A
Account takeover (ATO) is a form of identity theft in which a fraudster gains unauthorized access to a victim's online account — such as a bank, email, or social media account — and changes credentials to lock out the legitimate owner. ATOs are typically carried out using stolen credentials from data breaches, phishing attacks, or credential-stuffing automation. According to the 2024 Identity Fraud Study by Javelin Strategy & Research, ATO fraud affected over 14 million U.S. consumers and caused $13 billion in losses in 2023. Scammers use compromised accounts to conduct further fraud, request money transfers from the victim's contacts, drain financial balances, or sell access on dark-web markets. Enabling multi-factor authentication (MFA) is the single most effective countermeasure against account takeover attacks.
Advance-fee fraud, commonly known as the 419 scam (after the relevant section of the Nigerian Criminal Code), involves a fraudster contacting a victim with a promise of a large sum of money in exchange for a relatively small upfront payment — supposedly needed to unlock the funds, cover taxes, or pay legal fees. Once the victim pays, the scammer invents additional fees and emergencies to extract more money; the promised windfall never materializes. These scams originated via letter mail in the 1980s, migrated to fax, and became ubiquitous over email. Despite widespread awareness, the FBI IC3 reports that advance-fee fraud still generates hundreds of millions in losses annually. The tactic relies on greed, urgency, and isolation — scammers instruct victims not to discuss the deal with family or authorities.
B
Baiting is a social engineering attack that lures a victim into performing an action by offering something enticing — typically a free download, a prize, or physical media. The most classic physical baiting technique involves leaving infected USB drives in parking lots or public spaces labelled with attractive text such as "Salary Records 2024"; studies by Google and the University of Illinois found that 45–98% of found USB drives are plugged into computers. Online baiting uses free movie downloads, pirated software, or fake prize notifications that install malware when accessed. Unlike phishing, baiting relies primarily on curiosity and greed rather than fear or authority. The best defence is to never plug unknown USB devices into a computer and to avoid downloading software from unofficial sources.
Business Email Compromise (BEC) is a sophisticated fraud in which criminals impersonate executives, vendors, or business partners via email to trick employees into transferring money or sensitive data. BEC attacks typically involve compromising a real business email account (or spoofing one convincingly) and then sending wire transfer requests, redirecting payroll deposits, or requesting W-2 tax data. According to the FBI IC3 2024 Internet Crime Report, BEC caused $2.9 billion in adjusted losses — making it one of the costliest cybercrime categories. Unlike mass phishing, BEC is highly targeted and personalized, often researching the organization for weeks before striking. The IC3's Recovery Asset Team (RAT) recovered approximately $560 million of BEC losses in 2024 when notified promptly.
C
Catfishing is the practice of creating a fake online identity to deceive another person, typically for romantic purposes, financial gain, or emotional manipulation. A catfisher constructs a believable persona using stolen photos, fabricated background stories, and consistent communication patterns maintained over weeks or months. The term originated from the 2010 documentary Catfish and the subsequent MTV series. While often associated with personal relationship fraud, catfishing also underpins many romance scams and pig-butchering investment schemes. The FBI reports that romance scam losses exceeded $700 million in 2023. Reverse image searching profile photos using Google Images or TinEye is the most accessible method to detect catfishing, as scammers frequently use stolen photos from models or social media accounts.
Clone phishing is an attack in which a fraudster creates a near-identical copy of a legitimate email previously sent to the victim, replacing any links or attachments with malicious versions. The cloned email is sent from a spoofed or compromised address and typically includes a plausible explanation such as "resending due to a broken link." Because the content closely mirrors a real email the victim has already received and trusted, detection rates are lower than for generic phishing. Clone phishing is particularly effective against corporate email systems. DMARC, DKIM, and SPF email authentication protocols are the primary organizational defence; individuals should verify any resent email with the apparent sender through a separate communication channel before clicking any links.
Credential stuffing is an automated cyberattack in which large sets of stolen username-and-password pairs (obtained from data breaches) are tested against multiple websites and services using bots. The attack exploits password reuse — the widespread habit of using the same credentials across multiple sites. If a user reused their email and password from a breached service on their bank, the attacker gains access without any guessing. Akamai's 2024 State of the Internet report documented over 193 billion credential stuffing attacks globally. The most effective countermeasure is using a unique, strong password for every account (facilitated by a password manager) and enabling MFA, which renders stolen credentials alone insufficient for login.
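Seen from the server side, credential stuffing has a recognisable shape: one source tries many different usernames in a short time, almost all attempts fail (most leaked pairs do not work on this site), and the few successes are exactly the accounts whose owners reused a breached password and now need a forced reset. The following is an added example, not code from this glossary; the log format, the thresholds and the sample lines are constructed for illustration, and it also covers the account-takeover entry above, since the successful hits are the takeovers in progress.

```python
"""Spot credential-stuffing traffic in authentication logs.

Added example, not code from the glossary. The log format, the thresholds and
the sample lines are all constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <source ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 alice FAIL
2024-05-01T10:00:02Z 203.0.113.7 bob FAIL
2024-05-01T10:00:02Z 203.0.113.7 carol FAIL
2024-05-01T10:00:03Z 203.0.113.7 dave FAIL
2024-05-01T10:00:03Z 203.0.113.7 erin FAIL
2024-05-01T10:00:04Z 203.0.113.7 frank OK
2024-05-01T10:00:05Z 203.0.113.7 grace FAIL
2024-05-01T10:00:06Z 203.0.113.7 heidi FAIL
2024-05-01T10:00:07Z 203.0.113.7 ivan FAIL
2024-05-01T10:00:08Z 203.0.113.7 judy FAIL
2024-05-01T10:00:09Z 203.0.113.7 mallory FAIL
2024-05-01T10:00:10Z 203.0.113.7 oscar FAIL
2024-05-01T10:03:00Z 198.51.100.2 alice FAIL
2024-05-01T10:03:20Z 198.51.100.2 alice FAIL
2024-05-01T10:03:40Z 198.51.100.2 alice OK
2024-05-01T11:00:00Z 192.0.2.9 bob OK
"""


def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_accounts=10, max_success_rate=0.2):
    """Return {source_ip: summary} for sources that, inside one time window,
    try many *distinct* usernames with a low success rate.

    A single user fumbling their own password (one account, a few attempts)
    does not trip the rule; a source cycling through a leaked list does.
    """
    by_ip = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, ip, user, ok = parse_line(line)
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            window_events = events[start:end + 1]
            accounts = {u for _, u, _ in window_events}
            rate = sum(ok for _, _, ok in window_events) / len(window_events)
            if len(accounts) >= min_accounts and rate <= max_success_rate:
                # Summarise the whole source once any window qualifies; the
                # accounts that logged in successfully need a forced reset.
                flagged[ip] = {
                    "accounts": len({u for _, u, _ in events}),
                    "attempts": len(events),
                    "success_rate": round(sum(ok for _, _, ok in events) / len(events), 2),
                    "compromised": sorted(u for _, u, ok in events if ok),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

With the sample above, only 203.0.113.7 is flagged (12 accounts tried in ten seconds, one hit), and the "compromised" list names the account whose reused password worked; the user on 198.51.100.2 retrying their own password is left alone. In production the same rule is usually applied per source network or per device fingerprint as well as per IP, since stuffing tools rotate through proxies.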
Cryptocurrency scams are a broad category of fraud exploiting the features of digital currencies — irreversibility, pseudonymity, and global reach — to steal money. Common variants include fake investment platforms, rug pulls, pump-and-dump schemes, pig-butchering, and fake giveaways claiming to double any cryptocurrency sent. The FBI IC3 2024 report identified cryptocurrency fraud as the single largest fraud category by total dollar loss, with $5.6 billion stolen. The irreversible nature of blockchain transactions means that recovery is extremely rare once funds are sent. Red flags include guaranteed returns, unregistered platforms, requests for seed phrases or private keys, and celebrity-endorsed investment opportunities that originate from unsolicited contacts.
Cybersquatting is the practice of registering a domain name that is identical or confusingly similar to an established brand, trademark, or celebrity name with the intent to profit — either by reselling the domain to the legitimate owner, conducting phishing through the lookalike domain, or redirecting traffic to competing or malicious sites. The Anticybersquatting Consumer Protection Act (ACPA) of 1999 provides legal remedies in the United States, and ICANN's Uniform Domain-Name Dispute-Resolution Policy (UDRP) offers international resolution. A related variant, typosquatting, targets common misspellings of popular domains. Cybersquatting is used in phishing campaigns because victims who mistype a URL may land on a fraudulent site that mirrors the legitimate one to steal credentials.
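Brand-protection and mail-filtering teams detect cybersquatting and typosquatting by comparing candidate domains against a list of protected names after undoing the usual tricks: digit-for-letter swaps, Cyrillic letters that render identically to Latin ones, one-character misspellings, and a brand name buried in a subdomain. The following is an added example of such a check, not code from this glossary; the protected-brand list, the confusable-character table and the candidate domains are constructed for illustration, and the registrable-domain extraction is deliberately naive (a real deployment would use the Public Suffix List).

```python
"""Lookalike-domain detection for brand monitoring and link triage.

Added example, not code from the glossary. PROTECTED, HOMOGLYPHS and the
candidate domains are constructed for illustration.
"""
import unicodedata

PROTECTED = ["paypal.com", "example-bank.com"]

# Characters commonly used in place of a Latin letter (minimal, assumed table).
HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
    "\u043e": "o", "\u0430": "a", "\u0435": "e", "\u0440": "p", "\u0441": "c",  # Cyrillic
    "\u0131": "i",                                                            # dotless i
})


def registrable_domain(hostname):
    """Naive registrable domain (last two labels); real code uses the PSL."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize(domain):
    """Decode IDN (xn--) labels, apply NFKC, then map confusables to ASCII."""
    try:
        decoded = domain.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        decoded = domain            # already Unicode, nothing to decode
    return unicodedata.normalize("NFKC", decoded).translate(HOMOGLYPHS)


def levenshtein(a, b):
    """Edit distance; one insertion/deletion/substitution per misspelling."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(hostname, protected=PROTECTED, max_distance=2):
    """Return (verdict, matched_brand_or_None).

    exact     - the registrable domain is a protected domain
    lookalike - after normalisation it equals, or is within max_distance edits
                of, a protected domain, or it carries the brand as a subdomain
    unrelated - otherwise
    """
    reg = registrable_domain(hostname)
    if reg in protected:
        return "exact", reg
    norm = normalize(reg)
    labels = hostname.lower().split(".")
    for brand in protected:
        if norm == brand or levenshtein(norm, brand) <= max_distance:
            return "lookalike", brand
        if brand.split(".")[0] in labels:          # e.g. paypal.login-verify.example
            return "lookalike", brand
    return "unrelated", None
```

Note what the normalisation step buys: "paypa1.com" and a "paypal.com" spelled with a Cyrillic "а" both collapse to the protected string before the comparison, so neither needs to be enumerated in advance. The distance threshold is the knob to tune; two edits catches most typos but will also flag short, genuinely unrelated names, so a real pipeline treats "lookalike" as a triage signal rather than a verdict.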
D
Dark patterns are deceptive user interface (UI) or user experience (UX) design techniques intentionally crafted to trick users into taking actions they would not otherwise choose — such as subscribing to recurring charges, sharing more personal data than intended, or making unintended purchases. Examples include hidden unsubscribe buttons, pre-ticked consent checkboxes, confusing double-negatives in privacy settings, forced continuity (free trials that silently convert to paid subscriptions), and roach motel designs (easy to sign up, nearly impossible to cancel). The FTC has taken enforcement action against dark patterns and published guidelines in 2022. While not always criminal, dark patterns are frequently combined with subscription traps to generate fraudulent recurring revenue.
A deepfake is a synthetic media product — video, audio, or image — in which a real person's likeness or voice is convincingly replaced or generated using deep-learning AI models, most commonly Generative Adversarial Networks (GANs) or diffusion models. In the fraud context, deepfakes are used to impersonate executives in fraudulent video conference calls authorizing wire transfers, to clone family members' voices for grandparent scams, to create fake celebrity investment endorsements, and to produce extortion material. A landmark 2024 case saw a Hong Kong employee tricked into transferring $25 million after a deepfake video call in which all "colleagues" were AI-generated. The FBI's 2024 advisory reported a 300%+ surge in voice-cloning fraud. Warning signs include: unusual visual artifacts around the hairline or ears, unnatural blinking, inconsistent lighting shadows, and audio that doesn't perfectly sync with lip movements. Always verify high-stakes requests through an independent communication channel.
A dictionary attack is a brute-force credential cracking technique that systematically tests a list of common words, phrases, and passwords against a login system or encrypted file. Unlike purely random brute-force attacks, dictionary attacks use curated wordlists (such as the RockYou dataset of 14 million real-world leaked passwords) and combine words with common substitutions (e.g., "p@ssw0rd"). They are highly effective against weak passwords and are used both to crack stolen password hashes offline and to attack live login systems at scale. Countermeasures include account lockout policies, CAPTCHA, rate limiting, and — most importantly — using long, random passwords that do not appear in any wordlist.
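The "does not appear in any wordlist" test has to be applied the way a cracking rule set would apply it: lower-cased, with the year or "!" people bolt onto the end removed, and with "@" for "a" and "0" for "o" undone, so that "P@ssw0rd!" is recognised as "password". The following is an added example of a password-policy check built that way, not code from this glossary; the wordlist is a tiny constructed stand-in for a real leaked-password corpus, and the substitution table and minimum length are assumptions.

```python
"""Reject passwords a dictionary attack would find quickly.

Added example, not code from the glossary. WORDLIST is a tiny constructed
stand-in for a leaked-password list such as RockYou; the substitution table
and minimum length are assumptions. A deployment would check against a full
breach corpus rather than this set.
"""
import re

WORDLIST = {"password", "letmein", "qwerty", "welcome", "dragon", "monkey",
            "summer", "football"}

# The substitutions a wordlist "rule" would apply, reversed so that a candidate
# collapses back to its base word before the lookup.
UNLEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                        "0": "o", "$": "s", "5": "s", "7": "t"})


def base_words(password):
    """Candidate base words: lower-cased, with leading/trailing digits and
    punctuation (years, '123', '!') stripped, with and without the leet
    substitutions undone. 'Summer2024!' -> {'summer'}."""
    lowered = password.lower()

    def strip_ends(s):
        return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)

    core = strip_ends(lowered)
    return {core, core.translate(UNLEET), strip_ends(lowered.translate(UNLEET))}


def is_dictionary_password(password, wordlist=WORDLIST):
    return any(word in wordlist for word in base_words(password))


def check_password(password, min_length=14, wordlist=WORDLIST):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if is_dictionary_password(password, wordlist):
        problems.append("reduces to a common word with predictable substitutions or padding")
    return problems
```

A long multi-word passphrase passes because no candidate reduces to a single wordlist entry, while "Welcome123" fails on both length and the dictionary check. Rate limiting and lockout protect the live login endpoint; this check protects the stored hash, which no rate limit can help once it has been stolen.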
Domain spoofing is the use of a deceptive domain name or sender address to make an email or website appear to come from a trusted source. In email spoofing, the "From" field is forged to display a legitimate company's address while the actual sending server differs. In website spoofing, a lookalike domain (e.g., "paypa1.com" instead of "paypal.com") hosts a cloned site to harvest credentials. Email authentication standards — SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting & Conformance) — were developed specifically to counter email domain spoofing, but adoption remains incomplete. Phishing toolkits routinely incorporate domain spoofing as a core capability.
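"Adoption remains incomplete" usually means one of three things in practice: an SPF record that ends in "+all" (so any server passes), a DMARC record published at "p=none" (failures are reported but the mail is still delivered), or a DMARC record with no reporting address, so nobody ever sees the spoofing attempts. The following added example, not code from this glossary, evaluates constructed SPF and DMARC records in a weak and a corrected form and shows the alignment rule that makes DMARC effective: the domain that actually authenticated must match the domain the recipient sees in the From header. Nothing is looked up in DNS here, and DKIM signature verification itself is outside the example.

```python
"""Evaluate SPF and DMARC records and check DMARC identifier alignment.

Added example, not code from the glossary. The records are constructed
stand-ins for DNS TXT records (nothing is looked up; a deployment would fetch
them with a DNS library). DKIM signature verification is outside this example.
"""

# Constructed records for example.com: a weak and a corrected configuration.
WEAK_SPF = "v=spf1 include:_spf.mail.example +all"
GOOD_SPF = "v=spf1 include:_spf.mail.example -all"
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"


def spf_findings(record):
    """Flag an SPF record whose final 'all' qualifier lets unlisted servers pass."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        term = all_terms[-1]
        qualifier = term[0] if term[0] in "+-~?" else "+"   # bare 'all' means '+all'
        if qualifier in "+?":
            findings.append(f"'{term}' lets any server pass SPF for this domain")
    return findings


def parse_dmarc(record):
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record):
    """Flag DMARC settings under which spoofed mail is still delivered or unseen."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: failures are reported but the mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail is foldered as spam, not rejected")
    elif policy != "reject":
        findings.append("missing or invalid p= tag")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of the mail flow")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so abuse goes unnoticed")
    return findings


def org_domain(domain):
    # Naive organisational domain; production code uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def dmarc_aligned(header_from_domain, authenticated_domain, mode="r"):
    """DMARC passes only when an identifier that actually authenticated (the SPF
    envelope domain or the DKIM d= domain) aligns with the From: header domain.
    Strict (s) needs an exact match; relaxed (r) accepts the same organisational
    domain. A forged From: paired with SPF passing for the sender's own,
    unrelated domain therefore fails, which is the check's purpose."""
    hf, ad = header_from_domain.lower(), authenticated_domain.lower()
    return hf == ad if mode == "s" else org_domain(hf) == org_domain(ad)
```

The weak records each produce findings and the corrected ones produce none; the last function is the part receivers rely on, since SPF alone only vouches for the invisible envelope sender, not the address the user reads.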
Doxing (from "docs" — documents) is the malicious practice of researching and publicly exposing a person's private or identifying information — such as home address, phone number, employer, or family members' details — typically to harass, intimidate, or coerce them. Scammers use doxing as an extortion tool, threatening to publish compromising information unless the victim pays a ransom. Doxing is also combined with swatting (making false emergency reports to send armed law enforcement to a victim's address) in escalated harassment campaigns. Information used in doxing is often aggregated from data broker websites, social media profiles, public records, and prior data breaches. Minimizing your public digital footprint and opting out of data broker databases reduces your vulnerability to doxing.
E
Extortion in the digital context is the act of threatening to expose sensitive information, publish private images, encrypt files (ransomware), or cause harm unless a payment — typically cryptocurrency — is made. Common online extortion variants include sextortion (threatening to share intimate images), ransomware attacks against businesses, and "your computer is infected" scare emails claiming to have recorded the victim via their webcam. The FBI IC3 reports extortion as one of the top five most-reported cybercrime categories, with over 48,000 complaints filed in 2023. A key characteristic of mass-scale extortion emails is that they often include a real password from an old data breach to appear credible. Victims should not pay — payment rarely ends the extortion and encourages repeat attacks. Contact law enforcement and save all communications as evidence.
F
A fake escrow scam occurs when a fraudster — typically posing as a buyer in a high-value transaction — insists on using an "escrow service" that they recommend, which is actually a fraudulent website controlled by the scammer. The victim sends the goods or performs the service believing the funds are held securely by the escrow provider, only to discover the site is fake and no funds exist. Fake escrow scams are common on peer-to-peer marketplaces for vehicles, electronics, and freelance services. Real escrow services are regulated financial institutions; any escrow service referred by the other party in a transaction should be treated with extreme suspicion. Always use independently verified, established escrow providers and verify their regulatory status before proceeding.
Fake invoice scams target businesses by sending fraudulent invoices for services that were never rendered, often for low enough amounts that accounts payable departments process them without scrutiny. More sophisticated variants involve intercepting a real invoice (through email compromise) and altering the bank account number before forwarding it to the paying organization. The Association of Certified Fraud Examiners (ACFE) estimates that billing fraud — of which fake invoices are a major component — accounts for 16% of all occupational fraud, causing a median loss of $150,000 per incident. Controls including vendor master file verification, dual-authorization for payment changes, and invoice matching against purchase orders significantly reduce exposure to this attack.
Fake tech support scams involve fraudsters — typically through unsolicited phone calls, browser pop-up warnings claiming the computer is infected, or deceptive advertisements — convincing victims that their device has a critical problem requiring immediate paid support. Once the victim grants remote access, the scammer demonstrates "proof" of infection by showing normal system processes as threats, installs actual malware, harvests credentials, and charges for fake repairs. The FTC reported 24,000 tech support fraud complaints in 2023, with losses exceeding $800 million and a disproportionate impact on older adults. Microsoft, Apple, and legitimate tech companies will never make unsolicited outreach about computer problems — all such contact should be treated as fraudulent.
G
The grandparent scam targets older adults by having a caller impersonate a grandchild (or a lawyer or police officer representing one) claiming to be in an emergency — arrested, in a car accident, or hospitalized abroad — and urgently needing money. The caller explicitly asks the victim to keep the request secret from other family members, exploiting both concern and isolation. Advances in AI voice-cloning technology have made these scams increasingly convincing, as scammers can clone a grandchild's voice from social media audio in minutes. The FTC reported $41 million in losses to family impersonation scams in 2023. The best defence is a family code word: establish a phrase known only to family members that can be used to verify identity in any emergency call.
H
In the criminal context, a honeypot is a fraudulent lure — such as an attractive online dating profile, a fake investment opportunity, or a seemingly irresistible deal — designed to draw victims into a scam. This contrasts with the cybersecurity use of the term (a decoy system used to detect and study attackers). Romance scam honeypots are often meticulously crafted personas maintained by criminal organizations — particularly in Southeast Asia — that cultivate relationships over months before pivoting to investment fraud. Understanding that any unsolicited "too good to be true" contact online may be a honeypot is a key awareness principle for fraud prevention.
I
Identity theft occurs when someone uses another person's personal information — such as Social Security number, date of birth, financial account numbers, or government ID — without authorization to commit fraud or other crimes. Categories include financial identity theft (opening credit accounts or taking loans in the victim's name), medical identity theft (using the victim's insurance to obtain healthcare), tax identity theft (filing fraudulent tax returns), and synthetic identity theft (combining real and fabricated information to create a new identity). The FTC's Consumer Sentinel Network logged over 1 million identity theft reports in 2023. Recovery typically requires extensive engagement with credit bureaus, financial institutions, and government agencies and can take years. Credit freezes at the three major bureaus are the most effective preventive measure.
Impersonation scams involve a fraudster posing as a trusted entity — a government agency (IRS, Social Security Administration, RCMP, HMRC), a well-known company (Amazon, Microsoft, Apple), a utility provider, or a personal contact — to extract money or information from victims. According to the FTC, impersonation scams were the top fraud category by number of reports in 2023, with government impersonation alone generating $394 million in losses. The scammer exploits the trust and authority associated with the impersonated entity to create urgency, instill fear of consequences (arrest, account suspension), or simulate legitimacy. Legitimate government agencies never demand immediate payment via gift card, cryptocurrency, or wire transfer, and never threaten immediate arrest over the phone.
J
Job scams target people seeking employment by advertising fake positions — often work-from-home, task-based, or data-entry roles — that either require upfront payment for training or equipment, steal personal information during a "hiring process," or recruit victims as unwitting money mules. The Better Business Bureau's 2023 Employment Scams study found job seekers lost an average of $1,995 per incident, with total losses estimated at $2 billion annually in North America. Remote job scams surged following the COVID-19 pandemic as work-from-home demand increased. Warning signs include unsolicited job offers, requests for payment before starting, pressure to send money internationally, communication exclusively via messaging apps, and extremely high pay for minimal-seeming work.
Juice jacking is a cyberattack in which a malicious USB charging station — or a tampered USB cable left in a public location — is used to compromise a connected device, install malware, or exfiltrate data while the user believes they are simply charging their phone. Public charging points in airports, hotels, and shopping centres can be compromised by attackers who replace legitimate hardware with modified equipment. The FBI and CISA have both issued advisories warning against using public USB charging ports. The attack takes advantage of the dual-purpose nature of USB connections, which carry both power and data. The most reliable protection is to use a personal AC adapter and power bank, or to use a "USB data blocker" (sometimes called a USB condom) which allows power to pass while blocking data pins.
K
A keylogger is malicious software (or hardware) that records every keystroke typed on a compromised device and transmits the captured data — including passwords, credit card numbers, messages, and search queries — to the attacker. Software keyloggers are typically installed through phishing, malicious downloads, or exploiting software vulnerabilities. Hardware keyloggers are physical devices inserted between a keyboard and a computer. Keyloggers are a foundational tool in credential theft and are often bundled within broader Remote Access Trojans (RATs). Modern endpoint security suites detect most known software keyloggers; hardware keyloggers on shared or public computers are harder to detect and require physical inspection. Password managers mitigate keylogger risk by autofilling credentials without the user typing them.
L
Lottery scams inform victims that they have won a prize — typically a large cash award, a vehicle, or an expensive holiday — in a lottery or sweepstakes they never entered. To claim the prize, the victim must pay taxes, processing fees, legal fees, or customs charges in advance. Each payment leads to another invented fee, with the prize never delivered. These scams are delivered via email, postal mail, social media messages, and phone calls, and often impersonate legitimate lotteries such as the Powerball, UK National Lottery, or Publishers Clearing House. The simple rule: you cannot win a lottery you did not enter, and no legitimate lottery requires a winner to pay fees upfront — prizes are distributed after deducting taxes, not collected from winners beforehand.
M
Malware (malicious software) is any software intentionally designed to disrupt, damage, or gain unauthorized access to a computer system. The category encompasses ransomware, keyloggers, trojans, spyware, adware, rootkits, worms, and viruses. In the fraud context, malware is used to steal banking credentials (banking trojans), monitor victim activity (spyware), encrypt files for ransom (ransomware), redirect browsers to phishing pages (browser hijackers), and recruit devices into botnets for spam distribution. The AV-TEST Institute registers over 450,000 new malware samples every day. Malware is typically delivered through phishing email attachments, malicious downloads, drive-by downloads from compromised websites, and USB-based attacks. Protection requires a combination of up-to-date antivirus software, regular OS and application patching, email attachment filtering, and user training to avoid executing unknown files or enabling Office macros from untrusted sources.
A man-in-the-middle (MitM) attack is a cyberattack in which an adversary secretly intercepts and potentially alters communications between two parties who believe they are communicating directly with each other. MitM attacks on public Wi-Fi networks allow attackers to capture unencrypted traffic, inject malicious content, or redirect victims to phishing pages. Adversary-in-the-Middle (AiTM) phishing proxies represent a modern evolution, sitting between the victim and a legitimate website to intercept session cookies and MFA tokens in real time. HTTPS with HSTS (HTTP Strict Transport Security) mitigates most passive interception; FIDO2/WebAuthn hardware keys are specifically designed to defeat AiTM attacks because authentication is bound to the legitimate origin domain.
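The origin binding that defeats AiTM is worth seeing concretely. In WebAuthn the browser, not the web page, writes the origin it is actually displaying into the signed client data, and it refuses to use a credential whose relying-party id does not match that origin; the server then checks that the signed origin is its own. A proxy can relay the challenge, but the victim's browser is on the proxy's origin, so the assertion is either never produced or rejected, and rewriting the origin field breaks the signature. A one-time code, by contrast, carries no origin and relays perfectly. The following added example models this flow; it is not code from this glossary and not a WebAuthn library. An HMAC stands in for the authenticator's public-key signature, and the origins, rpId and challenge are constructed values.

```python
"""Why origin-bound authentication (FIDO2/WebAuthn) defeats an AiTM proxy.

Added example, not code from the glossary and not a WebAuthn library. An HMAC
over the same data a real authenticator signs stands in for the public-key
signature; the origins, rpId and challenge are constructed values.
"""
import hashlib
import hmac
import json

RP_ID = "bank.example"                              # relying-party id (constructed)
RP_ORIGIN = "https://login.bank.example"            # the real login page
PHISH_ORIGIN = "https://login.bank-example.test"    # the AiTM proxy's origin (constructed)


def browser_create_assertion(cred_key, rp_id, challenge, current_origin, enforce_rp_id=True):
    """Browser-side step. The browser writes the origin it is really showing into
    clientData and refuses rpIds that are not a registrable suffix of that host."""
    host = current_origin.split("://", 1)[1]
    if enforce_rp_id and not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"rpId {rp_id!r} is not valid for origin {current_origin!r}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": current_origin},
        sort_keys=True).encode()
    signed = hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data).digest()
    return {"client_data": client_data,
            "signature": hmac.new(cred_key, signed, "sha256").hexdigest()}


def rp_verify(cred_key, assertion, expected_challenge, expected_origin=RP_ORIGIN, rp_id=RP_ID):
    """Relying-party step: our challenge, our origin, and a signature over the
    clientData that says so."""
    client_data = json.loads(assertion["client_data"])
    if client_data["type"] != "webauthn.get" or client_data["challenge"] != expected_challenge:
        return False
    if client_data["origin"] != expected_origin:
        return False  # relayed: the victim's browser was on some other origin
    signed = hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(assertion["client_data"]).digest()
    expected_sig = hmac.new(cred_key, signed, "sha256").hexdigest()
    return hmac.compare_digest(expected_sig, assertion["signature"])


def legitimate_login(cred_key, challenge):
    assertion = browser_create_assertion(cred_key, RP_ID, challenge, RP_ORIGIN)
    return rp_verify(cred_key, assertion, challenge)


def aitm_relay_login(cred_key, challenge, enforce_rp_id=True):
    """The proxy forwards the bank's real challenge to the victim, whose browser
    is on the proxy's origin. Two independent checks stop the relay."""
    try:
        assertion = browser_create_assertion(cred_key, RP_ID, challenge, PHISH_ORIGIN, enforce_rp_id)
    except PermissionError:
        return "blocked_by_browser"
    return "accepted" if rp_verify(cred_key, assertion, challenge) else "rejected_by_rp"


def aitm_rewrites_origin(cred_key, challenge):
    """Editing the origin in transit does not help: clientData is under the
    signature, so the relying party sees a mismatch."""
    assertion = browser_create_assertion(cred_key, RP_ID, challenge, PHISH_ORIGIN, enforce_rp_id=False)
    assertion["client_data"] = assertion["client_data"].replace(PHISH_ORIGIN.encode(), RP_ORIGIN.encode())
    return rp_verify(cred_key, assertion, challenge)


def otp_relay(code_typed_by_victim, code_server_expects):
    """For contrast: a one-time code carries no origin, so a relayed code is accepted."""
    return code_typed_by_victim == code_server_expects
```

The same property is why a passkey cannot be "phished" onto a lookalike domain: the credential is scoped to the relying-party id at registration, and both the browser and the server enforce that scope independently.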
A money mule is a person who receives stolen money in their bank account and transfers it to another account — typically internationally — at the direction of a fraudster, often keeping a percentage as commission. Many money mules are unwitting participants, recruited via fake job advertisements, romance scams, or lottery win notifications. Others are knowing participants in criminal networks. Money mules are a critical element of fraud because they help launder the proceeds of cybercrime across jurisdictions, complicating recovery efforts. Participation in money muling — even unknowingly — exposes individuals to criminal prosecution for money laundering. The Financial Action Task Force (FATF) and national law enforcement agencies run periodic awareness campaigns warning against accepting payments to forward from strangers.
N
The Nigerian prince scam — formally classified as advance-fee fraud and also known as the "419 scam" — is arguably the most widely known email fraud in history. In its classic form, a person posing as a Nigerian prince, government official, or wealthy businessperson contacts the victim claiming to have a large sum of money that needs to be transferred out of the country, and requests help in exchange for a substantial share. The scammer then collects a series of "processing fees" from the victim. Despite its notoriety, these scams continue to generate substantial losses because criminals send them to millions of addresses and the small minority who respond are typically highly susceptible. The deliberate implausibility of the scenario may serve as a self-selection filter to identify only the most susceptible victims, improving the fraudster's return on effort.
O
An overpayment scam occurs when a buyer sends a seller a counterfeit check (or initiates a fraudulent electronic transfer) for more than the agreed price, then requests that the seller refund the difference via wire transfer, gift card, or Zelle. By the time the bank identifies the check as fraudulent — which can take weeks — the seller has already wired real funds from their own account to the scammer. The seller loses both the goods and the refunded "overpayment." This scam is common in peer-to-peer marketplace transactions for vehicles, rental properties, and freelance services. The fundamental rule: never accept overpayment and never refund a difference before confirming that the original payment has fully cleared — not just been "deposited" — which can take 5-10 business days for checks.
P
Phishing is a social engineering attack delivered primarily via email that tricks recipients into revealing sensitive information (credentials, credit card numbers, personal data) or installing malware by impersonating trusted entities — banks, social media platforms, government agencies, or employers. Phishing emails typically create urgency ("Your account will be suspended in 24 hours"), include a link to a spoofed login page, and may evade spam filters through sophisticated obfuscation. The Anti-Phishing Working Group (APWG) recorded over 1.76 million unique phishing attacks in the third quarter of 2024 alone. Variants include spear phishing (targeted), whaling (targeting executives), smishing (SMS), vishing (voice), and quishing (QR code). Browser password managers and hardware security keys are among the most reliable technical defences.
Pig butchering (translated from the Chinese shā zhū pán) is a sophisticated long-con investment scam in which the fraudster spends weeks or months building a relationship with the victim — often through a "wrong number" text, a dating app, or a social media connection — before gradually introducing a fake cryptocurrency or investment platform showing impressive fabricated returns. The victim is encouraged to invest small amounts initially (the "fattening" phase), sees apparent profits, invests larger sums, then discovers they cannot withdraw funds, at which point the scammer disappears with all deposited money. The FBI estimates pig butchering caused over $3.5 billion in losses in 2023. Many operations are run from forced-labour compounds in Southeast Asia. Platforms with no verifiable registration, no regulated exchange status, and funds accessible only through proprietary apps are hallmarks of this fraud.
Pretexting is a social engineering technique in which an attacker fabricates a scenario (the "pretext") to obtain information or access from a target. Unlike phishing, which relies on technical deception, pretexting relies on a convincing backstory — for example, impersonating a new employee who needs IT help, an auditor requiring access to financial records, or a vendor who needs to verify an account. Pretexting is frequently used in business espionage, BEC attacks, and fraud against financial institutions. The Verizon 2024 Data Breach Investigations Report identifies pretexting as one of the most common social engineering vectors. Good pretexts are researched thoroughly using open-source intelligence (OSINT) and exploit the target's desire to be helpful. Security awareness training that specifically covers pretexting scenarios is among the most effective countermeasures.
A prize scam informs a victim that they have won a valuable award — cash, a car, a vacation, electronics — but must pay fees, taxes, or processing charges to collect it. Prize scams arrive via phone, email, social media, and postal mail, and frequently impersonate well-known brands (Publishers Clearing House, McDonald's Monopoly, government consumer protection agencies). A common variant is a fake online survey completion prize, which harvests personal data and credit card information. The fundamental distinguishing factor from legitimate prizes: real contests and lotteries never require winners to pay anything to receive their award — taxes are deducted from the prize or settled by the winner with revenue authorities, never collected upfront by the contest organizer.
Pump-and-dump is a market manipulation scheme in which fraudsters artificially inflate the price of an asset — traditionally penny stocks, now most commonly low-cap cryptocurrencies — through coordinated promotional campaigns, false claims, and social media manipulation, then sell their holdings at the inflated price, leaving retail investors with near-worthless assets. The SEC has prosecuted dozens of traditional stock pump-and-dump schemes; cryptocurrency variants are harder to regulate. Coordination happens in Telegram groups, Discord servers, and Twitter/X communities with names suggesting investment insight. The pattern is recognizable by sudden, unexplained price spikes accompanied by unusually high volume and promotional content from unknown accounts claiming "insider knowledge."
Q
Quishing is a phishing attack that uses a QR code — instead of a hyperlink — to direct victims to a malicious URL, bypassing email filters that scan text-based links but typically cannot decode and inspect QR code content. Quishing attacks are delivered in emails, physical mail, counterfeit parking tickets, and even placed over legitimate QR codes in restaurants and public spaces. Because smartphones handle QR scanning natively, users often proceed directly to the URL without scrutiny. The FBI issued a PSA warning about quishing in 2023, citing exponential growth in cases. Before scanning any unexpected QR code, always preview the URL in your camera app before opening it, verify that the destination matches what the context suggests, and never enter credentials on pages reached via unsolicited QR codes.
R
Ransomware is malicious software that encrypts a victim's files or locks access to their system and demands a ransom payment — typically in cryptocurrency — in exchange for the decryption key. Modern ransomware-as-a-service (RaaS) ecosystems allow criminal affiliates to deploy sophisticated ransomware developed by specialist groups, splitting the proceeds. The FBI IC3 received over 2,800 ransomware complaints in 2023, with adjusted losses exceeding $59 million for reported incidents; the true total including unreported corporate attacks is estimated in the billions. Double and triple extortion variants also exfiltrate data before encrypting it, threatening public release if the ransom is not paid. Regular offline backups remain the most reliable recovery mechanism; paying the ransom does not guarantee decryption and funds further criminal operations.
Romance scams involve fraudsters creating fake romantic relationships — typically through dating apps, social media, or messaging platforms — to gain emotional trust before making financial requests. The fabricated relationship may be maintained for months or years, with the scammer consistently refusing to meet in person or video call (using fabricated excuses such as military deployment, oil rig work, or international business travel). Eventually, a manufactured crisis — medical emergency, legal trouble, travel costs — is used to request money transfers. The FBI IC3 reported $700 million in romance scam losses in 2023, with the median individual victim losing $10,000. A substantial portion of romance scam operations worldwide are now linked to forced-labour pig-butchering compounds in Cambodia, Myanmar, and Laos.
A rug pull is a fraudulent exit scam common in the cryptocurrency and decentralized finance (DeFi) space in which the creators of a token or project raise funds from investors, then abruptly abandon the project and abscond with the capital — metaphorically "pulling the rug" out from under investors. Rug pulls are facilitated by the pseudonymous, permissionless nature of blockchain platforms, where anyone can deploy a token contract without identity verification. Chainalysis estimated that crypto rug pulls caused $2.8 billion in losses in 2021 alone, and thousands of new scam tokens are created monthly. Warning signs include anonymous development teams, no third-party security audits, no token lock period for developer allocations, and liquidity pools that can be drained by the contract owner.
S
Scareware is a type of malware or fraudulent advertisement that uses alarming messages — typically fake virus warnings, system error notifications, or pop-up alerts claiming the user's computer is infected or at risk — to frighten users into purchasing fake security software, granting remote access, or calling a fraudulent tech support number. Scareware pop-ups are designed to resemble legitimate operating system alerts and may use browser APIs to prevent the tab from being closed easily. The "rogue security software" category of scareware typically charges $30–$80 for a fake antivirus product that performs no real security function. Legitimate security software never advertises via aggressive browser pop-ups or unsolicited phone calls; any such encounter should be treated as fraudulent.
SIM swapping (also called SIM hijacking) is an attack in which a fraudster convinces a mobile carrier's customer service representative to transfer a victim's phone number to a SIM card the attacker controls — by impersonating the account holder using personal information gathered from data breaches or social media. Once the number is transferred, the attacker can receive all SMS messages sent to the victim, including one-time passwords (OTPs) used for two-factor authentication, allowing account takeover on banking, email, and cryptocurrency exchange accounts. The FBI reported 1,611 SIM swapping complaints in 2023, with losses over $48 million. Countermeasures include setting a PIN or passphrase on your mobile account, using authenticator apps or hardware keys instead of SMS for 2FA, and avoiding posting information on social media that could be used to verify identity.
Card skimming involves the installation of a physical device — a skimmer — on a payment terminal (ATM, gas pump, point-of-sale terminal) that secretly reads and stores the magnetic stripe data from payment cards inserted into the machine. A small camera or overlay keypad simultaneously captures the entered PIN. The stolen card data is then used to create counterfeit cards or make unauthorized online purchases. The US Secret Service estimates that card skimming costs financial institutions and consumers over $1 billion annually. Chip-and-PIN (EMV) technology has reduced skimming at traditional card terminals because EMV transactions use a dynamic cryptogram rather than the static magnetic stripe data. Contactless (NFC) payment is generally more secure than magnetic stripe. Inspect terminals for loose or misaligned overlays and cover the keypad when entering PINs.
Smishing (SMS phishing) is a phishing attack delivered via text message rather than email. Messages typically impersonate delivery companies (FedEx, UPS), banks, government agencies, or streaming services, and include a shortened URL leading to a spoofed login page or malware download. Because SMS messages feel more personal and trusted than email, and because mobile browsers display less URL metadata, smishing can achieve higher click rates than equivalent email phishing campaigns. The FBI IC3 received over 11,000 smishing complaints in 2023. Legitimate organizations rarely send unsolicited text messages containing clickable links; if you receive such a message, navigate to the organization's website directly rather than clicking the link in the message.
Social engineering is the psychological manipulation of individuals into performing actions or disclosing confidential information, exploiting human psychology rather than technical vulnerabilities. The core principles leveraged include authority (impersonating figures of power), urgency (creating artificial time pressure), scarcity, social proof, reciprocity, and fear. Social engineering is the attack vector underlying phishing, vishing, smishing, pretexting, baiting, and quid pro quo attacks. According to the Verizon 2024 Data Breach Investigations Report, 68% of data breaches involved a human element, making social engineering the most consistently successful attack method available to fraudsters. Security awareness training that teaches employees to pause and verify before acting on urgent requests is the primary organizational defence.
Spear phishing is a highly targeted form of phishing directed at a specific individual, organization, or role rather than sent en masse. Attackers research the target using open-source intelligence (OSINT) — LinkedIn, company websites, social media, prior data breaches — to personalize the message with details that make it appear legitimate: the target's name, their manager's name, recent projects, or supplier relationships. Spear phishing is the initial access vector in approximately 91% of advanced persistent threat (APT) attacks and is the primary method used in BEC fraud. Mitigation requires a combination of email authentication (DMARC), security awareness training with simulated spear phishing exercises, and multi-person authorization for sensitive transactions that cannot be bypassed even by a convincing executive request.
Spoofing broadly refers to impersonation of a trusted identity at a technical level — forging the originating address or identity information in a communication to mislead the recipient. Forms include email spoofing (forging the From header), caller ID spoofing (making a call appear to originate from a legitimate number), IP spoofing (forging source IP addresses), and website spoofing (cloning a legitimate site). Caller ID spoofing is extensively used in government impersonation scams to make calls appear to come from IRS, Social Security Administration, or police numbers. No technical mechanism currently requires caller ID to be authentic; always call back using a number obtained independently to verify the identity of anyone claiming to be from a government agency or financial institution.
Stalkerware is a category of software covertly installed on a victim's device — typically by an intimate partner or family member — that monitors location, reads messages, accesses photos, logs calls, and can activate the camera or microphone remotely, all without the device owner's knowledge. Unlike commercial monitoring software that requires disclosure, stalkerware is specifically designed to operate invisibly and evade detection by security tools. The Coalition Against Stalkerware (coalitionagainststalkerware.org) documents that stalkerware is used as a tool of domestic abuse and coercive control, with incidents increasing during COVID-19 lockdowns. Cybersecurity vendors including Kaspersky, Malwarebytes, and ESET have added stalkerware detection capabilities to their products following advocacy by the coalition.
A subscription trap (or negative option marketing scam) entices consumers with a "free trial" offer that requires credit card details, then automatically enrolls them in a recurring subscription that is deliberately difficult to cancel. The terms disclosing the automatic billing are hidden in fine print, buried at the end of long terms-of-service documents, or rendered in low-contrast text. The FTC's "Click to Cancel" rule, finalized in 2024, requires companies that offer negative-option billing to make cancellation as easy as enrollment. Victims often do not notice the recurring charge for months. Prevention: use virtual one-time credit card numbers for free trials, set calendar reminders to cancel before trial periods end, and review bank statements monthly for unrecognized recurring charges.
Swindling is a broad legal and colloquial term for obtaining money or property through deliberate deception or fraud. In the online context, it encompasses a wide range of deceptive practices including fake online stores that collect payment without delivering goods, counterfeit goods sold as authentic, misrepresented property or investment products, and fraudulent service providers who take deposits and disappear. Swindling differs from theft in that the victim is induced to voluntarily hand over money or property under false pretences. Digital payment traceability has somewhat improved recovery prospects compared to cash swindling, but irreversible payment methods (wire transfers, cryptocurrency, gift cards) remain widely exploited specifically because they cannot be charged back.
T
Typosquatting is the practice of registering domain names that are common typographical errors or near-misspellings of popular websites — for example "gooogle.com", "arnazon.com", or "linkedln.com" — to capture traffic from users who mistype URLs. The registered domains are then used for phishing pages, malware distribution, or advertising revenue. Typosquatting is closely related to cybersquatting but specifically exploits typing errors rather than brand similarity. Brands and domain registrars can combat typosquatting through defensive domain registration, UDRP disputes, and trademark monitoring services. Users should use bookmarks or search engines rather than typing URLs manually for frequently visited sensitive sites such as banking platforms.
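As an added illustration (not part of this glossary), the following Python routine shows how a brand-monitoring or registrar check might flag look-alike registrations: it collapses common visually confusable sequences and then measures edit distance against a protected-domain list. The brand list, the confusable table and the sample domains are constructed for the example.

```python
# Added example: flag domains that sit within a small edit distance of a
# protected brand domain after normalising look-alike character sequences.
# PROTECTED and CONFUSABLES are constructed sample data, not a real feed.

PROTECTED = {"google.com", "amazon.com", "linkedin.com"}

# Sequences a typosquatter relies on being misread (constructed, not exhaustive).
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}


def normalise(domain):
    """Lower-case and collapse confusable sequences, e.g. 'arnazon' -> 'amazon'."""
    domain = domain.lower().strip(".")
    for look_alike, real in CONFUSABLES.items():
        domain = domain.replace(look_alike, real)
    return domain


def damerau_levenshtein(a, b):
    """Edit distance counting insertion, deletion, substitution and an
    adjacent transposition ('gogole' vs 'google') as one operation each."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(domain, protected=PROTECTED, max_distance=1):
    """Return (brand, reason) when the domain imitates a protected brand,
    or None when it is the brand itself or looks unrelated."""
    domain = domain.lower().strip(".")
    if domain in protected:
        return None
    norm = normalise(domain)
    brand, dist = min(
        ((b, damerau_levenshtein(norm, normalise(b))) for b in protected),
        key=lambda pair: pair[1],
    )
    if dist == 0:
        return (brand, "homoglyph")   # differs only by confusable characters
    if dist <= max_distance:
        return (brand, "typo")        # one keystroke away from the brand
    return None
```

Run against a registrar's new-registration feed, the "homoglyph" hits are worth reviewing first, since a user cannot spot them by reading the address bar.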
V
Vishing (voice phishing) is a social engineering attack conducted via phone call, in which the caller impersonates a trusted entity — a bank fraud department, government agency, tech support team, or even a known contact — to extract sensitive information or pressure the victim into sending money. Vishing attacks increasingly use caller ID spoofing to display legitimate-looking numbers and AI-synthesized voices to impersonate known individuals. The FTC reports that phone-based fraud consistently generates some of the highest per-victim losses of any fraud category, because the real-time interaction allows the fraudster to overcome objections and create urgency more effectively than asynchronous communications. The primary defence: hang up and call back using a number you independently locate from a trusted source — never from a callback number provided by the caller.
W
A watering hole attack is a targeted cyberattack in which an adversary identifies websites frequently visited by the intended victims — a trade association forum, an industry news site, a government contractor portal — compromises those sites by injecting malicious code, and then waits for the targets to visit and become infected. Named after the predator strategy of waiting near a water source for prey, watering hole attacks are difficult to detect because they exploit trusted sites that the victim's security tools may whitelist. The attack is particularly effective against specific industries or government sectors. Unlike phishing, victims do not need to be socially engineered — simply visiting a compromised site can deliver malware through a drive-by download. Browser isolation technology and keeping software fully patched reduce exposure.
Whaling is a form of spear phishing directed specifically at high-value individuals within an organization — C-suite executives, board members, legal counsel, or finance directors. The term reflects that these are the "big fish" targets. Whaling attacks are highly customized, referencing the target's specific role, current business activities, and personal details researched through OSINT. The goal is typically to authorize a large fraudulent wire transfer (BEC), to obtain access credentials for critical systems, or to extract sensitive corporate or personal information. Whaling emails often impersonate external entities trusted by the executive (legal firms, investment banks, regulatory bodies) rather than internal company communications. Executives require dedicated security awareness training that specifically addresses whaling, since their authority means a successful attack can have catastrophic financial consequences.
Z
A zero-day exploit targets a security vulnerability in software or hardware that is unknown to the vendor and for which no patch exists — the vendor has had "zero days" to fix it. Criminals and nation-state actors who discover or purchase zero-day vulnerabilities can exploit them silently before any defensive measures are available. Zero-days are used in sophisticated malware delivery chains, particularly to compromise organizations for ransomware, espionage, or BEC operations. The market price for exploitable zero-days against major platforms ranges from tens of thousands to millions of dollars. In the fraud context, zero-days are most relevant as enablers of initial access; once inside an organization, attackers pivot to social engineering and financial fraud. Organizations can reduce zero-day exposure through network segmentation, endpoint detection and response (EDR) tools, and rapid patch deployment when vendors do release fixes.