Emerging Threats

A sophisticated threat group dubbed 'Scripted Sparrow' by Fortra researchers is sending 6.6 million BEC emails per month using AI-generated, context-aware messages. Unlike traditional BEC which requires manual research and crafting, Scripted Sparrow automates the entire pipeline — from scraping executive names and vendor relationships to generating personalized payment redirect requests. The volume represents a 136% increase in BEC wire transfer attacks per APWG Q4 2025.

Why It Matters

BEC was already the #2 cybercrime by losses ($2.77B in 2024). Automation lowers the cost per attack to near zero, meaning even low success rates generate massive returns. This shifts BEC from a targeted attack to a spray-and-pray model.

Indicators to Watch For

• •BEC emails that reference real, current vendor relationships (scraped from LinkedIn/public filings)
• •AI-generated text with no spelling errors, natural tone, and correct business context
• •Payment redirect requests arriving at statistically optimal times (Friday afternoons, month-end)
• •Multiple employees at the same company receiving BEC attempts within the same week

Defenses

• ✓Mandatory out-of-band verification for ALL payment changes (phone call to known number, not the one in the email)
• ✓Email authentication (DMARC, DKIM, SPF) enforced at reject policy
• ✓AI-based email security that detects behavioral anomalies, not just known signatures
• ✓Dual-authorization for wire transfers above a threshold

Criminals fuse real data (e.g., a child's stolen SSN) with fabricated details to create non-existent personas. These 'Frankenstein' identities are incubated for years — opening small accounts, building credit history — then execute coordinated bust-outs: maxing credit lines, auto loans, and personal loans before abandoning the identity. TransUnion's 2026 Global Fraud Trends Report identifies synthetic identity fraud as 23% of all fraud types in the UK. Experian's 2026 Forecast projects AI-driven identity synthesis will overtake human error as the leading breach vector globally. Deepfake-related financial crimes have escalated 1,500% in APAC alone.

Why It Matters

Traditional identity theft harms a specific real person. Synthetic identity fraud creates 'victimless' crimes from a consumer perspective — the financial institution is the victim. This makes detection harder because no real person reports the fraud. KYC/AML systems are not designed to catch entities that don't exist.

Indicators to Watch For

• •Credit applications with SSNs that don't match any known adult (often belong to children, elderly, or deceased individuals)
• •Credit files with no history that suddenly appear fully formed
• •Multiple accounts opened in rapid succession across different institutions
• •Addresses and phone numbers shared across seemingly unrelated applicants

Defenses

• ✓Financial institutions: implement behavioral biometric analysis beyond static KYC checks
• ✓Parents: freeze children's credit with all three bureaus (free since 2018)
• ✓Consumers: monitor credit reports for unknown accounts or inquiries
• ✓Regulators: push for cross-institution SSN velocity checks

Adversary-in-the-Middle (AiTM) phishing kits like EvilProxy, Modlishka, and Muraena are now commodity tools available for $200-$500/month on dark web marketplaces. These kits intercept MFA tokens in real-time by proxying the legitimate login page, capturing both the password AND the time-based one-time password (TOTP) as the victim enters them. Microsoft reports over 10,000 organizations targeted monthly by AiTM attacks in late 2025.

Why It Matters

MFA was the primary defense recommendation for most account-security guidance. AiTM attacks render SMS-based and authenticator-app-based MFA ineffective, requiring a shift to phishing-resistant MFA (FIDO2/passkeys). Most consumers and small businesses still use TOTP-based MFA.

Indicators to Watch For

• •Login page URL that is NOT the real service domain but visually identical
• •Slight delays during login (the proxy is relaying to the real site in real-time)
• •Unexpected re-authentication prompts shortly after a successful login
• •Session cookie theft leading to account access from unknown locations

Defenses

• ✓Switch to phishing-resistant MFA: FIDO2 security keys or passkeys (not SMS, not TOTP apps)
• ✓Enable conditional access policies that require device compliance
• ✓Use browser extensions that verify the domain before entering credentials (e.g., password managers that won't autofill on fake domains)
• ✓Monitor for impossible-travel or anomalous session activity

Scam operations — particularly those based in Southeast Asian compound operations — are deploying AI voice agents that can conduct entire scam phone calls autonomously. Group-IB's January 2026 report documents operations using multi-language AI agents capable of real-time voice synthesis, emotional response adaptation, and script branching based on victim reactions. These systems can operate 24/7, handle thousands of simultaneous calls, and speak any language fluently.

Why It Matters

Human-operated scam call centers were capacity-limited and required recruitment, training, and management of operators (often trafficking victims). AI agents remove this bottleneck entirely, enabling a single operator to run thousands of concurrent scam calls. Combined with voice cloning (already crossing the 'indistinguishable threshold' per Fortune Dec 2025), AI agents can impersonate specific individuals in real-time.

Indicators to Watch For

• •Callers with unnaturally smooth speech and zero background noise
• •Perfect multi-language capability (same 'person' switches languages flawlessly)
• •Responses that sound natural but occasionally repeat phrasing patterns
• •Calls at unusual hours (AI operates 24/7, no timezone constraints)
• •Inability to handle unexpected conversational tangents or humor

Defenses

• ✓Family code words for identity verification on unexpected calls
• ✓Hang up and call back on a known number — never trust inbound caller ID
• ✓Be suspicious of any call demanding immediate action or payment
• ✓Ask unexpected questions to test if the caller is a real person vs. AI script
• ✓Use call-screening features (Google Call Screen, carrier spam filtering)

Advanced criminal syndicates are migrating core attack infrastructure onto public blockchains. By leveraging DeFi platforms for command-and-control operations and automated smart contracts for data exfiltration and instant monetization, attackers achieve near-absolute resilience against takedowns. The Huione Guarantee marketplace alone facilitated over $49 billion in illicit transactions before wider exposure. Traditional law enforcement domain seizures and server takedowns are ineffective against decentralized infrastructure.

Why It Matters

Existing categories classify crypto as a payment method. This represents a fundamental shift in criminal architecture — bulletproof backend infrastructure that cannot be dismantled by conventional means. It enables every other scam category to operate with greater impunity.

Indicators to Watch For

• •Scam operations that survive multiple takedown attempts
• •Payment flows through DeFi protocols rather than centralized exchanges
• •Smart contract-based automated laundering pipelines
• •Infrastructure hosted on decentralized storage (IPFS, Arweave)

Defenses

• ✓Blockchain analytics (Chainalysis, Elliptic) for tracing flows
• ✓International cooperation to sanction known mixer/tumbler services
• ✓DeFi protocol governance implementing compliance checks
• ✓Consumer education: legitimate services don't require DeFi interactions

An evolution of SIM swapping — 'smooshing' involves coordinated, large-scale hijacking of mobile phone numbers via eSIM exploitation. Attackers trick carriers into transferring a victim's number to a remote eSIM, then intercept all incoming MFA texts and calls. This enables rapid, total account takeover across banking, email, and social media before the victim notices service loss. As SMS-based MFA becomes the default authentication method, the mobile phone number becomes the master key to digital life.

Why It Matters

Existing phishing/smishing categories require the victim to take action (click a link, enter credentials). In smooshing, the victim is entirely passive — their phone simply loses service, and accounts are drained silently using intercepted MFA codes. No social engineering of the victim is needed.

Indicators to Watch For

• •Sudden, unexpected loss of cellular service
• •Unable to make calls or send texts but WiFi works normally
• •Receiving notifications of password resets you didn't request
• •Bank/email/social accounts locked out simultaneously

Defenses

• ✓Set a PIN/passphrase with your carrier (not just a 4-digit PIN)
• ✓Switch from SMS-based MFA to app-based (TOTP) or FIDO2/passkeys
• ✓Enable SIM lock/port freeze with your carrier if available
• ✓Monitor for unexpected 'eSIM activation' emails from your carrier

Extortionists are shifting from encrypting corporate servers to breaching poorly secured IoT devices in homes. Attackers target smart thermostats, door locks, security cameras, and appliances. Rather than stealing data, they lock physical devices or alter environmental controls (e.g., maximizing heat, permanently locking doors) and demand cryptocurrency ransom to restore control. This brings ransomware into the physical domestic space.

Why It Matters

Current ransomware categories focus on data/enterprise disruption. IoT extortion threatens physical safety and comfort. The attack surface is massive — most consumer IoT devices ship with weak security, rarely receive updates, and lack standardized security regulations.

Indicators to Watch For

• •Smart home devices becoming unresponsive or behaving erratically
• •Unknown changes to thermostat settings, lock codes, or camera access
• •Ransom demands appearing on smart displays or via device notifications
• •New unknown devices appearing on home network

Defenses

• ✓Segment IoT devices onto a separate network/VLAN
• ✓Change default passwords on ALL connected devices
• ✓Keep firmware updated; replace devices that no longer receive updates
• ✓Use a router with built-in IoT security scanning

With mass deployment of LLMs and RAG architectures in corporate customer service and internal databases, attackers are focusing on data poisoning and prompt injection. Malicious inputs trick enterprise AI chatbots into bypassing security guardrails — autonomously authorizing fraudulent refunds, leaking customer databases, or distributing malware to users engaging with the bot. This is psychological manipulation of the machine itself.

Why It Matters

This attack targets AI logic pathways, not humans. As enterprises deploy more customer-facing and internal AI systems, the attack surface grows exponentially. A single successful prompt injection could affect thousands of customers simultaneously.

Indicators to Watch For

• •Enterprise chatbot providing unexpected discounts or authorizing unusual refunds
• •AI assistant sharing information it shouldn't have access to
• •Chatbot responses containing links or instructions inconsistent with company policy
• •Anomalous patterns in AI-authorized transactions

Defenses

• ✓Input sanitization and prompt hardening for all LLM endpoints
• ✓Output filtering and anomaly detection on AI responses
• ✓Restrict AI agents' ability to execute financial transactions without human approval
• ✓Regular red-teaming and adversarial testing of deployed models