A complete field reference. Threat taxonomy, defense architecture, and primary source ledger. Every claim traces to a government or institutional source. Updated continuously.
Two indexes. Locate your threat. Locate your defense. Jump directly to the relevant section.
AI changed scale and realism. The underlying mechanism is identical to every fraud operation ever run.
You can hang up. Right now. In the middle of any conversation. With anyone. You do not owe a stranger on the phone your time, your attention, or your information. That feeling of urgency on a call or in a message — that is the attack. Your calmness is the defense.
Every entry: mechanism, scale, documented case, defense protocol, and primary source citation.
A scammer extracts thirty seconds of audio from a social media video. They feed it into a voice cloning model. Within minutes they have a synthetic voice indistinguishable from your family member — including the way they cry, the cadence of panic. They call you. You hear your child's voice saying they've been arrested. The voice is real. The emergency is fabricated.
Voice cloning is also deployed against bank voice-authentication systems. A synthesized version of your voice passes the biometric gate. The bank hears you. You gave them no such permission.
Establish a family codeword now. A phrase known only to immediate family. Any emergency call must use it before any action is taken. Hang up on any distress call and call the person directly at a saved number. Set social media to private. Restrict who can see videos containing your voice.
Scammers scrape public photos from social media and feed them into AI generation tools. They produce fabricated images or videos of you in compromising situations that never occurred. They contact you demanding payment to suppress the material. This is happening to ordinary people — not public figures.
The more publicly accessible photos you have online, the larger the scammer's material library. A private profile is a meaningful structural defense.
A scammer calls your mobile carrier with your name, address, and the last four digits of your Social Security number — likely purchased from a data breach. They claim to have lost their phone and need a replacement SIM. Your number transfers to a SIM they control. Every call, every text, every two-factor authentication code now routes to them. Every bank alert. Every password reset link.
In 2025 a California arbitrator ordered T-Mobile to pay $33 million after a SIM swap attack enabled the theft of $38 million in cryptocurrency from a customer who had extra security measures on their account. SIM swapping defeats SMS-based two-factor authentication completely.
For decades the tell of a phishing email was broken grammar and generic greetings. That tell is gone. Large language models produce flawless, contextually appropriate, professionally crafted messages in any language at zero cost and at scale. 82.6% of phishing emails now contain AI-generated content. The mechanism is unchanged. The quality is indistinguishable from legitimate communication.
If you did not initiate the contact, do not click any link in any message. Close it. Navigate directly to the institution's website through your browser or call the number on the back of your card. The link in the message is the attack. The message is the delivery mechanism.
In 2024 a finance worker in Hong Kong was tricked into transferring $25 million after a deepfake video call impersonated the company's CFO and other colleagues. The worker attended what appeared to be a legitimate multi-person video conference. Every face on the call was synthetic. Real-time deepfake video is no longer theoretical — it is being deployed in targeted attacks against financial decision-makers.
For any high-stakes decision made over video call — financial transfers, access grants, sensitive information — establish a separate verification step through a known channel before acting. Any caller who resists verification for a high-stakes request is the verification you needed.
Someone contacts you online. They are warm, attentive, patient. Over weeks or months they build genuine trust. Then they introduce an investment opportunity — typically cryptocurrency on a platform you have never heard of. They show you impressive returns. They encourage you to invest more. When you attempt to withdraw, the platform invents reasons you cannot access your funds. The relationship, the warmth, the patience — all of it was manufactured. Pig butchering revenue grew 40% in 2024. Total crypto fraud hit a record $9.9 billion that year.
Any investment opportunity introduced by someone you met online is a scam until independently verified through a licensed financial institution. Never send money to someone you have only met online regardless of how long the relationship has developed. Tell a family member about any new online relationship that moves toward financial discussion.
The IRS does not call. The Social Security Administration does not call to tell you your number has been suspended. Medicare does not call to verify benefits. Law enforcement does not call to tell you there is a warrant that can be resolved with a gift card payment. If any caller claims to be from a government agency and demands immediate payment in any form — it is a scam. The real agency will send a letter. Caller ID is fakeable. The number displayed proves nothing.
Hang up. Find the agency's real phone number through a web search or a physical document you already have — never call back the number that called you. Every government agency with legitimate business sends written notice first. Payment demand by phone from a government agency is the defining signature of a scam.
A pop-up appears on your screen warning your computer has been infected. It displays a phone number. The person on the line is professional and helpful. They ask for remote access to your computer. Once they have it they can see everything — saved passwords, banking information, stored files, session cookies for every account you are logged into. Microsoft, Apple, and Google do not send unsolicited pop-up warnings with phone numbers to call.
Organized by the principle that governs all of them: compartmentalization. The goal is to limit the blast radius of any single compromise.
Banking credentials, personal email, retail accounts, social media, and work accounts must exist in separate compartments that share no passwords, email addresses, or phone numbers.
Call your mobile carrier today. Request all three of the following. Document the representative's name and the date.
A credit freeze prevents any new credit from being opened in your name without your explicit unfreeze. It is free. It does not affect your existing accounts or your credit score. It is the single most effective defense against identity theft. A freeze at one bureau does not cover the others — all three are required.
Agree on a word or phrase known only to your immediate family. Any emergency call requesting money or action must include the codeword before any response is given. A voice clone cannot guess a word it has never heard. This is the primary structural defense against the grandparent scam and every variant of it.
Every hour that passes is an hour the attacker has to use what they took. Speed is the primary variable.
The phone number. What was said. What information you provided. What payment you made. What accounts were mentioned. Do this while it is fresh. This documentation is essential for every subsequent step including law enforcement reporting.
Every account where you used the same password as a compromised account. Every account linked to a compromised email. Change to unique passwords. Enable the strongest available 2FA on each. Act before the attacker does — do not wait for signs of compromise.
Call your bank and credit card companies using the number on the back of your card. Report what happened. Request account flags for suspicious activity. Credit card payments may be reversible. Wire transfers, gift cards, cryptocurrency, and Zelle payments generally are not — report them anyway. Documentation matters for law enforcement.
Equifax · Experian · TransUnion. A freeze at one does not cover the others. Free. Reversible. Do it before any new credit can be opened in your name.
File with the FTC at ReportFraud.ftc.gov. File with the FBI's Internet Crime Complaint Center at ic3.gov. Report to local law enforcement as well. These reports contribute to pattern analysis that identifies and prosecutes criminal networks. Your report matters even if the individual loss cannot be recovered.
The shame of being scammed is one of the scammer's most powerful tools. It keeps victims silent. Silent victims do not report. Silent victims do not warn their communities. The scammer counts on this silence to continue operating. The embarrassment belongs to the criminal. Never to the person who was targeted.
This document cites no secondary sources where a primary exists. Every institution, report, and dataset below is the origin record — not an article about it.