The landscape of online threats targeting children has evolved into a complex web of dangers that extend far beyond simple scams. New research from McAfee reveals that parents now rank cyberbullying as their single highest concern, with nearly one in four families (22%) reporting their child has already been targeted by some form of online threat. The risks spike dramatically during the middle school years and peak around age 13, precisely when children gain digital independence but may lack the knowledge and tools to protect themselves.

The findings paint a troubling picture of digital childhood, where traditional dangers like cyberbullying persist alongside emerging threats like AI-generated deepfakes, “nudify” technology, and sophisticated manipulation tactics that can devastate young people’s mental health and safety.

Cyberbullying is Parents’ Top Concern

Cyberbullying and harassment are devastating to young people’s digital experiences. The research shows that 43% of children who have encountered online threats experienced cyberbullying, making it the most common threat families face. The impact disproportionately affects girls, with more than half of targeted girls (51%) experiencing cyberbullying compared to 39% of boys.

The peak vulnerability occurs during early adolescence, with 62% of targeted girls and 52% of targeted boys aged 13-15 facing harassment online. For parents of teen daughters aged 13-15, cyberbullying ranks as the top concern for 17% of families, reflecting the real-world impact these digital attacks have on young people’s well-being.

AI-Generated Content Creates New Dangers

The emergence of AI-powered manipulation tools has introduced unprecedented risks to children’s online safety. Nearly one in five targeted kids (19%) have faced deepfake and “nudify” app misuse, with rates doubling to 38% among girls aged 13-15. These statistics become even more alarming when considering that 18% of parents overall list AI-generated deepfakes and nudify technology among their top three concerns, rising to one in three parents (33%) under age 35.

The broader landscape of AI-generated content exposure is widespread, with significant implications for how children understand truth and authenticity online. The research underscores the challenge parents face in preparing their children to navigate an environment where sophisticated forgeries can be created and distributed with relative ease.

“Today’s online threats aren’t abstract risks — families are facing them every day,” said Abhishek Karnik, head of threat research for McAfee. “Parents’ top concerns are the toll harmful content, particularly cyberbullying and AI-generated deepfakes, takes on their children’s mental health, self-image, and safety. That’s why it’s critical to pair AI-powered online protection with open, ongoing conversations about what kids encounter online. When children know how to recognize risks and misinformation and feel safe talking about these issues with loved ones, they’re better prepared to navigate the digital world with confidence.”

The Growing Confidence Gap

As digital threats become more sophisticated, parents find themselves increasingly outpaced by both technology and their children’s technical abilities. The research reveals that nearly half of parents (48%) admit their child knows more about technology than they do, while 42% say it’s challenging to keep up with the pace of evolving risks.

This knowledge disparity creates real vulnerabilities in family digital safety strategies. Only 34% of parents feel very confident their child can distinguish between real and fake content online, particularly when it comes to AI-generated material or misinformation. The confidence crisis deepens as children age and gain more independence online, precisely when threats become most complex and potentially harmful.

The monitoring habits of families reflect these growing challenges. While parents identify late at night (56%) and after school (41%) as the times when children face the greatest online risks, monitoring practices don’t align with these danger windows. Only about a third of parents (33%) check devices daily, and 41% review them weekly, creating significant gaps in oversight during high-risk periods.

Age-Related Patterns Reveal Critical Vulnerabilities

The research uncovers troubling patterns in how online safety behaviors change as children mature. While 95% of parents report discussing online safety with their children, the frequency and effectiveness of these conversations decline as kids enter their teen years. Regular safety discussions drop from 63% with younger children to just 54% with teenagers, even as threats become more severe and complex.

Daily device monitoring shows even sharper declines, plummeting to just 20% for boys aged 16-18 and dropping as low as 6-9% for girls aged 17-18. This reduction in oversight occurs precisely when older teens face heightened risks of blackmail, “scamtortion,” and other sophisticated threats. The research shows that more than half of targeted boys aged 16-18 (53%) have experienced threats to release fake or real content, representing one of the most psychologically damaging forms of online exploitation.

Gaming and Financial Exploitation

Online gaming platforms have become significant vectors for exploitation, particularly targeting boys. The research shows that 30% of children who have been targeted experienced online gaming scams or manipulation, with the rate climbing to 43% among targeted boys aged 13-15. These platforms often combine social interaction with financial incentives, creating opportunities for bad actors to manipulate young users through false friendships, fake rewards, and pressure tactics.

Real-World Consequences Extend Beyond Screens

The emotional and social impact of online threats creates lasting effects that extend well into children’s offline lives. Among families whose children have been targeted, the consequences reach far beyond momentary embarrassment or frustration. The research shows that 42% of affected families report their children experienced anxiety, felt unsafe, or were embarrassed after online incidents.

The social ramifications prove equally significant, with 37% of families dealing with issues that spilled over into school performance or friendships. Perhaps most concerning, 31% of affected children withdrew from technology altogether after negative experiences, potentially limiting their ability to develop healthy digital literacy skills and participate fully in an increasingly connected world.

The severity of these impacts has driven many families to seek professional support, with 26% requiring therapy or counseling to help their children cope with online harms. This statistic underscores that digital threats can create trauma requiring the same level of professional intervention as offline dangers.

Building Trust Through Technology Agreements

Creating a foundation for open dialogue about digital safety starts with establishing clear expectations and boundaries. McAfee’s Family Tech Pledge provides parents with a structured framework to initiate these crucial conversations with their children about responsible device use. Currently, few families have implemented formal agreements about technology use, representing a significant opportunity for improving digital safety through collaborative rule-setting.

A technology pledge serves as more than just a set of rules, it becomes a collaborative tool that helps parents and children discuss the reasoning behind safe online practices. By involving children in the creation of these agreements, families can address age-appropriate concerns while building trust and understanding. The process naturally opens doors to conversations about the threats identified in the research, from predators and cyberbullying to AI-generated content and manipulation attempts.

These agreements work best when they evolve alongside children’s digital maturity. What starts as basic screen time limits for younger children can expand to include discussions about social media interactions, sharing personal information, and recognizing suspicious content as they enter their teen years. The key is making the technology pledge a living document that adapts to new platforms, emerging threats, and changing family circumstances.

Advanced Protection Through AI-Powered Detection

While conversations and agreements form the foundation of digital safety, today’s threat landscape requires technological solutions that can keep pace with rapidly evolving risks. McAfee’s Scam Detector represents a crucial additional layer of defense, using artificial intelligence to identify and flag suspicious links, manipulated content, and potential threats before they can cause harm.

The tool’s AI-powered approach is particularly valuable given the research findings about manipulated media and deepfake content. With AI-generated content becoming weapons used against children, especially teenage girls, automated detection becomes essential for catching threats that might bypass both parental oversight and children’s developing digital literacy skills.

For parents who feel overwhelmed by the pace of technological change, 42% report struggling to keep up with the risk landscape, Scam Detector provides professional-grade protection without requiring extensive technical knowledge. It offers families a way to maintain security while fostering the trust and communication that the research shows is essential for long-term digital safety.

The technology is especially crucial during the high-risk periods identified in the research. Since 56% of parents recognize that late-night hours present the greatest danger, and monitoring naturally decreases during these times, automated protection tools can provide continuous vigilance when human oversight is most difficult to maintain.

A Path Forward for Families

The research reveals that addressing online threats requires a comprehensive approach combining technology, communication, and ongoing education. Parents need practical tools and strategies that can evolve with both the threat landscape and their children’s developing digital independence.

Effective protection starts with pairing parental controls with regular, judgment-free conversations about harmful content, coercion, and bullying, ensuring children know they can seek help without fear of punishment or restrictions. Teaching children to “trust but verify” by checking sources and asking for help when something feels suspicious becomes especially important as AI-generated content makes deception increasingly sophisticated.

Keeping devices secure with updated security settings and AI-powered protection tools like McAfee’s Scam Detector helps create multiple layers of defense against evolving threats. These technological safeguards work best when combined with family agreements that establish clear expectations for online behavior and regular check-ins that maintain open communication as children mature.

Research Methodology

This comprehensive analysis is based on an online survey conducted in August 2025 of approximately 4,300 parents or guardians of children under 18 across Australia, France, Germany, India, Japan, the United Kingdom, and the United States. The research provides crucial insights into the current state of children’s online safety and the challenges families face in protecting their digital natives from increasingly sophisticated threats.

The data reveals that today’s parents are navigating unprecedented challenges in protecting their children online, with peak vulnerability occurring during the middle school years when digital independence collides with developing judgment and incomplete knowledge of online risks. While the threats may be evolving and complex, the research shows that informed, proactive families who combine technology tools with open communication are better positioned to help their children develop the skills needed to safely navigate the digital world.

The post From Cyberbullying to AI-Generated Content – McAfee’s Research Reveals the Shocking Risks appeared first on McAfee Blog.

We’re standing at the threshold of a new era in cybersecurity threats. While most consumers are still getting familiar with ChatGPT and basic AI chatbots, cybercriminals are already moving to the next frontier: Agentic AI. Unlike the AI tools you may have tried that simply respond to your questions, these new systems can think, plan, and act independently, making them the perfect digital accomplices for sophisticated scammers. The next evolution of cybercrime is here, and it’s learning to think for itself.

The threat is already here and growing rapidly. According to McAfee’s latest State of the Scamiverse report, the average American sees more than 14 scams every day, including an average of 3 deepfake videos. Even more concerning, detected deepfakes surged tenfold globally in the past year, with North America alone experiencing a 1,740% increase.

At McAfee, we’re seeing early warning signs of this shift, and we believe every consumer needs to understand what’s coming. The good news? By learning about these emerging threats now, you can protect yourself before they become widespread.

A Real-World Example: How Anthropic’s Claude AI Was Used for Espionage

A new case disclosed by Anthropic, first reported by Axios, marks a turning point: a Chinese state-sponsored group used the company’s Claude Code agent to automate the majority of an espionage campaign across nearly thirty organizations. Attackers allegedly bypassed guardrails through jailbreaking techniques, fed the model fragmented tasks, and convinced it that it was conducting defensive security tests. Once operational, the agent performed reconnaissance, wrote exploit code, harvested credentials, identified high-value databases, created backdoors, and generated documentation of the intrusion. In all, they completed 80–90% of the work without any human involvement.

This is the first publicly documented case of an AI agent running a large-scale intrusion with minimal human direction. It validates our core warning: agentic AI dramatically lowers the barrier to sophisticated attacks and turns what was once weeks of human labor into minutes of autonomous execution. While this case targeted major companies and government entities, the same capabilities can, and likely will, be adapted for consumer-focused scams, identity theft, and social engineering campaigns.

Understanding AI: From Simple Tools to Autonomous Agents

Before we dive into the threats, let’s break down what we’re actually talking about when we discuss AI and its evolution:

Traditional AI: The Helper

The AI most people know today works like a very sophisticated search engine or writing assistant. You ask it a question, it gives you an answer. You request help with a task, it provides suggestions. Think of ChatGPT, Google’s Gemini, or the AI features on your smartphone. They’re reactive tools that respond to your input but don’t take independent action.

Generative AI: The Creator

Generative AI, which powers many current scams, can create content like emails, images, or even fake videos (deepfakes). This technology has already made scams more convincing by cloning real human voices and eliminating telltale signs like poor grammar and obvious language errors.

The impact is already visible in the data. McAfee Labs found that for just $5 and 10 minutes of setup time, scammers can create powerful, realistic-looking deepfake video and audio scams using readily available tools. What once required experts weeks to produce can now be achieved for less than the cost of a latte—and in less time than it takes to drink it.

Agentic AI: The Independent Actor

Agentic AI represents a fundamental leap forward. These systems can think, make decisions, learn from mistakes, and work together to solve tough problems, just like a team of human experts. Unlike previous AI that waits for your commands, agentic AI can set its own goals, make plans to achieve them, and adapt when circumstances change

Key Characteristics of Agentic AI:

• Autonomous operation: Works without constant human guidance from a cybercriminal
• Goal-oriented behavior: Actively pursues specific objectives without requiring regular input.
• Adaptive learning: Improves performance based on experience through previous attempts.
• Multi-step planning: Can execute complex, long-term strategies based on the requirements of the criminal.
• Environmental awareness: Understands and responds to changing conditions online.

Gartner predicts that by 2028, a third of our interactions with AI will shift from simply typing commands to fully engaging with autonomous agents that can act on their own goals and intentions. Unfortunately, cybercriminals won’t be far behind in exploiting these capabilities.

The Scammer’s Apprentice: How Agentic AI Becomes the Perfect Criminal Assistant

Think of agentic AI as giving scammers their own team of tireless, intelligent apprentices that never sleep, never make mistakes, and get better at their job every day. Here’s how this digital apprenticeship makes scams exponentially more dangerous.

Traditional scammers spend hours manually researching targets, scrolling through social media profiles, and piecing together personal information. Agentic AI recon agents operate persistently and autonomously, self-prompting questions like “What data do I need to identify a weak point in this organization?” and then collecting it from social media, breach data, exposed APIs and cloud misconfigurations.

What The Scammer’s Apprentice Can Do

• Continuous surveillance: Monitors your social media posts, job changes, and online activity 24/7.
• Pattern recognition: Identifies your routines, interests, and vulnerabilities from scattered digital breadcrumbs.
• Relationship mapping: Understands your connections, colleagues, and family relationships.
• Behavioral analysis: Learns from your communication style, preferred platforms, and response patterns.

Unlike traditional phishing that uses static messages, agentic AI can dynamically update or alter their approach based on a recipient’s response, location, holidays, events, or the target’s interests, marking a significant shift from static attacks to highly adaptive and real-time social engineering threats.

An agentic AI scammer targeting you might start with a LinkedIn message about a job opportunity. If you don’t respond, it switches to an email about a package delivery. If that fails, it tries a text message about suspicious account activity. Each attempt uses lessons learned from your previous reactions, becoming more convincing with every interaction.

AI-generated phishing emails achieve a 54% click-through rate compared to just 12% for their human-crafted counterparts. With agentic AI, scammers can create messages that don’t just look professional, they sound exactly like the people and organizations you trust.

The technology is already sophisticated enough to fool even cautious consumers. As McAfee’s latest research shows, social media users shared over 500,000 deepfakes in 2023 alone. The tools have become so accessible that scammers can now create convincing real-time avatars for video calls, allowing them to impersonate anyone from your boss to your bank representative during live conversations.

Advanced Impersonation Capabilities:

• Voice cloning: Create phone calls that sound exactly like your boss, family member, senator, or bank representative
• Writing style mimicry: Craft emails that perfectly match your company’s communication style.
• Visual deepfakes: Generate fake video calls for “face-to-face” verification.
• Context awareness: Reference specific projects, recent conversations, or personal details

Perhaps most concerning is agentic AI’s ability to learn and improve. As the AI interacts with more victims over time, it gathers data on what types of messages or approaches work best for certain demographics, adapting itself and refining future campaigns to make each subsequent attack more powerful, convincing, and effective. This means that every failed scam attempt makes the AI smarter for its next victim. Understanding how agentic AI will transform specific types of scams helps us prepare for what’s coming. Here are the most concerning developments:

Multi-Stage Campaign Orchestration

Agentic AI can potentially orchestrate complex multi-stage social engineering attacks, leveraging data from one interaction to drive the next one. Instead of simple one-and-done phishing emails, expect sophisticated campaigns that unfold over weeks or months.

Automated Spear Phishing at Scale

Traditional spear phishing required manual research and customization for each target. In the new world order, malicious AI agents will autonomously harvest data from social media profiles, craft phishing messages, and tailor them to individual targets without human intervention. This means cybercriminals can now launch thousands of highly personalized attacks simultaneously, each one crafted specifically for its intended victim.

Real-Time Adaptive Attacks

When a target hesitates or questions an initial approach, agents adjust their tactics immediately based on the response. This continuous refinement makes each interaction more convincing than the last, wearing down even skeptical targets through persistence and learning. Traditional red flags like “This seems suspicious” or “Let me verify this” no longer end the attack, they just trigger the AI to try a different approach.

Cross-Platform Coordination

These autonomous systems now independently launch coordinated phishing campaigns across multiple channels simultaneously, operating with an efficiency human attackers cannot match. An agentic AI scammer might contact you via email, text message, phone call, and social media—all as part of a coordinated campaign designed to overwhelm your defenses.

How to Protect Yourself in the Age of Agentic AI Scams

The rise of agentic AI scams requires a fundamental shift in how we think about cybersecurity. Traditional advice like “watch for poor grammar” no longer applies. Here’s what you need to know to protect yourself:

• The Golden Rule: Never act on urgent requests without independent verification, no matter how convincing they seem.
• Use different communication channels: If someone emails you, call them back using a number you look up independently
• Verify through trusted contacts: When your “boss” asks for something unusual, confirm with colleagues or HR
• Check official websites: Go directly to company websites rather than clicking links in messages
• Trust your instincts: If something feels off, it probably is—even if you can’t identify exactly why

Understanding a New Era of Red Flags

Since agentic AI eliminates traditional warning signs, focus on these behavioral red flags:

High-Priority Warning Signs:

Emotional urgency: Messages designed to make you panic, feel guilty, or act without thinking

Requests for unusual actions: Being asked to do something outside normal procedures

Isolation tactics: Instructions not to tell anyone else or to handle something “confidentially”

Multiple contact attempts: Being contacted through several channels about the same issue

Perfect personalization: Messages that seem to know too much about your specific situation

How McAfee Fights AI with AI: Your Defense Against Agentic Threats

At McAfee, we understand that fighting AI-powered attacks requires AI-powered defenses. Our security solutions are designed to detect and stop sophisticated scams before they reach you. McAfee’s Scam Detector provides lightning-fast alerts, automatically spotting scams and blocking risky links even if you click them, with all-in-one protection that keeps you safer across text, email, and video. Our AI analyzes incoming messages using advanced pattern recognition that can identify AI-generated content, even when it’s grammatically perfect and highly personalized.

Scam Detector keeps you safer across text, email, and video, providing comprehensive coverage against multi-channel agentic AI campaigns. Beyond analyzing message content, our system evaluates sender behavior patterns, communication timing, and request characteristics that may indicate AI-generated scams. Just as agentic AI attacks learn and evolve, our detection systems continuously improve their ability to identify new threat patterns.

Protecting yourself from agentic AI scams requires combining smart technology with informed human judgment. Security experts believe it’s highly likely that bad actors have already begun weaponizing agentic AI, and the sooner organizations and individuals can build up defenses, train awareness, and invest in stronger security controls, the better they will be equipped to outpace AI-powered adversaries.

We’re entering an era of AI versus AI, where the speed and sophistication of both attacks and defenses will continue to escalate. According to IBM’s 2025 Threat Intelligence Index, threat actors are pursuing bigger, broader campaigns than in the past, partly due to adopting generative AI tools that help them carry out more attacks in less time.

Hope in Human + AI Collaboration

While the threat landscape is evolving rapidly, the combination of human intelligence and AI-powered security tools gives us powerful advantages. Humans excel at recognizing context, understanding emotional manipulation, and making nuanced judgments that AI still struggles with. When combined with AI’s ability to process vast amounts of data and detect subtle patterns, this creates a formidable defense.

Staying Human in an AI World

The rise of agentic AI represents both a significant threat and an opportunity. While cybercriminals will certainly exploit these technologies to create more sophisticated scams, we’re not defenseless. By understanding how these systems work, recognizing the new threat landscape, and combining human wisdom with AI-powered protection tools like McAfee‘s Scam Detector, we can stay ahead of the threats.

The key insight is that while AI can mimic human communication and behavior with unprecedented accuracy, it still relies on exploiting fundamental human psychology—our desire to help, our fear of consequences, and our tendency to trust. By developing better awareness of these psychological vulnerabilities and implementing verification protocols that don’t depend on technological red flags, we can maintain our security even as the threats become more sophisticated.

Remember: in the age of agentic AI, the most important security tool you have is still your human judgment. Trust your instincts, verify before you act, and never let urgency override prudence, no matter how convincing the request might seem.

The post How Agentic AI Will Be Weaponized for Social Engineering Attacks appeared first on McAfee Blog.

There’s little rest for your hard-working smartphone. If you’re like many professionals today, you use it for work, play, and a mix of personal business in between. Now, what if something went wrong with that phone, like loss or theft? Worse yet, what if your smartphone got hacked? 

Globally, plenty of people pull double duty with their smartphones. One survey found that 87% of companies have policies that integrate personal devices in the workplace. Therein lies the higher potential for security risks such as data breaches, malware infection, and difficulties in maintaining data privacy and compliance. You see, a smartphone loaded with both business and personal data makes it a desirable, high-value target. It only takes one dedicated hacker—and there are plenty—to infiltrate an unprotected smartphone and access the treasure trove of both your personal and company information in a single effort. 

Let’s try to keep that from happening to you. This guide will walk you through exactly how to keep your digital life secure.

Why protecting your phone from hackers is critical

Smartphone hacking is when someone gains unauthorized access to your phone and the vast amount of personal data it contains. As you can imagine, this type of digital break-in can have serious real-world consequences, including financial loss from compromised banking apps, identity theft using your private information, and a complete invasion of your privacy through access to your emails, photos, and messages. This isn’t a distant threat; mobile malware is consistently on the rise, with cybercriminals developing more sophisticated methods to target unsuspecting users. The good news is that you have the power to stop them. Understanding how to protect your phone from hackers is the first step.

How attackers break into smartphones

• Phishing and smishing: These are fraudulent messages via email or SMS that trick you into clicking a malicious link or downloading an infected file. You might unknowingly give away your login credentials or install malware by thinking you’re responding to a legitimate request from a bank or service provider.
• Malicious apps: Cybercriminals create fake apps that look real or hide malware inside seemingly harmless applications. You might download one from outside official app stores, granting it permissions that allow it to steal your data in the background.
• Unsecured public Wi-Fi: When you connect to a public network at a café or airport without a VPN, hackers on the same network can intercept your data. You enable this attack simply by using the free Wi-Fi to check sensitive information like emails or bank accounts.
• SIM-swapping: An attacker convinces your mobile carrier to transfer your phone number to a SIM card they control. They often use personal information gathered from data breaches to impersonate you, effectively hijacking your number to intercept verification codes.
• Spyware: This type of software secretly monitors your activity, recording calls, tracking your location, and stealing passwords. It’s often installed through phishing links or by someone with physical access to your phone.
• Zero-click exploits: These are advanced and rare attacks that can infect a phone without any action from you at all—no clicks needed. While typically used against high-profile targets, they highlight the importance of keeping your device’s software up to date to patch the vulnerabilities they exploit.

Signs your phone may be hacked

• Sudden battery drain: If your phone’s battery life suddenly plummets, it could be due to malware or spyware running constantly in the background.
• Unusually high data usage: A spike in your data consumption could mean a malicious app is transmitting information from your device without your knowledge.
• Overheating: While phones can get warm, consistent overheating without heavy use can be a sign that hidden processes are overworking your phone’s processor.
• Apps you don’t recognize: Discovering new apps on your phone that you never installed is a major red flag for a security breach.
• Constant pop-ups: A sudden increase in strange or aggressive pop-up ads, even when your browser is closed, often indicates adware or other malware.
• Strange activity on your accounts: If friends report receiving odd messages from you on social media or email, a hacker may have taken control of your accounts via your phone.
• Poor performance: If your phone becomes noticeably slow, crashes frequently, or reboots on its own, malicious software could be consuming its resources.
• Security software is disabled: If you find that your mobile security app or other built-in security settings are turned off and you didn’t do it, an attacker may be trying to cover their tracks.

If you notice one or more of these signs, don’t panic. Investigate further and follow the recovery steps below. Sometimes, these issues can be caused by a legitimate but buggy app or an aging battery.

What to do if your phone is hacked

1. Disconnect immediately: Turn off Wi-Fi and mobile data on your phone. This severs the hacker’s connection and stops them from sending more of your data.
2. Inform your contacts: Warn your friends, family, and colleagues that your phone has been compromised and to be wary of any strange messages coming from your number or accounts.
3. Run a security scan: Use a trusted antivirus app to scan your device. It’s designed to find and remove malware that may be causing the problem.
4. Change your passwords: From a separate, trusted device like a laptop, immediately change the passwords for your critical accounts—email, banking, social media, and your Apple/Google ID.
5. Remove suspicious apps: Manually delete any apps that you don’t recognize or that the security scan flagged as malicious.
6. Notify your bank: Contact your financial institutions to alert them of the potential breach. Monitor your accounts closely for any fraudulent activity.
7. Consider a factory reset: If you can’t remove the malware, a full factory reset is your best option. This will wipe the phone clean. Before you do this, make sure you have a recent backup of your important data.

7 tips to secure your phone for the future

Once you’ve resolved an attack, the next step is to prevent phone hacking from happening again. Think of it as strengthening your digital front door. As both a parent and professional, I have put together a few things you can do to protect your smartphone from future hacks, so that you can keep your personal and work life safe:

1. Add extra protection with your face, finger, pattern, or PIN

Locking your phone with facial ID, a fingerprint, a pattern, or a PIN is your most basic form of protection, particularly in the event of loss or theft. (Your options will vary depending on the device, operating system, and manufacturer.) Take it a step further for even more protection. Secure the accounts on your phone with strong passwords and use two-factor authentication on the apps that offer it.

2. Use a virtual private network

Don’t hop onto public Wi-Fi networks without protection. A virtual private network (VPN) masks your connection from hackers, allowing you to browse privately on unsecure public networks at airports, cafes, hotels, and the like. With a VPN connection, your sensitive data, documents, and activities are protected from snooping. It’s definitely a great feeling given the amount of personal and professional business we manage with our smartphones.

3. Stick to the official app stores

Both Google Play and Apple’s App Store have measures in place to help prevent potentially dangerous apps from making it into their stores. Malicious apps are often found outside of the app stores, which can run in the background and compromise your personal data such as passwords, credit card numbers, and more—practically everything that you keep on your phone. Further, when you are in the app stores, look closely at the descriptions and reviews for apps before you download them as malicious apps and counterfeits can still find their way into stores.

4. Back up the data in the cloud

Backing up your phone is always a good idea for two reasons:

• First, it makes the process of transitioning to a new phone easy by transferring that backed-up data from your old phone to your new phone.
• Second, it ensures that your data stays with you if your phone is lost or stolen, allowing you to remotely wipe the data while still having a secure copy stored in the cloud. 

Both iPhones and Android phones have straightforward ways of backing up your phone regularly.

5. Learn to lock or wipe your phone remotely in case of emergency

Worst case scenario—your phone is gone. Really gone. Either it’s hopelessly lost or got stolen. What now? Lock it remotely or even wipe its data entirely. While it seems like a drastic move, your data is secure in the cloud ready to be restored IF you maintain regular backups as mentioned above. This means hackers won’t be able to access your or your company’s sensitive information, keeping you and your professional business safe. Apple and Google provide their users with a step-by-step guide for remotely wiping devices.

6. Get rid of old apps and update the ones you keep

Needless to say, smartphone updates should always start with the operating system (OS). In addition, you also need to conduct app updates as soon as they’re available, as they contain critical security patches. Take a few moments to swipe through your screen, see which ones you’re truly done with and delete them along with their data. Every extra app is another app that needs updating or that may come with a security issue. Along with deleting the app, also delete your account associated with it. As for the ones you keep, update them regularly and turn on auto-updates if that’s an option.

7. Protect your phone

With so much of your life on your phone, getting security software installed on it can protect you and the things you keep. Whether you’re an Android owner or iOS owner, McAfee+ conducts regular security scans to help you keep your personal, financial, and even company data secure.

Bonus tips: Limit the information stored on your phone

While it’s convenient to have everything at your fingertips, storing too much sensitive information on your smartphone makes you vulnerable if your device is lost, stolen, or compromised. Here are some tips to limit the data on your phone and reduce your risk of identity theft, financial fraud, and privacy breaches.

• Conduct a digital detox: Regularly go through your phone and delete old, unnecessary files. This includes screenshots of boarding passes, expired event tickets, and old photos of sensitive documents. Every piece of data you remove is one less thing a hacker can steal.
• Limit saved payment information: While convenient, letting apps and browsers save your credit card details creates a treasure trove for criminals. Instead, enter payment information manually when you shop or use a secure digital wallet that masks your actual card number.
• Be mindful of notes and messages: Avoid storing passwords, social security numbers, or other credentials in your notes app or text messages. If a hacker gains access, these are often the first places they look for valuable information that could be used for identity theft or to leverage a SIM-swap attack.

Advanced mobile device security considerations

At a deeper level, there are several lesser-known settings you can adjust to protect your phone from being hacked. These advanced steps add extra layers of security to your device.

• Turn off Bluetooth and NFC when not in use: Leaving Bluetooth and near field communication (NFC) on all the time makes your device discoverable and potential gateways for attackers. To secure your phone, simply toggle them off from your control center or settings menu when you aren’t actively using them.
• Revoke unnecessary app permissions: Many apps request access to your contacts, location, camera, and microphone even when they don’t need it. This is a common method for data harvesting. Periodically go to your phone’s privacy settings (on iOS, look under Privacy & Security; on Android, Security and Privacy, then Permission manager) and review which apps have access to what. If a photo-editing app doesn’t need your location, revoke that permission.
• Disable developer options: This is a hidden menu intended for app developers that provides deep system access. An attacker with physical or remote access could exploit these settings. Make sure to disable it. On Android, you can typically find the toggle to turn Developer Options off at the bottom of the main Settings menu. This is a simple but effective way to protect your phone from hacking.
• Enable auto-delete for temporary files and messages: Your browser history, text messages, and temporary app files can build up and contain sensitive information. Both iOS and Android have settings to automatically delete old messages (e.g., after 30 days or a year). Similarly, you can periodically clear the cache and data for your web browser and other apps to remove any lingering digital footprints.
• Encrypt your device storage: Encryption is a powerful digital vault for your data that is built into most modern smartphones. Encryption scrambles your data—photos, contacts, messages—into unreadable code. Without your passcode, fingerprint, or Face ID, it’s just gibberish. Using a complex, unique passcode instead of a simple four-digit PIN makes it exponentially harder for a thief to break in. 

FAQs about smartphone hacking 

Can my phone’s camera be hacked?

Yes, malware or spyware can give a hacker access to your camera and microphone, allowing them to see and hear you without your knowledge. To prevent this, be cautious about app permissions and consider using a physical camera cover for peace of mind.

Can I get hacked just by visiting a website?

It’s possible. Some malicious websites can attempt to automatically download malware or exploit browser vulnerabilities to compromise your device. Using a secure browser and comprehensive security software that warns you of risky sites is your best defense.

Is my phone safe from hackers when it’s turned off?

For the vast majority of users, a phone that is completely powered off cannot be hacked remotely. Hacking requires the device’s operating system and network connections to be active, so turning it off effectively cuts that connection.

Can answering a phone call hack my phone?

Simply answering a call from an unknown number is highly unlikely to hack your phone. The real danger lies in social engineering, where the scammer on the other end tries to trick you into revealing personal information, visiting a malicious website, or dialing a specific code.

Final thoughts

Your smartphone is central to your life, and understanding how to keep your phone safe from hackers is not about being fearful, but about being prepared. By taking proactive and consistent steps, you create powerful layers of defense that make you a much harder target for cybercriminals. Combining smart habits with the advanced protection offered by security solutions like McAfee+ ensures your data, privacy, and peace of mind are always safeguarded. Stay informed about new threats, keep your security software current, and enjoy all the good your connected life has to offer, safely and securely.

The post 7 Tips to Protect Your Smartphone from Getting Hacked appeared first on McAfee Blog.

“My phone’s been hacked!” These are words you never want to hear or say. Ever. You are not alone in this sentiment.

Our phones have become the central hub of our lives, storing everything from personal and financial information, access to payment apps, files, photos, and contacts. This has made our phones irresistible, prized targets for cyber criminals. And because these devices are always on and always with us, the opportunity for attack is constant. What are the signs that you have been hacked and how can you reclaim your control? This guide walks you through the common indicators of a hacked phone and what steps you can take to protect your data and privacy.

What is phone hacking and how does it work?

Phone hacking is the unauthorized access and control of your smartphone and its data. It can happen to any person and any device, whether it’s an iPhone or an Android. To achieve this, cybercriminals—also called hackers—use various types of malicious software, sometimes called malware, such as:

• Spyware, which secretly tracks your every move
• Adware, which bombards your device with pop-up ads
• Ransomware, which locks your files until you pay a fee 

These attacks are typically motivated by financial gain, such as stealing banking credentials, or by a desire to monitor someone’s personal life. 

The cost of phone hacking to you

Phone hacking isn’t just a technical or convenience issue. It has real and often costly consequences for your personal life, finances, and privacy. Here, we list the kinds of losses you might face with a hacked phone:

• Financial loss: Hackers can access banking apps to drain your accounts, steal credit card information for fraudulent purchases, or use your phone to subscribe to premium services without your consent.
• Identity theft: Cybercriminals can steal personal information from your device, such as your social security number, passwords, and photos—to open new accounts or commit crimes in your name.
• Severe privacy invasion: Through spyware, an attacker can turn on your phone’s camera and microphone to secretly record you, track your location in real-time, and read all your private messages.
• Emotional and reputational damage: The stress of being hacked is significant. A criminal could use your accounts to impersonate you, spread misinformation or damage your relationships with family, friends, and colleagues.

The consequences of a hacked phone go far beyond inconvenience. This is why it is so critical to stay alert for the warning signs of a compromise and know exactly what to do if your phone is hacked.

Common ways hackers gain access to your smartphone

The unfortunate reality is that anyone’s phone can be targeted and successfully hacked. Cybercriminals have developed several sophisticated methods that allow them to remotely take over your device. These tactics are done mainly by surreptitiously installing malicious software or malware, monitoring calls and messages, stealing personal information, or even taking over your various accounts. Here are detailed explanations for each hacking method:

• Malicious apps: Malware can be disguised as legitimate applications, such as games and utility tools, available on unofficial third-party app stores. Once installed, it can steal data, track your location, or install more malware. Always be cautious of apps that ask for permissions that exceed their intended function, such as a calculator app requesting access to your contacts.
• Visiting malicious websites: Visiting a compromised website on your phone could infect it with malware through a drive-by download which automatically installs malicious software, scripts that exploit your phone’s operating system vulnerabilities, or pop-ups or ads that trick you into authorizing a download, often disguised as a software update or a prize notification. 
• Phishing or smishing: You might receive a text message (SMS) or email that appears to be from a trusted source, like your bank or a delivery service. These messages contain links that lead to fake websites designed to trick you into entering your passwords or personal information. A common example is a text claiming there’s a problem with a package delivery, urging you to click a link to reschedule.
• Unsecured public Wi-Fi: When you connect to a free, public Wi-Fi network at a café, airport, or hotel without protection, your data can be vulnerable. Hackers on the same network can intercept the information you send, including passwords and credit card details. Using a virtual private network (VPN) protects you on public networks.
• SIM swapping: This sophisticated scam involves a hacker impersonating you and convincing your mobile carrier to transfer your phone number to a new SIM card they control. Once they have your number, they can intercept calls and texts, including two-factor authentication codes, allowing them to take over your online accounts.
• Juice-jacking: Cybercriminals can modify public USB charging stations to install malware onto your phone while it charges. This technique can steal sensitive data from your phone. It’s always safer to use your own AC power adapter and a wall outlet.
• Outdated operating systems: Hackers actively search for security holes in older versions of iOS and Android. Installing the latest security updates for your phone’s operating system locks the doors to malware as these updates contain critical patches that protect you from newly discovered threats.

12 signs your phone was hacked

To be certain that your phone has been hacked, here are some signs you should consider. Note that these might be signs of a hacked phone, yet not always. 

1. More popups than usual: Phones hit with adware will be bombarded with pop-up ads. Never tap or click on them, as they might take you to pages designed to steal personal information.
2. Data spikes or unknown call charges: A hacker is likely using your phone to transfer data, make purchases, send messages, or make calls via your phone. 
3. Issues with online accounts: Spyware might have stolen your account credentials, then transmitted them to the hacker, leading to credit and debit fraud. In some cases, hackers will change the password and lock out the device owner.
4. Unexpected battery drain: Your phone’s battery dies much faster than usual because hidden malware is constantly running in the background.
5. Sluggish performance: Your device freezes, crashes, or lags significantly as malicious software consumes its processing power and memory.
6. Unfamiliar apps or messages: You discover apps you never installed or see outgoing calls and texts you didn’t make, indicating unauthorized use.
7. Phone overheats while idle: Your device feels unusually warm even when you’re not using it, a sign of malware overworking the processor.
8. Random reboots or shutdowns: The phone restarts on its own, which could be caused by conflicting malicious code or a hacker remotely controlling it.
9. Camera or mic activates unexpectedly: Someone may be spying on you when the camera or microphone indicator light turns on when you aren’t using it.
10. Websites look different: Pages you visit look unusual or frequently redirect you to spammy sites, indicating your web traffic is being hijacked.
11. Unauthorized 2FA requests: You receive notifications for two-factor authentication codes you didn’t request, a strong signal that someone has your password and is trying to access your accounts.
12. Inability to shut down properly: Your phone resists being turned off or fails to shut down completely, as malware may be designed to keep it running. 

If you see several of these signs, it’s crucial to take immediate action to secure your device and data.

Clarifying misconceptions about phone hacking

Ultimately, the biggest factor in security is user behavior. Regardless of whether you use Android or iOS, practising safe habits—like avoiding suspicious links, using strong passwords, and keeping your operating system updated—is the most critical defense against having your phone hacked.

What’s easier to hack: Android or iPhone?

This is a long-standing debate, and the truth is that both platforms can be hacked. Android’s open-source nature and accommodation of third-party sources apps create more potential vulnerabilities. Additionally, security updates can sometimes be delayed depending on the device manufacturer. iPhones, while generally more secure, can be vulnerable if a user jailbreaks the device or falls victim to phishing and other social engineering scams.

Can answering a phone call get you hacked?

Simply answering a phone call cannot install malware on a modern, updated smartphone. The real danger comes from social engineering, where the caller will convince you into taking an action that compromises your security such as giving your personal information or installing something yourself. This is often called vishing or voice phishing.

Can your phone camera be hacked?

Yes, your phone’s camera and microphone can be hacked, a process known as camfecting. This is typically done using spyware hidden in malicious apps disguised as legitimate software that you may have been tricked into installing. Signs of a compromised camera include the indicator light turning on unexpectedly, finding photos or videos in your gallery that you didn’t take, or experiencing unusually high battery drain.

Can a phone be hacked when turned off?

When your phone is completely powered down, its network connections and most of its hardware are inactive, making it impossible to be actively hacked over the internet. However, some modern smartphones have features that remain active even when the device seems off, like the location tracker. Sophisticated, state-level spyware like Pegasus are also theoretically capable of attacking a device’s firmware even while turned off. 

Hacking off a hacker: A step-by-step recovery guide 

Sometimes you are fortunate enough to catch the hacking attempt while it is in progress, such as during a vishing incident. When this happens, you can take these immediate steps to thwart the hacker before, during and after:

• Use call screening and blocking: Enable your carrier’s spam call filtering services and manually block any suspicious numbers that call you.
• Never share one-time codes: Legitimate companies will never call you to ask for a password, PIN, or two-factor authentication (2FA) code. Treat any such request as a scam.
• Hang up and verify independently: If you receive a suspicious call, hang up immediately. Find the official phone number for the company online and call them directly.

Discovering that your phone has been hacked can be alarming, but acting quickly can help minimize the damage and restore your privacy. Here are the actions to take to regain control and protect your personal information:

1. Back up essential data: Before taking any action, save your irreplaceable data such as photos, contacts, and important documents to a cloud service or computer. Do not back up applications or system data, as these may be infected.
2. Disconnect immediately: The first step is to restart your phone in Safe Mode (for Android) or Recovery Mode (for iPhone). This cuts off its connection to Wi-Fi and cellular networks, preventing the hacker from sending or receiving more data.
3. Run a security scan: Use a trusted mobile security app, like McAfee Mobile Security to scan your device. It’s designed to find and remove malware that may be hiding on your phone.
4. Delete suspicious apps and files: Manually go through your applications and delete anything you don’t remember installing or that looks unfamiliar. Check your downloads folder for suspicious files and delete those as well.
5. Clear browser cache and data: Malicious code could be stored in your browser’s cache. Go into your browser settings and clear all history, cookies, and cached data to remove lingering threats.
6. Change your passwords: From a separate, uninfected device, change the passwords for your critical accounts, including email, banking, and social media. Use a password manager to create and store strong, unique passwords for each account. Enable 2FA where possible for added security. 
7. Secure your accounts: Review recent activity on your online accounts for any unauthorized transactions or messages. Have your bank accounts frozen and request new cards and credentials.
8. Update your operating system: Check for and install the latest OS update for your device. These updates often contain critical security patches that can fix the vulnerability the hacker exploited in the first place.
9. Perform a full shutdown when needed, disable always-on location features if you’re concerned.
10. Perform a factory reset: If the issues persist, a factory reset is your most effective —and last—option. Once you have backed up files, resetting is a straightforward process and will completely remove any lingering malware.
11. Verify backups before restoring: After cleaning your device or a factory reset, be cautious when restoring data. Ensure your backup is from a date before the hacking occurred to avoid reinfecting your phone. Restore only essential data and manually reinstall apps only from official app stores.
12. Notify your contacts and authorities: Let your contacts know your phone was hacked so they can be wary of strange messages from your number. If you suspect identity theft or financial fraud, report it to the relevant authorities and your financial institutions immediately.

Future-proof your phone from hacks

• Set a SIM PIN: Add a personal identification number to your SIM card through your phone’s settings. This prevents a fraudster from using your SIM in another device to execute a SIM swap attack.
• Enable automatic security updates: Ensure your phone is set to automatically download and install OS updates. These patches often fix critical security vulnerabilities that hackers actively exploit.
• Use encrypted DNS: Enable the Private DNS feature on Android or an equivalent app on iOS to encrypt your web traffic lookups. This prevents eavesdroppers on public Wi-Fi from seeing which websites you visit.
• Disable developer options and USB debugging: These settings are for app developers and can create security backdoors if left on. Turn them off in your phone’s settings unless you have a specific need for them.

Protective measures to take in the first place

Applying security measures the moment you bring home your brand new phone helps to keep your phone from getting hacked in the first place. It only takes a few minutes. Follow these tips to find yourself much safer from the start:  

1. Install trusted security software immediately. You’ve adopted this good habit on your desktops and laptops. Your phones? Not so much. Online protection software gives you the first line of defense against attacks, and more.
2. Go with a VPN. Make a public network safe by deploying a virtual private network, which serves as your Wi-Fi hotspot.  It will encrypt your data to keep you safe from advertisers and prying eyes.
3. Use a password manager. Strong, unique passwords offer another primary line of defense. Try a password manager that can create and safely store them. 
4. Avoid public charging stations. Look into a portable power pack that you can charge up ahead of time or run on AA batteries. They’re pretty inexpensive and are a safer alternative to public charging stations.  
5. Keep your eyes on your phone. Preventing the actual theft of your phone is important. This is a good case for password or PIN protecting your phone, and turning on device tracking. In case it is stolen, Apple and Google provide a step-by-step guide for remotely wiping devices.  
6. Stick with trusted app stores. Stick with legitimate app stores like Google Play and Apple’s App Store, which vet apps to ensure they are safe.
7. Keep an eye on app permissions. Check what permissions your apps are asking for. Both iPhone and Android users can allow or revoke app permission.
8. Update your phone’s operating system. Keeping your phone’s operating system up to date can fix vulnerabilities that hackers rely on to pull off attacks—it’s another tried and true method to keep your phone safe and performing well.

Advanced ways to block hackers from your phone

• Enable a SIM Card PIN: Set up a PIN for your SIM card to prevent hackers from using it in another phone for a SIM swap attack, which requires the PIN upon restart.
• Use an eSIM if possible: An embedded SIM (eSIM) cannot be physically removed from your phone, making it difficult for criminals to execute a fraudulent SIM swap.
• Enforce encrypted DNS: Configure your phone to use DNS-over-HTTPS (DoH), which encrypts your DNS queries, preventing eavesdroppers on public Wi-Fi from seeing which websites you visit.
• Deploy a hardware security key: For the ultimate 2FA protection, a physical key (like a YubiKey) for sensitive accounts makes it nearly impossible for hackers to log in without it.
• Disable USB debugging and developer mode: Unless you are an app developer, keep these advanced Android features off to close potential backdoors that malware could exploit.
• Turn off unused wireless radios: Manually disable Wi-Fi, Bluetooth, and NFC when you aren’t using them to reduce your phone’s attack surface and prevent unauthorized connections.

Stay proactive with mobile security

Protecting your phone from hackers doesn’t have to be overwhelming. By remaining vigilant for the warning signs, keeping your software updated, and using trusted security tools, you can significantly reduce your risk of getting your phone infiltrated. Think of your digital security as an ongoing practice, not a one-time fix. 

Mobile security solutions like McAfee Mobile Security are specifically designed to scan your device for malware, spyware, and other malicious code. Key features to look for in a quality security app include real-time antivirus protection, web protection to block dangerous websites, and privacy monitoring to check which apps have access to your personal data. McAfee Mobile Security also offers award-winning antivirus, real-time malware scanning to stop malicious apps before they can cause harm. The included Secure VPN encrypts your connection, making public Wi-Fi safe for browsing and banking. With features like Identity Monitoring to alert you if your details are found on the dark web and Safe Browsing to block risky websites, you’re protected from multiple angles. 

Be very cautious of fake anti-hack apps; these could be scams that can install malware themselves. To be safe, always download security software from reputable providers through official channels like the Google Play Store or Apple’s App Store.

The post How to Know If Your Phone Has Been Hacked appeared first on McAfee Blog.

There are plenty of phish in the sea. 

Millions of bogus phishing emails land in millions of inboxes each day with one purpose in mind—to rip off the recipient. Whether they’re out to crack your bank account, steal personal information, or both, you can learn how to spot phishing emails and keep yourself safe. 

And some of today’s phishing emails are indeed getting tougher to spot.  

They seem like they come from companies you know and trust, like your bank, your credit card company, or services like Netflix, PayPal, and Amazon. And some of them look convincing. The writing and the layout are crisp, and the overall presentation looks professional. Yet still, there’s still something off about them.  

And there’s certainly something wrong with that email. It was written by a scammer. Phishing emails employ a bait-and-hook tactic, where an urgent or enticing message is the bait and malware or a link to a phony login page is the hook.  

Once the hook gets set, several things might happen. That phony login page may steal account and personal information. Or that malware might install keylogging software that steals information, viruses that open a back door through which data can get hijacked, or ransomware that holds a device and its data hostage until a fee is paid. 

Again, you can sidestep these attacks if you know how to spot them. There are signs. 

Let’s look at how prolific these attacks are, pick apart a few examples, and then break down the things you should look for. 

Phishing attack statistics—the millions of attempts made each year. 

In the U.S. alone, more than 300,000 victims reported a phishing attack to the FBI in 2022. Phishing attacks topped the list of reported complaints, roughly six times greater than the second top offender, personal data breaches. The actual figure is undoubtedly higher, given that not all attacks get reported. 

Looking at phishing attacks worldwide, one study suggests that more than 255 million phishing attempts were made in the second half of 2022 alone. That marks a 61% increase over the previous year. Another study concluded that 1 in every 99 mails sent contained a phishing attack.  

Yet scammers won’t always cast such a wide net. Statistics point to a rise in targeted spear phishing, where the attacker goes after a specific person. They will often target people at businesses who have the authority to transfer funds or make payments. Other targets include people who have access to sensitive information like passwords, proprietary data, and account information. 

As such, the price of these attacks can get costly. In 2022, the FBI received 21,832 complaints from businesses that said they fell victim to a spear phishing attack. The adjusted losses were over $2.7 billion—an average cost of $123,671 per attack. 

So while exacting phishing attack statistics remain somewhat elusive, there’s no question that phishing attacks are prolific. And costly. 

What does a phishing attack look like? 

Nearly every phishing attack sends an urgent message. One designed to get you to act. 

Some examples … 

• “You’ve won our cash prize drawing! Send us your banking information so we can deposit your winnings!” 

• “You owe back taxes. Send payment immediately using this link or we will refer your case to law enforcement.” 
• “We spotted what might be unusual activity on your credit card. Follow this link to confirm your account information.” 
• “There was an unauthorized attempt to access your streaming account. Click here to verify your identity.” 
• “Your package was undeliverable. Click the attached document to provide delivery instructions.” 

When set within a nice design and paired some official-looking logos, it’s easy to see why plenty of people click the link or attachment that comes with messages like these. 

And that’s the tricky thing with phishing attacks. Scammers have leveled up their game in recent years. Their phishing emails can look convincing. Not long ago, you could point to misspellings, lousy grammar, poor design, and logos that looked stretched or that used the wrong colors. Poorly executed phishing attacks like that still make their way into the world. However, it’s increasingly common to see far more sophisticated attacks today. Attacks that appear like a genuine message or notice. 

Case in point: 

Say you got an email that said your PayPal account had an issue. Would you type your account information here if you found yourself on this page? If so, you would have handed over your information to a scammer. 

We took the screenshot above as part of following a phishing attack to its end—without entering any legitimate info, of course. In fact, we entered a garbage email address and password, and it still let us in. That’s because the scammers were after other information, as you’ll soon see. 

As we dug into the site more deeply, it looked pretty spot on. The design mirrored PayPal’s style, and the footer links appeared official enough. Yet then we looked more closely. 

Note the subtle errors, like “card informations” and “Configuration of my activity.” While companies make grammatical errors on occasion, spotting them in an interface should hoist a big red flag. Plus, the site asks for credit card information very early in the process. All suspicious. 

Here’s where the attackers really got bold.  

They ask for bank “informations,” which not only includes routing and account numbers, but they ask for the account password too. As said, bold. And entirely bogus. 

Taken all together, the subtle errors and the bald-faced grab for exacting account information clearly mark this as a scam. 

Let’s take a few steps back, though. Who sent the phishing email that directed us to this malicious site? None other than “paypal at inc dot-com.” 

Clearly, that’s a phony email. And typical of a phishing attack where an attacker shoehorns a familiar name into an unassociated email address, in this case “inc dot-com.” Attackers may also gin up phony addresses that mimic official addresses, like “paypalcustsv dot-com.” Anything to trick you.  

Likewise, the malicious site that the phishing email sent us to used a spoofed address as well. It had no official association with PayPal at all—which is proof positive of a phishing attack. 

Note that companies only send emails from their official domain names, just as their sites only use their official domain names. Several companies and organizations will list those official domains on their websites to help curb phishing attacks.  

For example, PayPal has a page that clearly states how it will and will not contact you. At McAfee, we have an entire page dedicated to preventing phishing attacks, which also lists the official email addresses we use. 

Other examples of phishing attacks 

Not every scammer is so sophisticated, at least in the way that they design their phishing emails. We can point to a few phishing emails that posed as legitimate communication from McAfee as examples. 

There’s a lot going on in this first email example. The scammers try to mimic the McAfee brand, yet don’t pull it off. Still, they do several things to try to act convincing. 

Note the use of photography and the box shot of our software, paired with a prominent “act now” headline. It’s not the style of photography we use. Not that people would generally know this. However, some might have a passing thought like, “Huh. That doesn’t really look like what McAfee usually sends me.” 

Beyond that, there are a few capitalization errors, some misplaced punctuation, and the “order now” and “60% off” icons look rather slapped on. Also note the little dash of fear it throws in with a mention of “There are (42) viruses on your computer …” 

Taken all together, someone can readily spot that this is a scam with a closer look. 

This next ad falls into the less sophisticated category. It’s practically all text and goes heavy on the red ink. Once again, it hosts plenty of capitalization errors, with a few gaffes in grammar as well. In all, it doesn’t read smoothly. Nor is it easy on the eye, as a proper email about your account should be. 

What sets this example apart is the “advertisement” disclaimer below, which tries to lend the attack some legitimacy. Also note the phony “unsubscribe” link, plus the (scratched out) mailing address and phone, which all try to do the same. 

This last example doesn’t get our font right, and the trademark symbol is awkwardly placed. The usual grammar and capitalization errors crop up again, yet this piece of phishing takes a slightly different approach. 

The scammers placed a little timer at the bottom of the email. That adds a degree of scarcity. They want you to think that you have about half an hour before you are unable to register for protection. That’s bogus, of course. 

Seeing any recurring themes? There are a few for sure. With these examples in mind, get into the details—how you can spot phishing attacks and how you can avoid them altogether. 

How to spot and prevent phishing attacks. 

Just as we saw, some phishing attacks indeed appear fishy from the start. Yet sometimes it takes a bit of time and a particularly critical eye to spot. 

And that’s what scammers count on. They hope that you’re moving quickly or otherwise a little preoccupied when you’re going through your email or messages. Distracted enough so that you might not pause to think, is this message really legit? 

One of the best ways to beat scammers is to take a moment to scrutinize that message while keeping the following in mind … 

They play on your emotions. 

Fear. That’s a big one. Maybe it’s an angry-sounding email from a government agency saying that you owe back taxes. Or maybe it’s another from a family member asking for money because there’s an emergency. Either way, scammers will lean heavily on fear as a motivator. 

If you receive such a message, think twice. Consider if it’s genuine. For instance, consider that tax email example. In the U.S., the Internal Revenue Service (IRS) has specific guidelines as to how and when they will contact you. As a rule, they will likely contact you via physical mail delivered by the U.S. Postal Service. (They won’t call or apply pressure tactics—only scammers do that.) Likewise, other nations will have similar standards as well. 

They ask you to act—NOW. 

Scammers also love urgency. Phishing attacks begin by stirring up your emotions and getting you to act quickly. Scammers might use threats or overly excitable language to create that sense of urgency, both of which are clear signs of a potential scam. 

Granted, legitimate businesses and organizations might reach out to notify you of a late payment or possible illicit activity on one of your accounts. Yet they’ll take a far more professional and even-handed tone than a scammer would. For example, it’s highly unlikely that your local electric utility will angrily shut off your service if you don’t pay your past due bill immediately. 

They want you to pay a certain way. 

Gift cards, cryptocurrency, money orders—these forms of payment are another sign that you might be looking at a phishing attack. Scammers prefer these methods of payment because they’re difficult to trace. Additionally, consumers have little or no way to recover lost funds from these payment methods. 

Legitimate businesses and organizations won’t ask for payments in those forms. If you get a message asking for payment in one of those forms, you can bet it’s a scam. 

They use mismatched addresses. 

Here’s another way you can spot a phishing attack. Take a close look at the addresses the message is using. If it’s an email, look at the email address. Maybe the address doesn’t match the company or organization at all. Or maybe it does somewhat, yet it adds a few letters or words to the name. This marks yet another sign that you might have a phishing attack on your hands. 

Likewise, if the message contains a web link, closely examine that as well. If the name looks at all unfamiliar or altered from the way you’ve seen it before, that might also mean you’re looking at a phishing attempt. 

Protect yourself from phishing attacks 

1. Go directly to the source. Some phishing attacks can look convincing. So much so that you’ll want to follow up on them, like if your bank reports irregular activity on your account or a bill appears to be past due. In these cases, don’t click on the link in the message. Go straight to the website of the business or organization in question and access your account from there. Likewise, if you have questions, you can always reach out to their customer service number or web page.  
2. Follow up with the sender. Keep an eye out for emails that might be a spear phishing attack. If an email that looks like it came from a family member, friend, or business associate, follow up with them to see if they sent it. Particularly if asks for money, contains a questionable attachment or link, or simply doesn’t sound quite like them. Text, phone, or check in with them in person. Don’t follow up by replying to the email, as it may have been compromised.   
3. Don’t download attachments. Some phishing attacks send attachments packed with malware like the ransomware, viruses, and keyloggers we mentioned earlier. Scammers may pass them off as an invoice, a report, or even an offer for coupons. If you receive a message with such an attachment, delete it. And most certainly don’t open it. Even if you receive an email with an attachment from someone you know, follow up with that person. Particularly if you weren’t expecting an attachment from them. Scammers will often hijack or spoof email accounts of everyday people to spread malware.  
4. Hover over links to verify the URL. On computers and laptops, you can hover your cursor over links without clicking on them to see the web address. If the URL looks suspicious in any of the ways we mentioned just above, delete the message, and don’t ever click. 

Protect yourself from email attacks even further 

Online protection software can protect you from phishing attacks in several ways. 

For starters, it offers web protection that warns you when links lead to malicious websites, such as the ones used in phishing attacks. In the same way, online protection software can warn you about malicious downloads and email attachments so that you don’t end up with malware on your device. And, if the unfortunate does happen, antivirus can block and remove malware. 

Online protection software like ours can also address the root of the problem. Scammers must get your email address from somewhere. Often, they get it from online data brokers, sites that gather and sell personal information to any buyer—scammers included.  

Data brokers source this information from public records and third parties alike that they sell in bulk, providing scammers with massive mailing lists that can target thousands of potential victims. You can remove your personal info from some of the riskiest data broker sites with our Personal Data Cleanup, which can lower your exposure to scammers by keeping your email address out of their hands. 

In all, phishing emails have telltale signs, some more difficult to see than others. Yet you can spot them when you know what to look for and take the time to look for them. With these attacks so prevalent and on the rise, looking at your email with a critical eye is a must today. 

The post How to Spot Phishing Emails and Scams appeared first on McAfee Blog.

Look both ways for a new form of scam that’s on the rise, especially if you live in Dallas, Atlanta, Los Angeles, Chicago, or Orlando — fake toll road scams. They’re the top five cities getting targeted by scammers. 

We’ve uncovered plenty of these scams, and our research team at McAfee Labs has revealed a major uptick in them over the past few weeks. Fake toll road scams have nearly quadrupled at the end of February compared to where they were in January.  

Figure 1. A chart showing the increasing frequency and volume of toll road scam messages

What is a toll road scam? 

The scams play out like this:  

Ping. You get a text notification. It says you have an unpaid tab for tolls and that you need to pay right away. And like many scams, it contains a link where you can pay up. Of course, that takes you to a phishing site that asks for your payment info (and sometimes your driver’s license number or even your Social Security number), which can lead to identity fraud and possibly identity theft. 

Here’s one example that our Labs team tracked down. Pay close attention to the link. It follows the form of a classic scammer trick by altering the address of a known company so that it looks legit. 

Figure 2. A screenshot showing an example of a Toll Roads scam text 

The scam messages come in multiple varieties, however, so it’s important to stay vigilant of both your text and email inboxes. McAfee Labs found, for example, that some text messages and emails included PDFs while others included links using popular URL shortener services such as bit.ly, shorturl.at, qrco.de, and short.gy. The use of URL shorteners can also falsely create a sense of security when people recognize the popular format and don’t see typos or suspicious parts of the full URL. 

Figure 3. A screenshot of a toll road scam text that urges recipients to open a PDF 

Additionally, these scammers put in a lot of effort to create legitimate-looking web pages and notices. Note how the following example does its best to look like branded digital letterhead. And, as usual, it uses urgent language about fines and legal action to help make sure you “Pay Now.” 

Figure 4. An example of a PDF included in a scam toll road text message
 

Why so many toll road scams?  

They work. Scammers target their victims by matching them with the toll payment service in their city or state, which makes the scam look extra official. For example, a scammer would use an “E-ZPass” email to target someone in Orlando, our #5 city for toll road scams, which is one of the 19 states that E-ZPass serves. In southern California, victims get hit with phony texts from scammers posing as “The Toll Roads,” which is a payment service in that region. 

The apparent legitimacy combined with the emotional sense of urgency creates the perfect snare for scammers.  

Now, about those URLs to phishing sites. We mentioned that scammers take the URLs of known toll payment services and add some extra characters to them. In other cases, they’ve latched on to the root term “paytoll” as well. Our research team dug up several examples of fake toll sites, including: 

1. paytollbysuab[dot]top/pay  
2. thetollroads-paytollhmm[dot]world  
3. thetollroads-paytollxtd[dot]world/us  
4. thetollroads-paytollwpc[dot]world/us  
5. thetollroads-paytollolno[dot]xin/us  
6. thetollroads-paytollktc[dot]world/us  
7. thetollroads-paytoll[dot]world/us  
8. paytollmit[dot]vip  
9. paytollaqs[dot]vip  
10. paytollcqb[dot]top/ezdrivema  

Of course, don’t follow any of those links. And something else about those links — you can see scammers dot-top, dot-vip, and dot-xin. These domains are cheap, available, and easy to purchase, which makes them attractive to scammers. 

The cities facing the biggest influx of toll road scams 

According to McAfee Labs research, the following U.S. cities are experiencing the most of these scam texts: 

1. Dallas, Texas  
2. Atlanta, Georgia  
3. Los Angeles, California  
4. Chicago, Illinois  
5. Orlando, Florida  
6. Miami, Florida  
7. San Antonio, Texas  
8. Las Vegas, Nevada  
9. Houston, Texas  
10. Denver, Colorado 
11. San Diego, California  
12. Phoenix, Arizona  
13. Seattle, Washington  
14. Indianapolis, Indiana  
15. Boardman, Ohio 

Figure 5. The top cities where toll road scams are most prevalent 

Avoiding toll road scams 

The scam has gotten so out of hand that the U.S. Federal Trade Commission (FTC) has issued a warning about it. They offer up the following advice: 

• Don’t click on any links in, or respond to, unexpected texts. Scammers want you to react quickly, but it’s best to stop and check it out. 

• Check to see if the text is legit. Reach out to the state’s tolling agency using a phone number or website you know is real — not the info from the text. 

• Report and delete unwanted text messages. Use your phone’s “report junk” option to report unwanted texts to your messaging app or forward them to 7726 (SPAM). Once you’ve checked it out and reported it, delete the text. 

We’ll add to that too, with: 

• If in doubt, use a search engine to locate the toll websites in your area. 

• Report suspicious texts to www.ic3.gov so that law enforcement can track them and warn others about them. 

• Get text scam protection. Our Text Scam Detector automatically detects scams by scanning URLs in your text messages. If you accidentally tap or click? Don’t worry, it blocks risky sites if you follow a suspicious link. 

Additional examples of phishing pages found by McAfee

The following images show additional phishing pages and links McAfee found in relation to different toll road scams.

The post Fake Toll Road Scam Texts are Everywhere. These Cities are The Most Targeted. appeared first on McAfee Blog.