Study on the Wi-Fi security situation in Mexico | Kaspersky official blog

One of the biggest football (soccer) events of this summer is the World Cup 2026. The tournament is co-hosted by three countries: the U.S., Canada, and Mexico. Unfortunately, events of this scale attract not just fans, but also scammers from all over the globe. We’ve already covered how cybercriminals are prepping for the World Cup online, and today we’re talking about digital security for fans on the ground in Mexico.

The country will host 13 matches and welcome millions of tourists. They’ll be staying in hotels, heading to games, checking out restaurants, navigating airports, and visiting popular tourist spots — and everywhere they go, the temptation to connect to public Wi-Fi will be high.

We’ve surveyed more than 84 500 (!) public Wi-Fi access points in Mexico City, Guadalajara, and Monterrey — and we have a lot to share about their security. Spoiler alert: many networks are still using outdated security standards, so you really shouldn’t go on vacation without reliable protection and an eSIM.

What and how we tested

Walking across Mexico looking for public Wi-Fi access points would have been a bit tough, though that’s exactly what we did for a similar Wi-Fi security survey in Paris. You can check out the results of that in our post, How safe is Wi-Fi in Paris?

This time the mission was far more demanding: mapping the wireless landscape of three major metropolises. That’s why we went wardriving — scanning for and logging wireless networks from a moving vehicle while equipped with a smartphone or laptop. It’s similar to searching for Wi-Fi on your phone, where the device constantly listens for nearby networks. Except instead of connecting to them, we just collect data about them.

All information was used strictly for passive observation and infrastructure analysis. Beyond receiving publicly broadcast service information, the experts of Kaspersky’s Global Research and Analysis Team (GReAT) didn’t attempt to authenticate, intercept traffic, exploit systems, or otherwise interact with the wireless networks they discovered. Mobile access points deployed in cars and on mobile devices were excluded from the sample.

Our main target was Mexico City — the capital and one of the most densely populated cities in Latin America. We took a drive through popular tourist spots: Mexico City Stadium, Mexico City International Airport, Zócalo, Paseo de la Reforma, Colonia Roma, La Condesa, Polanco, Coyoacán.

In Guadalajara and Monterrey, we drove similar routes: stadiums, main avenues, airports, and popular neighborhoods. Below you can see a heatmap of the areas we covered, ranging from red for areas with the highest density of public access points, through yellow and green, to blue for the lowest concentration.

We used passive radio reconnaissance to log 84 500 signals and 69 500 unique network identifiers across these three cities. The majority of the signals were caught in Mexico City (61.4%), followed by Guadalajara (23.6%) and Monterrey (14.8%).

What we analyzed:

  • Wireless network identifiers (SSIDs): the names that show up in your list of available Wi-Fi networks
  • Information that can be gleaned from these identifiers
  • Default router configurations and how ISPs deploy their networks
  • Frequencies used and signal characteristics
  • Channel load and radio frequency spectrum usage
  • Wireless network security configurations:
    • Open and insecure networks
    • Networks with WPS enabled
    • Secure networks (WPA2/WPA3) with WPS activated

You can find the full version of the study on the Securelist blog.

Telltale public Wi-Fi access point names

Network names (SSIDs) can tell you a lot by unintentionally revealing information about hardware manufacturers, ISPs, deployment methods, and whether an access point belongs to a business or a private user.

About 34% of the public Wi-Fi networks we logged didn’t bother changing their names at all, either sticking with the factory SSIDs from the router manufacturers or using standard naming conventions from their ISPs. For attackers, this can be a pretty solid hint, since this kind of network name lets them know which provider owns a given access point, what hardware is being used, and how it’s likely configured by default.

Another troubling nuance is the large number of Wi-Fi networks (over 30%) that use the access point’s MAC address (BSSID) as the visible network name. The first few bytes of a BSSID contain an Organizationally Unique Identifier (OUI), which gives away the router’s manufacturer. This is a useful lead for bad actors: they can find out who made the hardware and test for vulnerabilities specific to that brand’s models.

Is Mexican Wi-Fi well-protected?

An access point secured with WPA2/WPA3 can be considered more or less safe. All other authentication mechanisms yield much weaker results. We grouped the public Wi-Fi networks into four categories:

  • Secure (WPA2/WPA3)
  • Unsecured (open/WEP)
  • Weak (WPA)
  • Undetermined

The results are roughly the same across all three cities: about 82% of all analyzed access points are protected by secure standards. The outdated and insecure WPA protocol was practically nonexistent. However, more than 10% of the access points turned out to be completely unsecured. Connecting to these networks carries the risk of traffic interception and hidden surveillance.

But security isn’t evaluated by WPA protocols alone. We also checked for the presence of WPS, the infamous feature for quickly connecting to a network without entering a password, which is highly vulnerable to attacks. It turned out that WPS is enabled on nearly half (47%) of the access points in Mexico City, 43% in Guadalajara, and 41% in Monterrey. On average, 45% of the access points are potentially vulnerable to WPS-related attacks — sacrificing security for the sake of convenience.

What’s more, this feature frequently remained active even on seemingly secure WPA2/WPA3 networks — about half of them had WPS enabled. This shows that WPA2/WPA3 alone is not enough to consider a Wi-Fi access point safe, since additional features like WPS can still leave the door open to attacks.
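The classification described in the last few sections (four security categories, WPS advertised or not, SSIDs that are factory defaults or simply the BSSID, and the OUI that a BSSID leaks) can be reproduced over scan output. The block below is an added example written for this post, not the survey's own tooling: the scan records, the default-name prefixes and the OUI table are all constructed placeholders, and the capability string format follows the bracketed flags that common scanners export.

```python
import re
from collections import Counter

# Constructed scan records (not data from the survey). The layout mirrors what
# passive scanners commonly export: network name, access point MAC address, and
# the advertised capability flags.
SAMPLE_SCAN = [
    {"ssid": "ISPNET-7F3A",     "bssid": "00:11:22:0A:0B:0C", "caps": "[WPA2-PSK-CCMP][WPS][ESS]"},
    {"ssid": "Cafe_Guest",      "bssid": "00:11:22:10:20:30", "caps": "[ESS]"},
    {"ssid": "001122A1B2C3",    "bssid": "00:11:22:A1:B2:C3", "caps": "[WPA2-PSK-CCMP][ESS]"},
    {"ssid": "OldShop",         "bssid": "AA:BB:CC:01:02:03", "caps": "[WEP][ESS]"},
    {"ssid": "Legacy-AP",       "bssid": "AA:BB:CC:04:05:06", "caps": "[WPA-PSK-TKIP][ESS]"},
    {"ssid": "Hotel-Lobby",     "bssid": "AA:BB:CC:07:08:09", "caps": "[WPA2-SAE-CCMP][WPS][ESS]"},
    {"ssid": "RouterVendor_5G", "bssid": "00:11:22:DE:AD:01", "caps": "[WPA2-PSK-CCMP][ESS]"},
    {"ssid": "hidden",          "bssid": "AA:BB:CC:0A:0B:0C", "caps": ""},
]

# Hypothetical default-name prefixes standing in for manufacturer/ISP naming
# conventions; a real audit would use a curated list.
DEFAULT_SSID_PREFIXES = ("ISPNET-", "RouterVendor_")

# Constructed OUI table (first three bytes of the BSSID -> vendor). Real lookups
# go against the IEEE OUI registry, which is not embedded here.
OUI_TABLE = {"00:11:22": "VendorA (constructed)", "AA:BB:CC": "VendorB (constructed)"}

MAC_LIKE = re.compile(r"^[0-9A-Fa-f]{12}$|^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


def security_class(caps):
    """Map a capability string to the four categories used in the survey."""
    if not caps or not caps.strip():
        return "undetermined"
    tokens = re.findall(r"\[([^\]]+)\]", caps)
    if any(t.startswith(("WPA2", "WPA3", "RSN")) for t in tokens):
        return "secure"        # WPA2/WPA3 (SAE appears as WPA2-SAE or RSN-SAE)
    if any(t.startswith("WPA-") for t in tokens):
        return "weak"          # original WPA only
    return "unsecured"         # WEP, or no security token at all (open network)


def wps_enabled(caps):
    return "[WPS]" in (caps or "")


def ssid_findings(ssid, bssid):
    """What the network name and BSSID reveal about hardware and provider."""
    compact = ssid.replace(":", "").replace("-", "").upper()
    return {
        "bssid_as_name": MAC_LIKE.match(ssid) is not None
                         and compact == bssid.replace(":", "").upper(),
        "default_name": ssid.startswith(DEFAULT_SSID_PREFIXES),
        "vendor_from_oui": OUI_TABLE.get(bssid.upper()[:8], "unknown"),
    }


def summarize(records):
    """Counts and percentages per category, WPS use, and telltale SSIDs."""
    counts = Counter()
    for r in records:
        cls = security_class(r["caps"])
        counts[cls] += 1
        if wps_enabled(r["caps"]):
            counts["wps"] += 1
            if cls == "secure":
                counts["secure_with_wps"] += 1   # WPA2/WPA3 undermined by WPS
        f = ssid_findings(r["ssid"], r["bssid"])
        counts["bssid_as_name"] += f["bssid_as_name"]
        counts["default_name"] += f["default_name"]
    total = len(records)
    summary = {k: (v, round(100 * v / total, 1)) for k, v in counts.items()}
    summary["total"] = (total, 100.0)
    return summary


if __name__ == "__main__":
    for key, (n, pct) in summarize(SAMPLE_SCAN).items():
        print(f"{key:16} {n:3}  {pct:5.1f}%")
```

Running it over your own site's scan export answers the same questions the survey asks: how many access points still advertise WPS despite WPA2/WPA3, and how many names give away the vendor or provider before anyone connects.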

What else every tourist needs to know

Digital risks on a trip aren’t limited to public Wi-Fi alone, especially now that many are shifting away from public Wi-Fi to an eSIM. There are still plenty of threats in crowded places: public USB chargers, QR codes with swapped links, NFC and Bluetooth attacks, and, of course, social engineering tactics. Let’s break it all down.

Charging stations. Public USB chargers can also be dangerous: bad actors could potentially gain access to the data on your device or try to install malware. We covered these attacks in detail in our post, Data theft during smartphone charging.

Dangerous QR codes. Criminals can plant phishing QR codes in popular tourist spots. The pretexts can vary wildly; for instance, ads for team-specific fan “events”, or links supposedly offering discounts or restaurant menus. In reality, any QR code posted on the street can be considered insecure by default, and you shouldn’t scan them with your smartphone unless you have a QR code threat analyzer installed.

Fake broadcasts, tickets, and betting pools. Earlier, we described cases where bad actors were distributing malware via fake IPTV apps to capitalize on the WC26 hype. Remember, even if you plan to watch the tournament from home, you still need to stay alert and not trust the first sites that pop up advertising free broadcasts, offering betting pools, or promising unbelievably generous payouts.

NFC and Bluetooth attacks. Leaving Bluetooth enabled in crowded places can also cause problems: someone might try to discover your device, track you, or initiate an unwanted pairing request. NFC services with contactless payments create additional risks too — especially when paying in sketchy spots.

How to protect yourself and your devices

Despite the prevalence of secure WPA2/WPA3 public Wi-Fi access points in Mexico City, Guadalajara, and Monterrey, our study shows that public Wi-Fi networks remain vulnerable. It’s also important to remember that attackers can create fake networks — so-called evil twins — disguised as legitimate public Wi-Fi in airports, hotels, cafés, and tourist spots.

For the average user, it’s practically impossible to tell how safe a specific access point is when trying to connect. That’s why the safest option is to use cellular data to access the internet — completely eliminating the need for Wi-Fi. Besides, there’s no need to research the nuances of local laws, rates, and other cellular details for every country you plan to visit; you can just buy a global eSIM online in two clicks. We explained how to make the entire process hassle-free in our post, Internet on the go with Kaspersky eSIM Store.

If you still plan on connecting to public Wi-Fi, always use a VPN to secure your device and data when connecting to unfamiliar — especially unsecured — Wi-Fi networks. This creates an encrypted tunnel between your device and the VPN server, making it impossible to intercept your data along the way. Haven’t picked a VPN yet? Try Kaspersky VPN Secure Connection, which is included with both Kaspersky Premium and Kaspersky Plus subscriptions.

Now, if you still plan to attend the World Cup without any cybersecurity solution, at least follow these basic rules of digital hygiene:

  • Don’t use public USB chargers
  • Don’t send sensitive information over connections that aren’t secure
  • Don’t log in to banking, email, or social media accounts over unsecured Wi-Fi
  • Turn off Bluetooth and NFC while walking around in crowded places
  • Don’t trust QR codes posted on the street
  • Connect to public Wi-Fi only when absolutely necessary

What else to read to make sure cheering for your favorite team isn’t only exciting, but also safe:

Kaspersky official blog

Scams in messengers: exposing the global scam-cartels exploiting everyday messages | Kaspersky official blog

It starts with the familiar: a short message, a trusted name, a routine tone. Delivery updates, work pings, brand alerts hum in the background, rarely attracting scrutiny. You check, you answer… — until minutes later you’ve slipped into a trap built to lower your guard and hijack your trust.

That’s why messaging scams cut deep: they exploit everyday habits where instinct, not caution, leads. Communication once moved slowly, leaving room for doubt. Now it’s instant — and that speed is a weapon in criminal hands.

On our blog, we’ve already examined numerous scam schemes in messaging apps — from pig butchering, where the victim is groomed for a very long time, or catfishing, where the scammer creates a fake identity, to phishing via chatbots or through gift-giving campaigns in messaging apps.

Now, for the first time, Kaspersky has set out to capture the full end-to-end reality of messaging-based scams to understand how quickly harm occurs, how they impact trust and what remains after the interaction ends. What emerges is a highly organized and industrialized scam ecosystem embedded within everyday messaging channels such as SMS, WhatsApp, and email.

Kaspersky experts have prepared a report on targeted scams in messaging apps, detailing not only the financial but also the emotional damage caused by such attacks, as well as providing tips on how to protect yourself and avoid them. In this post, we explore the most interesting facts, but you can find more details in the full report.

The damage is underestimated

How much do you think a single successful attack via a messaging app costs the average victim? Ten dollars? Or maybe 50? You’re underestimating the scammers. Although more than a third (36%) of victims incur losses of less than $135, on average a victim loses… $733!

Country           Average loss per victim
Senegal           $392.94
Serbia            $493.32
Morocco           $504.28
Greece            $609.32
United Kingdom    $617.38
Côte d’Ivoire     $654.11
Spain             $672.67
United States     $724.73
Portugal          $868.20
Italy             $896.02
France            $1,193.58
Germany           $1,369.35

The average amount lost by a victim in a successful attack via a messaging app

On the one hand, the financial hit doesn’t look catastrophic in isolation. These are micro-losses by design. Small enough that some never report them to the police. Small enough that banks don’t always investigate. Small enough to be dismissed as bad luck rather than organized crime.

But $733 is not nothing. It’s enough to cover a month’s worth of groceries, school or daycare fees, or utility bills. Against the backdrop of the global cost-of-living crisis, a single such loss can seriously dent a family’s budget.

In 11% of cases, losses exceed $1,350, and more than a quarter of victims (28%) report having been scammed three or more times in the past six months. Once scammers discover that a phone number responds, that contact becomes an asset, circulating from one database to another.

Now imagine the scale of the problem: if just 10% of the three billion messaging‑app users worldwide fell victim with the average loss, the total damage would amount to… nearly $220 billion! This is comparable to the GDP of Greece, and exceeds that of Morocco, Serbia, or Côte d’Ivoire.

It becomes clear that behind the daily flood of fraudulent schemes lie large scam cartels operating on an industrial scale, using AI to personalize messages that mimic those of family members, friends, and familiar brands. This, in essence, forms the basis of a full-fledged economy built on digital identity theft.

Scam gangs cash in on your money worries, using AI to drain your wallet in minutes

Speed beats scrutiny

More than half of successful messaging scams (52%) unfold in under 30 minutes — from first contact to the moment money or personal data changes hands — or even faster, before the victim begins to doubt the legitimacy of the sender. In fact, one in seven scams takes less than five minutes — quicker than boiling an egg!

The speed isn’t accidental. It’s the method. Scammers structure their schemes to deny the victim a chance to come to their senses. Every element is engineered to compress the decision-making window: the urgency of the scenario, the familiarity of the format, the plausibility of the request.

They rush you — faster, faster, don’t tell anyone, you only have a few minutes, solve the problem, don’t ask questions. Click the link, fill in the details, approve the transaction, or else… Or else what? The scammers’ imagination knows no bounds here, but if you don’t do something right now, you’ll definitely regret it.

Alas, the realization of what has happened usually comes when the damage is already irreversible. More than half of victims (51%) lose money; another 43% hand over their personal data — most commonly phone numbers, names, and email addresses — to scammers, and often the victim loses both.

Where and how attacks occur

A delivery notification, a bank alert, a message from a merchant you ordered from last week — messaging apps permeate every aspect of everyday life, making such interactions completely normal. An attack shouldn’t feel like an attack. It should feel like the same message you’ve received hundreds of times.

It’s no surprise that scammers focus their attention on this method of communication first and foremost. The most popular platforms for scams are predictable: WhatsApp (43%), SMS/iMessage (40%), Facebook (27%), Telegram (22%), and Instagram (19%) — these are the ones that people trust most.

A wide variety of schemes is used. Brand impersonation is now one of the three most common types of messaging scam worldwide — accounting for 31% of cases. Fake delivery notifications top the list at 38%, followed by investment scams at 37%.

At the same time, nearly two-thirds (63%) of fraudulent schemes span multiple platforms, moving from SMS to WhatsApp, from WhatsApp to Telegram, etc. In this way, scammers achieve two goals: they mimic organic messaging and evade moderation algorithms.

AI has taken scams to a new level

Just a couple of years ago, fraudulent messages gave themselves away with bad grammar, awkward phrasing, illogical requests, and an obsessive sense of urgency. Today, a phishing message looks, sounds, and reads just like the real thing.

Scam cartels want to catch people in motion — between meetings, on a commute, or during everyday tasks — when your attention is already fragmented. They mimic your mother’s turn of phrase. They match your bank’s tone of voice. They copy your courier’s format exactly. They mirror the rhythm, structure, and style of authentic brand communications across messaging platforms. And AI is accelerating all of it.

What this creates is overlap. Legitimate and fraudulent messages appear in the same environment, using the same formats, language, and triggers. The difference between them is no longer obvious.

The data shows that two-thirds of victims (66%) believe AI was used in the scam against them, 42% cite messages written by AI, 31% report generated or cloned voices, and 25% encountered deepfake images or videos.

That’s why mere awareness and “tech-savviness” may no longer be enough to protect oneself. From Gen Z to Gen X, messaging scams cut across every generation.

And what about the emotional toll?

But money is far from the only problem a victim is left with after an attack. After what they’ve been through, people develop distrust toward incoming messages, unfamiliar numbers, and any requests for action. As a result, 99% of fraud victims say they no longer trust incoming notifications in messaging apps.

This creates a crisis of trust in all digital channels in general. Every legitimate message can now be perceived as a scam. Brands, banks, and delivery services are forced to operate in an environment where the customer is, by default, in a state of distrust.

Dr. Elizabeth Carter, a forensic linguist and criminologist at Kingston University in London, notes that scammers use familiar contexts, common social settings and embedded linguistic norms to create the illusion for the victim that their decision-making is rational and reasonable in the moment. However, what is actually happening is that they construct false realities in which those decisions end up causing financial and psychological harm. She also notes that it is very hard to identify a false reality while you are in it.

After realizing they had been deceived, more than half of victims felt anger — the kind that comes from having trusted something and discovering it was used against you. 42% of victims report frustration, and 38% report feeling upset. Moreover, several months later, these feelings haven’t gone away: nearly half of all victims (48%) are still angry, a third (33%) remain frustrated, and 30% are upset.

And nearly one in 10 victims don’t tell anyone what happened. They feel shame, a sense of having fallen for something so obvious. This leaves a significant portion of the actual damage unreported: only 24% of victims contact the police, and only 23% report it to their bank.

Messaging scams aren't just a personal problem, they're bleeding the world economy dry

So what can be done?

The crisis of trust — and even a touch of paranoia — that has arisen due to widespread attacks on users can linger in victims’ minds for a long time, affecting their quality of life. To prevent this, follow these guidelines:

  • Pause before you act. The sense of urgency you feel is almost always artificial. A legitimate bank, retailer, or delivery service won’t penalize you for taking 30 seconds to verify before clicking a link or confirming details. It’s precisely this instinct to resolve the situation quickly that scammers are counting on.
  • Verify through another channel. If a message appears to be from a relative, colleague, or company you trust — contact them through another channel before taking any action. Use secure verification methods, and cross-check identities when something doesn’t feel right. For families, agreeing on a “safe word” in advance can defeat even the most convincing voice clones.
  • Use a password manager. It will not only help you generate strong, unique passwords for all your accounts and store them securely, syncing them across all your devices, but also protect you from spoofed sites. Even if you click a phishing link and land on such a site, our password manager will notify you about the domain mismatch and refuse to autofill your username and password.
  • Use protection that works in real time. Modern security solutions, such as Kaspersky Premium, provide real-time protection against malicious links and phishing attempts in the apps and websites you use every day. On Android devices, a dedicated layer of anti-phishing security scans and neutralizes suspicious links as they appear, even within notifications, before you even have a chance to click them.
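The "domain mismatch" check in the password manager tip above is worth seeing in code, because the whole point is that the decision is made on the parsed hostname and not on what the URL looks like. The following is an added example written for this post; it is not Kaspersky's code and does not describe how Kaspersky Password Manager is implemented. The saved origin is constructed, and `registrable_domain` is a deliberate simplification (last two labels) where a real product consults the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed vault entry: the site origin a credential was saved for.
SAVED_ORIGIN = "https://bank.example.com"


def registrable_domain(host):
    """Simplified eTLD+1 (last two labels). A production manager uses the
    Public Suffix List so that names like example.co.uk split correctly;
    that list is not embedded here (simplification for the example)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def autofill_decision(saved_origin, page_url):
    """Return (decision, reason) for filling the saved credential on page_url.

    Decisions are made on the parsed hostname, so a lookalike that merely
    starts with the saved host, a hyphenated near-miss, or userinfo placed
    before an '@' does not pass."""
    saved = urlsplit(saved_origin)
    page = urlsplit(page_url)
    if page.scheme != "https":
        return "refuse", "page is not served over HTTPS"
    if not page.hostname:
        return "refuse", "no hostname in URL"
    if page.hostname.lower() == saved.hostname.lower():
        return "fill", "exact host match"
    if registrable_domain(page.hostname) == registrable_domain(saved.hostname):
        return "ask", "same registrable domain but a different host"
    return "refuse", f"domain mismatch: {page.hostname!r} is not {saved.hostname!r}"


if __name__ == "__main__":
    # Constructed candidate pages, including the lookalikes a phishing link might use.
    for url in [
        "https://bank.example.com/login",
        "http://bank.example.com/login",
        "https://bank.example.com.evil-site.net/login",
        "https://bank-example.com/login",
        "https://bank.example.com@evil-site.net/login",
        "https://login.bank.example.com/",
    ]:
        print(f"{url:48} -> {autofill_decision(SAVED_ORIGIN, url)}")
```

The "ask" tier for sibling hosts under the same registrable domain is a design choice of this example; a stricter policy would refuse anything but an exact origin match.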

We’ve covered other threats in messaging apps in similar articles:

Kaspersky official blog

This month in security with Tony Anscombe – May 2026 edition

In this roundup, Tony looks at attacks against Polish water treatment facilities, how AI-directed attacks failed in Mexico, and what Google believes is the first AI-generated zero-day exploit

WeLiveSecurity

How fake Android IPTV apps are stealing users’ money and data | Kaspersky official blog

Threat actors are already gearing up for this year’s biggest football (soccer) event, the FIFA World Cup 2026. With millions of fans looking for ways to stream matches online, many will turn to IPTV apps to watch live TV broadcasts over the internet. It’s no surprise, then, that cybersecurity researchers have discovered multiple campaigns over the past few months where malware was disguised as fake Android IPTV apps.

In this post, we discuss what IPTV apps are, how criminals use fake versions to spread malware, what this malware is capable of, and, most importantly, how to avoid becoming a victim.

What are IPTV apps?

IPTV stands for Internet Protocol Television. This technology delivers TV content over the internet instead of through cable, over-the-air antennas, or satellites. Naturally, the simplest and most common examples of IPTV are the official platforms of TV networks, which can include both websites and dedicated apps.

However, alongside official options, pirate IPTV services also exist. They usually lure users with free or dirt-cheap access to content that can otherwise be hard to find without expensive subscriptions — most notably broadcasts of various sporting events; football matches in particular.

As is typically the case with pirated content, these apps are blocked from official app stores, forcing users to download them from third-party sites. Consequently, the risk of using these services isn’t tied to IPTV technology itself, but rather to the fake apps and modified APK files distributed under the guise of well-known platforms — both official and pirated.

Massiv banking Trojan disguised as IPTV apps

For instance, in February researchers found the Massiv banking Trojan distributed under the guise of fake IPTV apps. Even then, experts noted that this wasn’t the only malware leveraging this tactic — several others were also spotted in the wild. The primary targets of these IPTV-mimicking malicious fakes have mostly been users in Portugal, Spain, France, and Türkiye.

In most cases, the discovered fake IPTV apps lacked the advertised functionality, so users didn’t get access to any content after installing the apps. Instead, the fake app would open the website of a legitimate IPTV service in a built-in browser to mimic normal functioning and avoid raising user suspicion.

Of course, the most interesting activity happened out of the user’s sight. These are some of the features the malware did have:

  • Displaying fake windows on top of legitimate ones: fake forms for entering bank details or signing in to official services, as shown in the screenshot below.
  • Activating a keylogger: recording and transmitting screen keyboard taps to the attackers.
  • Hijacking control of the compromised device.
Massiv Trojan steals Chave Móvel Digital data

The Massiv banking Trojan mimics the interface of the Portuguese government app Chave Móvel Digital in a fake pop-up window, looking even more convincing than the official version from Google Play. Source

Perseus steals valuable information from users’ notes

In March, researchers reported on a new campaign where several fake IPTV apps were used to distribute an even more advanced and feature-rich malware strain: Perseus.

Research into Perseus shows that the malware is based on the source code of an Android banking Trojan called Cerberus, which leaked nearly six years ago. Perseus comes in two different versions: Turkish and English. The English-language version is more advanced and shows clear signs of AI-driven refinement.

Perseus abuses Accessibility Services, a set of Android features originally designed to make life easier for users with severe visual impairments. Fraudsters learned long ago how to leverage this tool to steal data from Android devices — a topic we’ve covered in detail across several of our posts.

Fake IPTV app used for distributing Perseus

An example of a malicious APK disguised as Roja Directa TV, another IPTV app. Source

By abusing Accessibility Services, Perseus gains remote control over the victim’s device. Here’s what it can do:

  • Continuously capture and exfiltrate screenshots.
  • Send a structured map of the device’s UI for remote manipulation.
  • Mimic taps, swipes, text input, long presses, and other UI interactions.
  • Turn on the screen, launch apps, and block them from running.
  • Trigger a pitch-black screen overlay to hide its activities.
  • Log keystrokes.

On top of that, the English-language version of Perseus boasts another notable feature. The malware can hunt for sensitive information like passwords, recovery phrases, and financial data across an entire range of note-taking apps: Google Keep, Xiaomi Notes, Samsung Notes, ColorNote, Evernote, Microsoft OneNote, and Simple Notes.

All of these capabilities help criminals drain football fans’ money not just from various banking services, but from cryptocurrency apps as well.
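The capability lists above (overlay windows on top of legitimate apps, an accessibility service used for screen reading and input injection, remote control) translate into concrete declarations in an app's manifest, which is where a first static triage of a suspicious APK usually starts. The block below is an added example written for this post, not tooling from the researchers cited here. The manifest text is constructed in the decoded form that tools such as apktool or aapt produce from an APK's binary AndroidManifest.xml, the package name is invented, and the list of flagged permissions is this example's own heuristic for "capabilities a video player has no obvious need for".

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS   # Clark notation prefix for android:* attributes

# Constructed manifest (decoded text form); not a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="tv.example.iptvplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="IPTV Player">
    <activity android:name=".MainActivity"/>
    <service android:name=".AccessHelper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Heuristic list chosen for this example from the behaviours described above.
RISK_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW":
        "can draw overlays on top of other apps (fake login forms)",
    "android.permission.REQUEST_INSTALL_PACKAGES":
        "can prompt the user to install further APKs",
}


def manifest_findings(manifest_xml):
    """Return (kind, name, why) tuples for risk indicators in a manifest."""
    root = ET.fromstring(manifest_xml)
    findings = []
    requested = {e.get(A + "name") for e in root.iter("uses-permission")}
    for perm, why in RISK_PERMISSIONS.items():
        if perm in requested:
            findings.append(("permission", perm, why))
    for svc in root.iter("service"):
        # An accessibility service is declared by guarding the service with
        # BIND_ACCESSIBILITY_SERVICE; only the system may bind to it, and it
        # then receives screen content and can perform actions on the UI.
        if svc.get(A + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            findings.append(("accessibility_service", svc.get(A + "name"),
                             "declares an accessibility service: can read screen "
                             "content and inject input"))
    return findings


def risk_verdict(manifest_xml):
    """Combine indicators: overlay/install rights plus an accessibility
    service is the pairing behind the behaviour described above."""
    findings = manifest_findings(manifest_xml)
    kinds = {kind for kind, _, _ in findings}
    if "accessibility_service" in kinds and "permission" in kinds:
        level = "high"
    elif findings:
        level = "medium"
    else:
        level = "low"
    return level, findings


if __name__ == "__main__":
    level, findings = risk_verdict(SAMPLE_MANIFEST)
    print("risk:", level)
    for kind, name, why in findings:
        print(f"  [{kind}] {name}: {why}")
```

The signal is the mismatch between the app's stated purpose and what it asks for: a streaming player that wants an accessibility service and overlay rights deserves a closer look before it goes anywhere near a device with banking apps on it.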

How not to let cybercrooks ruin your World Cup

The World Cup is just around the corner, and millions of fans worldwide will definitely want to tune in to this year’s premier football event. Past experience shows that cybercriminals frequently cash in on major spectacles like this. So, how can you watch the matches safely?

  • Don’t download apps from unofficial stores.
  • Even when downloading an app from an official store — since malware occasionally slips through the cracks there, too — read the reviews carefully. Users who have been burned by fakes and malware often leave comments to warn others.
  • Install a robust security app to keep all your devices safe from malware.
  • Avoid storing passwords or other sensitive information in note-taking apps. To ensure your data and finances stay secure, use a reliable password manager. By the way, Kaspersky Password Manager includes an encrypted note-taking feature, allowing you to store your valuable information safely.

You can’t even watch TV safely anymore these days! Check out other threats facing TV lovers:

Kaspersky official blog

ESET APT Activity Report Q4 2025–Q1 2026

An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q4 2025 and Q1 2026

WeLiveSecurity

Less panic patching, more precision

Welcome to this week’s edition of the Threat Source newsletter. 

Recently, Martin closed his introduction with a warning: Ready or not, the time of much patching is coming. I’ve been chewing on that one for a while because I’m rethinking my own enrichment pipelines along these lines, and the questions Martin raised are the ones I keep running into — with one or two ideas on what practitioners can actually do about it. 

Honestly, most of us are still prioritising the wrong way. CVSS has been the default for over a decade — but it only answers one question: How bad could this be in theory? It’s a severity score, not a risk score. A CVSS 9.8 on something nobody is exploiting (and nobody ever will) is a very different problem from a CVSS 7.2 that’s being weaponised in the wild this morning. If your patch queue is sorted purely by CVSS, you’re spending finite operations capacity on hypotheticals.

This is where EPSS (Exploit Prediction Scoring System) earns its place next to CVSS. EPSS is a probability — between 0 and 1 — that a given CVE will be exploited in the next 30 days, based on real-world signals. The two answer different questions:

Feature        CVSS                          EPSS
Focus          Severity (impact)             Risk (likelihood of exploitation)
Nature         Static (usually)              Dynamic (updated daily)
Output         0.0 to 10.0 score             0.0 to 1.0 probability
Primary use    Assesses technical impact     Prioritizes remediation

CVSS tells you how bad it would be if exploited. EPSS tells you how likely it is to actually happen to you soon. Used together, a high CVSS and a high EPSS is your “drop everything” pile, while a high CVSS and a very low EPSS can probably wait behind a medium with an EPSS of 0.7. That single change in triage logic can meaningfully shrink the patch backlog without weakening your posture.

The second ingredient is knowing what is actually being exploited — and here, many teams default to CISA’s KEV catalog. KEV is excellent, and I’ve quoted KEV numbers in this newsletter more times than I can count. CISA contributes as an Authorized Data Publisher (ADP) in the CVE Program, enriching records alongside the original CNA’s data. That model works well, but it’s also why KEV is structurally centralized, conservative in what it admits, and naturally scoped to what U.S. federal visibility surfaces. For a global practitioner — and writing this from Germany, I notice — “Is this being exploited?” deserves a broader lens. 

That broader lens is starting to take shape with GCVE (Global CVE), a decentralized approach to vulnerability identification and enrichment. Two properties matter for the surge that’s coming: 

  1. Speed of enrichment. Because GCVE is decentralized, enrichment data — references, affected products, exploit indicators — doesn’t have to wait in a single queue. In practice, actionable context arrives meaningfully faster than the traditional NVD pipeline, which has visibly struggled with backlog over the past two years. 
  2. Broader exploitation signal. Rather than a single authoritative list of what is being exploited, GCVE makes room for multiple sources of exploitation evidence to surface against the same identifier. That gives defenders outside the U.S. (and frankly, inside it too) a more complete picture than KEV alone. 

Pair that with EPSS on top of CVSS, and you end up with a triage stack that is faster, broader, and probability-informed rather than only severity. 

None of this removes the patching workload that is coming, but it does change which patches you sprint on at 2:00 a.m. and which ones can ride the normal cycle. Before the surge arrives, that’s a worthwhile thing to get right.
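The triage stack just described (CVSS for severity, EPSS for likelihood, and exploitation evidence that may come from more than one source) is small enough to write down as a sorting rule, and doing so makes the "medium with EPSS 0.7 ahead of a 9.8 nobody exploits" point concrete. The block below is an added example for this newsletter, not a Talos tool or a published scoring standard: the CVE identifiers are placeholders, the scores are invented, the `exploited_sources` tuple stands in for whatever KEV-style or decentralized exploitation feeds you consume, and the 7.0/0.5 thresholds are this example's own policy knobs.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float                    # CVSS base score, 0.0-10.0 (severity)
    epss: float                    # EPSS probability, 0.0-1.0 (30-day exploitation likelihood)
    exploited_sources: tuple = ()  # feeds reporting in-the-wild exploitation


# Constructed queue with placeholder identifiers and invented scores.
SAMPLE_QUEUE = [
    Finding("CVE-0000-0001", cvss=9.8, epss=0.01),
    Finding("CVE-0000-0002", cvss=7.2, epss=0.85, exploited_sources=("kev-style list",)),
    Finding("CVE-0000-0003", cvss=6.5, epss=0.70),
    Finding("CVE-0000-0004", cvss=9.1, epss=0.92,
            exploited_sources=("kev-style list", "vendor advisory")),
    Finding("CVE-0000-0005", cvss=4.3, epss=0.02),
]

# Policy knobs for this example; tune them to your own risk appetite.
CVSS_HIGH = 7.0
EPSS_HIGH = 0.5

BUCKET_ORDER = ("drop-everything", "expedite", "normal-cycle", "backlog")


def triage_bucket(f):
    """Likelihood-first buckets: confirmed exploitation, or high severity
    together with high probability, goes first; a high EPSS on its own
    outranks a high CVSS on its own."""
    if f.exploited_sources or (f.cvss >= CVSS_HIGH and f.epss >= EPSS_HIGH):
        return "drop-everything"
    if f.epss >= EPSS_HIGH:
        return "expedite"
    if f.cvss >= CVSS_HIGH:
        return "normal-cycle"
    return "backlog"


def prioritize(findings):
    """Order by bucket, then by expected impact (epss * cvss), then by how
    many independent sources report exploitation (the multi-source signal)."""
    return sorted(findings, key=lambda f: (BUCKET_ORDER.index(triage_bucket(f)),
                                           -(f.epss * f.cvss),
                                           -len(f.exploited_sources)))


def by_cvss_only(findings):
    """The legacy ordering, kept for comparison."""
    return sorted(findings, key=lambda f: -f.cvss)


if __name__ == "__main__":
    print("risk-informed order:")
    for f in prioritize(SAMPLE_QUEUE):
        print(f"  {triage_bucket(f):16} {f.cve} cvss={f.cvss} epss={f.epss} "
              f"sources={len(f.exploited_sources)}")
    print("cvss-only order:", [f.cve for f in by_cvss_only(SAMPLE_QUEUE)])
```

With the constructed queue, the CVSS-only sort puts the 9.8 with a 1% EPSS at the top; the risk-informed sort drops it to fourth, behind two items with exploitation evidence and a 6.5 whose EPSS is 0.70.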

The one big thing 

Cisco Talos released EvidenceForge, a new open-source tool designed to generate highly realistic, correlated synthetic security logs. This tool solves the chronic shortage of high-quality, labeled datasets needed to train threat hunters and validate detection logic. By using a single canonical event model and AI-assisted scenario authoring, EvidenceForge ensures causal and temporal consistency across more than 20 log formats. 

Why do I care? 

Relying on heavily scrubbed public datasets or red team engagements often leaves security teams with incomplete telemetry. While most synthetic generators spit out independent events that fail to tell a coherent story, EvidenceForge injects realistic background noise, red herrings, and proper causal sequencing into the mix. This allows your team to work with synchronized datasets that (more) accurately mimic real-world network visibility without the compliance headaches of using production data. 

So now what? 

Security teams can head over to GitHub to clone the EvidenceForge repository and use its guided conversation feature to build custom attack scenarios. Defenders can then use these newly generated datasets to build robust SOC analyst training programs, stress-test a new SIEM, and validate detection pipelines before they touch a production environment. You can find the full details and the link to the open-source repository in the blog post.

Top security headlines of the week 

Lawmakers demand answers as CISA tries to contain data leak 
Lawmakers are demanding answers from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) after a contractor intentionally published AWS GovCloud keys and a vast trove of other agency secrets on a public GitHub account. (KrebsOnSecurity)

Over 5,500 GitHub repositories infected in “Megalodon” supply chain attack 
The campaign relies on GitHub Actions workflows containing a payload designed to steal credentials, keys, tokens, and other secrets. The workflows were injected through over 5,700 malicious commits pushed to the impacted repositories on May 18. (SecurityWeek)

Authorities seized 800 servers of hosting company used to launch cyber attacks 
The investigation centers on a web hosting company established on Feb. 10, 2022, weeks before Russia invaded Ukraine. The infrastructure was allegedly used to support cyber attacks, disinformation campaigns, and sanctions evasion linked to Russia. (CyberSecurityNews)

Content delivery exploit opens websites to brand hijacking 
The Underminr domain-fronting attack allows threat actors to modify web requests and leverage trusted websites to cloak malicious activity. (Dark Reading)

Cisco’s risk-based vulnerability disclosure in the age of AI 
Cisco is adapting its vulnerability disclosure practices, focusing on increasing the visibility of detailed technical information for vulnerabilities that are critical, actively exploited, or have a higher likelihood of exploitation. (Cisco blog)

Can’t get enough Talos? 

DICOM, Pydicom, GDCM, and Orthanc: A technical tour of what really happens in the heap 
Hospitals rely on DICOM-based PACS systems, and those systems often automatically ingest files received over the network. Our latest white paper presents a concrete case study demonstrating the creation of a heap overflow vulnerability through the exploitation of the DICOM file format. 

MediaArea heap-based buffer overflow vulnerabilities 
MediaArea produces digital media analysis open-source software, as well as support tools for file investigation. Talos discovered four vulnerabilities in MediaInfoLib, which provides a UI for technical and tag data for video and audio media files.

Breaking things to keep them safe with Philippe Laulheret 
From his memorable experiment using a green onion to bypass a biometric fingerprint reader to his experience on the frontlines of cybersecurity, Philippe shares the journey that led him to vulnerability research. 

Upcoming events where you can find Talos 

Most prevalent malware files from Talos telemetry over the past week 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
Example Filename: VID001.exe  
Detection Name: Win.Worm.Coinminer::1201 

SHA256: 9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f 
MD5: 38de5b216c33833af710e88f7f64fc98  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f 
Example Filename: sample.exe  
Detection Name: Win.Tool.Procpatcher::1201 

SHA256: 5e6060df7e8114cb7b412260870efd1dc05979454bd907d8750c669ae6fcbcfe 
MD5: a2cf85d22a54e26794cbc7be16840bb1 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=5e6060df7e8114cb7b412260870efd1dc05979454bd907d8750c669ae6fcbcfe 
Example Filename: a2cf85d22a54e26794cbc7be16840bb1.exe  
Detection Name: W32.5E6060DF7E-100.SBX.TG 

SHA256: afc8a00883a4ea07df2dc1d4ed02f8a23b35c9456413b438a2d9ce3ae5076638 
MD5: cc4d231df34e57f59eb970353c7d9de2 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=afc8a00883a4ea07df2dc1d4ed02f8a23b35c9456413b438a2d9ce3ae5076638 
Example Filename: AutoPico.exe 
Detection Name: PUA.Win.Tool.Kmsactivator::1201 

Cisco Talos Blog – Read More

DICOM, Pydicom, GDCM, and Orthanc: A technical tour of what really happens in the heap

Over the last decade, DICOM parsing has become an active research topic. The reason is simple: DICOM is both critical and complicated. Hospitals rely on DICOM-based PACS systems, and those systems often automatically ingest files received over the network. That means malformed data could directly trigger vulnerable decoders — the holy grail of attack surfaces for those studying robustness.

This white paper presents a concrete case study demonstrating the creation of a heap overflow vulnerability through the exploitation of the DICOM file format. The objective is to show how an Orthanc server can be targeted during the image upload process, resulting in an out-of-bounds write.
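The attack surface the paper describes is a decoder that trusts the length field of a data element when allocating or copying the value that follows. As an added illustration (not code from the white paper, and not how Orthanc, GDCM or Pydicom are implemented), here is a minimal reader for explicit-VR little-endian DICOM data elements that performs the bounds check a vulnerable decoder skips: every declared length is compared with the bytes actually present before the value is touched. The element stream below is constructed inline, without the 128-byte preamble or file meta group, and the malformed sample is a Pixel Data header whose declared length far exceeds the remaining input.

```python
import struct

# VRs whose explicit-VR-LE header carries 2 reserved bytes and a 4-byte length;
# every other VR uses a 2-byte length field.
LONG_LENGTH_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}
UNDEFINED_LENGTH = 0xFFFFFFFF


class MalformedDicom(ValueError):
    """Raised when a header is truncated or a declared length does not fit the input."""


def parse_elements(data: bytes):
    """Walk a stream of explicit-VR little-endian data elements.

    Returns a list of ((group, element), vr, value) tuples.  The declared
    length is validated against the bytes that remain before the value is
    sliced, so an oversized length field is rejected instead of driving an
    out-of-bounds read or write in whatever consumes the value.
    """
    elements = []
    pos, end = 0, len(data)
    while pos < end:
        if end - pos < 8:
            raise MalformedDicom(f"truncated element header at offset {pos}")
        group, element = struct.unpack_from("<HH", data, pos)
        vr = data[pos + 4:pos + 6]
        if not (vr.isalpha() and vr.isupper()):
            raise MalformedDicom(f"invalid VR bytes {vr!r} at offset {pos}")
        if vr in LONG_LENGTH_VRS:
            if end - pos < 12:
                raise MalformedDicom(f"truncated long-form header at offset {pos}")
            (length,) = struct.unpack_from("<I", data, pos + 8)
            header_len = 12
        else:
            (length,) = struct.unpack_from("<H", data, pos + 6)
            header_len = 8
        if length == UNDEFINED_LENGTH:
            raise MalformedDicom(f"undefined length at offset {pos} is not supported by this reader")
        value_start = pos + header_len
        if length > end - value_start:  # the check that keeps the length field from being trusted
            raise MalformedDicom(
                f"tag ({group:04X},{element:04X}) declares {length} bytes "
                f"but only {end - value_start} remain"
            )
        elements.append(((group, element), vr.decode("ascii"), data[value_start:value_start + length]))
        pos = value_start + length
    return elements


def is_well_formed(data: bytes) -> bool:
    """True when every element's declared length fits the input."""
    try:
        parse_elements(data)
        return True
    except MalformedDicom:
        return False


def build_element(group: int, element: int, vr: bytes, value: bytes) -> bytes:
    """Encode one explicit-VR-LE element; values are padded to even length."""
    if len(value) % 2:
        value += b"\0"
    tag = struct.pack("<HH", group, element)
    if vr in LONG_LENGTH_VRS:
        return tag + vr + b"\0\0" + struct.pack("<I", len(value)) + value
    return tag + vr + struct.pack("<H", len(value)) + value


# Constructed sample: SOP Class UID (CT Image Storage) and a patient name.
GOOD = (
    build_element(0x0008, 0x0016, b"UI", b"1.2.840.10008.5.1.4.1.1.2")
    + build_element(0x0010, 0x0010, b"PN", b"DOE^JOHN")
)

# Constructed malformed sample: a Pixel Data (7FE0,0010) OW header that
# claims 65536 bytes of value while only four bytes follow it.
MALFORMED = GOOD + (
    struct.pack("<HH", 0x7FE0, 0x0010) + b"OW" + b"\0\0"
    + struct.pack("<I", 0x10000) + b"\x00\x01\x02\x03"
)

if __name__ == "__main__":
    for tag, vr, value in parse_elements(GOOD):
        print(tag, vr, value)
    print("malformed stream accepted?", is_well_formed(MALFORMED))
```

The same comparison belongs in front of every allocation or copy that a real decoder performs on a length read from the file, including nested sequence items and encapsulated pixel-data fragments, which this reader does not handle.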

Cisco Talos Blog – Read More

What to consider before asking an AI chatbot for health advice

Using chatbots for medical advice could elicit hallucinations and even expose you to security and privacy risks. Here’s what’s at stake and how to stay safe.

WeLiveSecurity – Read More

Attackers leveraging Google AppSheet notifications to hijack accounts | Kaspersky official blog

Phishing campaigns have become significantly more sophisticated and convincing in recent years. Sender addresses are now nearly identical to the real deal, emails are flawlessly written, and users are called by their names. But what do you do when a suspicious email comes from a clearly legitimate email address?

Lately, phishers have been exploiting the Google AppSheet platform to set up email blasts that originate from an official Google-linked address. Following a successful attack, they walk away with their victims’ accounts and sensitive data.

In this post, we break down how this new data theft scheme works, and how to protect yourself from these sneaky phishing attacks.

Google is offering you a job. Or Coca-Cola. Or maybe Volvo. Or are they?

AppSheet is a Google service for building apps without any coding skills. It’s frequently used by small businesses to automate routine workflows. Unfortunately, it’s precisely this simplicity that makes AppSheet so attractive to cybercriminals. All it takes to pull off a phishing scam these days are a few dollars and an app quickly thrown together using pre-made commands and blocks.

The playbook for AppSheet phishing attacks is pretty run-of-the-mill. The victim receives an email on behalf of a major company — and these messages often begin by addressing the recipient by name. It appears the attackers are parsing leaked data to match names with specific email addresses.

Next, the attackers play on the recipient’s emotions — employing either stick or carrot. They might panic the victim with urgent warnings that demand immediate action — think “Your account will be disabled soon” or “Suspicious activity detected”. Alternatively, they lure them in with irresistible bait, like the promise of a verified badge or an interview invitation from a tech giant. These fake HR emails are engineered to give victims an immediate rush. They make it look like the recipient’s application was already fast-tracked and highly rated, teasing a job offer that could drop as early as tomorrow.

For most people, these messages don’t raise a single red flag. The email bypasses the spam folder completely, and the From field displays the exact name of the company they expect to see. Unfortunately, none of it means the email is authentic: attackers can put whatever they want in the display name. And let’s be honest: very few people actually stop to scrutinize the sender’s email address.

In AppSheet-based phishing campaigns, the sender is always the same: noreply{@}appsheet.com. But here’s the real kicker: that address is 100% legitimate. Because it’s tied directly to Google’s own infrastructure, there’s a good chance that standard anti-spam filters greenlight these emails without blinking.

Naturally, to secure that coveted interview or fix their account, the victim clicks the link — and then voluntarily hands over their entire digital identity on a copycat website: full name, address, phone number, etc. From there, the attackers can sell the harvested data on the dark web, or weaponize it for secondary, targeted attacks. To top it all off, the victim is redirected to a phishing login page, which allows the attackers to steal their accounts.

Here’s a step-by-step breakdown of how a victim goes from receiving a fake Google Careers portal email to having their account completely compromised:

Similar phishing campaigns are launched on behalf of other major tech brands — and the users who hand over their Apple account data risk losing not just their account but also control of all their Apple devices. The attackers might pressure the victim into signing out of their personal Apple ID, and in to a “corporate account” for verification — which is in reality an Apple account they own. The moment the victim does so, the criminals take complete remote control of the device, often using Lost Mode to lock the victim out and hold their phone to ransom.

To make matters worse, attackers don’t always drop a malicious link in the initial email. Instead, they play the long game — hooking the target into a conversation by asking them to reply and confirm their interest. This pretexting creates an illusion of chatting with a real recruiter. And this playbook isn’t reserved exclusively for Silicon Valley, either. Attackers frequently impersonate globally recognized household names, like Volvo or Coca-Cola. Of course, it’s highly unlikely that attackers want someone’s Coca-Cola account — if the user even has one to begin with. Most likely, the goal is to steal sensitive data or convince the user to log in to a phishing form using their Google/Apple/Facebook, etc. credentials.

Do you want to become Meta-verified?

Of course, “dream jobs” aren’t the only bait used. We’ve seen campaigns where “Facebook Support” reaches out to tell a user they’ve been deemed eligible for the prestigious Meta Verified badge — a blue checkmark normally reserved for top-tier celebrities and global brands. To secure the coveted blue checkmark, the victim is directed to a phishing page where they’re asked to complete an identity form — before handing over the ultimate prize: their Facebook username and password. And it’s all in the name of security, naturally!

These spoofed sites are created in a wide variety of languages, and tailored to users in different countries. Below is the Dutch version.

In other campaigns, attackers abuse Google’s AppSheet to weaponize sheer panic, trying to unsettle the user with claims that they’ve violated Meta’s intellectual property policy — and threatening to permanently close their Facebook account. To appeal, the victim must click a link to… a phishing site, provide their personal information, and, of course, enter their Facebook username and password.

How to spot phishing and protect your accounts

Sadly, phishing attacks are becoming increasingly sophisticated, with attackers routinely hijacking the reputation of legitimate services and domains. Here’s how to keep from falling into their traps, and safeguard your data:

  • Remember: not all phishing emails end up in the spam folder. Standard spam filters in email clients often fail to detect advanced attacks — and the AppSheet case is a prime example. To avoid accidentally taking the bait, use Kaspersky Premium on all your devices. It intercepts phishing emails and instantly blocks links to spoof websites — even if the attacker is hiding behind a completely legitimate domain. Additionally, the Android version can detect malicious and phishing links in messages from any app.
  • Check the email for odd typos. To keep their messages from setting off alarms, attackers frequently resort to sneakily inserting extra spaces or swapping out characters. Take this example from one of the emails we found: Fac eb o ok  S u ppo r t instead of Facebook Support.
  • Before taking any action on a website, carefully check its domain name against the official address. Bad actors frequently create addresses that only appear to be the real thing until you look close enough. Install Kaspersky Premium to always be sure you don’t land on a spoofed site.
  • Look at the sender’s address first, not just the display name. If an email claims to be from Google Careers, Apple HR, or Facebook Support, but the sender address points to AppSheet or another unrelated service, don’t even bother reading this message. That domain mismatch is a dead giveaway that you’re looking at a trap. Cross-reference email addresses with the ones listed on the companies’ official websites.
  • Check for email signatures. For instance, all emails sent via AppSheet include a disclosure note at the very bottom. You are much more likely to receive a legitimate AppSheet notification from a small company or business, but definitely not from a tech giant. Major corporations typically use their own domains for their emails.
  • Use a password manager. Even if you land on a spoofed site and try to enter your password, a reliable password manager will notify you about the domain mismatch and refuse to autofill your username and password.
  • Don’t forget about two-factor authentication. If it’s enabled, just having your username and password won’t help the attackers access your account — they’ll also need a one-time code. However, they might still try to trick you into giving that up too, so be doubly careful whenever you enter two-factor authentication codes anywhere.
  • Use passkeys instead of passwords whenever possible. This technology provides excellent protection against phishing: even if you visit a malicious site and try to sign in, the passkey won’t work on the spoofed domain. You can store and sync passkeys across different devices in Kaspersky Password Manager. Read our post on the subject to learn more about how passkeys work.
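The two header checks in the list above (a display name that names a big brand while the sender domain points at AppSheet or another unrelated service, and brand names padded with spaces to dodge filters) can be automated on the mail-filter side. The following is an added example, not Kaspersky's code, of a From-header check that normalizes the display name, looks for a known brand in it, and compares the sender's domain against the domains that brand actually sends from. The brand-to-domain table is an assumed starting point that should be filled in from the addresses listed on each company's official site, and the sample headers are constructed, using the defanged appsheet.com sender quoted above.

```python
import re
from email.utils import parseaddr

# Assumed policy table: brand keyword -> domains the brand itself sends from.
# Populate this from the official sites; these entries are a constructed starting point.
BRAND_DOMAINS = {
    "google": ("google.com",),
    "apple": ("apple.com",),
    "facebook": ("facebookmail.com", "facebook.com"),
    "meta": ("facebookmail.com", "meta.com"),
}


def normalize_display_name(name: str) -> str:
    """Lower-case and keep letters only, so 'Fac eb o ok  S u ppo r t'
    collapses to 'facebooksupport' and inserted spaces no longer hide the brand."""
    return re.sub(r"[^a-z]", "", name.lower())


def domain_matches(addr_domain: str, allowed: tuple) -> bool:
    """True when the sender domain is one of the allowed domains or a subdomain of one."""
    addr_domain = addr_domain.lower()
    return any(addr_domain == d or addr_domain.endswith("." + d) for d in allowed)


def check_from(header_value: str) -> str:
    """Classify a From header value.

    Returns 'no-address' (unparseable), 'no-brand' (display name mentions no
    tracked brand; legitimate small-business AppSheet mail lands here), 'ok'
    (brand and sender domain agree) or 'brand-domain-mismatch' (a tracked brand
    in the display name but a sender domain that brand does not use).
    """
    name, addr = parseaddr(header_value)
    if "@" not in addr:
        return "no-address"
    addr_domain = addr.rsplit("@", 1)[1]
    brands = [b for b in BRAND_DOMAINS if b in normalize_display_name(name)]
    if not brands:
        return "no-brand"
    if any(domain_matches(addr_domain, BRAND_DOMAINS[b]) for b in brands):
        return "ok"
    return "brand-domain-mismatch"


# Constructed sample headers: two impersonations via the AppSheet sender, one
# legitimate small-business AppSheet notification, one genuine brand sender.
SAMPLE_HEADERS = [
    '"Google Careers" <noreply@appsheet.com>',
    '"Fac eb o ok  S u ppo r t" <noreply@appsheet.com>',
    '"ACME Scheduling" <noreply@appsheet.com>',
    '"Google" <no-reply@accounts.google.com>',
]


def triage_headers(headers):
    """Return (header, verdict) pairs for a batch of From header values."""
    return [(h, check_from(h)) for h in headers]


if __name__ == "__main__":
    for header, verdict in triage_headers(SAMPLE_HEADERS):
        print(f"{verdict:22} {header}")
```

The "no-brand" outcome is deliberate: the post notes that AppSheet notifications from a small business are expected, so the rule only fires when a tracked brand name is claimed by a sender domain that brand does not use, and the brand list is what determines its coverage.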

Phishing attacks are growing increasingly sophisticated. Here’s what else you should know about phishing:

Kaspersky official blog – Read More

MediaArea heap-based buffer overflow vulnerabilities

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed four vulnerabilities in MediaArea’s MediaInfoLib library.

The vulnerabilities mentioned in this blog post have been patched by their respective vendor, in adherence to Cisco’s third-party vulnerability disclosure policy.

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.

MediaArea vulnerabilities

Discovered by Dimitrios Tatsis of Cisco Talos.

MediaArea produces digital media analysis open-source software, as well as support tools for file investigation. MediaInfoLib provides a UI for technical and tag data for video and audio media files. Talos discovered four vulnerabilities in MediaInfoLib.

TALOS-2026-2367 (CVE-2026-25104), TALOS-2026-2368 (CVE-2026-25713), TALOS-2026-2371 (CVE-2026-28764), and TALOS-2026-2374 (CVE-2026-22554) are heap-based buffer overflow vulnerabilities in various functionalities of MediaInfoLib (version(s): 26.01). All can lead to arbitrary code execution. An attacker can provide a malicious file to trigger these vulnerabilities.

Cisco Talos Blog – Read More