Guides from the team building SafeBrowz. Phishing, wallet drainers, scam emails, and the browser-side protections that actually work.
FBI PSA260527 (May 27, 2026): Chinese-linked Ghost Stadium operates 300+ lookalike FIFA ticket sites harvesting card and PII data. Our 3-layer detection on typosquat domains + brand-pivot predictions (Olympics 2028, Champions League).
FBI PSA260521 (May 21, 2026): new Microsoft 365 phishing-as-a-service hijacks accounts via OAuth device-code abuse, bypassing MFA entirely. Our 3-layer detection analysis + what enterprises do right now.
UK's #1 phishing topic — HMRC reports 200K+ complaints/year. Fake "£342.78 tax rebate" emails + Self Assessment lures + Marriage Allowance traps. Verify with Gov.uk Gateway only. Recovery via Action Fraud + Cifas.
"Your vehicle tax payment failed — £1,000 fine + clamp threat" SMS/email. DVLA never asks for payment by SMS. Lookalike domains (dvla-payment[.]uk). Verify via gov.uk/check-vehicle-tax. Recovery + Action Fraud.
Fake TV Licensing emails: "Licence expired", "Direct Debit failed", refund offer, over-75 free-licence trap. TV Licensing won't ask for personal/payment info by email. Verify via tvlicensing.co.uk/check-it-s-us.
RCMP 2024: $50M+ CRA impersonation losses. Fake "$428.50 refund" emails + aggressive "send Bitcoin to avoid arrest" voicemails. Verify only via CRA My Account. Recovery via CAFC + credit freeze.
Top scam targeting Canadian newcomers + seniors. Automated voicemail "SIN suspended" → fake officer → SIN/banking/identity extraction. Hang-up + look-up + call-back rule. Service Canada fraud + IDCare recovery.
ATO reports 30K+ phishing reports/year. Peak Jul-Sep (Australian tax year). Fake "$1,247 refund ready" + TFN suspension + BAS overdue templates. Verify only via myGov inbox + ATO ID 13 28 61.
One myGov password = access to Medicare, Centrelink, ATO, Immigration. Fake "account locked" emails route to phishing copies of my.gov.au. Verify only via my.gov.au. Recovery via Services Australia + IDCare.
Cybermalveillance.gouv.fr 2024: €100M+ losses. Fake "Remboursement Impôts 384€" emails + Crédit d'impôt PAJE + TVA refund templates. Verify only via impots.gouv.fr espace particulier. EN guide for expats.
French Assurance Maladie phishing top-5 in 2024. Fake Carte Vitale renewal + IBAN confirmation + refund-pending templates. Verify only via ameli.fr account. Recovery via 3646 + Cybermalveillance.gouv.fr.
France's top consumer scam 2024 per Cybermalveillance. Fake "Vinted Pro" / "Leboncoin Securité" payment links route to phishing pages that drain seller cards. Vinted never uses external payment links.
FBI's #1 P2P payment scam. Fake bank fraud-alert text + impersonator call walks victim through sending money "to themselves" via Zelle. Irreversible. $440M+ losses 2024. Recovery + protection steps.
Gen Z's #1 scam: fake celebrity-endorsed giveaways tag victims on TikTok/IG, then ask for "verification fee" or steal Cash App login. FTC 2024: $1.9B in social-media-contact fraud. 7 red flags + recovery.
Scammer sends Venmo from stolen card, asks for refund. Days later card transaction reversed = victim loses everything. FTC 2024 P2P fraud $1.1B. Why Venmo has no purchase protection on peer-to-peer.
Fake iCloud renewal + hijacked friend Apple Pay requests + "Apple Cash from Apple" wrong-direction scams. FBI IC3 2024: mobile payment fraud +87% YoY. Recovery steps + Apple Pay protection settings.
Largest US bank (80M+ customers, $2.4T deposits) = biggest phishing target. Fake "suspicious login from Chicago" alerts + lookalike domains (chase-secure[.]com). FBI IC3: $1.2B bank-impersonation losses.
132M+ Steam users, $40B+ skin economy = massive target. Fake friend DM → phishing Steam login → session token steal bypasses SteamGuard 2FA. Valve doesn't restore most stolen items. Recovery flow.
70M+ daily users, mostly kids 8-17. "Free Robux" sites, Discord DM trades, OAuth phishing. 1M+ accounts compromised 2024. Written for parents to share with kids. Recovery + 2-step verify setup.
Fake X Premium suspension emails + @SupportTeam DM impersonators steal logins and payment info. Lookalike domains: x-premium[.]help, twitter-secure[.]net. 600M+ MAU = massive attack surface.
Fake "[Company] invited you to Slack" emails route to phishing login pages capturing SSO + OAuth tokens. Initial access for ransomware crews. 65M+ daily users, 200K+ paid orgs targeted. Verify in 60s.
Attacker uploads phishing HTML to Dropbox, sends real "shared a file" link. Passes SPF/DKIM/DMARC because dropbox.com IS the sender. 700M+ users at risk. Detection + 2FA + sharing-settings guide.
Fake Hulu "subscription suspended due to payment problem" emails target 50M+ subscribers. AiTM proxy captures credentials + 2FA. Variants exploit Disney+/ESPN+ bundle confusion. 7 red flags + 5-step verification + recovery flow.
The Max (formerly HBO Max) account-locked email exploits the real Warner Bros Discovery rebrand confusion. Fake billing failure + AiTM proxy login. 7 red flags + recovery flow if you clicked.
NBC Universal Peacock subscribers targeted with fake "billing failure" emails. Olympics + live sports access bait. 3-tier confusion (Free/Premium/Premium+) exploited. Recovery flow if card details entered.
Sports fans targeted with fake ESPN+ "subscription failed before the big game" emails. UFC/F1/MLB PPV access bait drives panic. Disney bundle confusion exploited. 7 red flags + verification flow.
Star Trek + Yellowstone fans targeted with fake Paramount+ "subscription failed" emails. 2024 Showtime merger confusion exploited. Fake "annual plan switch" promo variants. Recovery flow.
Real-time phishing detection for AI agents via SafeBrowz API. Working code examples for 7 frameworks (Hermes Agent, LangChain, AutoGen, CrewAI, OpenAI Assistants, Anthropic Claude, raw HTTP). $0.001 USDC per call via x402 on Solana/Base.
Fake "Meta Verified team" DMs promise a blue check for $4.99 or via an "eligibility form". The real Meta Verified is only via Settings → Accounts Center - never via DM. 7 red flags, 5-step verification, full account recovery flow.
DM from a friend's hijacked account offering free Nitro / Steam keys. Lookalike domains, QR-login hijack, NFT-server raid variants that drop wallet drainer pages. Why gamers + crypto holders are the gold targets - and the 2FA defense that stops it.
"Your channel will be terminated in 24 hours" emails target monetized creators. Linus Tech Tips 2023 hijack case. Info-stealers (Redline, LummaC2) bypass 2FA via session cookies. Hardware-key MFA + Studio-only strike verification.
"Your Disney+ subscription has been suspended" emails ride the real household-sharing crackdown news. Variants for Hulu, ESPN+, HBO Max, Peacock, Paramount+. 7 red flags, in-app verification, recovery flow including reused-password rotation.
Targets 650M+ Spotify users with fake "payment failed" panic emails. Family-plan-member-removed variant, HiFi tier upgrade, refund offer. Real billing issues only show in-app banner. Same template used by Apple Music, YouTube Music, Tidal.
SocGholish / FakeUpdates framework injects fake Chrome update popups via compromised legitimate sites. Drops Redline + LummaC2 info-stealers that target MetaMask/Phantom wallet extensions. Real Chrome updates are ALWAYS silent + automatic. Never via website download.
#2 most-clicked theme in corporate environments per Mandiant 2024. "[Coworker] sent you a document" leads to fake M365 / Google Workspace login. Variants: BEC pivot, fake HR onboarding, fake vendor invoice. Hardware-key MFA defeats AiTM proxy.
"Your bank app needs updating" WhatsApp link drops banking trojan (Anatsa/Hook/BlackRock/Cerberus). Accessibility Service permission overlays fake login on real bank app, reads SMS OTPs, executes silent UPI/IMPS/Pix transfers. Huge in India, SEA, Brazil, Nigeria.
Different from Apple-locked variant - triggers "did someone steal my account?" panic. AiTM proxy captures 6-digit 2FA in real-time. Attackers reset recovery email then Mark as Lost your iPhone via Find My. iCloud Keychain = every saved password gone.
$440M+ Zelle fraud reports 2024 per FTC. Seller scam (buyer reverses Zelle after shipping). Buyer scam (deposit then disappears). Why Zelle is the riskiest p2p payment. Safe alternatives: PayPal Goods & Services, eBay Managed Payments. CFPB Reg E protections.
3 seconds of audio from social media is enough to clone a voice. FBI's fastest-growing phone scam. The grandparent scam, fake kidnapping, CEO fraud playbook — plus the "safe word" defense that stops it cold.
The old "bad grammar = scam" rule is dead. ChatGPT writes phishing emails with perfect English in any language. The 7 new red flags security researchers actually use in 2026 — sender domain, payment rail, link mouseover, thread history.
60,000+ complaints to FBI IC3 in months. The "$2.99 unpaid toll" text targets every state — E-ZPass, FasTrak, SunPass, PikePass, TxTag. State-by-state verification table, real toll-notice format, and recovery if you entered card info.
Fake $399 Norton invoice triggers a panic call. Then the "agent" requests remote access via AnyDesk to "process the refund". McAfee, Best Buy, Microsoft Defender variants use the same play. Recovery flow if you already called the number.
"Hey I sent a code to your number by mistake, can you share it?" The exact social-engineering playbook that hijacks WhatsApp accounts in under a minute. The two-step verification PIN defense + 30-second recovery flow.
You ask a question in a project group. Within minutes, "Admin" DMs you with a KYC link, airdrop form, or recovery prompt. The wallet-drain happens in one signature. How to verify the real admin in 60 seconds — every project's pinned "we never DM first" policy.
$1B+ stolen via vanity-address lookups in transaction history. The zero-value transaction trick that puts a malicious address into your wallet's history — so you accidentally copy it next time you send. Real Bitfinex/OKX cases, defense, and the brutal recovery reality.
$1B+ lost across Asia in 2024 (UNODC + Singapore Police data). The fake Amazon/TikTok recruiter, the small payouts that build trust, the "premium tasks" deposit trap, and the sunk-cost lockup. Plus what the Cambodia/Myanmar/Laos scam compounds actually are.
FTC says $1.3B lost to romance scams in 2024. The exact 6-week emotional grooming timeline — Tinder/Bumble first contact, love bomb, crisis pivot, then crypto. Why high-income middle-aged singles are #1 targets. Recovery flow including the cut-off-contact reality.
"Your Coinbase account has been suspended — verify within 24 hours." The AiTM proxy login page, the seed-phrase variant, the 2FA hijack flow. Plus Binance, Kraken, KuCoin, and Gemini variants of the same play. Recovery if you already clicked.
Vercel's free static-site hosting is one of the top abused platforms for crypto drainer pages. The lookalike-app on a .vercel.app subdomain pattern, why standard phishing blocklists miss it, and the brand-detection signals SafeBrowz uses to catch them.
The largest crypto-adjacent scam category in the world. $75B estimated global losses. FBI Operation Level Up + 276 arrests in May 2026. Full 5-stage attack chain, 7 red flags, recovery flow via IC3, and how the approval-phishing endgame connects to Permit2 attacks.
TrendAI uncovered a Russian-speaking scammer who used jailbroken Google Gemini to automate crypto theft — impersonating a US veteran on a 17K Telegram channel, hacking 29 WordPress admins, and harvesting 40+ wallet addresses from a single victim. Template for the next generation of phishing.
Amazon is the world's most-impersonated brand in 2026. The "you ordered $1,200 of AirPods" panic email triggers a click before users think. 8 message variants, the URL patterns, and how to recover if you entered your password.
IRS named tax refund phishing in its 2026 Dirty Dozen list. Real IRS never initiates contact via text/email. 6 message variants, the QR-code-on-fake-letter angle, and what to do if you entered your SSN.
FedEx smishing is the second-most-reported delivery scam after USPS. International shipment + customs duty variants push bigger dollar amounts than USPS. 7 message variants and the 10-second check that catches them all.
India's most-reported phishing scam in 2026. TRAI issued public WhatsApp advisory. 6 message variants (festival-themed, operator-impersonation, government scheme), the OTP-harvesting flow, and recovery via cybercrime.gov.in + 1930 helpline.
The fake USPS delivery text is the most-reported phishing scam in the US in 2026. 7 message variants in active rotation, what the destination page actually steals, the 10-second check that catches every variant, and what to do if you already clicked.
ZachXBT flagged an active campaign draining hundreds of EVM wallets via a fake MetaMask upgrade email with a party-hat fox logo. Per-victim losses stay under $2K to delay detection. How the email works and how to spot it.
On May 20, 2026 the DOJ secured guilty pleas from Ringba CEO and CSO for enabling tech-support fraud pipelines that drained elderly victims of life savings. Here is exactly how the fake popup → call center scam works and how browser defense stops it at step one.
The hub explainer. Why technical defenses keep losing to phishing. Kahneman's dual-system brain model + Cialdini's influence research applied to every phishing technique. Links to all 27 SafeBrowz attack-specific posts.
Microsoft Threat Intelligence: AiTM phishing up 146% in H1 2025. Evilginx2 + Modlishka + Muraena tool families. The reverse-proxy attack that captures password AND 2FA. FIDO2/passkeys are the only protocol-level defense.
Disclosed by mr.d0x in 2022. A phishing page draws a perfect HTML/CSS replica of an OS-level SSO popup INSIDE the page. The HTML/CSS recipe + the 2-second drag test that defeats it + password managers as the strongest defense.
Uber September 2022 — Lapsus$ flooded a contractor with 100+ push notifications until one was approved. The number-matching defense Microsoft/Duo/Okta deployed in 2022-2023 fixes this. Push and SMS 2FA do NOT protect against AiTM.
Older Americans lost $3.4B to tech-support scams in 2024 (FBI IC3). The 6 popup variants in 2026 + the 3-key escape (Ctrl+W / Alt+F4) + browser settings that block 99% of these. DOJ Ringba conviction May 2026 ended a major call-center pipeline.
Attacker takes a real email you received and re-sends with one element changed (bank account number, link). DKIM/DMARC pass. The 4 most damaging clone phishing patterns + the second-channel verification rule that beats them.
Attackers buy paid Google Ads above the organic results for crypto and bank keywords. The 30-day attack cycle: register domain, get Ads approval, run until Google catches, repeat. Real cases: Lowe's/Amazon/KeePass/AnyDesk/Brave malvertising.
Calendar invites bypass every spam filter because the invitation email really is from Google's servers (passes DKIM/DMARC). The phishing link lives inside the event description. Lockdown settings for Gmail + Outlook in 3 steps.
Attackers monitor brand mentions on X. They DM you within minutes pretending to be official support. Phantom/Coinbase/MetaMask DM scams. Verified badges can be bought now (X Premium), so blue check is no longer proof. The 10-second sanity check.
Attacker broadcasts a Wi-Fi network with the same name as the real one. Captive portal phishing, SSL stripping, DNS hijack. iOS/Android auto-rejoin networks with matching SSID. The 4 defenses + personal hotspot rule for sensitive work.
Attackers compromise a website the target group visits regularly (industry forum, vendor portal), then serve malicious code from that trusted site. URL filtering allows it. Forbes 2014, Polish bank 2017, Holy Water 2019. The 5-signal check.
Spear phishing makes up 65% of targeted attacks per FBI IC3 2025. The 6-step LinkedIn profiling playbook attackers use to make emails irresistible, why DKIM/DMARC do not stop it, and the 5-second second-channel verification that beats it.
Named cases: Mattel $3M, Pathé $21M, FACC $47M, Ubiquiti $46.7M, Crelan Bank $75M. FBI IC3: $2.9B in BEC losses. The 7-day pattern, why the email passes DKIM/DMARC, and the FBI Financial Fraud Kill Chain 72-hour recovery window.
Vishing up 30% YoY per FBI IC3. AI voice clones (3 seconds of audio = convincing clone). Arup engineering lost $25M to a deepfake CFO video call in Feb 2024. The "hang up and call back" rule + family safeword defense for voice-clone scams.
Microsoft Defender: quishing up 587% YoY. Real cases: Austin / Houston / Atlanta parking meter QR sticker fraud. Why QR phishing bypasses every email URL scanner (the URL is encoded as an image). 6 places quishing attacks show up + how to scan safely.
Tab-nabbing exploits the Document Visibility API. When you switch away, the background tab silently rewrites itself as "Gmail" or your bank. Avast 2024: average user has 15-30 tabs open. The JavaScript that does it + why password managers are the strongest defense.
StableChain is a new USDT-native L1, and drainer operators are already running fake claim and revoke pages that look identical. The 4-step trap, the JS that does the actual drain, and the 5-second verification that beats it.
Why scam texts bypass the email filters that catch them in your inbox. The 4-second psychology that gets you to tap before thinking. The 10-second check that beats every variant. Data from FBI IC3 + Proofpoint + FTC.
Apple is the #1 most-impersonated brand globally. The "Apple ID locked" email triggers a click before users think. 8 variants, URL patterns, and recovery steps if you entered your password.
Fake Netflix payment-failed email is in the top 5 most-reported phishing scams of 2026. 7 message variants, the URL patterns, and what to do if you entered card details.
PayPal is in the top 3 most-impersonated brands every year since 2018. The "verify your account" and "unusual activity" emails. 7 templates including the fake-invoice variant that passes DMARC.
One of the fastest-growing tech-support scams of 2026. Fake $399-$899 Geek Squad renewal triggers a call to a fake support number → remote access → bank drain via gift cards. 6 variants and recovery steps.
Leading international smishing scam of 2026. The $2.99 "customs fee" is bait — the real harvest is your card. 7 templates, why it works in Europe / GCC / India / SE Asia, and what to do if you paid.
One of the biggest crypto wallet drainer kits closed at end of May 2026. Here is who picks up its customers (Inferno, Angel, MS, Atomic), why drainers keep working in 2026, and 5 things to do this week.
A Permit2 signature is not a transaction. It does not cost gas. It does not move funds immediately. That is exactly why it is the most successful crypto wallet drainer of 2026.
SafeBrowz caught hyperliquid-eligibility.xyz in user traffic. The fake "eligibility checker" drains wallets the moment users connect. Pattern + how to verify a real Hyperliquid airdrop.
SafeBrowz Detection API is live. Pay-per-request URL safety scans on x402, settled in USDC on Solana or Base. $0.001 per call, no signup.
11 red flags that give away phishing sites, plus the browser checks most people miss.
Why "click this box to verify you're human" is now the #1 attack chain in 2026.
Microsoft is the #1 impersonated brand. Here's what a real Microsoft email actually looks like.
What's actually recoverable, what isn't, and how to move fast in the first 60 minutes.
Why the thing you thought you copied isn't what you pasted. And why your terminal is especially at risk.
The Ledger email scam family has been running for 3+ years. Here's how it actually works.