Scam Watch

The FBI issued a formal public service announcement in May 2026 about Kali365, a phishing kit being sold on Telegram that bypasses multi-factor authentication without ever stealing your password. The attack works by sending a phishing email with a legitimate-looking Microsoft device authorization code and a link to Microsoft’s real login page. When you sign in and complete MFA normally, the attacker’s device receives your OAuth access token, giving them persistent access to your Outlook, Teams, and OneDrive without triggering any further security prompts. Even users with MFA enabled are vulnerable. The FBI has tracked active attacks across government, financial services, and healthcare.

The FTC issued an alert on June 8, 2026 about a scam that looks exactly like a standard CAPTCHA verification. You encounter a pop-up that asks you to prove you are human, but instead of clicking images or typing characters, it instructs you to press Windows + R, then Ctrl + V, then Enter. Following those steps pastes and runs hidden malware that was placed in your clipboard without your knowledge. The screen may say “security verification” throughout the process.

The FTC warned in late May 2026 that scammers are sending fake digital invitations impersonating platforms like Evite and Paperless Post. The invitation may list someone you know as the host and looks completely legitimate. To RSVP, it asks you to sign in with Google or Microsoft. Those login screens are fake and capture your credentials, giving attackers access to every service linked to that account. Over 80 fraudulent domains built since late 2025 are running this campaign.

Google’s June 2026 scams advisory flagged fake calendar invites as an emerging attack vector. Scammers send invitations that automatically appear on your Google Calendar even from unknown senders. The invites look like security alerts, billing notices, subscription renewals, or event notifications and include links or phone numbers. Because calendar invites arrive outside the email inbox, they bypass many phishing filters and feel more trustworthy to recipients.

Over 80% of phishing emails are now AI-generated, with a 60% higher click rate than traditionally written scams. These emails are grammatically perfect, match your organization’s tone, and can appear to come from someone you know. You can no longer use poor writing or odd phrasing as a warning sign. AI is also being used to generate personalized spear-phishing emails using details pulled from LinkedIn and company websites.

In a widely reported case, a finance employee wired $25.6 million after joining a video call where every participant, including the CFO, was a deepfake. AI voice and video cloning tools are now inexpensive and widely available. The FBI’s 2025 Internet Crime Report noted that deepfake and voice cloning scams cost Americans nearly $900 million in 2025 alone. Attackers are impersonating executives, family members, colleagues, and government officials in real-time calls.

Emails appearing to come from your CEO or a senior executive urgently requesting a wire transfer, gift card purchase, or payment instruction change. AI now mimics the exact writing style of specific executives pulled from public sources. Business email compromise caused $2.7 billion in verified losses in 2024, with 2025 figures expected to be significantly higher.

You receive an email with a fake invoice, subscription renewal, or security alert telling you to call a phone number to resolve the issue. Phone numbers bypass email security filters entirely. Once you call, attackers use social engineering to walk you through installing remote access software or revealing credentials. This method increased 500% in late 2025 and continues to grow in 2026.

A scammer compromises a vendor’s email account or spoofs their domain and sends a fraudulent invoice or updated banking details notice. Payments are redirected to the attacker’s account without the legitimate vendor’s knowledge. The FTC flagged fake invoice scams targeting small businesses specifically in May 2026, noting that scammers send invoices for products or services never ordered, counting on busy staff to pay without checking.

The IRS published its 2026 Dirty Dozen list in March 2026. Top threats include emails impersonating the IRS, QuickBooks, TurboTax, and DocuSign with fake filing alerts, AI robocalls using cloned IRS agent voices, and spear-phishing targeting tax professionals. The IRS also flagged fabricated long-term capital gains claims on Form 2439 as a new scheme. Over 600 social media IRS impersonators were reported in fiscal year 2025.

Scammers monitor real estate transaction email threads and at a critical moment send fraudulent wire instructions appearing to come from your agent, attorney, or title company. Funds sent to the wrong account are rarely recovered. This remains a consistently active threat reported regularly to the NJCCIC from New Jersey residents.

A pop-up, email, or phone call claims your computer has a critical security problem and instructs you to call a number or grant remote access. The caller poses as Microsoft, Apple, or another tech company. Once they have remote access, they install malware, steal data, or demand payment. Apple issued a specific warning in early 2026 about a surge in Apple Pay impersonation scams targeting iPhone users, designed to create panic about fake account charges.

The FTC received over 330,000 government impersonation complaints in 2025, a 25% increase over the prior year. A resurgent version involves scammers claiming you missed jury duty and threatening arrest or fines payable immediately by gift card or cryptocurrency. They may use spoofed phone numbers that appear to come from real courthouses or agencies. The FTC also warned in June 2026 that scammers are actively impersonating FTC employees specifically.

With over 1.17 million U.S. layoffs in 2025, employment scams continue to grow in 2026. Scammers post fake positions on legitimate job boards or contact job seekers directly to collect Social Security numbers, banking details, or upfront fees. The FTC has also flagged fake training and coaching program ads on social media that promise significant income from crypto, forex, or business ventures.