Consumer-Facing Phishing and Payment Scams Using Fake Support and Fraud Alerts
Multiple reports describe social-engineering scams that impersonate trusted brands and payment providers to drive victims into credential theft or direct monetary loss. A “crypto compensation” lure abuses a legitimate-looking Yandex poll as an entry point, then redirects victims to a fake Bitcoin payout page claiming an approved 0.943 BTC transaction and imposes a small “commission”/fee to withdraw funds—classic advance-fee fraud wrapped in a polished, multi-step funnel (including a fake chat “support agent”). Separately, Japanese-language phishing emails impersonating ANA, DHL, and myTOKYOGAS show consistent infrastructure patterns (notably .cn domains in sender and landing-page URLs), suggesting a single operator or shared kit targeting Japanese-speaking recipients.
Several consumer scam advisories highlight SMS-based fraud alerts that push targets to call attacker-controlled phone numbers, where scammers pose as “support” to steal Apple ID/2FA codes or payment details, or to coerce victims into moving money. One PayPal-themed case escalated to cash withdrawals handed to a courier after a victim called a number from an unsolicited text, illustrating how “fraud department” pretexts can transition from phishing to cash-out theft. Additional warnings cover lookalike payment sites (e.g., payyourbill.aps medical.com) and generic guidance on what to do after clicking a phishing link; these are broadly consistent with the same theme (phishing/payment fraud) but are not tied to a single, specific campaign or actor across all items.
Timeline
May 2, 2026
CoinSpot scam texts and emails impersonate support to steal funds
A scam campaign was reported in which attackers impersonated CoinSpot through SMS and email messages claiming suspicious logins, unauthorized withdrawals, or unexpected verification codes. The messages urged recipients to call a fake support number, while guidance noted that CoinSpot does not provide phone support and advised users to use only official support channels and account-freezing features.
May 1, 2026
Fake Schylling stores abuse NeeDoh brand to steal payment card details
A scam campaign was reported in which fraudulent online stores impersonated toy company Schylling, especially its NeeDoh product line, to harvest customers' payment card information. Victims reportedly saw payment errors such as declined or unsupported cards, followed by unauthorized attempts to add the stolen card details to Apple Pay or Google Pay; the report warned that any goods shipped could be counterfeit.
Apr 29, 2026
Infomedics phishing emails demand payment of fake healthcare bills
A phishing campaign was reported in which emails impersonating Infomedics claimed recipients had outstanding healthcare bills, typically demanding urgent payment amounts between €115 and €158. The messages reportedly used malicious links or fake payment pages, while guidance noted legitimate Infomedics emails do not include direct iDEAL payment links or attachments and should be verified through official channels.
Apr 28, 2026
Ledger phishing emails impersonate wallet alerts to steal recovery phrases
A Ledger-themed phishing campaign was reported in which spoofed emails, including typo-squatted sender names such as "legder," used fake firmware updates, security alerts, or breach notices to lure users to counterfeit Ledger sites. The scam aimed to steal victims’ 24-word Secret Recovery Phrases, with warnings that follow-up phone calls could be used to reinforce the fraud and enable cryptocurrency theft.
Apr 28, 2026
Norton and LifeLock billing scam emails push victims to fake support
A phishing scam was reported in which fraudulent emails impersonated Norton or LifeLock and falsely claimed an antivirus subscription renewal or charge, typically for roughly $200 to more than $300. The messages urged recipients to call a fake support number or click malicious links in an attempt to steal payment card details, personal information, or potentially deliver malware.
Apr 27, 2026
Crypto.com verification-code scam uses phishing alerts and fake support follow-up
A scam campaign was reported in which attackers impersonated Crypto.com through SMS or email messages claiming unauthorized logins or withdrawals, then directed victims to fraudulent sites or possible follow-up calls posing as support. The scam sought credentials, 2FA verification codes, and anti-phishing codes to enable account compromise and theft.
Apr 26, 2026
Suspicious nfeeds.com site impersonates Lidl to harvest card details
A warning published on April 26, 2026 described nfeeds.com as a suspicious website copying Lidl branding and allegedly showing denied transactions during checkout. The reported behavior suggested the site was designed to collect payment card information rather than fulfill purchases, with unrealistic pricing cited as an additional fraud indicator.
Apr 26, 2026
Kaiser Permanente scam calls spoof medical and billing numbers
A scam call campaign was reported in which fraudsters impersonated Kaiser Permanente and spoofed legitimate-looking medical center or billing numbers to pressure targets into disclosing personal or financial information. The callers used pretexts including unpaid bills, insurance problems, identity theft, Medicare issues, or urgent membership cancellation, and some reportedly targeted people with Asian surnames and insisted on speaking Mandarin.
Apr 25, 2026
McAfee billing scam emails push victims to call fake support numbers
A phishing scam was reported in which fraudulent emails impersonated McAfee and falsely claimed an automatic subscription renewal or purchase charge of about USD 559.44 to USD 583.66. The messages urged recipients to call 1-810-353-2779 or 1(808)221-2318, where scammers allegedly sought financial information, remote access, or malware delivery through attached fake invoices.
Apr 23, 2026
PayPal scam uses 0.01 MXN transfer and fake Coinbase deposit alert
A PayPal-themed scam was reported in which attackers used a real 0.01 MXN or one-cent transaction to make a fraudulent notification appear legitimate, falsely claiming that USD 987.90 was pending deposit to Coinbase via PayPal. The message instructed recipients to call 888-632-2011, where scammers allegedly impersonated PayPal support to steal credentials or banking information.
Apr 22, 2026
Revolut scam calls impersonate bank staff to steal money and account data
A phone scam was reported in which fraudsters impersonated Revolut staff, used urgent claims of suspicious account activity, and sometimes spoofed official-looking caller ID information. The scam sought to steal money or sensitive information, while guidance emphasized that Revolut does not make unsolicited calls or ask for PINs, 2FA codes, or transfers to so-called safe accounts.
Apr 21, 2026
Robinhood security alert scam uses phishing texts and emails
A scam campaign was reported in which attackers impersonated Robinhood through text messages and emails claiming unusual activity, anomalies, or account freezes. The messages used malicious links or fake support numbers to steal usernames, passwords, and other sensitive account information or facilitate financial theft.
Apr 16, 2026
PayPal PHP scam uses tiny deposits and fake invoices to drive GCash theft
A PayPal scam variant was reported that used Philippine Peso transactions, including tiny 1 PHP deposits and fake alerts about large unauthorized charges such as 20,000 PHP, to lure victims into calling fraudulent support numbers or visiting phishing pages. The campaign reportedly aimed to steal credentials and drain funds, with some stolen money transferred to GCash.
Apr 9, 2026
Evri delivery smishing scam uses failed-delivery and redelivery-fee texts
A phishing scam was reported in which fraudsters impersonated parcel company Evri via text messages claiming failed delivery, incomplete address details, or a small redelivery fee. The messages used urgency and phishing links to steal personal or payment information, while Evri stated it does not request such details or fees by SMS.
Mar 28, 2026
PayPal PDF invoice scam emails push victims to call fake support
A PayPal-themed email scam was reported in which recipients received fake invoices or order confirmations as PDF attachments claiming a transaction needed to be reversed. The messages used unauthorized-payment scare tactics to pressure targets into calling a fraudulent support number so scammers could steal personal or payment information.
Mar 27, 2026
Bank of America scam calls spoof bank numbers to steal funds and account data
A Bank of America impersonation phone scam was reported in which fraudsters spoofed official-looking bank numbers and falsely claimed fraudulent account activity to pressure victims. The callers attempted to obtain PINs, Social Security numbers, account numbers, one-time authentication codes, or convince targets to send money through Zelle, cryptocurrency, or gift cards.
Mar 26, 2026
DPD delivery scam uses fake missed-parcel and courier fee messages
A scam campaign was reported in which fraudsters impersonated DPD through SMS, email, and marketplace messages, commonly claiming a missed parcel delivery and directing victims to pay a small redelivery fee on lookalike sites to steal personal and banking data. The reporting also described related variants involving fake DPD collection arrangements on Facebook Marketplace and bogus courier insurance or service fees.
Mar 26, 2026
PayPal billing scam emails push victims to call 1-808-371-1635
A phone-based scam was reported in which fraudulent emails impersonating PayPal's billing department falsely claimed a $349.99 auto-debit charge and told recipients to call 1-808-371-1635 if the payment was unauthorized. Callers were reportedly routed to a scam call center where operators impersonated Norton and other technology companies to steal sensitive information or gain device access.
Mar 20, 2026
PayPal scam uses real $0.02 transfer to lend credibility to fake support message
A PayPal-themed social engineering scam was reported in which attackers sent a real 2-cent PayPal transaction and a message claiming a payout had been processed, then directed victims to call 1-800-613-9844. The goal was to impersonate PayPal support and steal account or banking information over the phone.
Feb 21, 2026
Crypto advance-fee scam uses fake BTC compensation and Octa payment lures
An active scam campaign was documented that redirected users from seemingly legitimate survey links to fake Bitcoin compensation pages promising large payouts, then demanded small commission payments before withdrawal. A second variant impersonated Octa with a fake transfer notification and OTP-style flow before requesting a similar fee.
Feb 20, 2026
PayPal-themed smishing and courier cash scam victimized targets
A PayPal fraud impersonation scam was reported in which a victim received an unsolicited text, called the provided number, and was manipulated into withdrawing thousands of dollars in cash for collection by a courier. The scammers later attempted to extract additional funds, using spoofed identities and urgency to pressure the victim.
Feb 20, 2026
Apple Support impersonation SMS scam circulates fake Apple Pay fraud alerts
A smishing campaign was reported in which recipients received text messages posing as Apple Security Alert or Apple Support notices about unauthorized Apple Pay transactions and were urged to call a phone number. The messages were described as fraudulent attempts to harvest sensitive information through social engineering.
Feb 1, 2026
February 2026 phishing samples show shared infrastructure and tooling
Three phishing emails observed in February 2026 shared similar header artifacts, including the same Foxmail X-mailer string, suggesting a common operator or toolkit behind the Japanese-brand impersonation campaign. The samples reinforced the pattern of .cn-linked infrastructure across multiple lures.
Feb 21, 2025
Japanese-language phishing campaign targets recipients for at least a year
Bradley Duncan reported that he had been receiving Japanese-language phishing emails targeting his @malware-traffic-analysis.net addresses for at least the past year. The messages impersonated brands including ANA, DHL, and myTOKYOGAS and used recurring .cn sender domains and .cn-hosted phishing URLs.
Related Stories

Consumer Brand Impersonation Phishing and Tech-Support Scams Targeting Apple and Avast Users
Multiple **brand-impersonation phishing** campaigns are targeting consumers by abusing trust in *Avast* and *Apple* to drive victims into disclosing payment or account details. One campaign uses a near-identical fake *Avast* portal aimed at French-speaking users, presenting a fabricated **€499.99** “subscription charge” and a short cancellation window to induce urgency; the site validates entered card numbers using the **Luhn algorithm** and uses a **Tawk.to** live-chat widget (ID `689773de2f0f7c192611b3bf`) to pressure victims in real time into submitting full card details (including CVV) under the pretense of processing a refund. Separate *Apple*-themed scams use **phishing-to-phone** and **SMS** lures to route victims to scam call centers and harvest credentials and financial information. One email purporting to be from an “**Apple Fraud Prevention**” team attempts to panic recipients into calling a fake support number, while an “**Apple Security Alert**” Apple Pay text claims a suspicious **$143.95** Apple Store transaction and urges an immediate call to a `+1 850-85*` number to “cancel” the charge. Another tactic abuses iOS Calendar subscriptions (“**iPhone Calendar Scam**”) to flood devices with fake security/prize alerts that push users to click malicious links; guidance emphasizes unsubscribing from the rogue calendar and avoiding interacting with the spam invites.
1 month ago
Phishing and Smishing Campaigns Delivering Malware via Fake Apps and Trusted-Looking Lures
Multiple reports describe **social-engineering campaigns** that use trusted-looking lures (meeting invites, public-safety alerts, and official-looking documents) to drive victims to install malware or disclose credentials. Microsoft researchers reported a wave of **fake Zoom/Teams/Adobe update sites** reached via meeting-invite and document lures; the downloaded executables were signed with a **compromised EV code-signing certificate** (issued to *TrustConnect Software PTY LTD*) and acted as droppers for **remote monitoring and management (RMM) tools**, enabling persistent access. Separately, ClearSky described a suspected **Russian espionage** phishing operation targeting Ukraine that delivers a ZIP containing a Ukrainian-language border-crossing “permit” document, installing a loader (**BadPaw**) and a backdoor (**MeowMeow**) with file manipulation capabilities and sandbox/VM evasion; attribution was assessed as high confidence to a Russian state-aligned actor and low confidence to **APT28**. Mobile-focused lures were also reported: CloudSEK detailed **SMS phishing** targeting Israeli civilians with a trojanized **Red Alert** rocket-warning app, using a multi-stage loader chain to deploy spyware with **banking trojan** capabilities and exfiltrate **SMS, contacts, and location** to attacker infrastructure—raising concerns about surveillance and erosion of trust in official alerting. Other items in the set are either broader research or consumer-oriented scam advisories: a Zimperium write-up on the Android **“Massiv”** IPTV-app disguise highlights overlay-based banking fraud techniques, while Kaspersky’s mobile threat landscape report provides 2025 ecosystem statistics; two OnlineThreatAlerts posts describe generic **smishing** patterns (Amazon “refund” and flood-warning texts) without tying to a specific, evidenced campaign or new technical findings.
1 month ago
Phishing Campaigns Abuse Trusted Platforms and Legitimate Workflows to Evade Detection
Multiple campaigns are abusing *legitimate* cloud and platform workflows to make phishing and fraud harder to detect. Attackers are generating real Apple and PayPal invoice/dispute emails and embedding scam phone numbers in user-controlled fields (e.g., “seller notes”), resulting in messages that carry valid **DKIM** signatures and originate from high-reputation domains; this “**DKIM replay**” style abuse bypasses many email controls because authentication validates the sender domain, not the safety of the embedded content. In parallel, threat actors are leveraging free **Google Firebase** developer accounts to host brand-mimicking phishing pages on trusted `firebaseapp.com` / `web.app` subdomains, increasing delivery and click-through rates by exploiting domain reputation and common allowlisting of Google infrastructure. A separate but related social-engineering technique targets **Telegram** users by manipulating Telegram’s official authentication workflows to obtain fully authorized sessions rather than simply stealing passwords. Victims are lured to Telegram-lookalike pages (often on ephemeral domains) that prompt QR scanning or phone-number entry; user interaction triggers a real login attempt initiated by the attacker, and once the victim approves the authorization prompt on their device, the attacker gains persistent account access and can pivot to follow-on attacks via the victim’s contacts. These incidents collectively highlight a shift toward “living off trusted services,” where adversaries avoid compromising vendors and instead weaponize legitimate features, trusted domains, and sanctioned authentication flows to reduce detection and increase victim compliance.
1 month ago