
Discover the latest online threats and cyber security trends impacting businesses and consumers in the United States, brought to you by F-Secure's threat intelligence specialists.
April's F‑Alert explores how scams are evolving across policy and practice—from government crackdowns and public 'name and shame' tactics to AI tools that can uncover the real identities behind anonymous accounts and enable account hijacking. Throughout, we provide expert commentary and practical guidance to help navigate these risks.
As European governments accelerate efforts to restrict children's access to social media, Joel Latto examines whether similar restrictions could take hold in the United States—exploring the constitutional hurdles, tradeoffs, privacy risks, and practical enforcement challenges that make sweeping bans difficult to implement and sustain.
Dutch police are taking a more public approach to tackling fraud, publishing the faces of suspected scammers across national media. In this article, Joel Latto examines how the 'Game Over?!' campaign works and whether similar measures could be used in the U.S.
A new phishing scam is targeting Signal users by posing as official support bots to hijack accounts. In this article, we explain how the scam works, why trusted messaging apps are being targeted, and what users can do to avoid falling victim.
A popular calorie-tracking app has exposed millions of user records, including sensitive health and personal data. In this article, we examine what was leaked, how the breach occurred, and what users can do to protect their personal information.
A recent wave of malware campaigns shows how attackers are increasingly using social engineering and fake websites to trick users into downloading malicious apps. In this article, Joel Latto examines a new trojan masquerading as a legitimate application.

Europe Cracks Down on Social Media—Will the U.S. Follow?
The Netherlands is the latest country to propose banning social media for children. This raises a key question: could similar age restrictions take hold in the United States? For now, that appears doubtful. First Amendment protections make it difficult to implement a broad social media ban.
Key facts:
France has already approved a social media ban for children under 15, set to take effect in September, while the UK government is considering a ban for children under 16. However, the United States faces significant legal barriers to adopting comparable restrictions.
According to a Harvard Law Review article, age-verification requirements for social media may conflict with First Amendment protections covering both users' access rights and platforms' editorial control. Regulatory authority is largely limited to platform design features rather than blanket limits tied solely to age or content.
While the intention may be well meaning—and the harms social media can pose to children are well documented—such bans come with tradeoffs. ID checks carry privacy risks, and moderating content in a consistently fair way is nearly impossible.
While a nationwide ban is unlikely in the U.S. any time soon, governments proposing social media restrictions are multiplying across Europe. It almost goes without saying that children will seek—and likely find—ways to circumvent such bans. If policymakers want to make a meaningful impact, they may be better off focusing on potentially harmful platform features, such as infinite scrolling, rather than broad access restrictions.
Dr Laura James, Vice President of Research at F‑Secure

Dutch Police Shame Scammers—Could It Work in the U.S.?
Dutch police are taking a bold new approach to catching scammers: publishing their faces everywhere. Billboards, television, online ads—you name it. The large-scale 'Game Over?!' campaign aims to identify and bring in prolific criminals. This raises the question of whether similar measures could be used in the U.S.
Key facts:
In early March, Dutch police announced that 100 suspected scammers would have two weeks to surrender, or their faces would be made public. The campaign has a dual aim: to identify suspects and deter others from engaging in scam activity. And it appears to be working—21 suspects either came forward or were identified through tips.
On March 23, the police followed through by publishing the faces of the remaining 79 suspects. The individuals are believed to be linked to around 13,000 scam cases, with total losses estimated at over $78 million.
Public exposure tactics are not new in the U.S.—from the FBI's Most Wanted list to televised policing and law enforcement footage—suggesting that while the Dutch approach is more direct, similar tactics already exist and could be expanded.
The current scam landscape has removed many of the technical barriers traditionally associated with cyber crime. This makes scamming particularly appealing to young people looking for easy money, who may not fully grasp the seriousness of the crime. I do commend this public shaming tactic and can see other countries, including the U.S., taking their own 'name and shame' strategies a step further too.
Joel Latto, Threat Advisor at F‑Secure

Trending Scam: Signal 'Support Bot' Scam Used to Hijack Accounts
What's happening:
Dutch intelligence agencies warn that Russian state-backed hackers are using a phishing scam posing as a Signal 'support bot' to hijack accounts, tricking users into sharing verification codes or linking new devices.
The attacks don’t exploit the apps themselves but rely on user trust in secure messaging apps. Once access is granted, attackers can silently read private messages and group chats without alerting the victim.
Officials, journalists, and others discussing sensitive topics are primary targets, as trusted messaging apps have become key channels for high-value communications.
What to do:
Never share verification codes or follow instructions from unsolicited support messages—legitimate services will not ask for this information.
Check linked devices, look out for duplicate accounts in group member lists, and treat unexpected account-related messages as potential phishing attempts.

Breach That Matters: Misconfigured Cal AI App Exposes 3M User Records
What's happening:
Calorie-tracking app 'Cal AI' has reportedly exposed data from around three million users after a major security misconfiguration left its database accessible without authentication.
The breach includes sensitive personal data such as email addresses, names, dates of birth, and detailed health information including weight history, eating habits, and exercise goals.
Subscription and transaction data were also exposed, increasing the risk of targeted scams, phishing, and account abuse using personalized information.
What to do:
Be cautious of unsolicited emails, messages, or offers related to health apps, subscriptions, or fitness services—especially those that reference personal details.
Review accounts linked to health or fitness apps, enable two-factor authentication where possible, and avoid reusing passwords across services.

Government-Grade iPhone Exploit Is in Criminal Hands
A government-grade iOS exploit kit known as "Coruna" has fallen into the hands of cyber criminals and is now being deployed at scale. The tool allows attackers to silently compromise iPhones simply by luring users to malicious websites—creating a new opportunity for scam operations to combine social engineering with device-level access.
Key facts:
The exploit kit contains 23 exploits and multiple attack chains, enabling attackers to fully compromise iPhones running iOS versions from 2019 through late 2023 just by getting users to visit a malicious or fake website.
Scam sites—particularly fake cryptocurrency and financial platforms—have already been found embedding the exploit, turning routine social engineering lures into full device takeovers without visible signs to the victim.
Once deployed, the malware can steal sensitive data, access photos and emails, and drain crypto wallets. Around 42,000 devices are estimated to have been impacted by financially motivated attacks.
When advanced exploit tools designed for government use enter the criminal ecosystem, they lower the barrier for large-scale attacks. For consumers, visiting a malicious website is no longer just a phishing risk—it can lead to full device compromise. Keeping devices updated and avoiding untrusted sites is now critical to staying protected.
Timo Salmi, Senior Product Marketing Manager at F‑Secure

U.S. Makes Scam Centers a National Security Priority
In March, U.S. President Trump signed an executive order to make cyber crime and scam centers a national security priority. The order aims to coordinate a whole-of-government response to protect Americans from scams such as cryptocurrency investment fraud, phishing, and sextortion.
Key facts:
Cabinet-level departments have been given 60 days to review existing frameworks and 120 days to deliver an action plan identifying the transnational criminal organizations behind scam centers and proposing ways to dismantle them.
The order also formalizes a Victims Restoration Program, giving the Attorney General 90 days to recommend how funds can be returned to victims.
It calls for international consequences against nations that tolerate transnational criminal organizations, including sanctions, visa restrictions, trade penalties, and the expulsion of complicit foreign diplomats.
In today's polarized political climate, cracking down on scams and fraud is something that everyone can agree is a good idea. Any disagreements with this executive order will likely hinge on execution, not the rationale behind it.
Dr Megan Squire, Threat Intelligence Researcher at F‑Secure
