Imposter Scams Hit Record High as Cybercriminals Exploit New Malware Evasion Tricks

Criminals posing as trusted organizations have stolen a record-breaking $3.5 billion from Americans in 2025, according to a fresh warning from the Federal Trade Commission. The surge in losses coincides with emerging hacking techniques that allow malicious software to hide from standard security tools, creating a perfect storm for unsuspecting victims.

The threat landscape has grown more dangerous as attackers combine social engineering scams with sophisticated evasion tactics. Security researchers recently uncovered a technique called GhostTree that exploits how Windows organizes files on computers. By creating layers of nested shortcuts and links, hackers can generate thousands of fake file paths that confuse Microsoft Defender—the built-in antivirus protection on Windows systems—causing security scans to get stuck in endless loops and never complete their job.

What this means

When your antivirus software fails to finish scanning your computer, dangerous programs can slip through undetected. Think of it like a security guard trying to count inventory in a warehouse where new shelves keep appearing faster than they can be checked. Eventually, the guard gives up, and stolen items remain hidden on the premises.

This technical vulnerability combines with human psychology in devastating ways. Scammers call, email, or text pretending to be your bank, the IRS, tech support, or loved ones in trouble. They create urgency and fear, pressuring victims to send money or share personal information immediately. Once someone believes they're dealing with a legitimate organization, their guard drops—and that's when the theft happens.

The $3.5 billion figure represents a staggering increase in losses. To put this in perspective, that's enough money to fund a major university's operations for several years, and it came directly from people's retirement accounts, savings, and emergency funds.

Why you should care

No one is immune to these scams. Victims include retirees, young professionals, small business owners, and tech-savvy individuals. Scammers use publicly available information from social media and data breaches to make their stories more believable. They might mention your real employer, reference actual family members, or cite real government programs.

The combination of advanced malware hiding techniques and increasingly convincing social engineering makes this a critical moment for digital safety. If hackers can compromise your device without detection, they gain access to passwords, banking information, and sensitive documents.

What you can do

• Never trust unsolicited contact. Real banks and government agencies don't call demanding immediate payment or threatening arrest. Hang up and call the official number from their website instead.
• Keep security software updated. Install patches for Windows and your antivirus software as soon as they're available. Updates close the gaps that malware exploits.
• Verify caller identity independently. If someone claims to be from your bank, end the call and dial the number on your statement or card.
• Use strong, unique passwords. Enable multi-factor authentication on email, banking, and financial accounts.
• Enable extra security features. Windows Defender includes advanced options—make sure they're turned on.
• Report suspicious contact. Tell the FTC at reportfraud.ftc.gov and your local police.

Protecting yourself requires staying informed about both the social tactics criminals use and the technical tricks they employ to stay hidden on your devices.