Intelligence updated: March 16, 2026. 13 threats tracked.
This week saw major developments across multiple fronts. The FBI issued a new PSA on phishing schemes impersonating city/county officials for planning permits, while toll road smishing continues to surge with hundreds of new impersonation domains created in the past week alone. AI-powered scams crossed a critical threshold — voice cloning is now "indistinguishable" from real voices per the 2026 International AI Safety Report, and 1 in 4 Americans has received an AI-generated deepfake voice call.
A sophisticated threat group dubbed 'Scripted Sparrow' by Fortra researchers is sending 6.6 million BEC emails per month using AI-generated, context-aware messages. Unlike traditional BEC, which requires manual research and crafting, Scripted Sparrow automates the entire pipeline — from scraping executive names and vendor relationships to generating personalized payment redirect requests. The volume represents a 136% increase in BEC wire transfer attacks per APWG Q4 2025.
BEC was already the #2 cybercrime by losses ($2.77B in 2024). Automation lowers the cost per attack to near zero, meaning even low success rates generate massive returns. This shifts BEC from a targeted attack to a spray-and-pray model.
Criminals fuse real data (e.g., a child's stolen SSN) with fabricated details to create non-existent personas. These 'Frankenstein' identities are incubated for years — opening small accounts, building credit history — and then used in coordinated bust-outs: maxing out credit lines, auto loans, and personal loans before the identity is abandoned. TransUnion's 2026 Global Fraud Trends Report identifies synthetic identity fraud as 23% of all fraud types in the UK. Experian's 2026 Forecast projects AI-driven identity synthesis will overtake human error as the leading breach vector globally. Deepfake-related financial crimes have escalated 1,500% in APAC alone.
Traditional identity theft harms a specific real person. Synthetic identity fraud creates 'victimless' crimes from a consumer perspective — the financial institution is the victim. This makes detection harder because no real person reports the fraud. KYC/AML systems are not designed to catch entities that don't exist.
Adversary-in-the-Middle (AiTM) phishing kits like EvilProxy, Modlishka, and Muraena are now commodity tools available for $200-$500/month on dark web marketplaces. These kits intercept MFA tokens in real time by proxying the legitimate login page, capturing both the password AND the time-based one-time password (TOTP) as the victim enters them. Microsoft reports over 10,000 organizations targeted monthly by AiTM attacks in late 2025.
MFA was the primary defense recommendation for most account-security guidance. AiTM attacks render SMS-based and authenticator-app-based MFA ineffective, requiring a shift to phishing-resistant MFA (FIDO2/passkeys). Most consumers and small businesses still use TOTP-based MFA.
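The distinction between TOTP and phishing-resistant MFA comes down to what the server can actually check. The following is an added illustration, not code from the report or from any of the kits it names: a simplified server-side view in which a relayed TOTP verifies because the code carries no information about where it was typed, while a WebAuthn assertion is rejected because the browser records the origin it was produced on and the authenticator signs over it. All origins, the shared secret (the RFC 6238 test-vector secret), and the hand-built assertion shapes are constructed; signature verification is omitted.

```python
import hashlib
import hmac
import json
import struct

LEGIT_ORIGIN = "https://login.example.com"          # the real site (constructed)
PROXY_ORIGIN = "https://login.example-verify.com"   # lookalike reverse proxy (constructed)
RP_ID = "login.example.com"
SHARED_SECRET = b"12345678901234567890"             # RFC 6238 test-vector secret

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): depends only on secret and time, never on the site."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def verify_totp(secret: bytes, submitted: str, unix_time: int) -> bool:
    """Server-side check. A code captured on a proxy page and forwarded within the
    same 30-second step passes; the server cannot tell where it was typed."""
    return hmac.compare_digest(submitted, totp(secret, unix_time))

def verify_webauthn_assertion(client_data_json: bytes, authenticator_data: bytes) -> bool:
    """Simplified relying-party check (signature verification omitted). The browser,
    not the page, writes clientDataJSON.origin and the authenticator signs over it, so
    an assertion produced on the proxy's origin names the proxy and is rejected."""
    client_data = json.loads(client_data_json)
    origin_ok = client_data.get("type") == "webauthn.get" and client_data.get("origin") == LEGIT_ORIGIN
    rp_ok = authenticator_data[:32] == hashlib.sha256(RP_ID.encode()).digest()  # rpIdHash
    return origin_ok and rp_ok

def assertion_from(origin: str, rp_id: str) -> tuple:
    """What a browser/authenticator on `origin` would return (constructed shape)."""
    client_data = json.dumps({"type": "webauthn.get", "origin": origin, "challenge": "c0nstructed"}).encode()
    authenticator_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00" * 4  # flags, counter
    return client_data, authenticator_data

def compare_relay_outcomes(unix_time: int = 59) -> dict:
    """Same victim action on the proxy page, checked with each MFA type."""
    relayed_code = totp(SHARED_SECRET, unix_time)  # the value a proxy would forward
    proxy_cd, proxy_ad = assertion_from(PROXY_ORIGIN, "login.example-verify.com")
    real_cd, real_ad = assertion_from(LEGIT_ORIGIN, RP_ID)
    return {
        "totp_relayed_accepted": verify_totp(SHARED_SECRET, relayed_code, unix_time),
        "webauthn_relayed_accepted": verify_webauthn_assertion(proxy_cd, proxy_ad),
        "webauthn_direct_accepted": verify_webauthn_assertion(real_cd, real_ad),
    }
```

At unix time 59 the TOTP matches the RFC 6238 test vector (287082), and `compare_relay_outcomes()` reports the relayed TOTP accepted while only the assertion made on the legitimate origin is accepted.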
Scam operations — particularly those based in Southeast Asian compound operations — are deploying AI voice agents that can conduct entire scam phone calls autonomously. Group-IB's January 2026 report documents operations using multi-language AI agents capable of real-time voice synthesis, emotional response adaptation, and script branching based on victim reactions. These systems can operate 24/7, handle thousands of simultaneous calls, and speak any language fluently.
Human-operated scam call centers were capacity-limited and required recruitment, training, and management of operators (often trafficking victims). AI agents remove this bottleneck entirely, enabling a single operator to run thousands of concurrent scam calls. Combined with voice cloning (already crossing the 'indistinguishable threshold' per Fortune Dec 2025), AI agents can impersonate specific individuals in real time.
Advanced criminal syndicates are migrating core attack infrastructure onto public blockchains. By leveraging DeFi platforms for command-and-control operations and automated smart contracts for data exfiltration and instant monetization, attackers achieve near-absolute resilience against takedowns. The Huione Guarantee marketplace alone facilitated over $49 billion in illicit transactions before wider exposure. Traditional law enforcement domain seizures and server takedowns are ineffective against decentralized infrastructure.
Existing categories classify crypto as a payment method. This represents a fundamental shift in criminal architecture — bulletproof backend infrastructure that cannot be dismantled by conventional means. It enables every other scam category to operate with greater impunity.
An evolution of SIM swapping — 'smooshing' involves coordinated, large-scale hijacking of mobile phone numbers via eSIM exploitation. Attackers trick carriers into transferring a victim's number to a remote eSIM, then intercept all incoming MFA texts and calls. This enables rapid, total account takeover across banking, email, and social media before the victim notices service loss. As SMS-based MFA becomes the default authentication method, the mobile phone number becomes the master key to digital life.
Existing phishing/smishing categories require the victim to take action (click a link, enter credentials). In smooshing, the victim is entirely passive — their phone simply loses service, and accounts are drained silently using intercepted MFA codes. No social engineering of the victim is needed.
Criminals scrape publicly available permit information, then send emails impersonating city and county officials citing real permit numbers, zoning application IDs, and property addresses. Victims are instructed to pay "invoices" via wire transfer, P2P payment, or cryptocurrency.
This threat targets homeowners, businesses, and contractors who recently filed building or zoning permits in any US jurisdiction. Scammers are using messages that reference specific permit numbers and property addresses and include an official-sounding invoice with wire transfer instructions.
Fraudulent text messages impersonate E-ZPass, state tolling authorities, and now courts (Michigan AG warned of texts impersonating 36th District Court). Victims are told they owe unpaid tolls and face license suspension or prosecution. Links lead to credential/payment harvesting sites.
This threat targets drivers nationwide and is active in 20+ states; Michigan and several other states issued specific warnings this week. Scammers are using language like: "Your toll account has an outstanding balance of $X.XX. Pay immediately to avoid a late fee of $50.00 and possible license suspension." and "You have a pending court fine for toll violation..."
Russian-backed hackers (identified by Dutch intelligence AIVD/MIVD) pose as "Signal Security Support Chatbot" or "Signal Support" to trick targets into sharing verification codes or adding a malicious "linked device" to their account. Not an app vulnerability — pure social engineering.
This threat targets senior officials, military personnel, civil servants, and journalists, but the same technique can easily be adapted for consumer targeting. Scammers are using language like: "Your Signal account requires verification. Please share your PIN to confirm identity" and "Link this device to secure your account."
As spring/summer travel season approaches, scammers operate copycat websites mimicking the official ESTA (Electronic System for Travel Authorization) site. These sites overcharge for the application and may not even submit the paperwork.
This threat targets international travelers to the US, or US residents helping international visitors.
BBB Scam Tracker received 170+ reports of a product called "LipoMax" marketed via deepfake celebrity endorsement videos (including Oprah Winfrey and alleged physicians) promoting a "pink salt trick" weight loss solution. Videos are AI-generated and distributed on social media.
This threat targets health-conscious consumers and social media users, particularly those who follow wellness content.
Extortionists are shifting from encrypting corporate servers to breaching poorly secured IoT devices in homes. Attackers target smart thermostats, door locks, security cameras, and appliances. Rather than stealing data, they lock physical devices or alter environmental controls (e.g., maximizing heat, permanently locking doors) and demand cryptocurrency ransom to restore control. This brings ransomware into the physical domestic space.
Current ransomware categories focus on data/enterprise disruption. IoT extortion threatens physical safety and comfort. The attack surface is massive — most consumer IoT devices ship with weak security, rarely receive updates, and lack standardized security regulations.
With mass deployment of LLMs and RAG architectures in corporate customer service and internal databases, attackers are focusing on data poisoning and prompt injection. Malicious inputs trick enterprise AI chatbots into bypassing security guardrails — autonomously authorizing fraudulent refunds, leaking customer databases, or distributing malware to users engaging with the bot. This is psychological manipulation of the machine itself.
This attack targets AI logic pathways, not humans. As enterprises deploy more customer-facing and internal AI systems, the attack surface grows exponentially. A single successful prompt injection could affect thousands of customers simultaneously.
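The refund scenario above is the clearest case of why a model's output should never be the last word on a money-moving action. The following is an added illustration, not code from the report or from any real chatbot product: a deterministic policy gate that sits between the model's proposed tool call and the refund system, checking ownership, remaining balance and an approval cap against records the model cannot rewrite. The order records, the `AUTO_REFUND_CAP` value and the `Session`/`gate_refund` names are constructed for this example.

```python
from dataclasses import dataclass

# Constructed order records keyed by order id (owning customer, amount paid, already refunded).
ORDERS = {
    "ord-1001": {"customer_id": "cust-7", "paid": 120.00, "refunded": 0.00},
    "ord-1002": {"customer_id": "cust-9", "paid": 4800.00, "refunded": 0.00},
}
AUTO_REFUND_CAP = 200.00  # assumed policy value: above this a human must approve

@dataclass
class Session:
    """Who the deployment actually authenticated; the model never sets this."""
    customer_id: str

def gate_refund(session: Session, proposed: dict) -> tuple:
    """Deterministic policy check on a model-proposed tool call. Returns (allowed, reason).
    Runs regardless of what the prompt, the retrieved documents or the model said."""
    if proposed.get("tool") != "issue_refund":
        return False, "not a refund call"
    order = ORDERS.get(proposed.get("order_id"))
    if order is None:
        return False, "unknown order"
    if order["customer_id"] != session.customer_id:
        return False, "order belongs to a different customer"
    try:
        amount = float(proposed.get("amount"))
    except (TypeError, ValueError):
        return False, "amount is not numeric"
    if amount <= 0:
        return False, "amount must be positive"
    if amount + order["refunded"] > order["paid"]:
        return False, "exceeds remaining refundable balance"
    if amount > AUTO_REFUND_CAP:
        return False, "above auto-approval cap; route to human review"
    return True, "ok"

def run_scenarios() -> dict:
    """Two model outputs for the same authenticated session: an ordinary partial refund,
    and a call shaped by injected content that names someone else's order (constructed)."""
    session = Session(customer_id="cust-7")
    normal = {"tool": "issue_refund", "order_id": "ord-1001", "amount": 45.00}
    injected = {"tool": "issue_refund", "order_id": "ord-1002", "amount": 4800.00}
    return {"normal": gate_refund(session, normal), "injected": gate_refund(session, injected)}
```

The gate treats the model's tool call as untrusted input, so a successful injection changes what the model asks for but not what the system is willing to do.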