F-Alert Cyber Threats Bulletin November 2025

Discover the latest online threats and cyber security trends impacting businesses and consumers worldwide, brought to you by F-Secure’s threat intelligence specialists.

November's F-Alert highlights the rise of AI-driven psychosis, SIM farm-based attacks, and new malware campaigns exploiting social engineering tactics. It provides expert commentary and practical guidance to help navigate these risks.

How AI Chatbots Are Fueling Digital Psychosis

Cases of AI-enabled digital psychosis continue to surface in news media. Multiple documented cases show individuals developing severe mental health crises after intensive chatbot use, including hospitalizations, arrests, homelessness, job losses, and even deaths.

Key facts:

• AI systems can act as “sycophantic” reinforcers that validate and amplify delusional thinking. The problem is especially worrisome in chatbots that are designed to maximize engagement rather than provide therapeutic assistance or containment of delusional thoughts.

• The delusion patterns most cited include messianic or grandiose beliefs, the perception of AI as godlike or sentient, and romantic/attachment delusions.

• The phenomenon of AI-induced delusional thinking can affect both individuals with pre-existing mental health conditions and those without a prior history of mental illness, although people with previous mental health issues are at greatest risk.

New F-Secure Report Reveals the Human Cost of Scams

F-Secure has released its second annual Scam Intelligence & Impacts Report, uncovering the human cost of scams. The findings show how misplaced confidence in spotting fraud leaves people vulnerable, while stigma and shame keep victims silent—making scams one of the world’s most underreported crimes today.

Key facts:

• 69% of people believe they can recognize a scam, yet 43% of those individuals still fell victim in the past year. This overconfidence leaves many emotionally exposed, digitally unprepared, and often too ashamed to speak out.

• Scam victimization is rising sharply: in the US, scam rates doubled from 31% in 2024 to 62% in 2025, while in Vietnam, 90% of respondents were scammed last year. Globally, young adults aged 18–34 face more than double the scam risk of adults aged 65–74.

• Only 7% of scams are reported globally, largely due to shame and victim blaming. Reporting is even lower in some countries—5% in the UK and just 2.6% in the United States.

Read the full Scam Intelligence & Impacts Report 2025

Trending Scam: Watch Out for ‘Grey Area’ AI Shopping Scams This Fall

What’s happening:

• Scammers are creating AI-generated fake online stores with convincing backstories—often posing as small, family-run businesses—to lure in unsuspecting shoppers.

• Many of these are Temu drop-shipping fronts featuring fabricated proprietors and deceptive branding. While the setup is entirely fake, complete with AI-generated “shopkeepers,” customers do receive products—but they’re typically low quality.

• One example is “C’est La Vie,” a supposed UK boutique that claims to have operated in Birmingham for 29 years but lists a returns address in China.

What to do:

• AI has made it increasingly difficult for consumers to recognize fraudulent online stores. Service providers can play a key role in reducing risk by raising awareness about AI-enhanced scams and promoting safe online shopping practices.

• Encouraging customers to verify unfamiliar sites—by checking independent reviews on reputable platforms such as Trustpilot and using tools like F-Secure’s Online Shopping Checker—helps prevent fraud and strengthens customer trust.

Breach That Matters: Threat Actors Claim Theft of Data from 5.5M Discord Users

What’s happening:

• Hackers claim to have stolen the data of 5.5 million unique users from Discord’s Zendesk support system instance, including 2.1 million images of government IDs. Discord, however, disputes this—stating that approximately 70,000 users had their government IDs exposed.

• Discord hasn’t confirmed that the breach originated from Zendesk, only that it involved a third-party service used for customer support.

• As many organizations outsource support and IT help desks to business process outsourcing (BPO) providers, these have become attractive targets for attackers seeking access to downstream customer environments.

What to do:

• Organizations should review how customer data is handled by third-party service providers, especially those managing support systems or ticketing platforms. Strong contractual and technical controls are essential to ensure customer data is properly protected.

• Because many attacks begin with phishing or impersonation, companies should provide ongoing security awareness training for both internal teams and vendor personnel. Implementing phishing-resistant authentication methods can also significantly reduce the risk of credential compromise.

SIM Farm Network Discovered: What It Means for Security

A large network of SIM farms has been discovered and dismantled across New York. The operation contained servers and stacks of SIM cards—more than 100,000 of which were already active. This discovery highlights that criminal infrastructure doesn’t just consist of websites and malware, but also of physical components such as SIM cards.

Key facts:

• A SIM card is an incredibly powerful resource for criminals. It enables not only text messaging, phone calls, and number spoofing, but also access to countless online services that require a valid phone number for registration and verification.

• SIM farms are devices that hold hundreds of SIM cards from multiple operators and use Voice over Internet Protocol (VoIP) technology to send or receive bulk messages and calls. This allows criminals to automate communication, bypass verification checks, and exploit online services such as social media platforms, email accounts, and hosting providers.

• Though the investigation is ongoing, authorities describe this operation as a well-funded, highly organized enterprise—possibly linked to nation-state actors.

Social Engineering and Fake Sites Drive Surge in Malware

Recent malware campaigns highlight how attackers are relying on fake websites and social engineering to trick users into downloading malicious apps. Users in Spain and Italy have been targeted by the Android banking trojan Klopatra, while users in the UAE have been targeted by spyware masquerading as apps like Signal and ToTok.

Key facts:

• Once installed, the malicious apps request extensive device permissions—which should be a red flag for any app, regardless of source. They abuse legitimate Android features such as Accessibility Services, among others.

• Klopatra malware has compromised more than 3,000 devices, leveraging hidden Virtual Network Computing (VNC) for remote control of devices and dynamic overlays to facilitate credential theft. Meanwhile, spyware campaigns ProSpy and ToSpy establish persistent access and exfiltrate data from compromised Android devices.

• These malicious apps aren't available on official app stores but instead require installation from third-party websites. While downloading apps from such sources doesn’t necessarily raise red flags, users should be cautious—fake websites imitating legitimate services are often used to spread malware.