The Evolution of Digital Deception: How 2025 Scams Blended into Daily Online Life

Jan. 20, 2026 /PRNewswire/ — The Q4 2025 Gen Threat Report highlights a significant shift in cybercrime, where fraudulent advertisements and deepfake content have become the primary methods for targeting consumers. These findings indicate that attackers are increasingly exploiting trusted social media platforms like Facebook and YouTube to host fake online shops and deceptive investment schemes. Rather than using complex technical exploits, modern scams trick individuals into performing routine digital actions, such as clicking links or scanning QR codes, to compromise their data. The report also identifies GhostPairing attacks and a sharp rise in identity-related breaches as growing risks that bridge the gap between mobile and desktop devices. Ultimately, the data warns that malvertising has evolved into a sophisticated tool that allows threats to blend seamlessly into everyday internet browsing.

Digital scams in late 2025 evolved by moving away from sophisticated technical exploits and instead embedding themselves into the ordinary digital actions that consumers perform every day. Rather than announcing themselves as threats, these scams blended into everyday digital routines by utilizing familiar platforms and trusted interfaces to scale their reach across various devices.

There are several specific ways these scams integrated into daily life:

Social Media and Malvertising: Scams increasingly appeared where users spend the most time, specifically in social feeds and videos. Malvertising (fake advertisements) became the top cyberthreat to individuals, accounting for 41% of all attacks and serving as the primary entry point for many scams. These fake ads and shops were often indistinguishable from legitimate posts and videos on platforms like Facebook, YouTube, and Reddit until the moment sensitive information or money was requested.

User-Driven Actions: Modern scams succeeded by tricking people into completing the final steps of an attack themselves, such as clicking a link, scanning a QR code, or approving a device pairing. These damaging incidents often began with small, familiar actions performed under a sense of false reassurance or time pressure.

Cross-Platform Integration: Threats evolved to move seamlessly between devices to bypass security. For example, a scam might start on a desktop with a fake tutorial page and then prompt the victim to scan a QR code with their phone, shifting the attack to a mobile environment where permissions and verification might be more easily manipulated.

Exploitation of Messaging Apps: New techniques like “GhostPairing” targeted users on messaging apps like WhatsApp. Victims were tricked into entering a numeric code on their phone, which unknowingly linked an attacker-controlled browser as a “trusted device,” allowing the scam to spread rapidly through their contacts.

AI and Deepfakes: Attackers used AI-generated deepfake content, primarily on video platforms, to create convincing lures related to finance, investment, and cryptocurrency. These scams were often intercepted while users were simply watching videos, rather than during file downloads.

Layered Identity Fraud: Identity abuse became more integrated into common financial activities, showing up as unusual activity in everyday banking accounts, property records, and applications for retail credit or installment loans.

By mimicking the look and feel of routine online interactions, these scams created a continuous attack surface across browsers, chats, and shopping tools, making them harder for the average consumer to detect.

Among social media platforms, Facebook has the highest phishing rate, accounting for 77% of phishing spread, followed by YouTube at 13% and Reddit at 4%.

The report provides additional context regarding how these and other platforms are utilised for different types of digital scams:

Phishing and Fake Shops: Facebook and YouTube are the primary platforms where risky shopping clicks begin. Fake shops make up 65% of all threats blocked on social media, with a heavy concentration on these two platforms.

AI-Generated Scams: When specifically looking at blocked AI scam videos, YouTube holds the largest share, followed by Facebook and X (formerly Twitter). These videos are typically intercepted during playback and often focus on lures related to finance, investment, and cryptocurrency.

Malvertising: Fake advertisements (malvertising) were the top cyberthreat to individuals in 2025, representing 41% of all attacks. Internal documents from Meta (the parent company of Facebook) suggest that scam and banned-goods advertising may account for approximately 10% of their annual ad revenue.

Messaging Apps: Beyond traditional social media feeds, platforms like WhatsApp are targeted through techniques like GhostPairing, where attackers trick users into linking unauthorised devices to their accounts to steal information.

Overall, while phishing is spreading more broadly across various platforms, it remains heavily concentrated on Facebook, which accounts for the vast majority of detected instances.

GhostPairing attacks compromise a WhatsApp account by exploiting a user’s routine digital actions to link an unauthorised device.

The compromise happens through the following steps:

User Manipulation: The attack typically begins with a “small, familiar action” performed by the victim, often under a sense of false reassurance or time pressure.

Numeric Code Entry: Victims are tricked into entering a numeric code directly into the WhatsApp application on their mobile phone.

Unauthorised Device Linking: By entering this code, the victim unknowingly approves a device pairing. This links an attacker-controlled browser to the victim’s account as a “trusted device”.

Data Theft and Propagation: Once the attacker has established this link, they can steal sensitive information and use the compromised account to rapidly spread the scam to the victim’s contacts.

These attacks are part of a broader trend identified in late 2025 where scams move across different platforms and devices—often starting on one device and pushing the victim to complete the compromise on another—to stay invisible and bypass security measures.

GhostPairing attacks succeed by exploiting routine digital actions and a user’s sense of trust or urgency. While the report does not provide a specific checklist for protection, the following safety measures can be inferred from how these attacks are described to operate:

Never enter unsolicited numeric codes: The primary mechanism of a GhostPairing attack involves a victim entering a numeric code into WhatsApp on their phone. Users should only enter such codes if they have personally initiated a device-linking process (such as setting up WhatsApp Web) themselves.

Be wary of “time pressure” or “false reassurance”: The report notes that the most damaging incidents often begin with small, familiar actions performed under a sense of urgency. If a website or message creates a high-pressure situation requiring immediate verification, it is a significant red flag.

Monitor “Linked Devices” regularly: Because GhostPairing works by linking an attacker-controlled browser as a “trusted device,” users should frequently check the “Linked Devices” section within their WhatsApp settings. Any device or browser session not personally authorised should be removed immediately.

Exercise caution with cross-platform prompts: These scams often move back and forth between devices to stay invisible. For example, a scam might start on a desktop with a fake tutorial and then prompt the user to perform an action on their mobile phone. Users should be highly sceptical when one device asks them to scan a code or enter a verification number on another.

Scrutinise familiar interfaces: Modern scams blend into everyday digital routines by mimicking trusted interfaces. Just because a prompt appears within a familiar app like WhatsApp or a known social feed does not mean the request for information or device access is legitimate.

By understanding that these threats rely on user-driven actions rather than technical exploits, consumers can protect themselves by pausing before completing “final steps” like approving a device pairing or entering a verification code.

Beyond the device-pairing tactics used in GhostPairing, attackers in late 2025 increasingly rely on several other ordinary digital actions to succeed. These attacks are effective because they require the user to complete the “final step” themselves while performing routine tasks.

Familiar online actions exploited by attackers include:

Clicking Links and Advertisements: Malvertising (fake advertisements) was the top cyberthreat to individuals in 2025. These fake ads serve as the “first click” leading to many scams and are often indistinguishable from legitimate posts or ads in social feeds.

Scanning QR Codes: Attackers use QR codes to move an attack from one platform to another. For example, a scam might begin on a desktop with a fake tutorial page and then prompt the user to scan a code with their phone, shifting the attack to a mobile environment where security settings might be different.

Watching or Playing Videos: Scams are increasingly hidden within video content on platforms like YouTube, Facebook, and X (formerly Twitter). AI-generated deepfake lures—specifically those related to finance, investment, and cryptocurrency—are often intercepted during video playback rather than during file downloads.

Entering Verification Codes: Along with device pairing, entering a numeric verification code is a common “final step” that victims are tricked into completing under time pressure or false reassurance.

Online Shopping and Interaction: Users are exploited while performing routine shopping activities, such as clicking on a post for a product. In late 2025, over 45 million fake shop attacks were blocked, many of which began with risky clicks on social media platforms like Facebook and YouTube.

Managing Identity and Financial Records: Attackers exploit the routine nature of checking everyday banking accounts, property-related records, and applications for retail credit or installment loans. Identity fraud is becoming more layered, showing up as unusual activity in these standard financial instruments.

Interacting with Browsers and Messaging Apps: The attack surface has become continuous across common tools, meaning users are at risk while simply using chats, browsers, and money apps.

By focusing on these small, familiar actions, attackers can scale their tactics across various devices and channels while remaining nearly invisible to the average user.

Ultimately, the most damaging incidents in late 2025 succeeded because they required the user to complete the final step of the attack. By creating a sense of false reassurance or time pressure, attackers tricked victims into performing small, familiar actions—such as clicking a link, scanning a code, or approving a device pairing—effectively turning the consumer into a participant in their own compromise.

Read the full Q4/2025 Gen Threat Report