Return label & "Nomani" investment scams

Today's newsletter covers the return label phishing scam and the "Nomani" investment scam.

In this issue:

  • Return label phishing scam

  • "Nomani" investment scam

  • Data breaches this week

Return label phishing scam

I buy things from social media ads, especially when something looks useful in my feed. That is exactly why the “Return Label Phish” scam, which started showing up this holiday season, is so effective. It targets people right after a purchase, when you are already frustrated and just want a refund.

The scenario feels normal. You buy an item you found on a social media ad, often from platforms like Instagram or TikTok. The product arrives late, does not work, or looks nothing like the photos. You email customer support to return it, and they send back a “pre-paid return label.”

That is where things go wrong.

In one version of this scam, the link to download the return label takes you to a fake site. To get the label, you are asked to log in to an email, shipping, or payment account. Those credentials are stolen, or a malicious ClickFix script installs malware that can grab saved passwords and browser data. It all happens during what feels like a routine return.

In another version, the label itself is real, but the address is not. The package is sent to a private home instead of a warehouse. Tracking shows it was delivered, so you assume everything is fine. Weeks later, you realize the seller claims they never received the return, and the refund never comes.

What makes this scam work is timing. You are already annoyed with the purchase and focused on fixing the problem quickly. Most people do not stop to question a return label or double-check an address.

If you shop through social media ads, slow down during returns. Be suspicious of download links, verify return addresses, and never enter account credentials just to get a shipping label. Social media shopping can be convenient, but returns are where the real risk often shows up.

"Nomani" investment scam

In a previous article, I wrote about fake ads on Facebook and how scammers abuse trusted social media platforms to push fraud at scale. The “Nomani” investment scam shows just how far that problem has progressed, driven by AI-generated deepfake technology.

The Nomani campaign first surged in December 2024 and expanded rapidly in late 2025. Fraudsters created realistic video testimonials using AI to impersonate well-known public figures. Reports and takedowns tied to this campaign have included deepfake videos portraying figures such as Elon Musk and Martin Lewis, among other recognizable business and finance personalities. In these videos, the fake spokesperson appears to personally endorse a trading platform called “Nomani,” often claiming it is a proven or insider investment opportunity with unusually high returns. The platform itself does not exist.

These ads are commonly delivered through YouTube and Facebook as sponsored content. They blend naturally into users’ feeds and link to professional-looking websites that mimic legitimate investment services. Victims are shown fake account balances, fabricated profits, and urgent prompts to deposit money quickly before the opportunity “closes.”

What makes the Nomani scam especially alarming is its scale. ESET, a global cybersecurity firm known for researching malware, phishing, and online fraud, reported blocking more than 64,000 unique URLs connected to this single campaign. That volume highlights how criminals use automation and generative AI to constantly rotate domains, ads, and videos to stay ahead of takedowns.

This mirrors the warning from my earlier article on fake Facebook ads. Social media provides reach and credibility, while AI supplies instant fake authority. The result is industrial-scale fraud that looks increasingly believable.

The warning signs remain consistent. Be skeptical of investment ads on social media, especially those using celebrity endorsements, urgency, or guaranteed returns. Legitimate investments do not rely on viral videos or borrowed fame.

Data breaches this week

Most of the time these will be companies that you don’t have any personal data with, but scan the names to make sure you aren’t affected.

Do you have an idea for a future newsletter? Please reply to this email and let me know.

Thank you so much!

Sincerely,
Cassie Crossley
Founder, Cyber Safe Center
https://www.cybersafecenter.com