Scams now operate like real businesses with budgets and targets

Social media has overtaken email as a primary attack vector, showing changes in how people consume information and interact online, according to Bitdefender’s Global Scam Intelligence Report 2026. Fraud campaigns use advertisements, sponsored content, impersonation pages, and direct messages to reach users.

Global scam breakdown by category (Source: Bitdefender)

One in seven consumers fell victim to a scam during the past year. Scam operations resemble organized businesses, with structured workflows, dedicated personnel, and tactics designed to exploit trust through familiar brands, platforms, and communication channels.

Financial scams remain dominant

Financially motivated fraud accounted for a large share of scam activity throughout the year. Phishing remained the most common web-based scam category, representing roughly a quarter of reported incidents. Financial and investment scams, fake shops and advertising scams, and job scams ranked among the leading categories identified in Bitdefender’s data.

Many campaigns relied on familiar social engineering techniques. Fraudsters impersonated financial institutions, online services, retailers, and government organizations to persuade victims to disclose credentials, transfer money, or install malicious software.

Malvertising played a larger role in scam operations during 2025. Attackers abused advertising ecosystems on major platforms to distribute malware, harvest credentials, and promote fraudulent investment opportunities. Some campaigns used sponsored advertisements to direct users to convincing impersonation pages, while others delivered malware through multi-stage infection chains.

Event-driven scams remained common. Campaigns adapted to major news stories, sporting events, holiday shopping periods, concerts, travel demand, and viral online trends. By inserting fraudulent offers and messages into subjects people were already discussing or searching for, attackers increased the likelihood of engagement. Examples ranged from fake ticket sales and travel offers to scams tied to widely publicized events and seasonal shopping campaigns.

Younger users experienced higher scam victimization rates than older age groups. Bitdefender attributed the trend in part to greater time spent on platforms where scammers concentrate their activity.

Messaging platforms continue to attract attackers

SMS remained a significant delivery channel for scam campaigns. Finance-related scams represented the largest category of risky SMS activity, followed by entertainment, delivery, toll road, insurance, healthcare, government, and prize-themed messages.

WhatsApp accounted for a substantial share of messaging-based scam activity. Business accounts played a significant role in risky conversations, giving fraud attempts an appearance of legitimacy. Several campaigns used social pressure and trust-based interactions to encourage users to share messages, submit verification codes, or interact with fraudulent websites.

Observed campaigns included voting-themed scams and promotional campaigns that leveraged viral sharing mechanisms. These approaches relied less on technical sophistication and more on convincing users to participate voluntarily.

Active phone scams

Analysis of phone traffic found that more than 23 million of nearly 150 million calls were classified as unwanted.

Financial institutions represented the largest phone-scam category, highlighting the continued focus on schemes designed to extract money, credentials, or other sensitive information.

Voice-call fraud resembled an industrialized ecosystem combining robocalls, scripted conversations, social engineering, and human operators. Scam operations use structured workflows similar to those found in legitimate contact centers, including dedicated personnel, supervisors, scripts, performance tracking, and shift-based schedules.

Phone-based fraud followed recognizable patterns, including recurring call schedules and conversation lengths that varied by scam type. Some operations focused on collecting sensitive information, while others attempted to convince targets to transfer money or grant remote access to devices.

Caller ID spoofing and other impersonation techniques helped fraudulent calls appear legitimate. These tactics exploit established trust relationships between individuals and organizations.