Scam Watch

Last updated: June 2026

A regularly updated reference of active scams targeting businesses and individuals. Use the tabs below to browse by how the scam reaches you. Bookmark this page and check back as we update it when new threats emerge.




⚠ High Risk
MFA Bypass via Microsoft 365 OAuth Tokens
The FBI issued a formal warning in May 2026 about Kali365, a phishing kit sold on Telegram that bypasses multi-factor authentication without ever stealing your password. The attack works by sending a phishing email with a legitimate-looking Microsoft device authorization code and a link to Microsoft’s real login page. When you sign in and complete MFA normally, the attacker receives your OAuth access token, giving them persistent access to your Outlook, Teams, and OneDrive with no further prompts. Even users with MFA enabled are vulnerable. Active attacks have been tracked across government, financial services, and healthcare.
What to do: Be suspicious of any email asking you to visit a Microsoft device authorization page or enter a device code. Your IT administrator can restrict device code authentication through Conditional Access policies. If you believe your account was compromised, revoke active session tokens immediately and contact IT support.
Also arrives via: Text
Added June 2026

⚠ High Risk
Fake CAPTCHA Malware Installs
The FTC issued an alert on June 8, 2026 about a scam that looks exactly like a standard CAPTCHA verification. A pop-up asks you to prove you are human, but instead of clicking images or typing characters, it instructs you to press Windows + R, then Ctrl + V, then Enter. Following those steps pastes and runs hidden malware that was placed in your clipboard. The screen says “security verification” throughout to appear legitimate.
What to do: A real CAPTCHA will never ask you to press keyboard shortcuts or run commands. If any website asks you to press Windows + R or open a Run dialog, close the browser tab immediately and run a malware scan. Report suspicious pop-ups to the FTC at ReportFraud.ftc.gov.
Added June 2026

⚠ High Risk
Fake Party & Event Invitation Phishing
The FTC warned in May 2026 that scammers are sending fake digital invitations impersonating platforms like Evite and Paperless Post. The invitation may list someone you know as the host and looks completely legitimate. To RSVP, it asks you to sign in with Google or Microsoft. Those login screens are fake and capture your credentials, giving attackers access to every account linked to that login. Over 80 fraudulent domains built since late 2025 are running this campaign.
What to do: Real invitation platforms do not ask for your Google or Microsoft login to open an invitation. If you receive an unexpected invite requiring a login, contact the supposed host directly to confirm it is real before clicking anything.
Also arrives via: Text
Added June 2026

⚠ High Risk
AI-Generated Phishing Emails
Over 80% of phishing emails are now AI-generated, with a 60% higher click rate than traditionally written scams. These emails are grammatically perfect, match your organization’s tone, and can appear to come from someone you know. You can no longer use poor writing or odd phrasing as a warning sign. AI is also used to generate personalized spear-phishing emails using details pulled from LinkedIn and company websites.
What to do: Verify any unusual request through a separate channel. Call the sender directly using a known number. Do not reply to the email or use any contact information provided within it.
Added March 2026

⚠ High Risk
CEO / Executive Impersonation (BEC)
Emails appearing to come from your CEO or a senior executive urgently requesting a wire transfer, gift card purchase, or payment instruction change. AI now mimics the exact writing style of specific executives pulled from public sources. Business email compromise caused $2.7 billion in verified losses in 2024, with 2025 figures expected to be significantly higher.
What to do: Never act on financial requests received only by email. Call the executive directly using a known number. Establish a two-person approval policy for all wire transfers regardless of who is asking.
Added March 2026

⚠ High Risk
Callback Phishing
You receive an email with a fake invoice, subscription renewal, or security alert telling you to call a phone number to resolve the issue. Phone numbers bypass email security filters entirely. Once you call, attackers use social engineering to walk you through installing remote access software or revealing credentials. This method increased 500% in late 2025 and continues to grow.
What to do: Never call a phone number provided in an unexpected email. Look up the company’s contact information independently. Legitimate companies do not send alarming notices requiring you to call immediately to avoid consequences.
Also involves: Phone
Added March 2026

⚠ High Risk
Vendor / Invoice Fraud
A scammer compromises a vendor’s email account or spoofs their domain and sends a fraudulent invoice or updated banking details notice. Payments are redirected to the attacker’s account without the legitimate vendor’s knowledge. The FTC flagged fake invoice scams targeting small businesses specifically in May 2026, noting that scammers send invoices for products or services never ordered, counting on busy staff to pay without checking.
What to do: Any change to payment instructions from a vendor must be verified by calling at a number you already have on file. Verify any unexpected invoice against your purchase records before paying. Never use contact information provided in the invoice itself.
Added March 2026

⚠ High Risk
Fake Microsoft / Google Login Pages
Microsoft is the most impersonated brand in phishing attacks in 2026, followed by Google. Emails warn of unusual account activity and link to convincing fake login pages. A compromised Microsoft 365 or Google Workspace account gives attackers access to your entire operation, including email history, contacts, and connected services.
What to do: Never click login links in emails. Type addresses directly into your browser. Enable multi-factor authentication on all accounts and use an authenticator app rather than SMS codes where possible.
Added March 2026

⚠ High Risk
Tax & IRS Phishing (2026 Dirty Dozen)
The IRS published its 2026 Dirty Dozen list in March 2026. Top threats include emails impersonating the IRS, QuickBooks, TurboTax, and DocuSign with fake filing alerts, AI robocalls using cloned IRS agent voices, and spear-phishing targeting tax professionals. The IRS also flagged fabricated long-term capital gains claims on Form 2439 as a new scheme.
What to do: The IRS contacts taxpayers by mail first, never by unsolicited email, text, or social media. Go directly to irs.gov to check your account status. Report suspicious IRS-related emails to phishing@irs.gov.
Also arrives via: Phone, Text
Added March 2026

⚠ High Risk
Real Estate Wire Transfer Fraud
Scammers monitor real estate transaction email threads and at a critical moment send fraudulent wire instructions appearing to come from your agent, attorney, or title company. Funds sent to the wrong account are rarely recovered. This remains a consistently active threat, reported regularly to the NJCCIC by New Jersey residents.
What to do: Always verify wire instructions by calling your agent, attorney, or title company at an independently sourced number before sending any funds. Be especially cautious of any last-minute changes to payment details.
Added March 2026

⚠ High Risk
Fake Job Offers & Employment Scams
With over 1.17 million U.S. layoffs in 2025, employment scams continue to grow in 2026. Scammers post fake positions on legitimate job boards or contact job seekers directly to collect Social Security numbers, banking details, or upfront fees. The FTC has also flagged fake training and coaching program ads on social media that promise significant income from crypto, forex, or business ventures.
What to do: Never pay any fee to obtain a job or interview. Research the company independently before providing any personal information. A legitimate employer will never ask for upfront payment of any kind.
Also arrives via: Text, Social Media
Added May 2026

● Medium Risk
Amazon Prime & Subscription Renewal Scams
The NJCCIC issued an alert in April 2026 about an active phishing campaign impersonating Amazon Prime renewal notices claiming payment issues or billing problems. Similar campaigns target Netflix, Adobe, and other subscription services. The sender address is not associated with the real company despite official-looking branding. Clicking the link leads to a credential and payment harvesting site.
What to do: Do not click links in subscription renewal emails. Navigate directly to the company’s website by typing the address yourself to check your account status. Check the actual sender email address carefully for misspellings or unrelated domains.
Added April 2026

● Medium Risk
Investment Scams
Scammers use deepfake videos of celebrities and public figures to promote fake investment platforms. They contact victims through social media, email, and dating apps with promises of guaranteed high returns. Crypto phishing losses reached $2.17 billion in 2025. Romance-based crypto investment scams remain one of the most prevalent fraud types of 2026, often involving weeks or months of trust-building before a request for money.
What to do: No legitimate investment guarantees profit. Be skeptical of any unsolicited investment opportunity, especially those promoted by someone you met online. Never invest money you cannot afford to lose entirely.
Also arrives via: Social Media, Phone
Added March 2026

● Medium Risk
Social Engineering & Pretexting
Attackers research targets using LinkedIn and company websites, then craft personalized scenarios to manipulate them into revealing information or granting access. Multi-channel attacks, where the same fake message arrives through email, text, and a calendar invite simultaneously, are more convincing than single-channel attempts. Google’s June 2026 advisory specifically flagged this combination as a growing tactic.
What to do: Verify the identity of anyone requesting sensitive information or system access through a separate, independently sourced channel. A second opinion from a colleague before acting on an unusual request can prevent costly mistakes.
Also arrives via: Phone, Text
Added March 2026

⚠ High Risk
Calendar Invite Phishing
Google’s June 2026 scams advisory flagged fake calendar invites as an emerging attack vector. Scammers send invitations that automatically appear on your Google Calendar even from unknown senders. The invites look like security alerts, billing notices, subscription renewals, or event notifications and include links or phone numbers. Because calendar invites arrive outside the email inbox, they bypass many phishing filters and feel more trustworthy to recipients.
What to do: In Google Calendar settings, change your invitation settings to only show invitations from people in your contacts. Do not click links in unexpected calendar invites. Turn off automatic event creation from emails if you do not use that feature.
Added June 2026

⚠ High Risk
NJ MVC & E-ZPass Text Scams
The NJCCIC continues to receive reports in 2026 of SMS phishing targeting New Jersey residents. Texts impersonate the NJ Motor Vehicle Commission claiming unpaid traffic tickets and threatening license suspension, registration loss, and credit damage. Separate campaigns impersonate E-ZPass claiming unpaid tolls. URLs in these messages include terms like “ezpassnj” and “.gov” to appear legitimate but lead to credential and payment harvesting sites.
What to do: The NJ MVC only texts residents about scheduled appointments. E-ZPass does not send unsolicited payment requests by text. Go directly to the official agency website to check your account. Forward suspicious texts to 7726 (SPAM).
Added May 2026

⚠ High Risk
Fake Party & Event Invitation Phishing
The FTC warned in May 2026 that scammers are sending fake digital invitations by text as well as email, impersonating platforms like Evite and Paperless Post. The invitation may list someone you know as the host. To RSVP, it asks you to sign in with Google or Microsoft. Those login screens are fake and capture your credentials, giving attackers access to every account linked to that login.
What to do: Real invitation platforms do not ask for your Google or Microsoft login to open an invitation. If you receive an unexpected invite requiring a login, contact the supposed host directly to confirm it is real before clicking anything.
Also arrives via: Email
Added June 2026

● Medium Risk
QR Code Phishing (“Quishing”)
Emails and physical materials contain QR codes directing you to fake login pages or malware downloads. Attackers place fake QR code stickers over legitimate codes at parking meters, retail locations, and office signage. QR codes bypass email security filters because the destination URL is embedded in an image. Google’s June 2026 advisory confirmed quishing remains an active and growing attack method.
What to do: Use a QR scanner that previews the destination URL before opening it. Be skeptical of QR codes in unexpected emails or on physical signs, especially those requesting login credentials or payment.
Also arrives via: Email, In-Person
Added March 2026

● Medium Risk
Toll Road & Delivery Text Scams
Toll road scams increased 900% in 2025 and remain active in 2026. Text messages claim you have an unpaid toll balance or an undeliverable package, with a link to pay a small fee. The link leads to a phishing site collecting payment information. Scammers impersonate E-ZPass, SunPass, UPS, FedEx, and USPS.
What to do: Do not click links in unexpected texts. Go directly to the carrier’s or toll authority’s official website by typing the address yourself. Legitimate services do not demand immediate payment by text.
Added May 2026

⚠ High Risk
Deepfake Video & Voice Call Scams
In a widely reported case, a finance employee wired $25.6 million after joining a video call where every participant, including the CFO, was a deepfake. AI voice and video cloning tools are now inexpensive and widely available. The FBI’s 2025 Internet Crime Report noted that deepfake and voice cloning scams cost Americans nearly $900 million in 2025. Attackers are impersonating executives, family members, colleagues, and government officials in real-time calls.
What to do: Establish a verbal code word with your family and colleagues for genuine emergencies. For any financial request made by phone or video, hang up and call back on a number you have on file independently. Treat any unexpected video call involving a request for money or credentials as suspicious regardless of who appears on screen.
Added May 2026

⚠ High Risk
Tech Support Impersonation
A pop-up, email, or phone call claims your computer has a critical security problem and instructs you to call a number or grant remote access. The caller poses as Microsoft, Apple, or another tech company. Once they have remote access, they install malware, steal data, or demand payment. Apple issued a specific warning in early 2026 about a surge in Apple Pay impersonation scams that target iPhone users and are designed to create panic about fake account charges.
What to do: Microsoft and Apple do not contact you unsolicited about computer or account problems. Close the pop-up, hang up the call, and never grant remote access to someone who contacts you first.
Also arrives via: Email, Pop-Up
Added March 2026

⚠ High Risk
Government Impersonation & Jury Duty Scams
The FTC received over 330,000 government impersonation complaints in 2025, a 25% increase over the prior year. A resurgent version involves scammers claiming you missed jury duty and threatening arrest or fines payable immediately by gift card or cryptocurrency. Callers use spoofed phone numbers that appear to come from real courthouses or agencies. The FTC warned in June 2026 that scammers are also actively impersonating FTC employees specifically.
What to do: Real courts and law enforcement do not call to threaten arrest for missed jury duty. Government agencies do not demand payment by gift card, cryptocurrency, or wire transfer. Hang up and call the agency directly using a number from their official .gov website.
Also arrives via: Email, Text
Added March 2026

⚠ High Risk
Callback Phishing
A phishing email with a fake invoice or security alert instructs you to call a phone number to resolve the issue. Phone numbers bypass email security filters. Once you call, attackers use social engineering to walk you through installing remote access software or revealing credentials. This method increased 500% in late 2025 and continues to grow in 2026.
What to do: Never call a phone number provided in an unexpected email. Look up the company’s contact information independently. Legitimate companies do not send alarming notices requiring you to call immediately to avoid consequences.
Starts via: Email
Added March 2026

● Medium Risk
Pension & Retirement Plan Scams
Scammers contact employees by phone, email, or social media offering a free review of retirement savings with promises of better returns, collecting personal information and attempting to redirect deposits. Fraudulent domains have been created to mimic official state pension websites, including those for New Jersey state employees.
What to do: Contact your HR department or plan administrator directly using contact information from official company communications, not from any unsolicited message. Never provide financial information to someone who reaches out to you first.
Also arrives via: Email, Social Media
Added March 2026

⚠ High Risk
FIFA World Cup 2026 Scams (Active Now)
With the FIFA World Cup running June 11 through July 19, 2026, and MetLife Stadium in East Rutherford, NJ hosting eight matches including the final, the NJCCIC has issued advance warnings about fraudulent ticketing websites, fake merchandise stores, malicious mobile apps, and phishing campaigns using World Cup branding. Hundreds of scam domains impersonating FIFA and venue websites have already been registered.
What to do: Purchase tickets only through FIFA’s official website or authorized sellers. Be cautious of any third-party ticketing site, especially those with recently registered domains. Verify the URL carefully before entering payment information.
Also arrives via: Email, Text
Added May 2026

● Medium Risk
QR Code Stickers on Physical Signs
Attackers place fake QR code stickers over legitimate codes at parking meters, retail locations, restaurants, and office signage. Scanning these takes you to a convincing fake payment or login page. This is increasingly reported at parking facilities and electric vehicle charging stations. The codes look identical to the originals and are placed precisely enough that most people do not notice the substitution.
What to do: Before scanning any QR code in a public place, look for signs of tampering — a sticker placed over the original is the most common sign. Use a QR scanner that previews the destination URL before opening it. If the URL looks unusual for the location, do not proceed.
Also arrives via: Email, Text
Added March 2026

● Medium Risk
Health Insurance Search Scams
The FTC warned in June 2026 that scammers are buying search engine ads that appear at the top of results for terms like “health insurance” or “Medicare.” Clicking the first result can lead to fake broker sites or impersonators of HealthCare.gov. These sites collect personal and payment information while enrolling victims in plans they did not choose, or no plan at all.
What to do: When searching for health insurance or government healthcare programs, scroll past the ads and go directly to HealthCare.gov or Medicare.gov by typing the address yourself. Official government sites end in .gov.
Also arrives via: Email, Phone
Added June 2026

Sources: NJ Cybersecurity & Communications Integration Cell (NJCCIC)  |  IRS 2026 Dirty Dozen  |  FBI IC3 — Kali365 Advisory  |  FTC Consumer Advice  |  Google Scams Advisory June 2026  |  AARP Fraud Watch 2026  |  Hoxhunt Phishing Trends Report  |  Paubox 2026 Email Threat Report

Report suspicious activity to the FBI IC3, the FTC, or the NJCCIC. Forward suspicious texts to 7726 (SPAM). Forward phishing emails to reportphishing@apwg.org.
