• In 2023, Talos collaborated with NetHope and Cisco Crisis Response to create a customized Backdoors & Breaches expansion deck for international humanitarian organizations, addressing their unique cybersecurity challenges. 
• The new expansion deck helps NGOs with constrained budgets improve proactive security and incident response skills through engaging tabletop exercises that are specific to their technical, political, and logistical challenges. 
• Hundreds of expansion decks have been distributed to international NGOs, and Talos has received positive feedback for their practicality and relevance. 
• Building on this success, we partnered with NGO-ISAC to develop a United States-specific deck for domestic NGOs, enhancing their cybersecurity preparedness.

---

Humanitarian organizations and the cybersecurity landscape

Hello friends! My name is Joe Marshall and I work at Cisco Talos as a cyber threat researcher and security strategist. Throughout my travels with Talos, I’ve met extraordinary individuals and organizations who fight injustices in a variety of ways: caring for children, feeding the unhoused, promoting democracy, protecting the environment, or resettling refugees who are fleeing from war. 

In moments of unimaginable crisis and pain, the international non-governmental organization (NGO) folks I met are on the front lines distributing aid, documenting human rights abuses, assisting first responders, and offering comfort to people who have had their worlds upended. I unabashedly admire and respect them. 

Unfortunately, international NGOs have historically struggled in cybersecurity. No matter an NGO’s size, limited donor and grant dollars mean that sustaining the organization competes with delivering aid, leaving little (if any) funding for cybersecurity. As a result, public sector offensive actors, mercenary spyware organizations, and state-sponsored actors take advantage of this to target or financially exploit these NGOs, even though they are assisting some of the most vulnerable people in the world. No one gets a pass in this modern era of cybercrime!

Helping the helpers

In 2023, the Cisco Crisis Response (CCR) team — a group that helps local agencies and communities prepare for, respond to, and sustainably rebuild from crises — approached my team at Talos with a rare opportunity to help incorporate cybersecurity into their work alongside their partner, NetHope.

NetHope is a humanitarian assistance organization that “helps our nonprofit Members effectively address the world’s most pressing challenges through collaboration, collective action and the smarter use of technology.” They also host the NetHope Global Summit, a yearly gathering of international NGOs to discuss technical issues and solutions to enable their member NGOs’ missions.

Before this project, I was not well-versed in the challenges of the NGO cybersecurity landscape or operating realities. Every business vertical is unique, and my first few meetings with NetHope forced me to confront the stark realities of the cybersecurity poverty line. With NGOs’ limited cybersecurity budgets, expertise, and resources, I knew our project had to have a low barrier to entry.

After much brainstorming, I suggested that we create an NGO-centric version of the popular cybersecurity tabletop exercise, “Backdoors & Breaches,” to keep workers’ incident response skills sharp.

What is a tabletop exercise? 

A tabletop exercise (TTX) is a group thought experiment. The “Game Master” presents various scenarios and variables to their players, who are usually team leaders in their business, to see how they respond as a group. At a high level, TTXs are a way to help your team prepare for worst-case scenarios and cost-effectively develop plans and responses to a variety of incidents. As they say, “Fortune favors the prepared.”

For example, a hospital might want to conduct a TTX to develop and test incident response and data recovery if hackers were to attack their electronic health records. An electric utility company might conduct a TTX to test critical infrastructure restoration and coordination with emergency responders. And, of course, a humanitarian assistance organization may need to protect itself against cyber attacks to keep their life-saving work going!

An introduction to Backdoors & Breaches

Backdoors & Breaches is a card-based TTX developed and published under a GNU license by Black Hills Information Security. It’s a novel game designed to teach both technical and non-technical players cybersecurity incident response in a format similar to the popular Dungeons & Dragons roleplaying game. Here’s an example of gameplay at the RSA Conference, with the digital version of the game:

If you want to accommodate a specific technical aspect of security, like industrial control systems, the cloud, or threat hunting, you can modify Backdoors & Breaches with expansion decks. Customizing cards to reflect your team’s unique circumstances can result in better buy-in and even a higher level of preparedness when a breach occurs.

Talos and NetHope create a new expansion

It was this potential customization that attracted me to making a new expansion deck for the international humanitarian community. The concept of Talos and NetHope adapting a cost-effective, portable, and easy-to-understand TTX to fit the limited cybersecurity budgets of typical NGOs was irresistible. To bring this vision to life, I assembled a diverse team of seasoned cybersecurity NGO professionals, technologists, and crisis response specialists who recognized the value in developing new cards.

The result was a new deck that seamlessly merged into the original Backdoors & Breaches game. These unique cards are modeled from real events and speak to the unique technical, political, and logistical challenges that humanitarian assistance organizations may face during cyber attacks. Here are some examples:

We presented this new expansion at the NetHope Global Summit in 2023, where participants widely enjoyed it. We found that this expansion pack brought them together in ways the generic deck on its own likely wouldn’t have. Many people shared first-hand experiences with the stressful situations these cards presented, which led to authentic and open conversations on the best responses to the scenarios.

Over the course of several summits, Talos and NetHope have given away hundreds of physical copies of the expansion, and we’ve received a lot of positive reception from the international NGO community. If you’re curious, you can also find the cards online here.

The U.S. domestic NGO edition

In a country as large as the United States, there are hundreds of domestic NGOs that operate solely within the country and local communities. The NGO Information Sharing and Analysis Center (NGO-ISAC) is a 501(c)(3) nonprofit organization that focuses on domestic civil society organizations.

Using the momentum of our Backdoors & Breaches international humanitarian expansion pack, Talos partnered with NGO-ISAC to create a new deck that reflects U.S.-specific NGO security situations.

If the NGO’s team is spread across the country and wants to play, that’s not a problem! Using this GitHub link you can instantiate and connect to a mini web server on your local computer. With a web sharing tool, you can stream it to any size audience and folks can play along virtually. You can easily use Python for this.

Conclusion

International and domestic NGOs are critical to aid delivery and civil society, but they’re heavily targeted by threat actors who seek to disrupt or exploit their missions. TTXs like Backdoors & Breaches lower the barrier to entry for organizations to have serious conversations about security posture and response, and NetHope and Talos’ custom expansions provide industry-specific scenarios to enrich the experience.

I feel very fortunate to have had the opportunity to volunteer and donate my time to help NGO workers and volunteers fight the good fight. Whether you’re a threat intelligence organization, an international NGO providing medical care to refugees, or a domestic food bank fighting hunger, Talos is with you.

Cisco Talos Blog – ​Read More

X (formerly Twitter) has long had a solid reputation as a primary source of crypto scams, which are often promoted on the social network by compromised or fake accounts of celebrities or major companies. Meanwhile, Meta’s ubiquitous platforms — Instagram, Facebook, and WhatsApp — are earning a similar reputation in a different category: investment fraud involving deepfakes.

Criminals are eagerly exploiting AI tools to create fake videos of prominent figures in the financial sector — from famous economists and TV hosts to heads of government. Attackers then promote these videos by placing ads on social media. In this post, we explain how these schemes work, how victims are duped after watching these videos, the role WhatsApp plays in the schemes, and how you can avoid falling for them.

Instagram, deepfakes, and WhatsApp: investment scams in Canada

To understand how these scams work, we’ll start with a recent campaign that targeted customers of Canadian banks. Attackers began by running Instagram ads in the name of BMO Belski.

The abbreviation BMO was a deliberate choice; Canadian users consistently associate it with the country’s oldest bank, the Bank of Montreal. The mention of the Belski surname was no accident either: Brian Belski is BMO’s chief investment strategist and head of the bank’s investment strategy team.

The BMO Belski ads showed AI-generated deepfake videos of Belski himself promising users the chance to join a private investment group on WhatsApp. The criminals’ strategy was to dupe unsuspecting Canadian users into believing they’re getting trustworthy financial and investment advice from a recognized expert. The users would then rush to chat with the scammers through WhatsApp.

A curious detail: the BMO Belski account that ran these ads on Instagram had no profile on that social media platform at all. The ads ran through BMO Belski’s Facebook page. Meta, the company that owns both social networks, lets advertisers run Instagram ads from a Facebook business page, thus eliminating the need to create a separate Instagram account.

It’s also interesting that the Facebook page used to promote the fraudulent ads had existed since October 27, 2023, and was previously titled “Brentlinger Matt Blumm” — whatever or whoever that may be. The scammers likely used a pre-made or previously stolen account that was “marinated” for a few years to avoid suspicion and bypass moderation.

Researchers don’t know exactly what went on in the WhatsApp private investment chats promoted by the deepfake. There’s also no information about victims of the ad featuring the fake banker, or the amount of their losses. However, other cases involving similar schemes, which we discuss later in this post, give us an idea of how this could’ve looked.

Scammers impersonate Financial Times’ chief economics commentator

Several months ago in the UK, scammers employed a similar scheme, which featured a deepfake of Martin Wolf, the chief economics commentator for the Financial Times. Similarly to the Canadian bank scam, the fraudsters disseminated ads on Instagram that showed a fake Martin Wolf inviting people to join his WhatsApp group for investment advice.

A former colleague of Wolf’s first alerted the journalist to the ad in March 2025. Once alerted, Wolf started pushing Meta to block the ads because they violated several of the platform’s own advertising policies. After some back-and-forth with Meta, the journalist managed to get one of the fraudulent ads taken down. However, Wolf soon began receiving links to other similar videos.

A subsequent investigation by the journalist’s colleagues at the Financial Times showed that the scam campaign included at least three different deepfake videos and several digitally manipulated images of Martin Wolf. These materials appeared in more than 1700 ads across Facebook and Instagram.

According to data from the Meta Ad Library, these ads reached more than 970 000 users in EU countries alone (excluding the UK), where legislation requires platforms to disclose such information. At least ten accounts ran the campaign, with new profiles joining the game as soon as the previous ones were blocked.

The most shocking part? All of this occurred even though Martin Wolf was enrolled in Meta’s new face recognition system, which is specifically designed to automatically detect and remove this kind of content. The journalist himself questions why an organization as large as Meta, with plenty of resources and AI-powered tools, is unable to detect and block such schemes — if not fully automatically, then at least after direct notifications. Is it really that difficult?

What goes on inside WhatsApp scam chats: a British victim’s story

A British office manager named Sarah shared what happens inside “exclusive communities” on WhatsApp after she became a victim of scammers. She joined a WhatsApp group after watching an Instagram ad that featured Peter Hargreaves, the co-founder of the UK’s largest investment platform, Hargreaves Lansdown. You guessed it: the video was also a deepfake.

After Sarah gave the scammers her number, they contacted her and sent her an invitation to the WhatsApp group. Following that, they sent a link to download a supposed investment app to her smartphone. Sarah was told a “mentor” would assist her by telling her when and at what price to buy and sell assets to lock in a profit.

Initially, Sarah invested £50, but she soon began putting more and more of her savings into assets recommended in the WhatsApp group. Sarah believed she was investing in small, growing companies and quickly earning a profit. In just two weeks, her account showed about £300 in profits on a total investment of about £2 000.

Problems only began several weeks later when Sarah wanted to transfer the profit to her bank account. She started receiving requests to pay taxes, withdrawal fees, and regulatory fees. She continued to pay, convinced that she’d soon get her money back with a large profit.

When Sarah suspected a scam, it was already too late: all the money was gone. The WhatsApp group disappeared, her “mentor” stopped responding, and the investment app quit working. Along with the app, the £4000 she had invested and all of her supposed profits vanished.

More than 600 advertisements featuring deepfakes of Peter Hargreaves were found on the Meta platform. One of these ads led Sarah into the hands of scammers. Twenty-two fraudulent accounts placed the ads, and Hargreaves Lansdown had them removed in May of this year after filing a trademark infringement complaint.

To lure victims, the scammers also deployed deepfakes of other British financial celebrities besides Peter Hargreaves and Martin Wolf. These included Anthony Bolton, a former Fidelity International fund manager, and Stephanie Flanders, a former JP Morgan Asset Management economist.

From The Wolf of Wall Street to WhatsApp groups: how deepfake pump-and-dump schemes work

Malicious actors also employ deepfake videos in Facebook and Instagram ads to carry out another type of investment scam known as pump and dump. This scheme involves genuine financial assets — not fictional tokens in a fake application. The catch is that criminals buy up cheap, unattractive stocks to inflate their price. They then launch an aggressive advertising campaign on social media urging users to invest and promising rapid returns.

Due to the heightened interest, the stock price continues to rise for a time, and more people invest with hopes of easy profit. Once the value peaks, the scammers quickly sell off their shares and disappear with the earnings. After that, the price plummets, and everyone else is left with almost worthless stock.

A similar scheme existed long before the widespread adoption of deepfakes. One of the most famous examples of its execution was the work of Jordan Belfort, the inspiration for the main character in the movie The Wolf of Wall Street. In the early 1990s, his brokerage firm sold cheap, little-known stocks to clients, artificially inflating demand for them before dumping them at an inflated price.

Whereas stock market scammers in the past relied on their own asserted authority to convince victims to purchase dubious stocks, deepfake technology now allows them to exploit the reputations of experts and well-known figures.

For example, a scheme was recently uncovered in Israel where bad actors artificially inflated the stock price of Ostin Technology Group Co. Ltd. (OST). To do this, they circulated deepfake videos featuring business journalist Guy Rolnik, entrepreneur Eyal Waldman, and businesswoman Shari Arison. The scammers also impersonated reputable financial institutions, including the Tel Aviv Stock Exchange, the Israel Securities Authority, Bank Hapoalim, and Israel Discount Bank.

The fraudsters distributed fake promotional videos on Facebook and Instagram and, as in the previous scheme, invited users to join WhatsApp groups, where they provided them with advice on how to purchase OST stock. It didn’t take much persuading; a quick Google search confirmed that OST stock was, in fact, on the rise.

Over several weeks, the company’s stock rose multiple times, reaching US$9.02 at its peak, after which it collapsed by 93%, with the stock price falling to 13 cents. In the two most serious cases, two victims lost 250 000 and 150 000 shekels (about US$75 000 and US$45 000), respectively.

Meta can’t protect users from deepfakes: a story from Australia

Scam ads that targeted Australian Facebook and Instagram audiences employed deepfake videos of several well-known personalities to promote fraudulent investment schemes. These videos featured TV host and financial journalist David Koch, billionaire Gina Rinehart, conservationist and TV host Robert Irwin, and even Australia’s current prime minister, Anthony Albanese.

In a deepfake video, Anthony Albanese enthusiastically advertised an investment program that promised significant returns for minimal outlay. The links within the deepfake videos of him and the other personalities directed viewers to a fake news story. The article included what appeared to be quotes from famous Australian public figures to support investments in cryptocurrencies, or other get-rich-quick schemes. Facebook users were asked to sign up for the program, after which scammers would contact them to convince them to deposit money.

In response to user complaints about fraudulent ads, Facebook sent out the following boilerplate message:

“We didn’t remove the ad. Thanks again for your report. This information helps us improve the integrity and relevance of advertising on Facebook. […]

We understand this might be frustrating, so we recommend influencing the ads you see by hiding ads and changing your ad preferences”.

In short, Meta’s efforts to fight deepfakes and investment scams on its platforms remain inadequate. Even with its plentiful resources and AI-powered tools, the company is unable to quickly detect and block obviously fake videos that exploit the likeness of public figures.

These ads appear daily in users’ feeds as paid promotions from fake yet seemingly legitimate accounts. This means that Facebook and Instagram ultimately profit from their being spread.

How to avoid falling victim to deepfake ads on Instagram and Facebook

To avoid suffering from questionable and outright fraudulent investment advice, our primary recommendation is not to make financial decisions based on information from Instagram or Facebook. In addition to that:

• Approach ads on social media with caution. As the stories in this post clearly show, ad moderation on Facebook and Instagram (and X, too) is less than ideal.
• Don’t forget about deepfakes. For several years now, we’ve been living in a reality where videos of any famous person can be easily, quickly, and cheaply faked. You should keep this in mind and verify any information you receive from dubious sources.
• Remember the universal rule of investing: the higher the potential return, the greater the risk involved. Therefore, you shouldn’t invest money you aren’t prepared to lose in schemes with supposedly high profits (which actually have a high risk).
• Be especially careful with offers that promise quick profits with minimal outlay. This is one of the most obvious signs of a scam — you know what they say about free lunch.
• Use only reliable investment apps from vetted brokers downloaded from official app stores. You shouldn’t trust download links sent by strangers in messaging apps.
• Tell your family and friends about deepfake video scams. This will help protect them from losing money and the emotional distress that can follow.

Learn more about deepfakes:

• Watch the (verified) birdie, or new ways to recognize fakes
• Don’t believe your ears: voice deepfakes
• You’re in for a big payout again
• How to mitigate the impact of deepfakes
• Scams targeting lovers or the lovelorn

Kaspersky official blog – ​Read More