📚 Online Scam Case Studies
Real-world examples of online scams and fraud, analyzed in depth with timelines, financial impact data, and red flags. These case studies draw on reports from the FBI Internet Crime Complaint Center (IC3), the Federal Trade Commission (FTC), and international law enforcement agencies. Learn from these cases to protect yourself and others.
🎣 Amazon Prime Phishing Campaign (2023)
In the spring of 2023, a sophisticated phishing campaign targeted Amazon Prime members across the United States, Canada, and Europe. The operation began with mass email distributions—estimated at over 100 million messages—claiming that the recipient's Amazon Prime membership was about to expire or that a suspicious purchase had been detected on their account. The emails were meticulously crafted with Amazon's official branding, including the correct logo, font styles, and even a spoofed sender address that closely resembled a legitimate Amazon domain (e.g., "[email protected]").
The timeline of the scam followed a calculated pattern. In Phase 1 (March–April 2023), victims received the initial phishing email with a sense of urgency: "Your Prime membership expires in 24 hours." In Phase 2, clicking the embedded link redirected users through a series of URL shorteners to a near-perfect replica of the Amazon login page. In Phase 3, after entering credentials, victims were prompted to "verify" their payment information, handing over full credit card details. In Phase 4 (May–July 2023), stolen credentials were either used for unauthorized purchases or sold in bulk on dark web marketplaces for $5–$15 per account.
According to the FBI's 2023 Internet Crime Report, phishing and spoofing accounted for over 298,000 complaints that year, with losses exceeding $18.7 billion across all cybercrime categories. The FTC reported that impersonation scams, including brand phishing like this campaign, cost consumers over $1.1 billion in 2023 alone. Security firm Avanan estimated this specific Amazon campaign compromised at least 200,000 accounts in its first three months.
Key red flags: The email used a slightly misspelled domain. It created artificial urgency with a 24-hour deadline. The "Update Payment" button URL did not match amazon.com when hovered over. The email addressed the recipient as "Dear Customer" rather than by name. There were subtle grammatical errors in the fine print.
💔 Romance Scam "Pig Butchering" (Sha Zhu Pan)
"Pig butchering" (from the Chinese term "Sha Zhu Pan," meaning "fattening the pig before slaughter") has become one of the most devastating scam categories worldwide. In a well-documented 2023 case, a 52-year-old retired teacher from Ohio lost $450,000—her entire retirement savings—over a six-month period to a scammer she met on a popular dating app. The scammer, posing as a successful Hong Kong-based financial consultant, spent two months building an emotional relationship before ever mentioning investments.
The scam followed a precise timeline. Weeks 1–3: initial contact and daily messaging to build rapport and emotional attachment. Weeks 4–8: deepening of the relationship with video calls (using pre-recorded or AI-enhanced footage), sharing of personal stories, and future plans together. Weeks 9–12: the scammer casually mentioned making great returns on cryptocurrency and showed screenshots of a trading dashboard. Weeks 13–16: the victim was invited to try a "beginner-friendly" platform, making a small deposit of $500 and seeing immediate "returns." Weeks 17–24: encouraged by fabricated profits, the victim invested increasingly larger sums, eventually liquidating retirement accounts and taking out a home equity loan. When she attempted to withdraw $50,000, the platform demanded a 15% "tax fee" before releasing funds. After paying it, a new "regulatory compliance fee" appeared. The money was gone.
The FBI IC3's 2023 report identified investment fraud as the costliest cybercrime category, with losses reaching $4.57 billion—a 38% increase from 2022. Romance-linked investment scams ("pig butchering") accounted for a significant and growing share of this total. The FTC noted that adults aged 50–69 reported the highest individual losses to romance scams. Many victims reported feeling too ashamed to contact law enforcement, meaning actual losses are likely much higher than reported figures.
Key red flags: An online romantic interest who always has excuses for not meeting in person. Conversations that shift from romance to investment opportunities. Being directed to a trading platform you've never heard of. Initial "profits" that appear too good to be true. Pressure to invest more before you can withdraw existing funds. Requests to keep the investment "private" from friends and family.
💻 Tech Support Scam - Microsoft Impersonation (Ongoing)
Tech support scams remain one of the most persistent fraud types, disproportionately targeting older adults. In a landmark 2023 case prosecuted by the U.S. Department of Justice, a network of call centers based in India was dismantled after defrauding over 20,000 American victims of more than $10 million. The operation impersonated Microsoft, Apple, and Norton security representatives, using a combination of cold calls and malicious browser pop-ups to reach victims.
The scam operated in two primary modes. In the cold-call variant, victims received unsolicited phone calls from someone identifying as a "Microsoft Certified Technician" who claimed to have detected malware or a security breach on the victim's computer. The caller used technical jargon and referenced real Microsoft products to sound credible. In the pop-up variant, victims browsing the web encountered a full-screen browser alert that mimicked a Windows error message. The pop-up displayed a toll-free number and warned: "Your computer has been compromised. Call Microsoft Support immediately." In both cases, once the victim engaged, the scammer requested remote desktop access via legitimate software like TeamViewer or AnyDesk.
After gaining remote access, scammers performed a series of deceptive steps. They opened the Windows Event Viewer (which always shows harmless warning entries on any computer) and presented these normal log entries as evidence of a "serious infection." They then offered to fix the problem for fees ranging from $199 to $1,499 for "lifetime protection plans." In many cases, while connected, they also installed keyloggers or banking trojans to steal additional financial information. Payment was requested via gift cards (iTunes, Google Play, or Target cards), wire transfers, or cryptocurrency—all methods that are nearly impossible to reverse.
The FTC's 2023 Consumer Sentinel Network report showed that tech support scams accounted for $924 million in reported losses, with a median individual loss of $1,400. Victims over 60 accounted for 66% of financial losses, with a median loss nearly three times higher than younger age groups. The FBI IC3 received over 37,500 tech support fraud complaints in 2023.
Key red flags: Unsolicited calls or pop-ups claiming your computer is infected. Requests for remote access to your machine. Payment demanded via gift cards, wire transfer, or cryptocurrency. Use of urgency and fear ("Your bank account is at risk!"). A "technician" showing you the Event Viewer or command prompt as "proof" of infection. Pressure to act immediately without time to think or consult someone.
✅ Success: Vigilant Employee Stops $2M Wire Fraud
In January 2023, Sarah K., an accounting clerk at a mid-sized manufacturing company in Michigan, received what appeared to be an urgent email from the company's CEO. The email, sent at 4:47 PM on a Friday (a common tactic to exploit end-of-week urgency), requested an immediate wire transfer of $2 million to a "new vendor in Singapore" for a "confidential acquisition." The email included the CEO's standard email signature, the correct company logo, and language that matched the CEO's typical communication style.
Business Email Compromise (BEC) is among the most financially damaging cybercrimes. The FBI IC3's 2023 report documented 21,489 BEC complaints with adjusted losses exceeding $2.9 billion. BEC scams work by compromising or spoofing executive email accounts and instructing employees to make fraudulent wire transfers. The average BEC attempt targets $120,000–$200,000, but some cases involve tens of millions of dollars. The FBI notes that BEC scammers increasingly use AI to study executive communication patterns, making fraudulent emails harder to detect.
Several subtle details caught Sarah's attention. The email came from "[email protected]" instead of the correct "[email protected]"—a single hyphen difference. The request bypassed the company's standard vendor onboarding process. The CEO, who was traveling, would not typically authorize such a large transaction via email alone. Most importantly, the email asked Sarah to "keep this confidential until the deal closes," which was unusual.
Following the company's verification protocol, Sarah called the CEO directly on his mobile phone. The CEO confirmed he had sent no such email. The IT department was immediately alerted, and a forensic investigation revealed that the scammers had conducted weeks of reconnaissance: studying the company's organizational chart on LinkedIn, monitoring publicly available travel schedules, and registering the look-alike domain two days before the attack. The $2 million transfer was never made. The FBI was contacted, and the fraudulent domain was taken down within 48 hours.
Key red flags: Urgent request sent late on a Friday. A request that bypassed normal approval processes. A look-alike email domain with a subtle spelling difference. A demand for confidentiality. An unusually large transaction to a new, unverified vendor. Pressure to complete the transfer immediately without verification.
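The look-alike domain in this case, a sender domain that differs from the real one by a single hyphen, is a flag a mail gateway can check mechanically. The Python below is an added example, not part of the original case study; the domains `acmemfg.example` and `acme-mfg.example`, the confusable-character list, the distance threshold and all function names are constructed assumptions.

```python
"""Flag sender domains that imitate a trusted mail domain (constructed example)."""
from email.utils import parseaddr

# Assumption: the organization's real mail domains (placeholder value).
TRUSTED_DOMAINS = {"acmemfg.example"}

# Small illustrative set of visually confusable substitutions (not exhaustive).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def sender_domain(from_header: str) -> str:
    """Return the lowercased domain of a From header, or '' if malformed."""
    _, addr = parseaddr(from_header)
    if addr.count("@") != 1:
        return ""
    return addr.rsplit("@", 1)[1].strip().rstrip(".").lower()


def skeleton(domain: str) -> str:
    """Collapse a domain to a comparison form: hyphens removed, confusables folded."""
    s = domain.replace("-", "")
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_distance: int = 1):
    """Return (verdict, imitated_domain).

    Verdicts: 'trusted' (exact match), 'lookalike' (near match to a trusted
    domain), 'external' (unrelated domain), 'malformed' (no usable address).
    """
    domain = sender_domain(from_header)
    if not domain:
        return ("malformed", None)
    if domain in trusted:
        return ("trusted", domain)
    for good in sorted(trusted):
        # Same string once hyphens and confusable characters are normalized.
        if skeleton(domain) == skeleton(good):
            return ("lookalike", good)
        # One typo, insertion or deletion away from the real domain.
        if edit_distance(domain, good) <= max_distance:
            return ("lookalike", good)
    return ("external", None)


if __name__ == "__main__":
    # Constructed sample headers, modeled on the hyphen difference in this case.
    for header in ("Jane Doe <jdoe@acmemfg.example>",
                   "Jane Doe <jdoe@acme-mfg.example>",
                   "billing@supplier.example"):
        print(header, "->", classify_sender(header))
```

A `lookalike` verdict is a reason to quarantine or banner the message and to trigger the out-of-band callback described above, not a replacement for it.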
🤖 AI Deepfake Voice Cloning Scam — The Hong Kong $25M Heist (2024)
In January 2024, a finance employee at a multinational corporation's Hong Kong office was tricked into transferring $25.6 million (HK$200 million) to fraudsters who used AI-generated deepfake technology to impersonate the company's UK-based Chief Financial Officer and other senior executives during a video conference call. This case, confirmed by Hong Kong police, represents one of the largest known losses from a deepfake-enabled scam and signals an alarming new frontier in cybercrime.
The attack unfolded over several days. The employee initially received a message purporting to be from the company's CFO in London, requesting a confidential transaction. Suspicious at first, the employee's doubts were dispelled when he was invited to a video conference call that appeared to include the CFO and several other colleagues he recognized. Every person on the call—their faces, voices, and mannerisms—had been convincingly recreated using AI deepfake technology trained on publicly available video footage from corporate presentations, earnings calls, and social media. The employee, believing the request was legitimate, executed 15 separate transfers totaling HK$200 million to five different Hong Kong bank accounts.
The scam was only discovered a week later when the employee followed up with the company's head office. By then, the funds had been dispersed across multiple accounts and jurisdictions, making recovery extremely difficult. Hong Kong police arrested six people in connection with the fraud, but the mastermind operators remained at large. According to cybersecurity firm Sumsub, deepfake-related fraud attempts increased by 3,000% globally between 2022 and 2024. The FBI issued a public service announcement (PSA I-050924-PSA) warning that criminals are increasingly using AI-generated content for fraud and extortion schemes.
This case is not an isolated incident. In 2023, a CEO of a UK-based energy firm was tricked into transferring $243,000 after receiving a phone call from what he believed was his parent company's CEO—the voice had been cloned using AI. McAfee research in 2024 found that only 3 seconds of audio is now sufficient to create a convincing voice clone, and 77% of AI voice scam victims reported losing money.
Key red flags: A request for a large, confidential transfer initiated via unusual channels. Being asked to bypass standard verification procedures. Video call participants who seem slightly "off"—unnatural blinking, lip sync issues, or a fixed background. An inability to deviate from scripted conversation during the call. Urgency and pressure to complete the transaction immediately.
🪙 Cryptocurrency Rug Pull — The Squid Game Token Collapse (2021–Ongoing Pattern)
In late October 2021, a cryptocurrency token called "Squid Game" ($SQUID)—capitalizing on the viral popularity of Netflix's hit series—appeared on decentralized exchanges and quickly became one of the most talked-about tokens on social media. Launched by anonymous developers, the token's price skyrocketed from $0.01 to over $2,861 in just a few days, fueled by speculative buying and social media hype. Then, on November 1, 2021, the developers drained the liquidity pool and vanished, sending the token's value to virtually zero within seconds. Investors lost an estimated $3.38 million.
The anatomy of this rug pull followed a pattern that has since been replicated hundreds of times. Phase 1 (Setup): Anonymous developers created a token with a trendy, recognizable name and a professional-looking website with a whitepaper full of vague promises. Phase 2 (Hype): Coordinated social media campaigns across Twitter, Telegram, and Reddit generated excitement. Paid influencers promoted the token without disclosing their compensation. Phase 3 (Pump): As demand surged, the price rose exponentially, creating FOMO (Fear of Missing Out) among retail investors. Phase 4 (Trap): The token's smart contract contained a hidden "anti-dump" mechanism that prevented anyone except the developers from selling—a critical red flag that many investors did not investigate. Phase 5 (Rug Pull): Developers removed all liquidity from the trading pool and disappeared with the funds.
According to blockchain analytics firm Chainalysis, crypto rug pulls stole $2.57 billion from investors in 2022 alone. The FTC reported that consumers lost over $1 billion to cryptocurrency-related fraud in 2023, with a median individual loss of $3,800. The SEC has since taken enforcement action against multiple crypto projects for unregistered securities offerings and fraud, but the decentralized and pseudonymous nature of cryptocurrency makes recovery exceedingly rare—fewer than 5% of rug pull victims ever recover any funds.
Key red flags: Anonymous or pseudonymous development team with no verifiable track record. A token name tied to a trending pop-culture phenomenon. Promises of guaranteed returns or extraordinary gains. A smart contract that has not been independently audited. Inability to sell or swap the token (a "honeypot" contract). Aggressive promotion by paid influencers. Extremely rapid price increases with no underlying utility. No legitimate use case, partnerships, or technology behind the project.
📱 QR Code Phishing (Quishing) — Parking Meters, Menus, and Malware (2024–2025)
QR code phishing, known as "quishing," has emerged as one of the fastest-growing cyber threats. In December 2023, the FBI issued a public warning about criminals tampering with QR codes to redirect victims to malicious websites that steal personal and financial information. By 2024, quishing had become a mainstream attack vector, with cybersecurity firm Abnormal Security reporting a 587% increase in QR code-based phishing attacks between Q3 2023 and Q3 2024.
One of the most widely reported real-world examples occurred in Austin, Texas, and other major U.S. cities, where criminals placed fraudulent QR code stickers over legitimate ones on parking meters. When drivers scanned the code to pay for parking, they were directed to a convincing fake payment site that harvested their credit card numbers and personal details. The Austin Police Department issued a public alert in early 2024 after receiving dozens of complaints. Similar schemes were reported in San Francisco, Chicago, and Houston.
Quishing attacks have also infiltrated corporate environments. In a widespread campaign documented by Microsoft Threat Intelligence in late 2024, attackers sent emails to corporate employees containing QR codes that purportedly linked to a "mandatory security update" or "2FA verification page." Because QR codes are images—not clickable URLs—they bypass most traditional email security filters that scan links for malicious content. When employees scanned the codes with their personal phones (which typically lack corporate security protections), they were directed to credential-harvesting sites designed to steal Microsoft 365 login information. This campaign affected over 29,000 email recipients across multiple industries.
The threat extends to restaurant menus, event flyers, package delivery notices, and even cryptocurrency ATMs, where criminals overlay legitimate QR codes with malicious ones. According to the FTC, consumers reported losing over $60 million to scams initiated through QR codes in 2024. The FBI IC3 has noted that quishing is particularly effective because users generally trust QR codes, and most people cannot distinguish a legitimate QR code from a malicious one by looking at it.
Key red flags: A QR code sticker that appears to be placed over another QR code (especially on parking meters or public signage). A QR code in an unsolicited email, especially one creating urgency. The destination URL, once scanned, does not match the expected domain (always check before entering any information). Being asked to enter payment details or login credentials immediately after scanning. A QR code that triggers an app download rather than opening a webpage. Poor print quality or signs of tampering on physical QR codes.
Last Updated: February 12, 2026
Author: Simon Desjardins-Hogue
Real-world examples of online scams and fraud, analyzed in depth with timelines, financial impact data, and red flags. These case studies draw on reports from the FBI IC3, the FTC, and international law enforcement agencies.
🎣 Amazon Prime Phishing Campaign (2023)
In the spring of 2023, a sophisticated phishing campaign targeted Amazon Prime members in the United States, Canada, and Europe. More than 100 million messages were sent, claiming that the recipient's Prime membership was about to expire or that a suspicious purchase had been detected. The emails were meticulously crafted with Amazon's official branding, including a spoofed sender address resembling a legitimate Amazon domain. Stolen credentials were used for unauthorized purchases or sold on dark web marketplaces for $5 to $15 per account.
According to the FBI's 2023 IC3 report, phishing and spoofing scams accounted for more than 298,000 complaints that year, with losses exceeding $18.7 billion.
💔 Romance Scam "Pig Butchering" (Sha Zhu Pan)
"Pig butchering" (from the Chinese expression "fattening the pig before slaughter") has become one of the most devastating scam categories worldwide. In a case documented in 2023, a retired teacher from Ohio lost $450,000, her entire retirement savings, over six months to a scammer she met on a dating app. The scammer spent two months building an emotional relationship before mentioning investments. When she tried to withdraw funds, "regulatory compliance fees" kept appearing.
💻 Tech Support Scam — Microsoft Impersonation (Ongoing)
Tech support scams remain one of the most persistent fraud types, disproportionately targeting older adults. In 2023, a network of call centers based in India was dismantled after defrauding more than 20,000 American victims of more than $10 million by impersonating Microsoft, Apple, and Norton representatives. The scammers requested remote access via TeamViewer, presented normal event logs as proof of infection, and then demanded payment in gift cards.
✅ Success: Vigilant Employee Prevents $2M Wire Fraud
In January 2023, an accountant at a manufacturing company in Michigan received an email purportedly from the CEO, requesting an immediate wire transfer of $2 million for a "confidential acquisition." The email had a slight difference in the domain (one extra hyphen). By following the company's verification protocol, a simple phone call to the CEO, she foiled the scam. The investigation revealed that the scammers had studied the company for weeks via LinkedIn.
🤖 AI Deepfake Scam — The $25M Hong Kong Heist (2024)
In January 2024, a finance employee at a multinational in Hong Kong was tricked into transferring $25.6 million to fraudsters who had used AI deepfake technology to impersonate the chief financial officer and other executives during a video conference. Every person on the call (their faces, voices, and mannerisms) had been convincingly recreated using AI trained on publicly available video.
🪙 Crypto Rug Pull — The Squid Game Token Collapse (2021)
In October 2021, a cryptocurrency token called "Squid Game" jumped from $0.01 to more than $2,861 in a few days, before the developers drained the liquidity pool and disappeared, sending its value to virtually zero within seconds. The smart contract included a hidden mechanism preventing anyone except the developers from selling. According to Chainalysis, crypto rug pulls stole $2.57 billion from investors in 2022 alone.
📱 QR Code Phishing (Quishing) — Parking Meters, Menus, and Malware (2024)
QR code phishing has become one of the fastest-growing cyber threats. Criminals placed fake QR code stickers on parking meters in Austin, Texas, and other major U.S. cities. When drivers scanned the code to pay for parking, they were redirected to a fake payment site. Similar attacks targeted corporate employees via QR codes in emails, bypassing the security filters that scan URLs.