Your child’s first data breach may happen before they’ve even opened a bank account. Here’s how to keep their digital life safe.

When we talk about cybersecurity and digital safety in the context of our children, it’s often framed in one of two ways. Either it’s about inappropriate or unsafe content – of the sort that COPPA is meant to regulate in the US. Or it’s about managing the psychological and social impacts of excessive screen time. But there’s an elephant in the room.

Our kids are exposed to many of the same identity, privacy, and data security risks as their parents. In fact they may be even more at risk. Helping them understand how to protect their data and online accounts at an early age is an increasingly important parental responsibility.  

Why do people want my kids’ data?

Our children are digital natives. From an early age they might have logins to school accounts, gaming profiles, cloud photos, health records, and accounts with a variety of other apps. All of these contain potentially lucrative data for identity thieves.

Why is this information a popular target? Because from a fraud perspective it has a relatively long shelf life. That means, if it’s stolen and used by a scammer to open a new line of credit, it’s unlikely the victim would find out, until perhaps they apply for their first loan many years later. What’s more, it will have a pristine credit score, meaning the fraudulent application will likely sail through unchecked. Fraudsters might use it as is, or combine it with made-up information to create synthetic identities.

The emergence of AI tools has made it far easier to spin up these fake identities. They might be harder for companies to spot. But when they do finally flag fraud, the impact on your child’s credit history can be severe.

These are not theoretical risks. One report reveals the story of risk and compliance professional Renata Galvão, whose identity was stolen at the age of six and used to run up debt in excess of $400,000. It reportedly took her over two decades to clear her name and restore her credit rating. In another case, Axton Betz-Hamilton was 11 when her identity was stolen and used to rack up thousands of dollars in unpaid credit card bills. She only found out when applying to set up her first utility bill at college.

Current data is hard to come by, but the FTC claims that child identity theft increased by 40% between 2021 and 2024.

What could go wrong?

Children’s data is at risk in other ways. Kids might be digitally savvy enough to set up online accounts, but they’re not always security-smart. They may be more prone to fall for a phishing message; especially if it appears to be sent from a trusted authority or friend. Too-good-to-be-true offers, innocuous-looking quizzes and FOMO-type ads are all more likely to hit home if the target is a credulous 13-year-old rather than a skeptical adult. Kids are also more likely to unwittingly download malware onto their devices or share their passwords and personal info with their peers, compounding security risk.

But it’s not just our children who represent a potential weak link in the security chain. Research from the University of Southampton last year found that nearly half (45%) of parents regularly share information about their children online. Sharenting like this increases the risk of it falling into the hands of fraudsters. Around one-in-six children have already experienced at least one form of digital harm, including cyberbullying, privacy breaches, or identity misuse, the study claimed.

There’s also a growing risk that the edtech vendors, school platforms, gaming providers, smart toy makers, social media companies and other firms entrusted with your child’s data are themselves breached. The non-profit Identity Theft Resource Center (ITRC) tracked 3322 data breaches in the US last year – an all-time high and a 79% increase from five years ago. Nearly 279 million victims had their data exposed, with the healthcare and education sectors among the top five for breaches.

The proliferation of AI apps is also a privacy risk. Kids may use AI tools with no understanding that they’re actually sharing sensitive information which could end up in the wrong hands if the provider is breached.

Gaming accounts are another attractive target for fraudsters. They contain highly prized assets such as:

• Your credit card/financial information, for use in fraud
• Social graphs that can be used to spam/phish other kids in the same network
• Skins, which can be stolen and cashed out
• Private chats which may contain monetizable information

All of which creates a large potential surface for your child’s personal information to be exposed.

How to check if something’s gone wrong

There are several ways to check if your child has had their identity or personal information (including credentials) stolen. The following should all be red flags:

• Passwords that suddenly don’t work, indicating someone has accessed their account and changed the logins
• Missing skins, coins or other items in your child’s gaming account
• Notifications about account changes, logins or resets
• Purchases that you didn’t authorize
• Friends and contacts reporting strange activity or messages from your child’s account
• Your child is denied welfare benefits (because someone else is using their Social Security details)
• They are denied a student loan or bank account due to a poor credit rating
• Your child receives a government notice claiming unpaid taxes (because someone is using their details to register for new jobs)
• You receive phone calls or correspondence claiming overdue bills run up by your child

It’s a shared responsibility

In truth, there are multiple stakeholders involved in protecting your children’s identity data. Parents are the most obvious. But also your school, and the app developers and device makers they are often forced to share information with. No single party can manage and secure the entire data lifecycle.

So what can you do as a parent? Limit data sharing, securely configure account settings, and teach your child best practices.

Start with the data. Take a step back and consider whether it really is necessary to set up that new account, grant permissions to that school app, or “sharent” online. Data minimization is one of the core principles of the GDPR. The less personal information is out there, the lower the risk of it ending up in the wrong hands.

Next, for the accounts they do have, adjust the settings to minimize risk. That means long, strong and unique passwords for every account, stored in a family password manager. That will reduce the risk of brute-force attacks. Switch on multifactor authentication (MFA) where possible to mitigate phishing risks.

Review all the privacy settings on all their apps and social platforms to lock them down to the most secure version. That should mean location sharing/tracking is restricted or turned off. Restrict any in-app purchases so they require your approval. Keep all devices and apps updated so they’re less exposed to hacking attempts. And use in-app parental controls where available to monitor usage and minimize sensitive data sharing.

Apply for a credit freeze for your child’s identity with all three major credit bureaus. This will require some paperwork, but is worth it for the peace of mind that means no third party can apply for credit in their name.

Finally, it’s time to sit down with your kids and explain the importance of identity protection, what’s at stake, and how bad people can steal and use their data – including popular phishing tactics. Teach them the basics of good password management, and how to spot suspicious activity online. Above all, they should feel safe telling you anything.

Keeping your child’s identity safe should not be about restricting their digital world. It’s about giving them the confidence to traverse it safely – now and in the future.

Using chatbots for medical advice could elicit hallucinations and even expose you to security and privacy risks. Here’s what’s at stake and how to stay safe.

For better or worse, chatbots are changing the way we think, learn and perceive the world around us. This kind of disruption is manifest in many areas of life, but perhaps one of the most sensitive and often concerning is the growing use of generative AI (GenAI) tools for healthcare. Alongside a number of freely available AI chatbots, major technology companies have moved into consumer-facing health AI with the launches of services such as Copilot Health, ChatGPT Health, and Amazon’s HealthAI that models help users interpret their medical records and ask questions about their symptoms, lab results and treatment options.

But there are risks to expecting an AI tool to take on the role of your physician. Also, the risk is not only that users receive the wrong advice, but that they may share deeply sensitive personal information with systems whose privacy protections, data-sharing practices and legal obligations may differ from those of a doctor or hospital, as well as that their data may be exposed to unexpected entities. Misuse of AI chatbots in general is now the number one health technology hazard out there, according to one US patient safety organization.

From theory to practice

The reason why the model-builders are launching in this space is obvious: chatbots have become a hugely popular way to search for medical advice. According to Microsoft, people talk about their health and the health of their loved ones more than any other topic on their mobile devices. Chatbots are there 24/7 with an answer for everything, dispensed in a confident tone that helps to put nervous patients at their ease.

At a time when national healthcare systems are under growing strain, many individuals would probably self-diagnose with the help of AI before deciding whether to seek medical attention. The time, effort and potential cost of entering the labyrinthine health system rather than triaging at home makes this a popular way of doing things.

Yet concerns are already emerging. The first is of hallucinations or incorrect advice. An Oxford University study from February published in Nature Medicine found:

• Users often didn’t know what information they should share with the LLM
• LLMs provided very different answers, even if the questions posed to them varied only slightly
• Models often provided both good and bad advice, but users struggled to distinguish between the two

“Despite all the hype, AI just isn’t ready to take on the role of the physician,” warned the study’s lead medical practitioner, Dr Rebecca Payne. “Patients need to be aware that asking a large language model about their symptoms can be dangerous, giving wrong diagnoses and failing to recognize when urgent help is needed.”

Uncovering the privacy risks

There are also non-health related risks which should encourage individuals to pause for thought. The most obvious is that sharing sensitive medical information with a publicly available chatbot may mean that data is used to train the model and therefore gets regurgitated out to others. Even unintentionally, models have been known to accidentally expose data typed in by their users.

Some providers may use data to improve their models unless users opt out, while others make stronger promises not to use health-related information for training. Either way, everybody should know what kind of service they’re dealing with before uploading anything sensitive. Your health data is not like a stolen credit card that can be frozen while the details are replaced and reissued. It’s yours for life, and once shared with an AI tool, it may become a permanent digital record.

On the other hand, most of the main health-focused chatbots promise not to use this data for training purposes. Still, training is only one part of the privacy picture, and the services may not make the same promises about third-party data sharing. Your personal medical information may up in the hands of a data aggregator, a third party that sits between the model provider and your healthcare provider. It might also be shared with advertisers, either directly or via one of these aggregators, although it will usually be anonymized prior to use. Even so, people should be cautious: health data is unusually sensitive, and anonymization doesn’t always remove every risk.

When breach risk multiplies

The problem with sensitive data traversing so many organizations is that there’s a greater chance it could be exposed to digital thieves and fraudsters. US lawmakers claim to have identified $21 billion in losses tied to a handful of breaches at data broker firms. Health data is highly monetizable by fraudsters for several reasons:

• It retains its value for long periods of time, as it can’t usually be replaced or reissued
• It could include insurance information with which to submit fake claims or receive medical services in your name
• It could be used to blackmail you

The more companies that hold this data, the more opportunities there are for hackers to compromise them and steal it. The challenge is that most healthcare AI tools are not regulated by HIPAA as they are classed as consumer rather than enterprise-grade services. That means the providers may not be subject to the kind of strict data protection rules you would normally expect.

Advice for patients

So how can you minimize your exposure to the risks of healthcare GenAI? If you are concerned about a medical condition, avoid general-purpose bots and look instead for ones specially designed for answering health-related questions. Review whether the service explains how it handles your data, whether it uses your prompts for training, whether it shares information with third parties, and whether it is covered by HIPAA or an equivalent privacy regime in your country.

Don’t blindly trust the output unless there are citation links to verify it. And even then, don’t take its answers as gospel: always check with a medical professional, and/or an official website (e.g., NHS, MedlinePlus).

To protect your privacy, consider the following:

• Never share/upload medical documents, lab results or other sensitive documents with an AI tool unless you understand how the tool handles that data.
• Avoid entering names, addresses, insurance details, patient numbers or other identifiers.
• Ensure training and chat-history features are switched off.
• Share only the minimum information needed for the task.
• Assume everything you type in could be retained or exposed, and adjust your prompts accordingly.

Ultimately, AI chatbots may be useful for brainstorming questions about a specific condition to ask your doctor, or for explaining a medical term you’re not familiar with. But there’s a big difference between using AI to prepare for care and using it as a substitute for care. Don’t treat a confident answer as a diagnosis, and don’t ignore urgent symptoms because a machine sounded reassuring.

The malware pairs remote access capabilities with ready-made campaign tools, lowering the barrier for full device compromise

Our recent review of threat detections in Brazil surfaced BTMOB, an Android remote access trojan (RAT) that is less notable for detection volume than for the damage it can wreak. The combination of phishing-led delivery, ready-made app-building tooling and device takeover capabilities makes BTMOB a threat to watch well beyond Brazil or Latin America.

BTMOB at a glance

First described in February 2025, BTMOB has evolved from the SpySolr malware. Unlike banking trojans, which “only” aim to steal people’s financial credentials or intercept their financial transactions, BTMOB gives adversaries broader options: exfiltrate a range of sensitive data, capture screenshots and record activity on the device, and ultimately take remote control of it. The RAT is also sold with an APK builder interface, allowing anyone to generate new payloads and adapt phishing lures for specific regions at a rapid clip – and without writing any code.

How does BTMOB spread?

Unsurprisingly, everything starts with ordinary social engineering. Operators send victims to phishing websites that pose as streaming services, cryptocurrency mining platforms or other familiar online services. From there, victims are pushed toward fake app stores that mimic legitimate repositories and prompt them to install a malicious APK. Bad actors have also been spotted tailoring their lures to specific regions.

Once installed, BTMOB seeks extensive access to the device. As is common these days, it abuses Android Accessibility Services to gain elevated permissions and grant itself further system access without additional user interaction.

Since it’s built for the malware-as-a-service (MaaS) economy, BTMOB is marketed as a software product, including through a promotional page on the open web that funnels prospective buyers to a Telegram operator. The sales pipeline extends across social media platforms, with a number of accounts on X and Instagram actively peddling the tool. 

Once someone purchases the malicious kit, they can adapt its features, including the phishing lures so they impersonate the brand or agency most likely to lure victims in any given country. For example, researchers Johnk3r and Merl recently spotted campaigns that spread BTMOB while impersonating Argentina’s tax and customs authorities.

Market dynamics and detection challenges

Even where developers initially restrict the tool to paying customers, the economics remain favorable for attackers. A reported $5,000 lifetime license plus a monthly support fee is low compared with the returns a successful fraud operation can generate.

In addition, the MaaS model also lowers the barrier for less sophisticated adversaries. In January 2026, a dark web forum claimed to offer BTMOB-related files for free download. The forum later went offline, and our search didn’t recover the payload(s), but the episode points to a familiar risk with commercial malware: access rarely stays contained forever and the tool can move into secondary markets through resale, barter or sharing inside closed groups. Competing malware families can also copy some elements that make payload customization and campaign management easier for less skilled criminals.

As new variants can be generated quickly, defenders should expect rapid payload turnover rather than a stable set of threats. ESET products detect the primary tool as MSIL/BtmobRat, while related Android variants trigger detections such as Android/Spy.Agent.EED, Android/Spy.Agent.EIJ and Android/Spy.Agent.EIK. Cyble’s report from February 2025 noted that roughly 15 samples of BTMOB v2.5 had been spotted since late January of that year, i.e., in a mere two or so weeks.

How to protect yourself

A few basic tips will go a long way toward staying safe from BTMOB and other Android malware:

• Stick to the official app store: Attackers rely on fake app stores that mimic Google Play. Organizations should mandate that users download software exclusively from official repositories.
• Treat links with suspicion: Be skeptical of unsolicited links delivered via email, messaging apps, social media, and targeted advertisements.
• Use security software: Both individuals and organizations should use mobile security solutions and treat mobile devices with the same rigor as other machines and environments. Corporate security teams must make it clear to employees that a single rogue download could exposes the company’s crown jewels.

Indicators of compromise

Because BTMOB ‘mutates’ quickly, many indicators may age rapidly. Nevertheless, specific infrastructure patterns often recur across different samples and aid in triage. 

IP addresses

74.125.202.103	142.251.183.138	173.194.193.138	173.194.206.106
178.156.177.192	191.101.131.250	195.160.221.203	104.21.64.137
173.194.194.94	191.96.224.87	191.96.225.241	191.96.78.172
191.96.78.28	191.96.79.133	191.96.79.179	191.96.79.41
192.178.209.95	200.9.155.153	74.125.132.95	78.135.93.123
79.133.57.141	arbsniper.com

Hashes – SHA256

ESET detection names

Watch out for bogus World Cup websites that mimic official ticket and merchandise flows to steal money and personal data

As the FIFA World Cup 2026 in the United States, Canada, and Mexico draws closer, anticipation is building toward fever pitch. Many soccer fans may still be hunting for tickets, merchandise, travel and hospitality packages – and scammers know exactly how to exploit this demand. In other words, many people are already in the state of mind that scammers count on: interested, impatient and, indeed, maybe a little worried that the tickets or other goods will sell out. Which is ultimately what makes these scams so effective.

ESET researchers in Latin America recently spotted a number of websites that are built for this very moment. Posing as the FIFA association or the official World Cup website, the imposter sites target people looking for tickets and merchandise, then steer them through fake registration and payment flows that steal their money and personal data. The series of steps is often actually the same as on the genuine World Cup website: register, add tickets for a game, jerseys or other merchandise to the cart, and pay.

Some victims may reach these websites through sponsored search results, while others click on ads on social media or links in email messages forwarded by someone who didn’t check the address properly. Whatever the scenario, here’s what you should know about fake FIFA- and World Cup-themed websites – and how to avoid scoring an ‘own goal.’

First sample

One of the fake sites, hosted at https://***fifa26[.]shop, uses a domain that looks close enough to FIFA and the 2026 World Cup to catch a hurried visitor. Indeed, many sites set up in the run-up to major events will rely on a common trick known as typosquatting, which involves on a domain name that closely resembles the legitimate one, but contains small additions or involves other changes in the domain name that the victim often won’t notice.

The trickery doesn’t stop there, however. The site also copies the look and feel of FIFA’s official site, including the colors, layout, navigation and ticketing flow, all in order to make the victim feel that the experience is legitimate.

And here, for comparison, is the legitimate website:

But back to the fake website – here’s what happens if you want to “purchase” tickets or merchandise. Much like the official FIFA site, the imposter site also asks you to register. If you expect to create a FIFA ID before buying tickets, a fake registration form may not look strange at first. It also asks for the usual things such as your name, email address, and phone number. Nothing about that feels unusual if you believe you are on FIFA’s official website.

Meanwhile, Figure 5 shows the registration step on the official website.

The bogus website also offers what appears to be official merchandise. The point is to keep you inside a familiar shopping routine long enough for the payment page to feel like the next expected step.

It allows you to select any product and add it to the shopping cart:

Once you enter your card details, it goes straight to the people behind the fake site – and there’s no jersey coming from FIFA, of course.

The ticket flow works the same way. After registration, the bogus site lets you select supposed World Cup matches, move toward checkout, and reach a payment page. 

You can choose the desired match, in any stage of the tournament:

And then, it leads to the shopping cart. Once entered into the form, your payments details would travel into the hands of the cybercriminal behind the bogus site. 

The obvious loss is money, but the quieter loss is financial and identity data. A full name, email address, phone number and reused password can be misused by attackers beyond any single fraudulent website. If the same password opens your email or social media account, the fake FIFA registration can become the first step in another, and quite possibly even more damaging, attack. 

Four more sites riffing on the same theme

Another fake site, https://****26-fifa[.]com, follows the same pattern. The domain is World Cup-themed, the site uses FIFA’s visuals, and the visitor is pushed toward registration before being offered purported tickets and merchandise.

The fake World Cup websites in general, including the menu tabs and other visual cues, are designed to look as closely as possible the official one. The top-level domain names matter, too – a .shop or .store domain may make a fake website feel like a retail offshoot, especially when the rest of the URL address contains “fifa” and everything about the site looks polished.

Tactics for staying safe

Crucially, FIFA has made it clear that World Cup tickets can only be bought via three official channels – fifa.com/tickets, fifa.com/hospitality, and special Qatar Airways travel packages (which may actually be sold out by now). It follows then that you’re best off steering clear of various third-party sellers or social media listings.

• Go to FIFA’s official website directly. Type the address yourself; i.e., start from FIFA.com or FIFA’s ticketing portal, not from an ad, a social media post or a link someone has sent to you.
• Look closely at the domain name before entering any information. Extra characters, words, odd endings and near-matches could be the only visible clue that the site is not what it claims to be.
• Be careful with offers built around pressure: “limited tickets,” “VIP access,” “discounts,” “last chance,” or anything that rushes you into action and makes checking feel like a delay you can’t afford.
• Avoid reusing passwords. If a fake registration page steals a password that you also use for your email, social media or banking account, the problem could follow you way beyond the fake site.
• And don’t let a checkout flow reassure you. A working cart and a payment form don’t prove that the seller is legitimate.
• Protect all your accounts with strong, unique passwords and two-factor authentication, as well as use security software on all your devices.

The countdown to the World Cup gives criminals a ready-made audience: countless people hunting for tickets, merchandise and various last-minute opportunities. The fake FIFA sites show how that demand is being turned into a phishing flow, one familiar click at a time. Stay safe!

The Trump administration’s shift in tone and approach toward traditional allies has understandably unsettled many nations, raising doubts about U.S. reliability and concerns over dependence on American technology. Many had become used to China and Russia’s often belligerent tone, flexing their economic and military muscles, but watching the world’s most powerful nation and flag bearer of liberal democracy reach for similar tactics against its friends has certainly been a wake-up call. 

Europe’s push for tech sovereignty 

In Europe, calls for greater tech sovereignty – the ability to choose and act independently, autonomously, and securely – have become almost deafening. The often rather philosophical debates about strategic autonomy or sovereignty have been ongoing within deliberations on defense and energy for several years now, most prominently following Russia’s full-scale invasion of Ukraine in February 2022. However, concern about an over-reliance on China as a market, a source of goods and a supplier of critical minerals had been bubbling away years before that.

In the last year or so, this concept has visibly seeped into a whole spectrum of industrial and economic policies, digital technologies notwithstanding. Conceptual policy ideas and approaches started to take the form of specific policy proposals and initiatives, currently culminating in a line of legislative measures being put on the table. However, reducing dependencies layered over decades will not be easy. Alternative sources of critical technologies and materials will need to be found or, ideally, developed locally, which requires a complex approach cultivating the right ecosystem more conducive to technological innovation in Europe. At a minimum, it has to facilitate digital infrastructure investments, retain and attract needed talent and nurture home-grown tech companies while giving them space to scale.

US firms dominate the tech space, with profits from their international business arguably helping cement their dominance, often through investment in R&D, healthy marketing budgets, and acquisition – including of talent and emerging start-ups from around the globe, Europe not being the exemption.  And it makes sound business sense for them to do so. Additionally, when it comes to tech, early movers with large investment often stay first, which presents Europe with a two-fold challenge – unleashing the competitiveness on its market without reinforcing the position of established leaders.

In this context, the US has also been quick to robustly defend its tech industry in other nations, particularly against what it views as attempts to overregulate and/or seek to narrow the trade surplus in services that the US generally enjoys. Countries or bodies like the European Union taking a leaf out of the assertive US goods trade playbook and turning it against the US in services is not appreciated in D.C and US ringfencing remains.

The technology landscape is becoming increasingly political, and US technology firms are certainly not immune to growing domestic political pressures. For example, a Microsoft representative acknowledged under oath in a French Senate inquiry that the company could not guarantee full digital sovereignty if US authorities requested access to data stored on Microsoft servers abroad, as permitted under the US CLOUD Act. It has also been reported that Microsoft cancelled services to the International Criminal Court’s chief prosecutor following the decision to open an investigation into actions by Israeli officials in Gaza, to comply with US sanctions. Rumours of backdoors for intelligence agencies (who work with tech firms) and kill switches add to the concern.

Assessing risks 

But of course, it is not just the US that uses trade as a geopolitical lever. Every continent (including Europe) has countries willing or inclined to use such methods, making it essential to factor in the political risk of alternatives. Over the last year in the EU, several groups of countries have coalesced around more or less political approaches to tech sovereignty. The emphasis on operational, technical and legal control over the technology is seemingly presented as being at odds with focusing primarily on the country or origin or geographical location of the infrastructure. On the other hand, the fears of a potential kill switch being used against Europe in a confrontation further fuel the political considerations of digital sovereignty, potentially impacting the quality of evidence-based policy debate rooted in legal and technical realities.

A further challenge arises from the differing cultural and regulatory approaches to technology governance. Despite America First, the US generally prioritizes market openness and international competitiveness, whereas the EU places stronger emphasis on consumer protection, public safety, competition enforcement and now digital sovereignty. Some worry that by accepting US tech, they are forced to accept a US approach that is at odds with their own values. Digital sovereignty is gaining traction beyond political and policy circles – with civil society groups, as well as nationalist narratives, precisely because it appears conducive to enforcing a European digital rulebook providing the usual safeguards on the market. Proponents of digital sovereignty therefore tend to stress the legal jurisdiction under which the tech operates. This bears the risk of hijacking the debate and getting carried away on an ideological wave to the detriment of the European innovation ecosystem. Without maintaining reasonable openness, home-grown technologies will struggle to thrive.

Political weaponization of tech is not the only concern. The CrowdStrike outage in 2024 affected several large businesses, including those in the important aviation sector. IT systems can fail and be vulnerable to attacks. Certainly, there seems to be a steady flow of vulnerabilities that can be exploited, including zero-days. This is where the EU’s enhanced focus on ICT supply chain security comes into foreground complementing the initiatives specifically aimed at tech sovereignty. The proposed framework for identifying high-risk vendors in ICT supply chains under the revised Cybersecurity Act aims to provide a comprehensive methodology merging political, legal and technical considerations for excluding high-risk suppliers. This approach aims to increase European control and jurisdiction over critical supply chains, as well as potentially create space for the growth of European alternatives replacing excluded vendors.

In response to growing demands for national tech sovereignty and protection of local competitiveness in various regions around the world, several US tech firms have begun offering “sovereign” solutions tailored to foreign jurisdictions. While these initiatives, such as those in Europe, are intended to address concerns over data governance and operational autonomy, some analysts note that such models may still rely heavily on US-based infrastructure, legal frameworks, and corporate oversight. Critics, including many Members of the European Parliament, call this “tech sovereignty washing”. Similar questions hang over certain domestic providers that market their services as sovereign solutions, yet continue to depend on US origin technology at the core of their platforms, creating uncertainty about the extent to which these offerings can genuinely deliver independent control. 

While criticism is currently focused on the US (and China), we should also recognize that relationships between nations can shift over time. Membership in the same grouping, whether the EU, ASEAN, the African Union, or others, does not guarantee that one member might not use technological leverage against another during a dispute. Political leadership and policy priorities can change rapidly, and with them, the dynamics of trust and cooperation. Some may point to legal frameworks or contracts as reassurance, but arguably these matter little when nation states decide to use their own legal sway over their companies and those that want to operate in their market. The challenge for policymakers is to translate supportive words and sentiment on securing greater tech sovereignty and digital independence into meaningful action.

Trusted cyber defenses made in Europe 

In cybersecurity, there are credible alternatives available – ESET is one strong example, though certainly not the only one. Many European firms are working hard to compete globally. Ultimately, organizations need to understand and reduce their exposure risks, adopting trusted solutions that are tailored to each case and that ensure strong compliance with strict data protection frameworks, such as the GDPR. 

Across the EU, there is also a growing discussion about adapting public procurement processes and public funding schemes to favor such alternatives. Increasing the awarding of public contracts (rather than grants) could be an effective way to stimulate business growth while reducing costs for taxpayers. Switching providers should also be made easier through greater and built-in interoperability, mitigating “technical lock-ins” and easing switching costs. The European Cybersecurity Organisation (ECSO) has advocated for a dedicated industrial strategy for cybersecurity, given its strategic importance. We await the details of the European Commission’s “Tech Sovereignty Package” due at the end of May, as well as the potential revision of public procurement rules under the Public Procurement Act to see tangible, realistic and hopefully practical measures aimed at nurturing and scaling European alternatives. 

Primarily, it is critical to strike the right balance between fluid political and objective technical considerations when setting out criteria defining a “made in Europe” solutions. Sovereignty should not be reduced to the geographical origin of a provider. Greater weight should be placed on objective indicators of how a solution delivers operational autonomy and legal insulation from non-EU jurisdictions. Finally, given the complexity of the challenge and the vastness of the gap that the EU aims to close, it is also necessary to be realistic about timelines and certain specific types of technologies where achieving sovereignty is unlikely for Europe in a short or even medium term. In such cases, a reasonable share of EU-made components in the final product should be a sufficient step towards incrementally increasing domestic capacity. This could be coupled with the assessment of critical functions of a product which should be based (or at least majority of them) on EU-made technology.

The private sector also has a vital role to play by considering technological sovereignty, geopolitical risk and supply chain vulnerabilities within its procurement decisions. If the private sector also aligns itself to the cause, the take-up of alternatives and stimulus would be widely felt. One risk, however, is that support becomes concentrated on just one or two national/regional firms – a mistake that could undermine the sector. Healthy competition drives lower prices, greater innovation, and reduces strategic vulnerability should any single company fail or encounter difficulties. 

The geopolitical landscape has shifted significantly. A complete decoupling from US technology is neither realistic nor necessary, but the changing environment does require nations and companies to reassess their relationships and dependencies. Risks that were barely considered only a few years ago must now be recognized, understood, mainstreamed and actively mitigated. 

Conflict is a boon for opportunistic fraudsters. Look out for their ploys.

It didn’t take long for tensions in the Middle East to spill over into the cyber domain. There’s been significant disruption of a major US medtech provider, the compromise of OT assets in US critical infrastructure, and ongoing ransomware attacks on businesses by Iran-nexus groups. But what about regular internet users? The truth is that geopolitical tension and conflict offers potentially rich pickings for opportunistic online scammers.

Fraudsters know that these events are a great way to grab the attention of potential victims, and exploit their fear and sympathy in equal measure. The backdrop of geopolitical turmoil, whether it’s Ukraine or Iran, adds weight to the stories they spin in order to achieve their goals.

What scams prosper in times of turmoil?

Whatever tactics they choose, the end goal is usually the same: to harvest your credentials and/or personal and financial data. Or to trick you directly into making payments to non-existent entities. These are not novel techniques. They’re tried and tested and could come via email, text, social media or phone call. What’s different is the lure; specially crafted for timeliness and maximum impact.

Watch out for the following scams:

Fraudulent charges

You receive a call or text from a bank or trusted company informing you of non-existent charges related to “Iran” on your account. According to the FTC, you might then be put on to a government official who convinces you to hand over your bank account details.

Romance fraud

Romantic-themed scams are a big money-maker for fraudsters. According to the FBI, they generated over $929m in illegal profits last year. In this new take, a romantic contact you met online may claim to be a soldier deployed to the Middle East, who now needs cash to deal with an emergency.

Fake charities

Geopolitical turmoil often leads to human misery, which tends to pull at the heart strings. Legitimate charities may solicit donations to help their efforts to support innocent citizens caught in the crossfire. Scammers know this and will create their own fake charities – or impersonate legitimate ones – to collect donations. They may have professional-looking websites designed to add weight to their requests. Be in no doubt though, if you fall for these scams you’ll end up handing them your money, your card details, or both.

Travel scams

Military conflict can often result in sudden flight cancellations, border checks and other travel-related disruption. Scammers can take advantage of this by impersonating airlines and government agencies. They might offer streamlined visa processing or refunds on booked flights and accommodation. But all they’re after is your personal and financial details.

Investment fraud

Investment scams raked in more money than any other type of cybercrime last year: over $8.6 billion, according to the FBI. Sure enough, scammers can take advantage of geopolitics to further their goals here, perhaps by claiming to offer guaranteed returns as a hedge against inflation or market instability.

Sensational (fake) news

Political and social unrest usually generates a great deal of click-worthy content. The problem is that some of it is complete fake. Scammers use sensationalist ‘leaked videos’ and ‘breaking news’ stories to lure you into clicking on malicious links. The most likely end result is getting an infostealer on your phone or computers. This category of malware is designed to harvest passwords, record keystrokes and even steal session cookies to bypass multi-factor authentication (MFA) on your accounts.

Advance fee fraud/419 scams

This is perhaps one of the oldest scams in the book. You receive a message out of the blue from someone you’ve never met. They’ll proceed with a fantastical story about how they will let you share in their riches if you can only pay a small fee upfront for some kind of admin. This template is already being repurposed for the current conflict in the Middle East.

How to spot scams like this

Thanks to generative AI tools, it’s easier than ever for scammers to create highly convincing written content, videos and websites to further their goals. But there are some tell-tale signs that will keep you safe. Look out for:

• Offers of large sums of money that are too good to be true
• Unsolicited contact via email, SMS, messaging app, phone call or social media
• Requests for personal and financial information
• Attempts to force you into making a decision in the scammer’s favor, either by ramping up urgency or appealing to your emotional side

Responding to conflict-fueled scams

With the above in mind, it should be easier to spot the warning signs that something doesn’t quite look or sound right. A good rule of thumb is never to click on links or open attachments in unsolicited messages, even if they look convincing and appear as if sent from a trusted source. If you really want to know if it’s a genuine message or not, check independently with the sender; i.e., don’t reply directly or use contact details in the message itself. Or if it’s a news story, go direct to your favored news outlet.

Be cautious of social media accounts, especially those that appear to be customer service accounts for airlines and the like. These are easier than you’d think to set up and platform providers are always a step behind in taking them down. And it goes without saying that you should never hand over sensitive information over the phone.

The next bit of advice may be the most difficult. But try to suppress your instinct to react to emotional pleas from ‘charities’ or urgent requests for you to act. The reason fraudsters use these techniques is because they work. They’re designed to turn our humanity against us.

As an extra layer of defense, ensure all your computers and devices are protected with anti-malware, including anti-phishing capabilities from a trusted vendor. That should help to filter out the majority of the scams. The rest is down to you.

According to a new report from the The Global Initiative Against Transnational Organized Crime, “fraud is a crime that is not only economically driven, but politically shaped.” This is unlikely to change anytime soon. But it doesn’t have to be you that ends up a victim.

Smart glasses allow anyone to track and record the world around them. That could put your data and the privacy of those nearby at risk.

Fashion and many other trends have a way of reappearing every few years. So we probably shouldn’t be surprised that smart glasses are doing the rounds once more, after a failed attempt by Google to popularize them over a decade ago. The difference this time round is that they’re not just more stylish – and arguably harder to tell from regular shades. They’re also packed with far more powerful technology, capable of tracking and recording their surroundings, and allowing the user to ask AI about the things they can see around them.

This presents significant security and privacy risks for both smart glasses users and the people they interact with.

What are the privacy risks?

Anyone who’s ever lived in a city will be used to being monitored. Germany and the UK have among the highest number of CCTV cameras in the world. But when that monitoring is targeted and not based around informed consent, it can quickly get out of hand. Smart glasses give anyone the ability to record or take photos of strangers surreptitiously. Although they feature a small LED light, this can be covered up, and in any case may be difficult for bystanders to spot.

But that’s not all. Harvard University researchers have demonstrated how video taken via smart glasses and livestreamed to Instagram can be connected to AI. Algorithms then work to identify faces and then pull information from the internet on those individuals. Suddenly that cool accessory becomes a powerful, portable surveillance device capable of empowering stalkers, bullies and fraudsters.

The bad news is that Meta may be looking to streamline the process with a controversial Name Tag feature. The social media giant has also come under scrutiny from regulators recently after reports revealed that some outsourced workers in Kenya were able to view highly sensitive images as part of their job to monitor users’ interaction with its AI platform. Even if users don’t have data monitored in this way, it might still be used to train AI models, according to an updated Meta privacy policy. And any voice recordings made after the “Hey Meta” wake word will be stored (along with transcripts) for up to a year by default.

When privacy risk becomes a security problem

This isn’t just about privacy. Any sensitive information shared with a public AI platform via a pair of smart glasses could theoretically be regurgitated to other users if prompted in the right way. That’s a potential security risk if they choose to use the information fraudulently. And then there are those outsourced workers and contractors who may stumble across information harvested by glasses, which they might decide to sell to scammers.

Information you might accidentally send to the cloud/AI model could include:

• Card PINs that you type in at the ATM or in–store payment terminals
• Passwords typed in at your desk or on your phone which could be used to hijack accounts
• Bank statements or bills with full details that could be used to impersonate you

There’s also a risk of nefarious smart glasses users shoulder surfing behind you in public, in order to steal PINs, passwords and other secrets. Combined with facial recognition technology, this data extraction may allow them to build up a sizeable digital profile on their targets. With enough detail they could either launch convincing phishing attacks, hijack your accounts or impersonate you in new account creation attempts.

Hacking the smart glasses ecosystem

Like any smart device, glasses could also be hacked more conventionally, by:

• Exploiting the operating system/firmware
• Hijacking connected apps/smartphones
• Intercepting traffic/inject malicious content via fake Wi–Fi hotspots
• Social engineering, such as sending a malicious QR code to scan
• Malicious lookalike smart glasses apps

These attack vectors could in turn enable bad actors to hijack your device for direct data theft, account takeover, or surveillance that could put you in physical danger.

How to manage smart glasses risks

Whether you are wearing them or being observed by someone else, there are a few steps you can take to mitigate the risks we’ve outlined above:

For wearers:

• Keep your firmware and software (apps) updated to minimize the risk of hackers compromising the device
• Only download companion apps from trusted sources and check permissions before doing so
• Use multi–factor authentication (MFA) and strong, unique passwords for your smart glasses apps and smartphone to minimize the risk of them being hijacked by hackers
• Use strong PINs or biometrics to unlock your smart glasses and switch off pairing mode if not using
• Never connect to public Wi–Fi hotspots unless you also use a virtual private network (VPN), as some public networks may be insecure or may even be rogue access points set up by hackers
• Disable AI training/human review if possible to prevent leakage of recordings to the cloud and potential access by contractors
• Keep your glasses in a case when not in use to minimize the risk of them accidentally capturing sensitive images or information
• Regularly audit and delete any unwanted recordings stored in the companion app, to minimize risk exposure
• Don’t be distracted by AR overlays. It might put you in physical danger if you lose track of your surroundings

For bystanders:

• Keep your eyes peeled for anyone wearing smart glasses. Look for the LED light on the frame; it will pulse if recording video or flash once when taking a photo
• Be mindful of shoulder surfing in crowded public spaces (e.g., on transport) or at ATMs
• Challenge wearers if you feel uncomfortable
• If you feel uneasy about usage in a business setting (e.g., a gym or high–street store) ask the wearer to remove their glasses or report it to management

Meta isn’t the only tech giant rolling out smart glasses. Google, Apple, Amazon and a host of Chinese players are said to be developing similar products. Unfortunately, many prioritize competitive advantage over users’ rights. Keep a close eye on developments to ensure your security and privacy don’t suffer as a result.

How come it’s still possible to ‘secure’ an online account with a six-digit string?

The most-used password globally is exactly what you think it is: ‘123456.’ That’s according to NordPass’s latest annual report on passwords exposed in data breaches globally. Other all-too-predictable choices, such as ‘123456789’, ‘12345678’, ‘12345’ and ‘admin’, also prove to have staying power year after year.

My first instinct is to dismiss this as scaremongering fodder, especially given that poor password hygiene was also part of a community engagement session I presented at the recent RSAC conference, Let’s Rant: 4 Things That Need to Change in Cybersecurity.

But since today is World Password Day, I had to put this to the test: Can I still find a reasonably mainstream website that allows me to create an account using ‘123456’ as the password? Unfortunately, the answer is yes.

There are popular sites, such as ‘evite’, that still allow this exact six-digit string to be used as a password. You may dismiss it as just an e-invite service, until you realize that you’re sharing personal data on your invitations and potentially manage the responses of all your invitees through an account that is not secure. The shocking part of this very crude test is the finding that Evite was subject to a data breach in 2019 that affected the personal information of over 100 million people. The company should probably know better than to allow its users to have such weak passwords.

The situation isn’t drastically better on even more popular services. When I attempted to create a new account on Facebook, the platform did mandate an additional level of password complexity. But still, a string as simple as ‘1234567!’ turned out to be a permitted password. X offered a similar experience.

Now, Facebook, for example, does offer some advice, such as: “avoid using common words such as ‘password’’ and “If your password isn’t strong enough, mix uppercase and lowercase letters. Make it more complex by using a longer phrase or series of words that you can remember but others won’t know.” Yet, it permits ‘1234567!’ to be used, no letters, just a sequential pattern with a simple exclamation mark at the end, all easily guessable, especially by automated scripts that test accounts en masse for commonly used patterns and strings.

Meanwhile, Collins Dictionary, which is home to far less sensitive content, forced me to create an eight-character password containing at least three of the following – lower case (a-z), upper case (A-Z), numbers (i.e. 0-9) and special characters (e.g. !@#$%^&*).

NordPass’s data suggests that there are many more sites that set limited password policies and allow trivial passwords like ‘123456’. However, I think there may also be elements of legacy in the method used to calculate the most common passwords. For example, if a company has existed for 10 years and never deleted any dormant user accounts, then a breach would include outdated dormant account information, some of which may be from before any password policy was enforced. The motivation behind publishing headline-snatching data is also clear: the vendors that create the news story are set to potentially benefit as they provide password management software for a subscription.

Breaking the cycle

Now, how do we resolve this never-ending loop of negativity about passwords, along with the ridiculous situation that platforms still permit non-secure passwords?

I do not support the idea of legislators needing to mollycoddle citizens, but in this instance I think it’s time for lawmakers to step up to the mark and put a stop to the pattern of companies not implementing stringent authentication policies and allowing consumers to take the easy option. There is widespread privacy legislation stating that companies need to secure our personal data if they store it, using appropriate reasonable cybersecurity measures. A core part of these measures is the use of strong, complex passwords and multi-factor authentication (MFA), as required by any self-respecting cybersecurity framework. Yet, in many instances there are no cybersecurity requirements on authentication for customer-facing services.

On the other hand, some industries have been forced to update to modern authentication methods. In the finance industry, for example, there are several regulations, such as the Payment Services Directive 2 (PSD2), that mandate MFA for electronic payments and access to payment accounts online.

Legislation should extend to all industries: simply enforce MFA for all accounts created online regardless of the service being accessed, ditch the outdated use of passwords, and move to more appropriate security for today’s internet.

The potential hurdle to mandating this approach is the barrier to entry for people creating accounts. Companies reliant on advertising or the collection (and sale) of personal data for revenue will lobby significantly against the move, and companies with big budgets will be very demanding that nothing steps in the way of profit, especially something like securing customer accounts by requiring a complex password and/or MFA.

For most of my 30-plus-year career in the cybersecurity industry, the issue of weak passwords has been a staple message pushed out every day, at many events, and on a specially nominated day. There is a simple and effective way to resolve it: mandate complex passwords or, better yet, MFA. Can we please stop the conversation about ‘weak passwords’, once and for all?

Ignoring a real breach notification invites risk, but falling for a bogus one could be even worse. Stop reacting on autopilot.

Receiving a data breach notice may have once been a rare event. With data breaches hitting record numbers, however, these notifications are no longer as surprising as they once were. In the US alone, there were 3,322 such breaches reported last year, resulting in nearly 280 million notices being emailed to victims. In Europe, daily incidents grew by 22% annually in 2025 to reach 443 on average per day.

This represents a growing opportunity for fraudsters. They know that many people may be on the lookout for these notifications. And when they receive one, they may be more predisposed to follow the advice contained in it.

To be clear: real breaches happen every day, and ignoring a legitimate notice could be as dangerous as clicking a fake one. The goal is to stop reacting on autopilot and being able to tell a genuine alert from a fake one. Take a minute to familiarize yourself with data breach-themed scams, and you’ll be better prepared the next time one lands in your inbox.

What do fake breach notification scams look like?

There are two basic tactics at play here. Either:

1. The scammers wait for a real breach, and piggyback on the news to send out a fake notification. In this scenario, the victims are more likely to believe the scam as they’ll be expecting a notification
2. The fraudsters invent a breach and a fake notification providing details of the non-existent event. It’s most likely to be spoofed as if sent from a well-known and popular brand, in order to make it both relevant to the recipient and likely to be trusted. However, scammers could also impersonate the victim’s IT department at work

In both cases, scammers are increasingly using phishing kits and AI tools to automate and enhance the creation of fake notifications. AI is particularly good at crafting lookalike lures in perfect local languages, copying the wording and tone of real notices. Relevant branding and logos will also be included to add further legitimacy. All of this can be done in minutes, meaning fake notifications can be emailed out rapidly at scale after an incident.

The end goal may be to trick you into clicking on a malicious link or opening a malicious attachment, which might trigger installation of infostealing malware, for example. Or it could be a pretext to get hold of your personal and financial information and/or passwords.

Spotting the red flags

Fake breach notifications should be easy to spot if you know what to look out for. Consider the following tell-tale signs:

• Immediate action required: Scammers will use classic social engineering techniques to trick you into handing over your personal information (like Social Security number) or clicking on a malicious link. Often, this involves creating a sense of urgency to rush you into acting – e.g., by saying your data is at risk if you don’t update your password or confirm your personal details.
• Unusual sender email: Scammers will often try to spoof the sender email to make it look as if it came from the organization they’re impersonating. So look out for typos in the name (a sign of typosquatting) and hover your cursor over it in case the display name is hiding a random (and unconnected) sender domain.
• Poor spelling and grammar: As mentioned, this is less likely the more threat actors embrace generative AI (GenAI) to enhance their phishing campaigns. But it’s still a useful first check to run
• Links and attachments: Many of these missives are crammed full of links to phishing sites designed to steal your personal/financial information and passwords. They might also contain attachments masquerading as notices which covertly install malware.
• A lack of specificity: If you get a legitimate letter from a breached company, it will usually include some of your personal details, such as account number and username. But the scammers don’t have these, so their outreach will be vague and lacking detail.

Staying safe

Understanding what to look out for is the first step to staying safe from breach notification scams. If something feels off, don’t be rushed into making a hasty decision on what to do next. Take a deep breath, and slow down.

If you receive a notice, always check directly with the apparent source – but not by replying to the sender or using any contact details in the notice itself. Log into your real account and/or call or email the company to check whether the breach event is real or not. Identity protection features that often come with reputable security software, as well as services like HaveIBeenPwned.com, can provide a useful secondary way of checking whether your details have been compromised.

Mitigate risk further by using strong, unique passwords stored in a password manager, and complemented by multi–factor authentication (MFA). That means, even if hackers get hold of your credentials, they won’t be able to access your accounts.

Make sure you have robust email security installed from a reputable provider. This will ideally leverage AI to help spot and block phishing attempts and malware.

Victims: do this now

If you think you’ve been taken in by a scam, it’s important to act fast. Do the following:

• Change any passwords you might have shared with your hackers (across all the sites you use them for). A password manager is best for storing unique credentials across numerous sites and apps
• Switch on MFA for all sensitive accounts, so that even if the bad guys have your passwords they can’t get in
• Run a malware scan using reputable security software
• If you’ve shared financial information, contact your bank and tell them. Freeze credit/debit cards if applicable
• Keep an eye on your financial accounts to check for suspicious activity
• Report the incident to the FTC (US), Report Fraud (UK), the ASD (Australia), or your local equivalent

As the world becomes saturated in data breach notifications, there’s a risk that we become so inured to them we automatically believe the latest notices that hit our inbox. As tiresome as it is, careful vetting of such notices is essential. This won’t just help you avoid fraud. It will also ensure you take legitimate notifications more seriously.

If you’ve been the victim of fraud, you’re likely already a lead on a ‘sucker list’ – and if you’re not careful, your ordeal may be about to get worse.

The worst thing you can do after falling victim to fraud is let your guard down. Online scammers only care about one thing: making money, so when new opportunities arise to do just that, they take them. It doesn’t matter if it involves re-victimizing someone who has already been defrauded, raising false hopes and exploiting their desperation to get their stolen funds back. All while stealing even more from them.

Fortunately, many of these “recovery” or “refund” scams work the same way. Take some time out to understand what they look like, and you’ll stand a good chance of staying safe next time the fraudsters come knocking. Recently, we looked specifically at cryptocurrency recovery scams, but there’s more to these kind of ploys. Recovery fraud is an umbrella for several predatory tactics, all sharing a common goal: the “second strike.”

How does recovery fraud work?

These scams usually follow a tried-and-tested pattern. Fraudsters either buy “sucker lists” off other criminals or target victims of fraud they’ve just perpetrated. They impersonate specialist recovery service providers, consumer protection agencies, government officials, law enforcers, regulators, etc.

They know a lot about your case and promise to look into getting the funds back for an upfront fee. Or they may claim to already have the money and are either redistributing it to unhappy customers, or completing the paperwork to release reimbursement funds on behalf of the government or agency.

This is basically a kind of advance fee fraud. In the US in 2024 (the latest year for which figures are available) there were over 7,000 reported cases – which made scammers more than $102 million. Even these figures are likely to represent just the tip of the iceberg.

If you push back and ask the scammers to simply take their fee from the money they claim to have recovered (or will recover), they will typically make excuses as to why this isn’t possible. In an even more dangerous variation of the scheme, they may also ask for bank account/crypto  details to pay your refunded money into. This information could then be used for more serious account hijacking and financial fraud.

Examples of messages peddling cryptocurrency recovery services in discussion forums (click to enlarge)

What are sucker lists?

Cybercriminals and fraudsters often share information and knowledge to help each other succeed with their avaricious schemes. Sucker lists are a great example. They work almost like a list of marketing leads – except instead of potential customers, they contain the contact details of prospective victims.

Lists may vary in quality, but usually contain the names and contact details of individuals who have either fallen victim to fraud in the past, or who have previously replied to spam messages. They may even include details of the potential target’s demographic details and propensity to fall for particular scams or tactics.

Red flags to look out for

Watch out for these classic warning signs to stay clear of recovery fraud:

• Bold claims: They’ll usually say either they have your funds and are waiting to return them, or they’ll “guarantee” that they can get your money back
• Unsolicited contact: The scammers will get in touch out of the blue, with an email, social media message, text or even phone call
• Upfront fee: They’ll request a charge upfront for recovering/returning your stolen funds. They might call this a “retainer fee,” a “processing fee,” an “administrative charge,” or something related to tax
• Social engineering: They’ll put pressure on you, hoping to rush you into making a rash decision to pay them. They may claim, for example, that the funds are only available for reimbursement for a limited time
• Impersonation: The scammers will claim to be working for a government or law enforcement agency, a specialist recovery firm, a bank’s fraud department or other “official” organization in order to build trust
• Untraceable payments: They might ask you to pay them in unusual ways, such as cryptocurrency, gift cards or cash apps, which are harder to trace or seek reimbursement from
• Webmail: They may send you an email using a regular Gmail address or similar, rather than a legitimate corporate email address

How to keep recovery fraudsters at bay

The good news is that it shouldn’t be hard to spot the warning signs of recovery fraud. But it’s not always the rational side of our brain that makes decisions. That’s what scammers are good at – exploiting our irrational thinking and desire to get our money back. The same emotional and psychological predisposition for being victimized that first got you into trouble is effectively being targeted again.

To ensure they don’t get the better of you a second time, never pay any upfront fees – especially to individuals who have contacted you out of the blue offering recovery services. Always verify who they say they are independently, by searching for their contact details online. In the UK, you can check the FCA Firm Checker to see if the fraudster’s purported company does offer the services it claims to.

Note the above red flags, and avoid sharing any personal details of being scammed online, as fraudsters continuously trawl the web looking for potential double-dip targets.

I’ve been scammed, now what?

If you’ve been victimized by recovery scammers, there are a limited set of options available to you. It’s always a good idea to report the incident – in the UK to Report Fraud and in the US to the FTC. This will help the authorities track the fraud landscape and improve their support to victims, as well as raise awareness so others don’t fall for the same tricks.

If you’ve made a payment via your bank, tell it ASAP. Monitor your account carefully for any unusual activity and freeze any relevant cards. If you’ve handed over more personal information to the fraudster, change the passwords on any relevant accounts, add multi-factor authentication (MFA) to bolster security, and expect potentially convincing phishing attacks in the future.

Remember: scammers are a persistent bunch. If you’ve been the victim of fraud in the past, expect another visit in the future.