Consumer-Facing Phishing and Payment Scams Using Fake Support and Fraud Alerts
Multiple reports describe social-engineering scams that impersonate trusted brands and payment providers to drive victims into credential theft or direct monetary loss. A “crypto compensation” lure abuses a legitimate-looking Yandex poll as an entry point, then redirects victims to a fake Bitcoin payout page claiming an approved 0.943 BTC transaction and imposes a small “commission”/fee to withdraw funds—classic advance-fee fraud wrapped in a polished, multi-step funnel (including a fake chat “support agent”). Separately, Japanese-language phishing emails impersonating ANA, DHL, and myTOKYOGAS show consistent infrastructure patterns (notably .cn domains in sender and landing-page URLs), suggesting a single operator or shared kit targeting Japanese-speaking recipients.
Several consumer scam advisories highlight SMS-based fraud alerts that push targets to call attacker-controlled phone numbers, where scammers pose as “support” to steal Apple ID/2FA codes or payment details, or to coerce victims into moving money. One PayPal-themed case escalated to cash withdrawals handed to a courier after a victim called a number from an unsolicited text, illustrating how “fraud department” pretexts can transition from phishing to cash-out theft. Additional warnings cover lookalike payment sites (e.g., payyourbill.aps medical.com) and generic guidance on what to do after clicking a phishing link; these are broadly consistent with the same theme (phishing/payment fraud) but are not tied to a single, specific campaign or actor across all items.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
45 events from the most recent confirmed update back to the earliest known activity.
WBD Global Streaming texts impersonate Warner Bros. Discovery in task scam
A scam campaign was reported in which unsolicited text or WhatsApp messages posing as Warner Bros. Discovery HR offered a remote 'Content Promotion Assistant' job with unrealistic pay, flexible hours, and a large joining bonus. Victims were told to complete simple content-promotion tasks and later pressured to send their own money to 'upgrade' accounts and unlock more tasks or earnings, after which the scammers disappeared.
Apple Pay confirmation text scam pushes victims to call 1-888-593-6001
A scam text campaign was reported in which messages falsely claimed an Apple Pay transaction required confirmation and used urgency to push recipients to click malicious links or call 1-888-593-6001. The apparent goal was to steal personal or financial information by impersonating Apple-related support.
Fraudulent mcrev.store site impersonates Aldi with $750 gift card lure
A report published on 2026-06-13 identified mcrev.store as a scam website falsely tied to Aldi that advertised a $750 Aldi gift card and large MacBook discounts. The site allegedly used fake or automated social media promotion to harvest personal and payment information and expose victims to spam, identity theft, unauthorized charges, subscription traps, and fraudulent card use.
Fake law firm recovery scam offers fund retrieval for upfront fees
A warning published on 2026-06-08 described unsolicited messages from supposed law firms such as 'Kimmel and Rowe' offering to recover inherited, lost, or scammed funds as likely advance-fee fraud. The scam reportedly impersonates attorneys, recovery agencies, or government entities and demands upfront payments labeled as retainers, taxes, or processing fees before any recovery occurs.
Trump Accounts scam uses fake activation and processing-fee phishing lures
A scam campaign was reported in which fraudsters exploited the rollout of children's Trump Accounts by sending phishing emails and text messages. The messages allegedly asked targets to pay fake processing fees to unlock funds or provide sensitive personal information such as Social Security numbers under the guise of speeding up enrollment, while guidance said legitimate activation emails would come only from no-reply@TrumpAccounts.Treasury.gov.
USPS smishing campaign uses PDF attachments and fake redelivery pages
A widespread USPS-themed phishing campaign was reported in which text messages claimed a package could not be delivered due to an incorrect or incomplete address and urged recipients to open a PDF attachment. The PDF linked to a fake USPS website that attempted to steal personal information and payment card details, often by requesting a small redelivery fee.
PayPal Bitcoin invoice scam emails push victims to call 1-656-556-2147
A PayPal-themed scam was reported in which fake invoice emails falsely claimed a $1,489.99 Bitcoin purchase would be charged through PayPal Auto Pay unless the recipient called 1-656-556-2147. The scammers allegedly impersonated PayPal billing support to trick callers into disclosing account credentials and personal information.
PayPal Business upgrade scam emails push victims to call 1-888-717-6077
A PayPal-themed phishing scam was reported in which emails falsely claimed a PayPal Business account upgrade request was under review and referenced a $649.00 processing fee, SSN verification, and a June 2, 2026 verification date. Recipients were urged to call 1-888-717-6077, where scammers allegedly impersonated PayPal representatives to steal account credentials and personal information.
NCB smishing scam uses fake account-hold alerts and ncbonlinefiles.info
An ongoing phishing and smishing campaign was reported that impersonates National Commercial Bank (NCB) with text messages claiming an account has been placed on hold due to unusual activity. The messages direct recipients to the fraudulent site ncbonlinefiles.info, which mimics the bank's portal to steal credentials, personal information, OTPs, PINs, passwords, and RSA token codes.
Suspicious costcosaved.com site impersonates Costco to steal data or payments
A warning published on 2026-06-01 identified costcosaved.com as a fraudulent site impersonating Costco. The site was described as part of scams using fake Costco branding to harvest personal information or login credentials, or to sell nonexistent goods and capture payment card data.
Fraudulent BlockFi payout emails abuse GovDelivery-linked infrastructure
A scam campaign was reported in which fraudulent emails claiming to be from BlockFi or Kroll used service.govdelivery.com or public.govdelivery.com-related delivery paths to promote fake estate withdrawal or claim payout messages. The emails were described as leveraging GovDelivery-associated trust to appear legitimate and evade spam filtering while directing recipients toward cryptocurrency fraud.
Amazon MacBook scam uses fake purchase alerts to lure victims to fake support
A scam campaign was reported in which fraudsters impersonated Amazon through calls, texts, or emails claiming an expensive purchase such as a MacBook Pro or iPhone had been made. The messages pressured recipients to contact fake customer service, where scammers attempted to steal credit card or bank details under the guise of canceling the charge or issuing a refund.
Apple support scam abuses real Apple notifications to steal Apple ID codes
An Apple support impersonation scam was reported in which attackers sent alarming messages about suspicious Apple ID activity or Apple Pay charges and then triggered legitimate Apple password reset or support notifications to make the fraud appear credible. Victims were pressured to call fake support numbers or visit cloned sites where scammers attempted to steal Apple ID credentials and two-factor authentication codes.
PCP refund smishing scam impersonates lenders and regulators
A scam campaign was reported in which text messages falsely claimed recipients were owed refunds for mis-sold PCP car finance. The messages impersonated car finance lenders, claims firms, or regulatory bodies and used links or replies to steal personal or banking information.
Mayline loan scam uses texts and voicemails to demand upfront fees
A scam campaign was reported in which fraudsters posing as 'Mayline USA' sent unsolicited text messages and voicemails claiming recipients had been approved for large personal loans. The scam sought sensitive personal information or advance payments through fabricated charges such as processing fees, insurance, or first-month payments.
Spoofed buah.de emails push fake Celsius and Bitcoin phishing lures
A phishing campaign was reported in which attackers spoofed the legitimate info@buah.de address of German company buah GmbH to send fraudulent emails themed around Celsius Network payouts, unclaimed Bitcoin balances, remaining crypto funds, and fake order confirmations. The messages reportedly used the trusted buah.de identity to improve credibility and potentially bypass spam filters while attempting to trick recipients into clicking links, opening attachments, or disclosing personal information.
Geek Squad renewal scam emails and texts push victims to fake support
A phishing scam was reported in which fraudulent emails or text messages impersonated Geek Squad and falsely claimed a subscription renewal or imminent large charge. The messages pressured recipients to call a fake support number, where scammers allegedly sought financial information, remote access, malware installation, or refund fraud payments via gift cards or bank transfers.
Venmo hotline scam uses OTP theft to hijack accounts and drain funds
A widespread scam was reported in which fraudsters impersonated Venmo support by phone or text, claimed unauthorized activity or password changes, and directed victims to press a button or call a hotline. Once engaged, the scammers triggered a real Venmo one-time passcode and tricked victims into reading it aloud, enabling account takeover, credential changes, and theft of funds.
Elon Musk lottery scam emails promise cash and a Tesla to lure victims
A scam email campaign was reported in which messages falsely claimed recipients had won an 'Elon Musk Mega Millions Jackpot' prize, including money and a Tesla Model X. The emails used fake winner language and codes to induce engagement, with the apparent goal of extracting advance fees, sending fake checks, or stealing personal and banking information.
Fake Aldi rewards site grocerysaved.com pushes $750 gift card survey scam
A fraudulent website, grocerysaved.com, was reported impersonating an Aldi rewards program and falsely promising visitors a $750 gift card. The site allegedly redirected users to other scam offers and collected email addresses and potentially other personal information for spam, follow-on scams, or fraud.
Melio Payments scam emails fake Bitcoin invoices and PayPal withdrawal alerts
A scam email campaign was reported in which messages impersonating Melio Payments falsely claimed the recipient owed money for a Bitcoin purchase and warned that funds would be withdrawn from their PayPal account within 12 to 24 hours. The alert characterized the emails as fraudulent and advised users to verify account activity only through the official Melio app or meliopayments.com.
CoinSpot scam texts and emails impersonate support to steal funds
A scam campaign was reported in which attackers impersonated CoinSpot through SMS and email messages claiming suspicious logins, unauthorized withdrawals, or unexpected verification codes. The messages urged recipients to call a fake support number, while guidance noted that CoinSpot does not provide phone support and advised users to use only official support channels and account-freezing features.
Fake Schylling stores abuse NeeDoh brand to steal payment card details
A scam campaign was reported in which fraudulent online stores impersonated toy company Schylling, especially its NeeDoh product line, to harvest customers' payment card information. Victims reportedly saw payment errors such as declined or unsupported cards, followed by unauthorized attempts to add the stolen card details to Apple Pay or Google Pay; any goods shipped were warned to be potentially counterfeit.
Infomedics phishing emails demand payment of fake healthcare bills
A phishing campaign was reported in which emails impersonating Infomedics claimed recipients had outstanding healthcare bills, typically demanding urgent payment amounts between €115 and €158. The messages reportedly used malicious links or fake payment pages, while guidance noted legitimate Infomedics emails do not include direct iDEAL payment links or attachments and should be verified through official channels.
Ledger phishing emails impersonate wallet alerts to steal recovery phrases
A Ledger-themed phishing campaign was reported in which spoofed emails, including typo-squatted sender names such as "legder," used fake firmware updates, security alerts, or breach notices to lure users to counterfeit Ledger sites. The scam aimed to steal victims’ 24-word Secret Recovery Phrases, with warnings that follow-up phone calls could be used to reinforce the fraud and enable cryptocurrency theft.
Norton and LifeLock billing scam emails push victims to fake support
A phishing scam was reported in which fraudulent emails impersonated Norton or LifeLock and falsely claimed an antivirus subscription renewal or charge, typically for roughly $200 to more than $300. The messages urged recipients to call a fake support number or click malicious links in an attempt to steal payment card details, personal information, or potentially deliver malware.
Crypto.com verification-code scam uses phishing alerts and fake support follow-up
A scam campaign was reported in which attackers impersonated Crypto.com through SMS or email messages claiming unauthorized logins or withdrawals, then directed victims to fraudulent sites or possible follow-up calls posing as support. The scam sought credentials, 2FA verification codes, and anti-phishing codes to enable account compromise and theft.
Suspicious nfeeds.com site impersonates Lidl to harvest card details
A warning published on April 26, 2026 described nfeeds.com as a suspicious website copying Lidl branding and allegedly showing denied transactions during checkout. The reported behavior suggested the site was designed to collect payment card information rather than fulfill purchases, with unrealistic pricing cited as an additional fraud indicator.
Kaiser Permanente scam calls spoof medical and billing numbers
A scam call campaign was reported in which fraudsters impersonated Kaiser Permanente and spoofed legitimate-looking medical center or billing numbers to pressure targets into disclosing personal or financial information. The callers used pretexts including unpaid bills, insurance problems, identity theft, Medicare issues, or urgent membership cancellation, and some reportedly targeted people with Asian surnames and insisted on speaking Mandarin.
McAfee billing scam emails push victims to call fake support numbers
A phishing scam was reported in which fraudulent emails impersonated McAfee and falsely claimed an automatic subscription renewal or purchase charge of about USD559.44 to USD583.66. The messages urged recipients to call 1-810-353-2779 or 1(808)221-2318, where scammers allegedly sought financial information, remote access, or malware delivery through attached fake invoices.
PayPal scam uses 0.01 MXN transfer and fake Coinbase deposit alert
A PayPal-themed scam was reported in which attackers used a real 0.01 MXN or one-cent transaction to make a fraudulent notification appear legitimate, falsely claiming that USD 987.90 was pending deposit to Coinbase via PayPal. The message instructed recipients to call 888-632-2011, where scammers allegedly impersonated PayPal support to steal credentials or banking information.
Revolut scam calls impersonate bank staff to steal money and account data
A phone scam was reported in which fraudsters impersonated Revolut staff, used urgent claims of suspicious account activity, and sometimes spoofed official-looking caller ID information. The scam sought to steal money or sensitive information, while guidance emphasized that Revolut does not make unsolicited calls or ask for PINs, 2FA codes, or transfers to so-called safe accounts.
Robinhood security alert scam uses phishing texts and emails
A scam campaign was reported in which attackers impersonated Robinhood through text messages and emails claiming unusual activity, anomalies, or account freezes. The messages used malicious links or fake support numbers to steal usernames, passwords, and other sensitive account information or facilitate financial theft.
PayPal PHP scam uses tiny deposits and fake invoices to drive GCash theft
A PayPal scam variant was reported that used Philippine Peso transactions, including tiny 1 PHP deposits and fake alerts about large unauthorized charges such as 20,000 PHP, to lure victims into calling fraudulent support numbers or visiting phishing pages. The campaign reportedly aimed to steal credentials and drain funds, with some stolen money transferred to GCash.
Evri delivery smishing scam uses failed-delivery and redelivery-fee texts
A phishing scam was reported in which fraudsters impersonated parcel company Evri via text messages claiming failed delivery, incomplete address details, or a small redelivery fee. The messages used urgency and phishing links to steal personal or payment information, while Evri stated it does not request such details or fees by SMS.
PayPal PDF invoice scam emails push victims to call fake support
A PayPal-themed email scam was reported in which recipients received fake invoices or order confirmations as PDF attachments claiming a transaction needed to be reversed. The messages used unauthorized-payment scare tactics to pressure targets into calling a fraudulent support number so scammers could steal personal or payment information.
Bank of America scam calls spoof bank numbers to steal funds and account data
A Bank of America impersonation phone scam was reported in which fraudsters spoofed official-looking bank numbers and falsely claimed fraudulent account activity to pressure victims. The callers attempted to obtain PINs, Social Security numbers, account numbers, one-time authentication codes, or convince targets to send money through Zelle, cryptocurrency, or gift cards.
DPD delivery scam uses fake missed-parcel and courier fee messages
A scam campaign was reported in which fraudsters impersonated DPD through SMS, email, and marketplace messages, commonly claiming a missed parcel delivery and directing victims to pay a small redelivery fee on lookalike sites to steal personal and banking data. The reporting also described related variants involving fake DPD collection arrangements on Facebook Marketplace and bogus courier insurance or service fees.
PayPal billing scam emails push victims to call 1-808-371-1635
A phone-based scam was reported in which fraudulent emails impersonating PayPal's billing department falsely claimed a $349.99 auto-debit charge and told recipients to call 1-808-371-1635 if the payment was unauthorized. Callers were reportedly routed to a scam call center where operators impersonated Norton and other technology companies to steal sensitive information or gain device access.
PayPal scam uses real $0.02 transfer to lend credibility to fake support message
A PayPal-themed social engineering scam was reported in which attackers sent a real 2-cent PayPal transaction and a message claiming a payout had been processed, then directed victims to call 1-800-613-9844. The goal was to impersonate PayPal support and steal account or banking information over the phone.
Crypto advance-fee scam uses fake BTC compensation and Octa payment lures
An active scam campaign was documented that redirected users from seemingly legitimate survey links to fake Bitcoin compensation pages promising large payouts, then demanded small commission payments before withdrawal. A second variant impersonated Octa with a fake transfer notification and OTP-style flow before requesting a similar fee.
PayPal-themed smishing and courier cash scam victimized targets
A PayPal fraud impersonation scam was reported in which a victim received an unsolicited text, called the provided number, and was manipulated into withdrawing thousands of dollars in cash for collection by a courier. The scammers later attempted to extract additional funds, using spoofed identities and urgency to pressure the victim.
Apple Support impersonation SMS scam circulates fake Apple Pay fraud alerts
A smishing campaign was reported in which recipients received text messages posing as Apple Security Alert or Apple Support notices about unauthorized Apple Pay transactions and were urged to call a phone number. The messages were described as fraudulent attempts to harvest sensitive information through social engineering.
February 2026 phishing samples show shared infrastructure and tooling
Three phishing emails observed in February 2026 shared similar header artifacts, including the same Foxmail X-mailer string, suggesting a common operator or toolkit behind the Japanese-brand impersonation campaign. The samples reinforced the pattern of .cn-linked infrastructure across multiple lures.
Japanese-language phishing campaign targets recipients for at least a year
Bradley Duncan reported that he had been receiving Japanese-language phishing emails targeting his @malware-traffic-analysis.net addresses for at least the past year. The messages impersonated brands including ANA, DHL, and myTOKYOGAS and used recurring .cn sender domains and .cn-hosted phishing URLs.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
50 references tracked. Mallory keeps watching after this page renders.
Apple Pay Charge Scam Text Message - How to Protect Yourself
onlinethreatalerts.com
Open sourceWBD Global Streaming Scam Text Message - How to Protect Yourself
onlinethreatalerts.com
Open sourceApple Pay Transaction Text Scam - How to Protect Yourself
onlinethreatalerts.com
Open source888-743-4760 Apple Pay Scam Text Message - Beware
onlinethreatalerts.com
Open source"ARTURO ACEITUNO D.M.D. LLC" PayPal Scam - Beware
onlinethreatalerts.com
Open source888-632-2011 PayPal Scam - Beware
onlinethreatalerts.com
Open source"AVERY RSUMMIT TECHNOLOGIES LLC" PayPal Scam
onlinethreatalerts.com
Open source"EB JV Jared LLC" PayPal Scam - Beware
onlinethreatalerts.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Consumer Brand Impersonation Phishing and Tech-Support Scams Targeting Apple and Avast Users
Multiple **brand-impersonation phishing** campaigns are targeting consumers by abusing trust in *Avast* and *Apple* to drive victims into disclosing payment or account details. One campaign uses a near-identical fake *Avast* portal aimed at French-speaking users, presenting a fabricated **€499.99** “subscription charge” and a short cancellation window to induce urgency; the site validates entered card numbers using the **Luhn algorithm** and uses a **Tawk.to** live-chat widget (ID `689773de2f0f7c192611b3bf`) to pressure victims in real time into submitting full card details (including CVV) under the pretense of processing a refund. Separate *Apple*-themed scams use **phishing-to-phone** and **SMS** lures to route victims to scam call centers and harvest credentials and financial information. One email purporting to be from an “**Apple Fraud Prevention**” team attempts to panic recipients into calling a fake support number, while an “**Apple Security Alert**” Apple Pay text claims a suspicious **$143.95** Apple Store transaction and urges an immediate call to a `+1 850-85*` number to “cancel” the charge. Another tactic abuses iOS Calendar subscriptions (“**iPhone Calendar Scam**”) to flood devices with fake security/prize alerts that push users to click malicious links; guidance emphasizes unsubscribing from the rogue calendar and avoiding interacting with the spam invites.
Mar 31, 2026
Phishing and Smishing Campaigns Delivering Malware via Fake Apps and Trusted-Looking Lures
Multiple reports describe **social-engineering campaigns** that use trusted-looking lures (meeting invites, public-safety alerts, and official-looking documents) to drive victims to install malware or disclose credentials. Microsoft researchers reported a wave of **fake Zoom/Teams/Adobe update sites** reached via meeting-invite and document lures; the downloaded executables were signed with a **compromised EV code-signing certificate** (issued to *TrustConnect Software PTY LTD*) and acted as droppers for **remote monitoring and management (RMM) tools**, enabling persistent access. Separately, ClearSky described a suspected **Russian espionage** phishing operation targeting Ukraine that delivers a ZIP containing a Ukrainian-language border-crossing “permit” document, installing a loader (**BadPaw**) and a backdoor (**MeowMeow**) with file manipulation capabilities and sandbox/VM evasion; attribution was assessed as high confidence to a Russian state-aligned actor and low confidence to **APT28**. Mobile-focused lures were also reported: CloudSEK detailed **SMS phishing** targeting Israeli civilians with a trojanized **Red Alert** rocket-warning app, using a multi-stage loader chain to deploy spyware with **banking trojan** capabilities and exfiltrate **SMS, contacts, and location** to attacker infrastructure—raising concerns about surveillance and erosion of trust in official alerting. Other items in the set are either broader research or consumer-oriented scam advisories: a Zimperium write-up on the Android **“Massiv”** IPTV-app disguise highlights overlay-based banking fraud techniques, while Kaspersky’s mobile threat landscape report provides 2025 ecosystem statistics; two OnlineThreatAlerts posts describe generic **smishing** patterns (Amazon “refund” and flood-warning texts) without tying to a specific, evidenced campaign or new technical findings.
Mar 21, 2026
Phishing Campaigns Abuse Trusted Platforms and Legitimate Workflows to Evade Detection
Multiple campaigns are abusing *legitimate* cloud and platform workflows to make phishing and fraud harder to detect. Attackers are generating real Apple and PayPal invoice/dispute emails and embedding scam phone numbers in user-controlled fields (e.g., “seller notes”), resulting in messages that carry valid **DKIM** signatures and originate from high-reputation domains; this “**DKIM replay**” style abuse bypasses many email controls because authentication validates the sender domain, not the safety of the embedded content. In parallel, threat actors are leveraging free **Google Firebase** developer accounts to host brand-mimicking phishing pages on trusted `firebaseapp.com` / `web.app` subdomains, increasing delivery and click-through rates by exploiting domain reputation and common allowlisting of Google infrastructure. A separate but related social-engineering technique targets **Telegram** users by manipulating Telegram’s official authentication workflows to obtain fully authorized sessions rather than simply stealing passwords. Victims are lured to Telegram-lookalike pages (often on ephemeral domains) that prompt QR scanning or phone-number entry; user interaction triggers a real login attempt initiated by the attacker, and once the victim approves the authorization prompt on their device, the attacker gains persistent account access and can pivot to follow-on attacks via the victim’s contacts. These incidents collectively highlight a shift toward “living off trusted services,” where adversaries avoid compromising vendors and instead weaponize legitimate features, trusted domains, and sanctioned authentication flows to reduce detection and increase victim compliance.
Mar 21, 2026