A new Capital One phishing scam with a twist

I’ve been getting this phishing email about twice a day lately, and at first glance it looks pretty convincing. It’s designed to look like a security warning from Capital One — but don’t be fooled.

What makes this one different? Unlike most scams, it doesn’t immediately try to scare you with threats like “your account will be shut down” or “act now or lose access.” Instead, it takes a sneakier approach.


The New Trick They’re Using

The email has a button labeled “Review Your Card Activity.” If you hover over the link, here’s the surprise:

  • It doesn’t take you straight to a shady website.
  • Instead, it runs through Twitter/X first, then redirects to another site.
  • Twitter does flash a warning screen — which is good — but if they know it’s a scam, why not just remove it?

That’s the frustrating reality: social media platforms are slow to remove scam content, even when they know it’s fake.


Who Actually Stopped It

Here’s the good news: the hosting company where the final fake login page lived shut it down almost immediately after it was reported.

That’s why reporting phishing emails matters.

  • Social media may not act quickly,
  • but hosting companies usually do.
  • Reporting helps get the actual phishing pages taken offline, so fewer people can fall for them.

What You Can Do to Stay Safe

Don’t rely on platforms. Social media won’t always protect you — but you can protect yourself.

Hover before you click. Always check where a link really goes.

Be suspicious of redirects. If a link bounces through multiple sites, that’s a red flag.

Report it. Forward phishing emails to reportphishing@apwg.org or report directly to the company being spoofed.
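As an added illustration (not code from the original post), here is a small Python script that does the "hover before you click" check for every link in an HTML email without fetching anything. It flags links that hop through a redirector, links that smuggle a second URL in their query string (a pattern the post's "bounces through multiple sites" warning also covers), link text that shows one address but points at another, and any link that is not on the brand's own domain. The `KNOWN_REDIRECTORS` set, the sample email and the `example.org` / `example.net` hosts are constructed for this example; `capitalone.com` is the brand's real domain.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Hosts that forward visitors somewhere else. t.co is X/Twitter's link
# shortener; twitter.com and x.com show the interstitial warning the post
# describes. Extend with other shorteners as you encounter them.
KNOWN_REDIRECTORS = {"t.co", "twitter.com", "x.com"}


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())
            self.links.append((visible, self._href))
            self._href = None


def same_site(host, domain):
    """True when host is the brand's domain or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def embedded_url(url):
    """Return a full URL smuggled in the query string (open-redirect pattern), if any."""
    for values in parse_qs(urlparse(url).query).values():
        for value in values:
            if value.startswith(("http://", "https://")):
                return value
    return None


def assess_link(text, href, brand_domain):
    """List the red flags for one link; an empty list means nothing looked odd."""
    flags = []
    host = (urlparse(href).hostname or "").lower()
    if host in KNOWN_REDIRECTORS:
        flags.append("hops through a redirector: " + host)
    hidden = embedded_url(href)
    if hidden:
        flags.append("carries another URL in its query string: " + hidden)
    # Link text that looks like an address but points at a different host
    shown = text.lower()
    if shown.startswith(("http://", "https://", "www.")):
        shown_host = urlparse(shown if "://" in shown else "https://" + shown).hostname
        if shown_host and shown_host != host:
            flags.append(f"displays {shown_host} but goes to {host}")
    if not same_site(host, brand_domain):
        flags.append(f"not on {brand_domain}: {host or '(no host)'}")
    return flags


def triage_email(html_body, brand_domain):
    """Map each link's visible text to its red flags, without fetching anything."""
    parser = LinkExtractor()
    parser.feed(html_body)
    return {text: assess_link(text, href, brand_domain) for text, href in parser.links}


# Constructed sample: a "security warning" whose button routes through t.co,
# plus a second link using the query-string redirect pattern. The example.*
# hosts are placeholders; capitalone.com is the brand's real domain.
SAMPLE_EMAIL = """
<p>Unusual activity was detected on your card.</p>
<a href="https://t.co/PLACEHOLDER">Review Your Card Activity</a>
<a href="https://redirect.example.org/out?to=https://login-verify.example.net/">Confirm Identity</a>
<a href="https://www.capitalone.com/">www.capitalone.com</a>
"""

if __name__ == "__main__":
    for text, flags in triage_email(SAMPLE_EMAIL, "capitalone.com").items():
        print(f"{text!r}: {flags or ['no red flags']}")
```

Run it on the raw HTML of a suspicious message (most mail clients can save one as `.eml` or show the source) and pass the domain of the company the email claims to be from; any link with a non-empty flag list deserves a closer look before anyone clicks it.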

How Hackers Outsmarted Two-Factor Security (And What We Learned)

A cautionary tale about online gaming security – and why some companies get customer support right.

What Happened

One of our founder’s kids loves Roblox. Smart parent, secure setup. The account had two-factor authentication through the parent’s email. Should have been safe.

It wasn’t.

Last week, the kid noticed some game items missing. Strange. When we checked the account, we found a login session from Indonesia. Obviously compromised.

We did everything right. Changed the password to a long, random string. Logged out all other sessions. Problem solved.

Wrong again.

The Real Attack

The hackers were smarter than we realized. The kid had unknowingly installed malware – probably from a sketchy game download or website. This malware could “steal cookies” – essentially copying the digital keys that prove you’re logged in.

With stolen cookies, hackers could log into the account from their own devices without needing the password or email verification. Think of it like someone photocopying your house key.

But here’s where it got clever. After we changed the password, the malware was still on the computer. This time, the hackers:

  1. Logged the kid out of all sessions
  2. Used a keystroke logger to capture the two-factor code as the kid typed it
  3. Switched the account from email-based two-factor to authenticator-based two-factor
  4. Locked us out completely

Now the hackers had total control. The account required an authenticator app they controlled, and we had no backup codes.
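The following is an added example written for this post; it is not Roblox's implementation and not code from the original article. It models the session design the story turns on: a copied cookie is accepted with no password or two-factor prompt, exactly like the original. It then shows the two server-side defences that matter here: every accepted request is logged with the country it came from, so a cookie replayed from an unexpected place stands out, and each cookie is tied to a credential version, so a password change invalidates every outstanding copy rather than only the sessions you remember to log out. `SERVER_KEY`, the `Account` class and the country codes are constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical signing key; in production this lives in a secrets store, not in code.
SERVER_KEY = secrets.token_bytes(32)


@dataclass
class Account:
    username: str
    credential_version: int = 1            # bumped on every password or 2FA change
    usual_countries: set = field(default_factory=set)
    seen_from: list = field(default_factory=list)   # (country, session nonce) per request


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_session(account: Account, now: Optional[float] = None) -> str:
    """Mint a signed session cookie tied to the account's current credential version."""
    claims = {
        "user": account.username,
        "ver": account.credential_version,
        "iat": now if now is not None else time.time(),
        "nonce": secrets.token_hex(8),
    }
    payload = json.dumps(claims, sort_keys=True).encode()
    return payload.hex() + "." + _sign(payload)


def validate_session(accounts: dict, cookie: str, request_country: str) -> Optional[Account]:
    """Return the account if the cookie is genuine and still current, else None.

    Every accepted request is logged with the country it came from, which is
    what later lets us notice a cookie being replayed from somewhere new.
    """
    try:
        payload_hex, mac = cookie.split(".")
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    if not hmac.compare_digest(mac, _sign(payload)):
        return None                                  # forged or tampered
    claims = json.loads(payload)
    account = accounts.get(claims.get("user"))
    if account is None or claims.get("ver") != account.credential_version:
        return None                                  # minted before the last credential change
    account.seen_from.append((request_country, claims["nonce"]))
    return account


def change_password(account: Account) -> None:
    """Rotating the version kills every outstanding cookie, stolen copies included."""
    account.credential_version += 1


def unusual_activity(account: Account) -> list:
    """Countries this account's sessions were used from that it has never used before."""
    return sorted({country for country, _ in account.seen_from
                   if country not in account.usual_countries})


if __name__ == "__main__":
    accounts = {"kid": Account("kid", usual_countries={"US"})}
    acct = accounts["kid"]
    cookie = issue_session(acct)
    copy_of_cookie = cookie                          # the copy malware carried off the PC
    validate_session(accounts, cookie, "US")         # the kid, at home
    print(validate_session(accounts, copy_of_cookie, "ID") is acct)   # True: the copy is accepted
    print(unusual_activity(acct))                    # ['ID']
    change_password(acct)
    print(validate_session(accounts, copy_of_cookie, "ID"))           # None: the copy is dead
```

The version check is what makes "change the password" actually close the door: without it, the server would have had to find and delete every session record, and a copy it never heard about would keep working. The same rotation should happen when two-factor settings change, which is the step the attackers in this story used to lock the family out.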

The Rescue

This is where Roblox impressed us. Their support team actually helped recover the account. They verified details about how the account was used and confirmed the parent’s email address. Within days, we had access back.

This kind of real human support for compromised accounts is rare. Most companies just point you to automated password reset tools. Roblox deserves credit for going beyond that.

What This Means for You

Your takeaways from our expensive lesson:

Use authenticator apps, not email, for two-factor security. Email-based verification can be bypassed more easily. Apps like Google Authenticator or Microsoft Authenticator are stronger.

Clean devices matter more than strong passwords. Malware can defeat almost any security measure. Keep computers updated and avoid downloading sketchy software.

Hardware security keys are the gold standard. For your most valuable accounts – banking, work, primary email – consider a physical security key. They’re nearly impossible to hack remotely.

Save backup codes somewhere safe. When you set up two-factor authentication, most services give you backup codes. Print them. Store them securely. You’ll need them if your device breaks or gets stolen.

Not all companies will help you recover. Roblox went above and beyond. Many services won’t. Take security seriously upfront.

The Bottom Line

Gaming accounts might seem trivial, but they’re often connected to payment methods and personal information. Treat them seriously.

More importantly, use this as practice for protecting accounts that really matter. The same techniques that compromised a Roblox account could target your bank, work email, or social media.

Security isn’t about being paranoid. It’s about being prepared.

An inside look at how social media phishing scams work

… And how to avoid them

Fun fact about social media phishing scams — they tend to come in waves. Once companies like Meta see a pattern, they shut it down across the board. And that works, until the scammers figure out a new take on that game and it starts all over again.

We are seeing that wave again now — this page has been hit with five phishing attempts so far today. Obviously, these are mostly AI and bots now — anyone who takes the time to read the page would probably not waste their time. For one thing, it’s not going to work; for another, we always report them to Facebook.

Most social media phishing scams work on the same basic format — you get a fake warning that your account is suspended or going to be suspended.

We have illustrated exactly how this works below with an actual phishing attempt against one of our Facebook accounts.

And remember Rule No. 1: It’s always a scam (especially with these Facebook warnings … always).

And a quick reminder, never do what we did here, just ignore the phishing attempt. Interacting in any way, even reporting it to Meta, can put you on the scammer’s radar. We are professional scammer botherers.

Nobody Needs Another Login

Email and Text as a New (Old) UI

Why did we decide to build Scam Prevention Specialists with an experience that doesn’t require you to log in to a website or install another app? It’s simple: We wanted Scam Prevention Specialists to be as seamless and natural to use as possible.

Today, people are bombarded with messages — texts, emails, notifications — many of which demand immediate action. Scammers know this all too well. They create a sense of urgency, pressuring you to act fast with messages that suggest some dire consequence if you don’t respond immediately. Unfortunately, when it comes to these scam messages, “doing something” is often the wrong move.

This is why we designed Scam Prevention Specialists to fit right into the tools you’re already using — email and text. If you receive a message that seems suspicious, you can instantly forward it to Scam Prevention Specialists without needing to switch devices, open a new app, or remember another login. By making it this easy, we give you a clear action to take right where you are, letting you feel proactive and protected without unnecessary steps.

The second reason we chose this approach? You already have enough logins to remember. Even people who use password managers still have to interact with those tools, filling out login details and navigating extra steps to access new sites or apps. Adding another login would only complicate things, creating one more barrier when the goal is to keep you safe in real time.

Lastly, thanks to the power of AI, Scam Prevention Specialists’ email and text-based UI doesn’t compromise functionality. The AI we’ve built can handle natural, straightforward interactions, so there’s no need to learn a new site or interface. Everything is designed to be as simple and accessible as possible, so you can get the guidance you need and get on with your day, fully protected.

SafeScan is Built Different: Why We Combine AI with Human Intelligence in Our Services

The way we’ve developed Scam Prevention Specialists and our SafeScan technology cuts against the grain of current trends in tech. While many companies are rushing to replace tasks with AI, we’ve taken a different path: we’re focused on how AI and human intelligence can complement each other, producing results far better than either can achieve alone.

At its core, SafeScan is an AI-powered service designed to help users answer a critical question: “Is this email or text message legitimate or not?” Our users don’t care whether the response comes from AI or a human — they just want the answer to be right. And when it comes to scams, phishing, and fraud, 90% or even 95% accuracy simply isn’t good enough. That’s why we blend AI’s data-processing power with human intuition and decision-making.

AI is very effective at recognizing patterns and leveraging its vast training data. But it’s not perfect, especially when it encounters something outside of its prior knowledge or training. Humans may not have the same volume of data at their disposal, but they can ask questions, dig deeper, and catch subtle clues that AI might miss. When you combine these strengths, you get a system that’s truly greater than the sum of its parts.

Many companies rely on AI as a first line of defense in customer service, leaving complex cases to human agents only after the AI reaches its limits. We take a different approach: humans are involved from the start, guided by AI-generated insights, creating a seamless process where human and machine intelligence work together. The result? Better accuracy, more confidence, and ultimately, greater peace of mind for our users.

At SafeScan, we believe this approach isn’t just different — it’s better.