectively neutralizing an added layer of security.

Once MFA is bypassed, attackers gain full control of the compromised account.

This research aligns with The Register’s previous reporting on “impersonation-as-a-service,” where cybercriminals bundle social engineering tools into subscription-based offerings.

“As a bad actor you can subscribe to get tools, training, coaching, scripts, exploits, everything in a box to go out and conduct your infiltration operation that often combine[s] these social engineering attacks with targeted ransomware, almost always with a financial motive,” security firm Nametag CEO Aaron Painter said in an earlier interview.

UAE Banks Ditch SMS OTPs for Biometric App Authentication

 

UAE banks have discontinued SMS-based one-time passwords (OTPs) for online transactions from January 6, 2026, moving customers to app-based and biometric authentication as part of a wider security overhaul led by the Central Bank of the UAE. This marks a significant shift in how digital payments are approved, aiming to curb SIM-swap and phishing-related fraud while streamlining user experience for cardholders across the country.

Since January 6, customers making online card payments no longer receive OTP codes via SMS or email to complete their purchases. Instead, banks push transaction-approval requests directly to their official mobile applications, where users must confirm the payment using in-app prompts. Major UAE lenders, including Emirates NBD, have started sending alerts to customers, warning that online payments may fail if the banking app is not installed and activated before the deadline.

Role of biometrics and app authentication

The new model relies heavily on biometric verification such as fingerprint and facial recognition, along with secure app PINs or Smart Pass-style codes built into mobile banking platforms. When a customer attempts an online transaction, a notification appears inside the bank’s app, and the user authorises it with their registered biometric data or a secure PIN rather than typing in a texted code. Banks and regulators describe this as “strong customer authentication,” aligning local practices with international standards similar to Europe’s PSD2 framework for secure digital payments.

Authorities and banks point to rising fraud that targets SMS OTPs, especially SIM-swap scams, phishing schemes and interception of text messages over insecure channels. By tying approvals to registered devices and biometrics inside the banking app, the sector aims to sharply reduce the chance that criminals can hijack authentication codes and authorise fraudulent payments in a victim’s name. The Central Bank’s notice (2025/3057) set March 2026 as the outer deadline to phase out SMS and email OTPs entirely, but most major banks accelerated implementation after seeing a spike in such fraud cases last year.

Impact on customers and preparations

Customers are being urged to update their bank apps to the latest version, register biometrics where available, and enable push notifications so they do not miss approval requests during online shopping or money transfers. Those who do not complete these steps risk declined payments or delays, particularly for e-commerce and international transactions that now depend entirely on in-app verification rather than text messages. Employers and community groups in the UAE have been encouraged to educate less tech-savvy users, including blue-collar workers who rely on digital wallets and remittances, to avoid disruption during the transition period.

The move positions the UAE as one of the early markets to rely almost exclusively on biometric and app-based approvals for everyday retail payments, ahead of many more mature banking jurisdictions. Industry analysts see this shift as part of a broader digital transformation strategy in the country’s financial sector, combining enhanced security with faster, more convenient user journeys for online transactions. For customers, the change may require short-term adaptation, but it is expected to deliver stronger protection and a smoother checkout flow once app-based and biometric authentication becomes routine.

Government Flags WhatsApp Account Bans as Indian Number Misuse Raises Cyber Fraud Concerns


The Indian government has expressed concern over WhatsApp banning an average of nearly 9.8 million Indian accounts every month until October, amid fears that Indian mobile numbers are being widely misused for scams and cybercrime. Officials familiar with the discussions said the government is engaging with the Meta-owned messaging platform to understand how such large-scale misuse can be prevented and how enforcement efforts can be strengthened. 

Authorities believe WhatsApp’s current approach of not sharing details of the mobile numbers linked to banned accounts is limiting the government’s ability to track spam, impersonation, and cyber fraud. While WhatsApp publishes monthly compliance reports disclosing the number of accounts it removes for policy violations, officials said the lack of information about the specific numbers involved reduces transparency and weakens enforcement efforts. 

India is WhatsApp’s largest market, and the platform identifies Indian accounts through the +91 country code. Government officials noted that in several cases, numbers banned on WhatsApp later reappear on other messaging platforms such as Telegram, where they continue to be used for fraudulent activities. The misuse of Indian phone numbers by scammers operating both within and outside the country remains a persistent issue, despite multiple measures taken to combat digital fraud. 

According to officials, over-the-top messaging platforms are frequently used for scams because once an account is registered using a mobile number, it can function without an active SIM card. This makes it extremely difficult for law enforcement agencies to trace perpetrators. Authorities estimate that nearly 95% of cases involving digital arrest scams and impersonation fraud currently originate on WhatsApp. 

Government representatives said identifying when a SIM card was issued and verifying the authenticity of its know-your-customer details are critical steps in tackling such crimes. Discussions are ongoing with WhatsApp and other OTT platforms to find mechanisms that balance user privacy with national security and fraud prevention. 

The government also issues direct requests to platforms to disable accounts linked to illegal activities. Data from the Department of Telecommunications shows that by November this year, around 2.9 million WhatsApp profiles and groups were disengaged following government directives. However, officials pointed out that while these removals are documented, there is little clarity around accounts banned independently by WhatsApp.  

Former Ministry of Electronics and IT official Rakesh Maheshwari said the purpose of monthly compliance reports was to improve platform accountability. He added that if emerging patterns raise security concerns, authorities are justified in seeking additional information.  

WhatsApp has maintained that due to end-to-end encryption, its enforcement actions rely on behavioural indicators rather than message content. The company has also stated that sharing detailed account data involves complex legal and cross-border challenges. However, government officials argue that limited disclosure, even at the level of mobile numbers, poses a security risk when large-scale fraud is involved.

Hackers Hijack WhatsApp Accounts Using ‘GhostPairing’ Scam Without Breaking Encryption


Cybersecurity experts have issued a warning after discovering a new method that allows hackers to take over WhatsApp accounts without compromising the app’s end-to-end encryption.

The attack, known as the GhostPairing scam, exploits WhatsApp’s legitimate device-linking feature. By manipulating users into unknowingly connecting their account to a device controlled by cybercriminals, attackers gain live access to private chats, images, videos, and voice messages. Once an account is compromised, hackers can impersonate the victim and message their contacts, enabling the scam to spread further.

The process begins when a target receives a message that appears to be sent by someone they trust. The message includes a link, often claiming to display a photo of the recipient. Clicking the link redirects the user to a fake Facebook login page that asks for their phone number.

Instead of displaying any image, the page triggers WhatsApp’s device-pairing process by showing a code and instructing the victim to enter it into the app. By doing so, the user unknowingly authorises an unfamiliar device to link with their account. This gives attackers full access without the need for passwords or additional verification.

The scam was identified by researchers at cybersecurity company Avast, who say it is particularly dangerous due to its ability to spread rapidly in a chain-like manner.

“This campaign highlights a growing shift in cybercrime: breaching people's trust is as important as breaching their security systems,” Luis Corrons, a Security Evangelist at Avast, told The Independent.

“Scammers are persuading people to approve access themselves by abusing familiar mechanisms like QR codes, pairing prompts, and ‘verify on your phone’ screens that feel routine.

“Scams like GhostPairing turn trust into a tool for abuse. This isn’t just a WhatsApp issue. It’s a warning sign for any platform that relies on fast, low-visibility device pairing.”

In a blog post explaining the scam, Avast cautioned that many victims may not even realise their accounts have been hijacked. WhatsApp users can review connected devices by opening Settings and tapping Linked Devices. Any unfamiliar device should be removed immediately.

“At Avast, we see this as a turning point in how we think about authentication and user intent,” Mr Corrons said.

“As attacks grow more manipulative, security must account not just for what users are doing intentionally, but also what they’re being tricked into doing. GhostPairing shows that when trust becomes automatic, it becomes exploitable."

South Africa Warns of Cybercrime Surge Amid Festive Season


South Africa is experiencing a sudden and deeply concerning rise in cybercrime this holiday season, with consumers and businesses being warned to prepare for more aggressive attacks on digital banking, mobile applications and online services. 

Surge in festive-season attacks

The law firm Cox Yeats has witnessed a significant rise in cyberattacks themed around online shopping and digital payments: criminals are using fake online shops, phishing emails, malicious QR codes and AI-powered impersonation scams to trick people into handing over credentials and payment data. Consumers are encouraged to verify any such communications, transact only through official channels, avoid public Wi‑Fi when conducting transactions (using a VPN or mobile data instead), and report any suspicious activity as soon as possible.

The Information Regulator logged a total of 2 374 officially reported data breach cases for the 2024/25 period, an average of around 200 incidents a month, rising to about 300 monthly notifications in the current financial year, a 40% increase in security breaches. No organisation is immune: recent attacks have compromised government agencies, healthcare providers, financial institutions, retailers and telecommunication providers through ransomware, data theft and extortion.

Financial and human cost 

The economic impact is devastating, with the median cost of a data breach to a local business now hovering near R49 million, a sum that can lay waste to even the most well-run small or medium-sized business. South African consumers lost more than R1 billion in 2023 alone through digital banking and mobile app scams, while SABRIC reckons annual losses to cyber-attacks could be as high as R3.3 billion, accompanied by a 45% rise in digital banking fraud and a 47% increase in the related financial losses.

Surveys cited by Mpahlwa show that 70% of South African consumers have fallen victim to cybercrime, compared with 50% globally, with 35% admitting to losing money in scams and 32% acknowledging that they clicked on phishing emails. The emotional strain is mounting too, with 58% of people expressing deep concern about becoming victims, a trend worsened by AI tools that make it easier for criminals to convincingly impersonate brands, colleagues and even family members. 

Ransomware continues to be a highly disruptive threat, with South Africa the second most targeted country in Africa and third globally for cyberattacks, including double-extortion attacks in which criminals threaten to release stolen data publicly. Organisations are being advised to harden their defences and hold strong cyber insurance that covers loss of money, liability, business interruption, ransomware incidents, data breaches and potential regulatory fines, as the threat landscape rapidly shifts.

Holiday Scams Surge: How to Protect Yourself This Season


Scammers intensify their efforts during the holiday season, exploiting the rush, stress, and increased spending that characterize this time of year. The Federal Bureau of Investigation warns that fraud schemes spike significantly as criminals deploy sophisticated tactics—including AI-generated offers and phony delivery notifications—to steal money and personal information from unsuspecting victims.

The holiday period creates perfect conditions for fraudsters. People are distracted by family obligations, travel plans, and shopping deadlines, making them less likely to scrutinize suspicious messages or verify deals that appear too good to be true. With money flowing through shopping, travel bookings, and gift exchanges, scammers have numerous opportunities to exploit vulnerable targets.

Common holiday scams

Fake online shopping sites represent one of the most prevalent threats. These professional-looking storefronts advertise steep holiday discounts but disappear after collecting payments without delivering products. Consumers should navigate directly to trusted retailer websites rather than clicking promotional links and use credit cards for easier fraud disputes.

Phishing and smishing attacks flood inboxes with messages impersonating delivery services, claiming shipping problems or requesting order confirmations. These messages aim to harvest login credentials and financial details. Recipients should avoid clicking links in unexpected messages and instead manually type company URLs into browsers to verify account status.

Gift card scams involve tampering with physical cards to drain balances after activation or pressuring victims to pay with gift cards instead of standard methods. Purchasing cards directly from secure locations and retaining receipts provides protection against these schemes. Bogus charity operations emerge during the holidays, exploiting generosity through emotional donation requests. Donors should verify organizations using platforms like Charity Navigator before contributing funds.

Travel scams target holiday travelers with fake airline, hotel, or rental confirmations designed to collect money and personal information. Booking directly through official company channels and confirming reservations via verified apps prevents these frauds. Imposter scams feature criminals posing as customer service representatives on social media to extract sensitive data. Users should only engage with verified business accounts and never share personal details through direct messages.

Non-delivery scams occur when buyers pay for goods they never receive or sellers ship items without receiving payment. Using platforms with buyer and seller protections minimizes these risks.

Protection strategies

Awareness and simple habits provide effective defense. Slowing down before clicking links, verifying sellers through reviews, and favoring credit cards over peer-to-peer payment apps significantly reduce risk. When urgency triggers suspicion, pausing to verify information can prevent costly mistakes and protect finances throughout the holiday season.

GhostPairing Attack Puts Millions of WhatsApp Users at Risk



Cybersecurity experts have revealed an ongoing campaign that seizes control of WhatsApp accounts by manipulating WhatsApp's own multi-device architecture, an attack that illustrates the increasing complexity of digital identity threats.

Known as GhostPairing, the attack exploits the trust inherent in WhatsApp's device-pairing system, the feature that lets users send encrypted messages from laptops and browsers through the WhatsApp Web client alongside their phone.

By covertly guiding victims through a legitimate pairing process, malicious actors link an attacker-controlled browser to the target account as a hidden companion device, without alerting the user or triggering any device notifications.

WhatsApp's end-to-end encryption and frictionless cross-platform synchronisation remain among the most impressive in the industry, but investigators warn that these very strengths are being turned against the service's security model, giving adversaries persistent access to messages, media and account controls.

Although the encryption technically remains intact in this scenario, it is strategically nullified once the authentication layer is compromised, because attackers can read and reply to conversations from a session of their own. A feature designed to protect privacy thus becomes an entry point for silent account takeover.

Analysts characterise GhostPairing as a methodical account-takeover strategy that relies on WhatsApp's legitimate device-linking infrastructure rather than on attacking its authentication by conventional means. Users are socially engineered into linking an external device under the false impression that they are completing a verification process.

An attack typically begins with messages that appear to come from trusted contacts, often themselves compromised accounts, containing links disguised as photos, documents or videos. The links lead victims to fake websites meticulously modelled after popular platforms such as Facebook and WhatsApp, where they are asked to enter their phone number as part of a supposed authentication process.

The pages then generate QR codes framed as verifying customer support, completing KYC requirements, processing job applications, updating KYC records, registering for promotional events or recovering account information. The codes use the same format as WhatsApp Web, so by scanning them users unknowingly link their accounts to the attacker's device.

Once paired, the connection runs quietly in the background and the account owner receives no explicit login approval or security alert. WhatsApp's encryption remains technically unbroken, but the compromise at the device-pairing layer lets threat actors read private communications from an authenticated session of their own, effectively sidestepping the encryption.

The cybercriminals can then retrieve historical chat data, monitor incoming messages in real time, view and send shared media (images, videos, documents and voice notes) and message contacts while impersonating the legitimate account holder. Compromised accounts are also repurposed as propagation channels to reach further targets, enlarging the campaign's reach and scale.

Because the intrusion does not change normal app behaviour or cause instability, victims frequently remain unaware of the unauthorised access for prolonged periods, allowing attackers to maintain persistent surveillance undetected.

The campaign was initially traced to users in the Czech Republic, but subsequent analysis has shown that the campaign's reach is much larger than one specific country. During their investigation, researchers discovered that threat actors have been using reusable phishing kits capable of rapid replication, which allows operations to scale simultaneously across countries, languages, and communication patterns. 

The attack chain begins with outreach from compromised or impersonated accounts already in the victim's contact list, which lends the message an additional layer of misplaced trust. In many such messages the sender claims to have found a photograph and invites the recipient to view it through a link deliberately designed to resemble a Facebook media preview or viewer.

Accessing the link takes users to a fake, Facebook-branded verification page that requires them to authenticate before viewing the supposed content. According to security analysts, this deliberate mimicry of familiar interfaces is central to lowering suspicion and encourages victims to complete the verification steps with little hesitation.

Research published by Gen Digital's threat intelligence division indicates that the campaign relies on neither malware deployment nor credential interception; it manipulates WhatsApp's legitimate device-pairing system instead.

That system exists so that users can link browsers and desktop applications to their account and synchronise messages across them. Attackers bind an unauthorised browser to an account simply by convincing the user to approve the connection voluntarily. In other words, rather than breaking the encryption, they walk through an authentication door the victim unknowingly opens for them.

GhostPairing shows threat actors moving away from breaking encryption and towards undermining the mechanisms that govern access to it. The attack leans on one of WhatsApp's distinctive features: frictionless onboarding in which an account is tied to nothing more than a phone number and can be extended to as many linked devices as the user wishes.

That simplicity, often cited as a cornerstone of the company's global success, means users never enter usernames or passwords. It reinforces convenience but also exposes the mechanism to misuse. WhatsApp's end-to-end encryption architecture adds a further twist, since it gives every user their own private key.

The private keys used to encrypt message content are stored only on the user's device, which in theory prevents eavesdropping unless an attacker can physically obtain the device or compromise it remotely with malware.

GhostPairing demonstrates that social engineering can circumvent encryption without decrypting anything: the attacker's device is embedded in an authenticated session in which the encrypted content is already rendered readable.

Researchers note that the technique is comparatively less scalable on platforms such as Signal, which supports only QR-based approvals for pairing devices, a limitation that offers some protection against similar device-linking lures.

From a defensive standpoint, analysts stress that WhatsApp lets users see which devices are attached to their account under the Linked Devices section of the settings, where unauthorised connections can in principle be identified. Attackers may establish silent persistence through a fraudulently linked device, but they cannot revoke or remove the legitimate device's access themselves, since the primary registered device remains in charge of revocation.

Enabling two-step PIN verification as a mitigation, which prevents attackers from changing an account's primary email address, adds a further hurdle. That control does not, however, hinder access to messages once pairing has completed. The consequences are especially acute for organisations.

Employees commonly communicate over WhatsApp, often in informal group chats involving many members, most of which sit outside formal documentation and oversight. Security teams are advised to assume that such shadow communication clusters exist and to treat them as a default risk category rather than as exceptions.

Industry guidelines, including those that have held for the past five years, emphasise continued user awareness: users should be trained to recognise phishing attempts and unsolicited messages even when they appear to come from well-known contacts or take the form of plausible verification requests.

The timing of the attack is hard to pin down from a broader perspective, but there are no signs of relief. According to a report published by Meta in April of this year, millions of WhatsApp users had their mobile numbers exposed, and Meta confirmed earlier this year that the Windows desktop application had security vulnerabilities.

In parallel investigations, Signal-based messaging tools used by political figures and senior officials have also been found compromised, confirming that cross-platform messaging ecosystems, whatever their encryption strength, now face identity-layer vulnerabilities that must be addressed with the same urgency traditionally reserved for network or malware attacks.

The GhostPairing campaign signals a nuanced yet significant change in account-access techniques, reflecting a longer-term trend in which attackers pursue identities through behavioural influence rather than technical subversion.

Threat actors exploit WhatsApp's device-linking feature exactly as it was designed to work, which proves more effective than trying to decrypt secure communications or override authentication safeguards.

They engineer moments of cooperation with persuasive, familiar-looking interfaces. By embedding fraudulent prompts within convincingly branded verification flows, attackers secure enduring access to victim accounts with very little technical skill, relying on legitimacy by design rather than on compromising the systems.

Security researchers warn that the approach is not bound by region: scalable phishing kits and interface mimicry allow it to be deployed across multiple countries and languages.

Any digital service that allows set-up via QR codes or numeric confirmation steps, whether or not it is built on a dedicated platform, is inherently exposed to similar attacks, especially when human trust is the primary vulnerability being exploited.

Analysts emphasise that the attack's effectiveness stems from combining precise social engineering with permissive multi-device frameworks, which lets adversaries enter encrypted environments without breaking the encryption at all: they simply reach a session in which every message has already been decrypted for the authenticated user.

It is encouraging that the defensive measures needed to combat such threats are still relatively straightforward. Regular device-hygiene audits, greater user awareness and modest platform refinements, such as clearer pairing alerts and tighter device-verification constraints, could significantly reduce the success rate of such deception-driven compromises.

User education and internal reporting mechanisms are crucial to reducing risk, especially for organisations exposed to undocumented employee group chats that operate outside formal oversight.

Amid the rapid growth of digital interactions, defenders are urged to treat vigilance in the pairing process not as an add-on practice but as a foundational layer of account security. GhostPairing is a reminder that the security of modern communication platforms is no longer defined by encryption standards alone but by the resilience of the systems that govern access to them, and those systems must be maintained at all times.

It is evident that as messaging ecosystems continue to grow and integrate themselves into everyday interactions — such as sharing personal media or coordinating workplace activities — the balance between convenience and control demands renewed scrutiny. 

Users are strongly advised to follow regular digital safety practices, such as verifying unexpected links even when they come from familiar contacts, regularly auditing linked devices, and activating two-factor safeguards such as two-step PIN verification, to keep their data secure.

As organisations become increasingly aware of threats beyond their perimeter, they should cultivate a culture of internal threat reporting so that unofficial communication groups are acknowledged in risk models rather than ignored.

Security teams are advised to run phishing-awareness drills, push for clearer device-pairing alerts at the platform level, and conduct periodic access-hygiene reviews of widely used communication channels such as encrypted messengers.

With identity-layer attacks on the rise, researchers emphasise that informed users remain the best countermeasure against silent account compromise, making awareness not merely a reactive habit but a long-term strategic advantage.

PayPal Subscriptions Exploited in Sophisticated Email Scam


Hackers have found a clever way to misuse PayPal's legitimate email system to send authentic-looking phishing messages that bypass security filters and appear genuine to end users.

Over the last few weeks, users have been reporting emails from PayPal's legitimate address "service@paypal.com" informing them that their automatic payment has expired. The emails pass all the usual security checks, such as DKIM and SPF authentication, and do in fact originate from PayPal’s mail servers.

One reason these messages are so potent is that the scammers have altered the Customer Service URL to point to their own websites, which display fake purchase notifications claiming that victims have bought high-priced electronics such as MacBooks, iPhones, or Sony devices for USD 1,300 to 1,600.

The scam text is written with Unicode characters that render words in bold or in different fonts, a trick intended to get round spam filters and keyword detection. Rather than linking to a fake login page, the messages tell recipients to call a phony “PayPal support” phone number to cancel or dispute the alleged charges.

BleepingComputer's analysis of logs and transactions shows that the PayPal Subscriptions feature is being abused. When a merchant places a subscriber's subscription on hold through its own mechanism, PayPal notifies the subscriber by email. PayPal appears to be vulnerable to a subscription-metadata attack, perhaps through an API or a legacy platform, which lets attackers insert arbitrary text into the Customer Service URL field (a field that normally accepts only valid URLs).

The scammers then register a fake subscriber account whose email address belongs to a Google Workspace mailing list. When that address receives the notification from PayPal, the mailing-list service forwards what looks like a legitimate email from PayPal to the list of "victims", lending the scam still more apparent legitimacy.
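Two defensive checks that follow from the mechanism described above, as an added example that is not PayPal's or BleepingComputer's code: a strict validator of the kind the Customer Service URL field should enforce (plain https URL only, no prose or phone numbers), and NFKC normalisation so that keyword filters still match text styled with Unicode "mathematical bold" letters. The keyword list, phone pattern and sample message are constructed for illustration.

```python
"""Added example: hardening a URL metadata field and defeating Unicode font
tricks in a notification filter (constructed; not PayPal's implementation)."""
import re
import unicodedata
from urllib.parse import urlsplit


def is_valid_customer_service_url(value: str) -> bool:
    """Accept only an https URL with an ASCII hostname; reject anything that
    looks like free text (spaces, non-ASCII, missing scheme or host)."""
    if not value or any(ch.isspace() for ch in value):
        return False
    if any(ord(ch) > 0x7E for ch in value):          # styled Unicode is never a valid URL here
        return False
    parts = urlsplit(value)
    if parts.scheme != "https" or not parts.netloc:
        return False
    host = parts.hostname or ""
    return re.fullmatch(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", host) is not None


def normalize_for_filter(text: str) -> str:
    """NFKC folds compatibility characters such as Mathematical Bold letters
    (U+1D400..U+1D433) back to plain ASCII, so styled words match keywords again."""
    folded = unicodedata.normalize("NFKC", text)
    return re.sub(r"\s+", " ", folded).strip()


KEYWORDS = ("call", "support", "charge", "dispute")      # constructed watch-list
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")


def keyword_hits(text: str, normalise: bool = True) -> int:
    """Count watch-list keywords, optionally after NFKC normalisation."""
    t = (normalize_for_filter(text) if normalise else text).lower()
    return sum(k in t for k in KEYWORDS)


def looks_like_callback_scam(text: str) -> bool:
    """Flag notification text carrying a phone number plus two or more urgency
    keywords. Always evaluated on normalised text so styling cannot hide words."""
    norm = normalize_for_filter(text)
    return PHONE_RE.search(norm) is not None and keyword_hits(norm) >= 2


def _math_bold(s: str) -> str:
    """Constructed helper: rewrite ASCII letters as Unicode Mathematical Bold,
    the styling the scam messages use to dodge keyword filters."""
    out = []
    for ch in s:
        if "A" <= ch <= "Z":
            out.append(chr(0x1D400 + ord(ch) - ord("A")))
        elif "a" <= ch <= "z":
            out.append(chr(0x1D41A + ord(ch) - ord("a")))
        else:
            out.append(ch)
    return "".join(out)


# Constructed sample in the style of the reported messages (555-01xx is a reserved test range).
SAMPLE_NOTE = (_math_bold("Call PayPal support") + " at 1-888-555-0100 to "
               + _math_bold("dispute") + " the charge of $1,499.00.")

if __name__ == "__main__":
    print(keyword_hits(SAMPLE_NOTE, normalise=False), keyword_hits(SAMPLE_NOTE))
    print(looks_like_callback_scam(SAMPLE_NOTE))
    print(is_valid_customer_service_url("Call 1-888-555-0100 to dispute the charge"))
```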

Safety measures

Recipients should ignore these emails and avoid calling the provided phone numbers. These tactics historically aim to facilitate bank fraud or trick victims into installing malware on their devices. PayPal confirmed awareness of the scam and recommends customers contact support directly through the official PayPal app or website if they suspect fraudulent activity. Users concerned about account compromise should log into their PayPal account directly rather than clicking email links to verify whether any unauthorized charges actually occurred.

Why Banks Must Proactively Detect Money Mule Activity



Financial institutions are under increasing pressure to strengthen their response to money mule activity, a growing form of financial crime that enables fraud and money laundering. Money mules are bank account holders who move illegally obtained funds on behalf of criminals, either knowingly or unknowingly. These activities allow criminals to disguise the origin of stolen money and reintroduce it into the legitimate financial system.

Recent regulatory reviews and industry findings underscore the scale of the problem. Hundreds of thousands of bank accounts linked to mule activity have been closed in recent years, yet only a fraction are formally reported to shared fraud databases. High evidentiary thresholds mean many suspicious cases go undocumented, allowing criminal networks to continue operating across institutions without early disruption.

At the same time, banks are increasingly relying on advanced technologies to address the issue. Machine learning systems are now being used to analyze customer behavior and transaction patterns, enabling institutions to flag large volumes of suspected mule accounts. This has become especially important as real-time and instant payment methods gain widespread adoption, leaving little time to react once funds have been transferred.

Money mules are often recruited through deceptive tactics. Criminals frequently use social media platforms to promote offers of quick and easy money, targeting individuals willing to participate knowingly. Others are drawn in through scams such as fake job listings or romance fraud, where victims are manipulated into moving money without understanding its illegal origin. This wide range of intent makes detection far more complex than traditional fraud cases.

To improve identification, fraud teams categorize mule behavior into five distinct profiles.

The first group includes individuals who intentionally commit fraud. These users open accounts with the clear purpose of laundering money and often rely on stolen or fabricated identities to avoid detection. Identifying them requires strong screening during account creation and close monitoring of early account behavior.

Another group consists of people who sell access to their bank accounts. These users may not move funds themselves, but they allow criminals to take control of their accounts. Because these accounts often have a history of normal use, detection depends on spotting sudden changes such as unfamiliar devices, newly added authorised users, or altered behavior patterns. External intelligence sources can also support identification.

Some mules act as willing intermediaries, knowingly transferring illegal funds for personal gain. These individuals continue everyday banking activities alongside fraudulent transactions, making them harder to detect. Indicators include unusual transaction speed, abnormal payment destinations, and increased use of peer-to-peer payment services.

There are also mules who unknowingly facilitate fraud. These individuals believe they are handling legitimate payments, such as proceeds from online sales or temporary work. Detecting such cases requires careful analysis of transaction context, payment origins, and inconsistencies with the customer’s normal activity.

The final category includes victims whose accounts are exploited through account takeover. In these cases, fraudsters gain access and use the account as a laundering channel. Sudden deviations in login behavior, device usage, or transaction patterns are critical warning signs.

To reduce financial crime effectively, banks must monitor accounts continuously from the moment they are opened. Attempting to trace funds after they have moved through multiple institutions is costly and rarely successful. Cross-industry information sharing also remains essential to disrupting mule networks early and preventing widespread harm. 
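As an added illustration of the indicators listed across the five profiles above (example code, not from the original post or any bank's monitoring system), the following Python builds a behavioural baseline from an account's first month of activity and scores later activity for the signals the profiles describe: an unfamiliar login device, a credit that is largely forwarded again within a day, never-seen peer-to-peer payees, and an abnormal payment tempo. The field names, thresholds and the sample account history are constructed assumptions.

```python
"""Rule-based scoring of money-mule indicators over a constructed account history.

Added example, not from the original post. Field names, thresholds and the
sample activity below are assumptions chosen to illustrate the five profiles.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

PASS_THROUGH_HOURS = 24    # a credit that leaves again within this window ...
PASS_THROUGH_RATIO = 0.8   # ... and at least this share of it is forwarded
BASELINE_DAYS = 30         # oldest activity treated as the customer's "normal"


@dataclass
class Event:
    ts: datetime
    kind: str               # "login" or "txn"
    device: str = ""        # logins only
    direction: str = ""     # "in" / "out" for txns
    amount: float = 0.0
    counterparty: str = ""
    channel: str = ""       # "transfer", "card", "p2p"


@dataclass
class Baseline:
    devices: set
    counterparties: set
    max_daily_out: int      # busiest day of outgoing payments in the baseline


def _out_per_day(txns: list) -> dict:
    per_day: dict = {}
    for t in txns:
        if t.direction == "out":
            key = t.ts.date().isoformat()
            per_day[key] = per_day.get(key, 0) + 1
    return per_day


def build_baseline(events: list) -> Baseline:
    """Learn normal devices, payees and payment tempo from the oldest activity."""
    cutoff = min(e.ts for e in events) + timedelta(days=BASELINE_DAYS)
    hist = [e for e in events if e.ts < cutoff]
    txns = [e for e in hist if e.kind == "txn"]
    return Baseline(
        devices={e.device for e in hist if e.kind == "login"},
        counterparties={t.counterparty for t in txns},
        max_daily_out=max(_out_per_day(txns).values(), default=0),
    )


def score_recent(events: list, base: Baseline, since: datetime) -> dict:
    """Score activity on or after `since` against the baseline; two or more hits -> review."""
    recent = sorted((e for e in events if e.ts >= since), key=lambda e: e.ts)
    txns = [e for e in recent if e.kind == "txn"]
    hits = []
    # Unfamiliar device: sold account or account takeover (profiles 2 and 5).
    new_dev = [e.device for e in recent if e.kind == "login" and e.device not in base.devices]
    if new_dev:
        hits.append(f"new_device:{new_dev[0]}")
    # Pass-through: a credit that mostly leaves again within the window (profiles 3 and 4).
    for i, credit in enumerate(txns):
        if credit.direction != "in":
            continue
        deadline = credit.ts + timedelta(hours=PASS_THROUGH_HOURS)
        out = sum(t.amount for t in txns[i + 1:] if t.direction == "out" and t.ts <= deadline)
        if out >= PASS_THROUGH_RATIO * credit.amount:
            hits.append(f"pass_through:{credit.amount:.0f}->{out:.0f}")
            break
    # Never-seen P2P payees (profile 3).
    new_p2p = {t.counterparty for t in txns
               if t.direction == "out" and t.channel == "p2p"
               and t.counterparty not in base.counterparties}
    if new_p2p:
        hits.append(f"new_p2p_payees:{len(new_p2p)}")
    # Tempo: busiest recent day exceeds twice the baseline peak (floor of 2 per day).
    peak = max(_out_per_day(txns).values(), default=0)
    if peak > max(2 * base.max_daily_out, 2):
        hits.append(f"velocity:{peak}_out_per_day")
    return {"indicators": hits, "score": len(hits), "flag_for_review": len(hits) >= 2}


T = datetime.fromisoformat
# Constructed history: a month of ordinary use from one device.
HISTORY = [
    Event(T("2025-01-02T08:00"), "login", device="dev-A"),
    Event(T("2025-01-03T10:00"), "txn", direction="in", amount=2500, counterparty="employer", channel="transfer"),
    Event(T("2025-01-05T12:00"), "txn", direction="out", amount=900, counterparty="landlord", channel="transfer"),
    Event(T("2025-01-12T09:00"), "txn", direction="out", amount=120, counterparty="grocer", channel="card"),
    Event(T("2025-01-20T08:00"), "login", device="dev-A"),
]
# Constructed February activity matching the mule pattern: new device, a large
# credit from an unknown payer, then most of it forwarded to new P2P payees.
MULE_FEB = [
    Event(T("2025-02-05T08:30"), "login", device="dev-Z"),
    Event(T("2025-02-05T09:00"), "txn", direction="in", amount=4800, counterparty="marketplace-buyer", channel="transfer"),
    Event(T("2025-02-05T09:40"), "txn", direction="out", amount=1500, counterparty="p2p-1", channel="p2p"),
    Event(T("2025-02-05T10:05"), "txn", direction="out", amount=1500, counterparty="p2p-2", channel="p2p"),
    Event(T("2025-02-05T11:30"), "txn", direction="out", amount=1500, counterparty="p2p-3", channel="p2p"),
]
# Constructed February activity that is simply more of the same.
CLEAN_FEB = [
    Event(T("2025-02-03T08:00"), "login", device="dev-A"),
    Event(T("2025-02-05T10:00"), "txn", direction="in", amount=2500, counterparty="employer", channel="transfer"),
    Event(T("2025-02-06T09:00"), "txn", direction="out", amount=900, counterparty="landlord", channel="transfer"),
]


def evaluate(february: list) -> dict:
    """Baseline on the January history, then score everything from 1 February on."""
    events = HISTORY + february
    return score_recent(events, build_baseline(events), T("2025-02-01T00:00"))


if __name__ == "__main__":
    print(evaluate(MULE_FEB))    # four indicators, flagged for review
    print(evaluate(CLEAN_FEB))   # no indicators
```

The baseline is deliberately learned from the account's own earliest activity rather than from a population average, which is what lets the same rules catch both a long-standing account that is suddenly sold or taken over (the device and payee sets change) and a freshly opened account run by a knowing launderer (there is no normal period, so the very first credits already look like pass-through). A production system would replace the hand-set thresholds with learned ones, but the indicators it would learn are the ones scored here.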

Hackers Are Posing as Police to Steal User Data from Tech Companies

Cybersecurity investigators are warning about a growing threat in which cybercriminals impersonate law enforcement officers to unlawfully obtain sensitive user information from major technology companies. The attackers abuse emergency data request channels that are designed to let police obtain information quickly in life-threatening situations.

In one documented incident earlier this year, a US internet service provider received what appeared to be an urgent email from a police officer requesting user data. The request was treated as authentic, and within a short time, the company shared private details belonging to a gamer based in New York. The information included personal identifiers such as name, residential address, phone numbers, and email contact. Later investigations revealed that the email was fraudulent and not sent by any law enforcement authority.

Journalistic review of internal evidence indicates that the message originated from an organized hacking group that profits by selling stolen personal data. These groups offer what is commonly referred to as doxing services, where private information is extracted from companies and delivered to paying clients.

One individual associated with the operation admitted involvement in the incident and claimed that similar impersonation tactics have worked against multiple large technology platforms. According to the individual, the process requires minimal time and relies on exploiting weak verification procedures. Some companies acknowledged receiving inquiries about these incidents but declined to provide further comment.

Law enforcement officials have expressed concern over the misuse of officer identities, particularly when attackers use real names, badge numbers, and department references to appear legitimate. This tactic greatly increases the likelihood that companies will comply without deeper scrutiny.

Under normal circumstances, police data requests are processed through formal legal channels, often taking several days. Emergency requests, however, are designed to bypass standard timelines when immediate harm is suspected. Hackers take advantage of this urgency by submitting forged documents that mimic legitimate legal language, seals, and citations.

Once attackers obtain a small amount of publicly accessible data, such as a username or IP address, they can convincingly frame their requests. In some cases, falsified warrants were used to seek even more sensitive records, including communication logs.

Evidence reviewed by journalists suggests the operation is extensive, involving hundreds of fraudulent requests and generating substantial financial gain. Materials such as call recordings and internal documents indicate repeated successful interactions with corporate legal teams. In certain cases, companies later detected irregularities and blocked further communication, introducing additional safeguards without disclosing technical details.

A concerning weakness lies in the fragmented nature of US law enforcement communication systems. With thousands of agencies using different email domains and formats, companies struggle to establish consistent verification standards. Attackers exploit this by registering domains that closely resemble legitimate police addresses and spoofing official phone numbers.

Experts note that many companies still rely on email-based systems for emergency data requests and publicly available submission guidelines. While intended to assist law enforcement, these instructions can unintentionally provide attackers with ready-made templates.
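One way to put structure on the verification problem described above (an added example, not code from the article or from any provider's intake system): check the sender domain against an independently maintained directory of agency domains, flag near-miss domains, read the receiving mail server's SPF/DKIM results, and compare any callback number in the request with the number on file for that agency. The directory, the look-alike distance threshold and both sample messages are constructed assumptions. The example also carries the caveat a practitioner should keep in mind: a look-alike domain the attacker registered themselves will pass SPF and DKIM cleanly, so passing authentication alone says nothing about whether the sender is really a police department.

```python
"""Triage of an inbound emergency data request (EDR) e-mail.

Added example, not part of the original article. The agency directory,
sample messages and thresholds are constructed assumptions.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed directory: agency sender domains and the callback number on
# file for each. A real directory must be maintained independently of
# anything the request itself supplies.
AGENCY_DIRECTORY = {
    "pd.example-city.gov": "+1-555-010-0100",
    "sheriff.example-county.us": "+1-555-010-0200",
}
LOOKALIKE_MAX_DISTANCE = 2               # assumed threshold for near-miss domains
PHONE_RE = re.compile(r"\+\d[\d-]+\d")   # matches the constructed +1-555-... format


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str):
    """Return ('known' | 'lookalike' | 'unknown', matched directory domain or None)."""
    if domain in AGENCY_DIRECTORY:
        return "known", domain
    best = min(AGENCY_DIRECTORY, key=lambda d: edit_distance(domain, d))
    if edit_distance(domain, best) <= LOOKALIKE_MAX_DISTANCE:
        return "lookalike", best
    return "unknown", None


def auth_passed(msg) -> bool:
    """SPF and DKIM both pass in the receiving MX's Authentication-Results.

    This only proves the mail came from the domain it claims. A domain the
    attacker registered themselves passes cleanly, so it is necessary, not
    sufficient.
    """
    ar = str(msg.get("Authentication-Results", "")).lower()
    return "spf=pass" in ar and "dkim=pass" in ar


def triage_edr(raw: str) -> dict:
    """Decide what an analyst should do with one raw EDR e-mail."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(str(msg["From"]))
    domain = addr.rsplit("@", 1)[-1].lower()
    status, match = classify_domain(domain)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    found = PHONE_RE.search(text)
    callback_in_request = found.group(0) if found else None
    callback_on_file = AGENCY_DIRECTORY.get(match) if match else None
    reasons = []
    if status == "lookalike":
        reasons.append(f"sender domain {domain} resembles registered {match}")
    if status == "unknown":
        reasons.append(f"sender domain {domain} is not in the agency directory")
    if not auth_passed(msg):
        reasons.append("SPF and DKIM did not both pass")
    if callback_in_request and callback_on_file and callback_in_request != callback_on_file:
        reasons.append("callback number in request differs from number on file")
    if status == "unknown":
        action = "reject_unknown_sender"
    elif reasons:
        action = "escalate_suspected_fraud"   # contact the real agency at callback_on_file
    else:
        action = "verify_by_callback"         # still never auto-release; call callback_on_file
    return {"sender_domain": domain, "domain_status": status, "agency_match": match,
            "callback_on_file": callback_on_file, "callback_in_request": callback_in_request,
            "reasons": reasons, "action": action}


# Constructed forgery: "clty" for "city", SPF/DKIM pass because the attacker
# controls that domain, and a callback number that is not the one on file.
FORGED_EDR = """\
From: Jane Roe <j.roe@pd.example-clty.gov>
To: lawenforcement@isp.example.net
Subject: EMERGENCY DISCLOSURE REQUEST - imminent threat to life
Authentication-Results: mx.isp.example.net; spf=pass smtp.mailfrom=pd.example-clty.gov; dkim=pass header.d=pd.example-clty.gov
Content-Type: text/plain; charset="us-ascii"

Badge 4471. The subscriber behind IP 203.0.113.7 at 2025-02-05T02:10Z is at
risk of imminent harm. Provide name, address and phone numbers. Call
+1-555-010-9999 to confirm if required.
"""

# Constructed request from a directory-listed domain quoting the number on file.
GENUINE_EDR = """\
From: Alex Doe <a.doe@sheriff.example-county.us>
To: lawenforcement@isp.example.net
Subject: Emergency disclosure request
Authentication-Results: mx.isp.example.net; spf=pass smtp.mailfrom=sheriff.example-county.us; dkim=pass header.d=sheriff.example-county.us
Content-Type: text/plain; charset="us-ascii"

Please call +1-555-010-0200 to verify this request before releasing records.
"""

if __name__ == "__main__":
    print(triage_edr(FORGED_EDR))    # lookalike domain, escalate_suspected_fraud
    print(triage_edr(GENUINE_EDR))   # known domain, verify_by_callback
```

The important design point is that no path returns "release": even a request from a known domain with clean authentication and a matching number only earns a callback to the number the provider already holds, never to one supplied in the message. That is the control that defeats both the look-alike domain and the spoofed phone number the article describes, because the attacker controls the request but not the provider's directory.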

Although warnings about fake emergency requests have circulated for years, recent findings show the practice remains widespread. The issue highlights a broader challenge in balancing rapid response with rigorous verification, especially when human judgment is under pressure from perceived urgency. Without systemic improvements, trust-based processes will continue to be abused.