Brand-impersonation scams using fake support channels to steal credentials and financial data
Multiple brand-impersonation scams are targeting consumers by pushing them to interact with fake customer support and surrender sensitive data. One campaign uses a fraudulent site styled as Avast to convince French-speaking users they were charged €499.99 and must act quickly to “cancel” and receive a refund; the page dynamically inserts the current date via JavaScript, loads the Avast logo from Avast’s own CDN to appear legitimate, and then harvests full payment-card details (PAN, expiry, and CVV) via a cancellation/refund form.
Separate but related social-engineering activity targets Robinhood users with “security alert” SMS and email lures that direct victims to call scam call-center numbers, where operators attempt to extract login credentials, 2FA codes, and other personal/financial information; the email variant also commonly pushes victims toward installing remote-access tools such as AnyDesk or TeamViewer under the guise of support. In another consumer fraud pattern, scammers posing as a mobile carrier (e.g., Spectrum) call shortly after a phone delivery, claim the wrong device was shipped, and trick the recipient into mailing the phone to the attacker—enabling resale and potential identity-fraud follow-on if the device/line is activated under the victim’s details.
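The Avast-themed page described above combines two traits a defender can check for in captured HTML: brand assets hotlinked from the brand's own hosts on a page served from an unrelated domain, and a form collecting PAN, expiry and CVV. The following is an added example, not code from the cited reports; the hosts in BRAND_DOMAINS, the field-name hints in CARD_HINTS and the sample page are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts owned by the impersonated brand (constructed placeholders).
BRAND_DOMAINS = {"brand.example", "brand-cdn.example"}
# Standard HTML autocomplete tokens plus assumed common field-name fragments.
CARD_HINTS = {"pan": ("cc-number", "cardnumber", "card_number"),
              "expiry": ("cc-exp", "expiry", "expdate"),
              "cvv": ("cc-csc", "cvv", "cvc")}

def is_brand_host(host):
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

class PageScan(HTMLParser):
    def __init__(self):
        super().__init__()
        self.brand_assets, self.card_fields = [], set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("img", "link", "script"):
            url = a.get("src") or a.get("href") or ""
            if is_brand_host(urlparse(url).hostname):
                self.brand_assets.append(url)
        elif tag == "input":
            text = " ".join(a.get(k) or "" for k in ("name", "id", "autocomplete")).lower()
            for kind, hints in CARD_HINTS.items():
                if any(h in text for h in hints):
                    self.card_fields.add(kind)

def triage(page_url, html):
    """Flag off-brand pages that hotlink brand assets and ask for full card data."""
    scan = PageScan()
    scan.feed(html)
    off_brand = not is_brand_host(urlparse(page_url).hostname)
    full_card = scan.card_fields == {"pan", "expiry", "cvv"}
    return {"hotlinked": scan.brand_assets if off_brand else [],
            "card_fields": sorted(scan.card_fields),
            "suspicious": off_brand and bool(scan.brand_assets) and full_card}

# Constructed sample page, not taken from the campaign.
SAMPLE = """<img src="https://static.brand-cdn.example/logo.svg">
<form action="/submit" method="post">
<input name="cardNumber" autocomplete="cc-number">
<input name="expiry" autocomplete="cc-exp"><input name="cvv" autocomplete="cc-csc">
</form>"""

if __name__ == "__main__":
    print(triage("https://refund-portal.example/annulation", SAMPLE))
```

The same hotlinking trait is visible from the brand's side as logo requests whose Referer is a domain the brand does not own.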

How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Phone return scam targets recent mobile phone buyers
A social-engineering scam targeted people who had just received new phones, with callers impersonating carriers and claiming the wrong device had been shipped so it needed to be returned. The fraud used urgency, knowledge of order details, and sometimes QR-code shipping workflows to facilitate theft of the device.
Robinhood scam texts push victims to fraudulent support lines
A related Robinhood scam campaign used SMS messages such as fake withdrawal-code alerts and phone-number-change notices to get recipients to call attacker-controlled support numbers. The call-center-style operation then socially engineered victims into disclosing account, personal, and financial information.
Avast-themed refund phishing campaign targets French-speaking users
A phishing campaign impersonating Avast used a fake €499.99 charge and refund/cancellation pretext to trick French-speaking users into submitting personal and payment card details. The scam site mimicked Avast branding, validated card numbers, and sent captured data to a backend endpoint while using live chat to pressure victims.
Robinhood phishing emails lure victims to fake support numbers
A scam campaign impersonating Robinhood sent fake security-alert emails claiming a login from a new device and urging recipients to call fraudulent customer-support numbers. The operators attempted to steal credentials, 2FA codes, wallet recovery phrases, or persuade victims to transfer funds and install remote-access tools.
Sources
Refund scam impersonates Avast to harvest credit card details | Malwarebytes
malwarebytes.com
Robinhood Scam Text and Customer Support
onlinethreatalerts.com
Ordering a new phone? Watch out for this convincing scam that hits immediately after | ZDNET
zdnet.com
Robinhood Scam Email and Customer Support
onlinethreatalerts.com


