Technology

2025 Tech Scams: Deepfakes, BEC, Phishing & Crypto

2025 Tech Scams: Deepfakes, BEC, Phishing & Crypto

Tech Scams 2025: The New Playbook of Deepfakes, BEC, Phishing, and Crypto Cons

When a Hong Kong finance employee wired roughly $25 million after a video call with what looked and sounded like his company’s executives, investigators later concluded it was a sophisticated deepfake—an AI-forged face and voice guiding a real-time scam (CNN). That headline-grabbing case mirrors a broader surge in cyber-enabled fraud. In 2023, U.S. consumers reported more than $10 billion in losses to the FTC—the most ever recorded (FTC). The FBI’s Internet Crime Complaint Center (IC3) logged 880,418 complaints and $12.5 billion in losses the same year (FBI IC3 2023), underscoring how scams have industrialized—with AI supercharging social engineering at scale.

AI Deepfake Scams

Recent Cases and Financial Impact

– A multinational in Hong Kong was duped into transferring about $25 million after a live video conference filled with deepfaked participants, including an apparent CFO (CNN).
– Identity verification firm Sumsub reported a 10x year-over-year increase in detected deepfakes across identity fraud attempts in 2024 (Sumsub 2024).

How This Scam Works

  • Recon: Criminals harvest public audio/video of executives or family members from earnings calls, conference talks, social media, and interviews.
  • Cloning: AI tools clone voices and faces; adversaries rehearse scripts and timing to mimic gestures and cadence.
  • Staging: Attackers orchestrate a “private” Zoom/Teams call or send a convincing voice note ordering urgent payments or secret projects.
  • Execution: They push for wire transfers, gift cards, or crypto to new accounts, often just before close of business to compress scrutiny.
  • Laundering: Funds are quickly moved through mules, exchanges, or mixers to frustrate clawbacks.

Warning Signs

  • Uncharacteristic urgency or secrecy from an executive or family member.
  • Odd lip-sync, blinking, or lighting artifacts; slightly delayed responses.
  • Requests to bypass standard approval or vendor processes.
  • New or changed payment coordinates announced mid-call.
  • Voice notes instead of normal text/email workflows for high-value actions.

Protection Strategies

  • [For business owners] Institute a no-exceptions “out-of-band” verification for any payment or data request: confirm via a known phone number or a pre-agreed code word.
  • [For consumers/elderly users] Create family “safe words” for money requests, especially after odd calls or messages.
  • [For tech-savvy users] Use video platform features that watermark or identify participants; require waiting rooms and authenticated join links.
  • [For finance teams] Require dual control and callback verification for all wires and account changes; enforce cut-off times to avoid end-of-day rush scams.
  • [For IT/security] Deploy liveness checks for executive account recoveries, and log anomalous meeting invites from newly created domains.

Business Email Compromise (BEC)

Recent Cases and Financial Impact

– The FBI reports BEC schemes accounted for approximately $2.9 billion in reported losses in 2023 (FBI IC3 2023).
– Overall, IC3 logged 880,418 complaints and $12.5 billion in aggregate losses in 2023, with BEC among the costliest categories (FBI IC3 2023).

How This Scam Works

  • Pretexting: Attackers impersonate CEOs, CFOs, or vendors using lookalike domains or compromised accounts.
  • Thread hijacking: Criminals reply within real email conversations after stealing credentials, redirecting payments to attacker-controlled accounts.
  • Invoice fraud: Fake or altered invoices reflect “new bank details” for legitimate payables.
  • Payment re-routing: Victims are pressured to “urgently” use alternate accounts due to audits, bank issues, or quarter-end cutoff.

Warning Signs

  • Domain lookalikes (e.g., rn vs. m, .co vs. .com), or late-stage changes to known vendor bank details.
  • Unusual tone or timing from an executive, especially asking for secrecy.
  • Invoices with subtle formatting differences, new remittance addresses, or mismatched tax IDs.
  • Requests to skip PO processes, apportion urgent partial payments, or split wires.

Protection Strategies

  • [For businesses] Enforce dual approval for all vendor changes and wires; verify bank changes via a known phone number on file, never the email requesting changes.
  • [For finance/AP] Lock vendor master file edits behind ticketing; generate alerts for changes to bank info and payee names.
  • [For IT/security] Deploy DMARC/DKIM/SPF with p=reject; use banners on external email; monitor impossible travel and MFA prompts.
  • [For SMBs] Maintain a BEC playbook: immediate bank recall, contact FBI RAT (via IC3), notify cyber insurer and counsel.
  • [For all users] Never authenticate MFA or approve payments solely from an email request; confirm via phone or secure chat.

Tech Support Fraud

Recent Cases and Financial Impact

– In 2023, tech support scams led to about $924 million in reported losses, with roughly 19,000 victims; more than half were 60+ years old (FBI IC3 2023).
– Older adults reported $3.4 billion in losses overall in 2023, with an average loss of $33,915 (FBI IC3 Elder Fraud 2023).

How This Scam Works

  • Pop-up panic: Fake antivirus alerts claim your device is infected; a toll-free number offers “help.”
  • Cold calls: Imposters pose as Microsoft/Apple, claiming suspicious activity on your account.
  • Remote control: Victims are convinced to install legitimate remote tools, handing attackers full access.
  • Refund scam: Crooks “accidentally” overpay a refund and ask you to return the difference via gift cards or wire.

Warning Signs

  • Unsolicited calls or pop-ups claiming to be from major tech firms.
  • Pressure to install software, disable antivirus, or provide bank/crypto access.
  • Requests for gift cards or wire transfers to correct a “refund error.”

Protection Strategies

  • [For consumers/elderly users] Never call numbers in pop-ups; close your browser, reboot, and contact the company via its official website or app.
  • [For all users] Use a password manager, enable automatic updates, and turn on MFA for email, banking, and cloud accounts.
  • [For caregivers] Set up restricted user accounts and DNS filtering; place a family “do not pay” rule for any phone/remote demand.
  • [For businesses] Block remote admin tools by default, allow only approved remote support software, and log all sessions.

Cryptocurrency Investment & Wallet Draining Schemes

Recent Cases and Financial Impact

– Investment scams were the largest fraud category tracked by IC3 in 2023 at approximately $4.57 billion in reported losses, with many tied to crypto-related “pig butchering” operations (FBI IC3 2023).
– The FTC reported more than $10 billion in total consumer losses in 2023 across all scam types, with investment scams leading losses (FTC).

How This Scam Works

  • Long con: Scammers build trust on social media/dating apps, then pitch “mentored” trading on a fake platform.
  • Fake dashboards: Victims see fabricated profits and are pressured to “upgrade” to withdraw.
  • Drainers: Malicious smart contracts or wallet-drainer kits empty wallets after users approve bogus permissions.
  • Exit: Criminals vanish after a large top-up, leaving victims locked out or “taxed” into paying more.

Warning Signs

  • Guaranteed returns, secret algorithms, or pressure to keep investments “confidential.”
  • Platforms that cannot be found in reputable app stores or lack independent reviews.
  • Requests to move funds off trusted exchanges into private wallets they “configure.”
  • Wallet approval prompts that seek unlimited spending permissions.

Protection Strategies

  • [For consumers] Use regulated exchanges and never transfer funds based on a new online contact.
  • [For tech-savvy users] Review token approvals (e.g., via Etherscan/Revokers); use hardware wallets with on-device confirmation.
  • [For businesses] Mandate custodial controls, role-based approvals, and transaction limits; segregate treasury and operational wallets.
  • [For all users] Verify platforms with independent sources; distrust screenshots and “guaranteed” yields.

Romance & Social Engineering (Including Pig Butchering)

Recent Cases and Financial Impact

– Many high-dollar “pig butchering” cases are tracked within investment fraud statistics—IC3 attributes about $4.57 billion to investment scams in 2023, a category that includes romance-driven crypto cons (FBI IC3 2023).
– The FTC recorded a median loss of $500 across all scams in 2023, but romance/investment cons often far exceed that (FTC).

How This Scam Works

  • Grooming: Weeks of daily messaging to build trust, often mirroring your interests and schedule.
  • Isolation: Scammers steer you away from friends/family who may challenge the “opportunity.”
  • Escalation: Initial small wins shown on a fake platform, then larger deposits demanded.
  • Extraction: Withdrawals suddenly “require” taxes/fees; more money is requested until the victim runs out.

Warning Signs

  • New relationships that quickly pivot to investments, secrecy, and urgency.
  • Contacts insisting on communicating only on encrypted apps and refusing video calls at normal hours.
  • Emotional manipulation tied to money requests.

Protection Strategies

  • [For general consumers] Pressure-test claims with a trusted friend; never invest based on a romantic contact.
  • [For elderly users] Involve family or a financial caregiver before any large transfer; set banking transfer limits.
  • [For businesses] Train staff on social engineering tactics that lead to data exfiltration or payroll diversion.
  • [For tech-savvy users] Reverse-image search profile photos; look up domain age and hosting footprints.

Phishing’s Evolution: AI-Generated Emails, Smishing, Vishing, and Quishing

Recent Cases and Financial Impact

– The 2024 Verizon DBIR found the human element was involved in 68% of breaches, with phishing and social engineering central drivers (Verizon DBIR 2024).
– Proofpoint’s State of the Phish 2024 reported that 71% of organizations experienced at least one successful email-based attack in the prior year (Proofpoint 2024).

How This Scam Works

  • LLM-crafted messages: AI reduces spelling errors and mimics corporate voice/tone.
  • Multichannel: Attackers blend email, SMS (smishing), voice (vishing), and QR codes (quishing) to bypass filters and exploit mobile users.
  • Credential harvesting: Lookalike portals capture MFA tokens; adversaries race to replay sessions.
  • OAuth abuse: “Grant access” requests give persistent inbox or file access without a password.

Warning Signs

  • Unexpected MFA prompts or password reset notices.
  • QR codes in emails asking for login, payment, or delivery fees.
  • Links that resolve to mismatched domains or newly registered sites.
  • App consent screens requesting broad scopes (offline access, mailbox read).

Protection Strategies

  • [For all users] Use a password manager and FIDO2 security keys where possible; avoid scanning QR codes from unsolicited emails.
  • [For businesses] Enforce conditional access and phishing-resistant MFA; require admin consent for third-party apps.
  • [For consumers] Verify delivery fee texts in the official carrier app; never pay via gift cards.
  • [For IT/security] Implement DMARC p=reject, disable legacy auth, and monitor OAuth grants and risky sign-ins.

Industry Expert Insights

– AI lowers the cost of persuasion: Generative tools make scams more grammatically correct, better localized, and more personalized—reducing classic “tell” errors.
– Identity is the battleground: Expect more deepfake-enabled account recovery fraud and synthetic identities; liveness detection and hardware-bound passkeys will matter more.
– Payment control is king: Dual control, callback verification, and just-in-time verification reduce BEC and invoice fraud risk even when email accounts are compromised.
– Mobile-first defense: Because smishing/vishing/quishing target phones, organizations are adopting mobile security awareness, SMS filtering, and strict app-consent policies.

Immediate Action Steps

  • All readers: Freeze your credit at all three bureaus; enable transaction alerts and daily balance notifications on bank/credit accounts.
  • Consumers: Turn on MFA for email, banking, cloud storage, and messaging; use a password manager and security keys where supported.
  • Elderly users and caregivers: Establish a money “pause rule” and family safe words; pre-share official phone numbers for banks and service providers.
  • Business owners: Enforce dual approval and out-of-band callbacks for wires/vendor changes; deploy DMARC p=reject and phishing-resistant MFA; conduct quarterly BEC tabletop exercises.
  • Tech-savvy users: Review wallet token approvals, use hardware wallets, restrict OAuth app consent, and audit admin accounts.
  • If you’re a victim: Immediately contact your bank for a recall, file with IC3, notify your local police, and alert your cyber insurer if applicable.

Conclusion

Scammers have scaled persuasion with AI—but you can scale verification. Treat every urgent request as untrusted until verified out-of-band; require two people for high-risk payments; insist on phishing-resistant MFA; and keep your financial and identity settings locked down. These steps don’t just reduce risk—they break the scammer’s script. Share this playbook with your family, your finance team, and your peers today, and set up your callbacks, safewords, and dual controls before the next “urgent” request arrives.

Related Posts