Don’t get caught: These were the 3 biggest scams of 2025


When you spend your days keeping track of scams, malware and malicious activities, it can seem like they're everywhere. But that also makes it easier to see which scams and hacks are getting popular or spreading fast and wide.

As we close out the year, these are the three trends in scams, hacks and threats that we've seen cross our desks most frequently in 2025. It's not a comprehensive list by any means, just an unofficial summary of the things we've noticed that hackers, scammers and threat actors seem to be up to.

1. QR code phishing


Though they're not a new scam, there was an increase in several scams this year centered around malicious QR codes. Most QR code attacks focus on stealing either payment information (credit card or banking details), or login credentials (Microsoft 365, Google Workspace).

The use of QR codes in malicious attacks and phishing attacks went up so much this year that it resulted in an FBI alert. In July, IC3 issued a notice warning about brushing scams that were leading victims to malicious tracking websites designed to steal their personal and financial information.

This year also saw QR codes being placed over legitimate codes left in public, such as on parking meters, restaurant menus or public transit posters. This leads targets away from their intended sources (payment websites in particular) in order to steal their credentials or even drain their bank accounts.

How to stay safe: Be wary of scanning any QR code you come across in public. Inspect it to see if it looks like a sticker was placed over it. If the poster, menu or parking ticket offers a website URL as well, just enter that manually.

Many smartphones will pop up a preview of the link before navigating to it; if your phone does that, then examine the preview to make sure you’re being redirected to the right place.

Lastly, be wary if the QR code wants you to log back in or re-authenticate your account a second time after scanning the code.

2. AI Impersonation


AI is being used by everyone — and scammers and hackers are not getting left out. Generative AI tools are being used in text, images and videos to create all manner of malicious scams to victimize people across the internet.

From more natural-sounding phishing emails and text messages to more convincing lookalike websites and emails, AI is big business for both legitimate and illegitimate reasons. It's estimated that more than 80% of phishing emails now use AI-generated content to sound more natural.

These techniques are often tied into other popular scams, like an imposter scam where a scammer pretends to be someone you know in order to trick you out of money. Research has shown that the volume of deepfake files in 2025 was projected to reach 8 million (up from 500K in 2023), and vishing (voice phishing) calls had increased 442% year over year. More than 77% of victims who had been targeted by an AI voice clone reported a financial loss, so the tools are working.

How to stay safe: First, don't give out money over the phone, and second, have a family code word.

Next, make sure to verify all emails or texts, especially any that ask you to log in, send money, click on a link, download anything or use a QR code, by manually visiting your account through an independent method.

Lastly, don’t participate in investment opportunities unless you’ve thoroughly investigated them first.

3. Toll text message scam


In 2025, the road toll smishing scam became one of the most statistically significant cyber threats in the United States. Heck, I've written about it myself three separate times — and then still had to warn my own partner not to click on one. The first half of 2025 was particularly bad for any user of a toll service like FasTrak, E-ZPass, or SunPass as phishing kits made these scams even easier to create and distribute.

During Q1 in 2025, there was a 604% increase in toll scam texts; IC3 reported receiving more than 2,000 formal complaints in a single month about the scam, and New York Governor Kathy Hochul had to issue a statewide alert after reports indicated that almost every E-ZPass user in that state had been targeted by that scam at least once. It was, according to data from the IC3 and cybersecurity firms, a massive coordinated effort by international scam syndicates, and it's likely not even over yet.

How to stay safe: Never, ever click on links in unsolicited messages and don't reply to them, either. If you've made the mistake of clicking on a link or replying to a text, change your passwords for any accounts involved and contact your bank to report it and to see about monitoring or freezing your account.

As always, follow the usual rules to protect against phishing: be wary of anything that claims you need to pay urgently, uses threats or consequences, or comes from an unknown source. Know which toll agencies are local to you, what their websites are and how they usually ask for payment.

If you're concerned about your toll account, go to the company’s website directly and log in to your account independently or call the company directly to check on your account. Don't ever interact with this text.

Additionally, if you receive these types of messages, block and report the number. You can also report the number or file a complaint at the IC3 portal.
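The link check behind the QR code preview and toll text advice above, as an added example that is not part of the original article: it extracts the host a link really leads to and compares it with sites you already know. The domains are constructed placeholders, and `check_link`, `TRUSTED_HOSTS` and `SAMPLE_LINKS` are names made up for this sketch.

```python
from urllib.parse import urlsplit

# Constructed placeholders for the payment sites you already use;
# these are not real toll agency or parking addresses.
TRUSTED_HOSTS = {"tollagency.example", "pay.citypark.example"}

# Constructed sample links of the kind a QR preview or text might show.
SAMPLE_LINKS = [
    "https://tollagency.example/account",
    "https://secure.tollagency.example/login",
    "https://tollagency.example.pay-now.test/invoice",   # trusted name used as a prefix
    "https://tollagency.example@pay-now.test/invoice",   # trusted name before '@'
    "http://tollagency.example/account",                 # no TLS
    "https://toll\u0430gency.example/account",           # Cyrillic 'a' lookalike
]


def check_link(url, trusted=TRUSTED_HOSTS):
    """Classify a link by the host it really leads to."""
    try:
        parts = urlsplit(url.strip())
        # .hostname drops any "user@" prefix and the port
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return "reject: malformed link"
    if parts.scheme != "https" or not host:
        return "reject: not an https web link"
    if "@" in parts.netloc:
        return "reject: the name before '@' is not the destination"
    labels = host.split(".")
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        return "reject: hostname can hide lookalike characters"
    # Only the end of the hostname counts: exact match or a subdomain.
    if host in trusted or any(host.endswith("." + t) for t in trusted):
        return "ok: " + host
    return "reject: unknown site " + host


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(check_link(link), "<-", link)
```
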



Amber Bouman
Senior Editor Security

Amber Bouman is the senior security editor at Tom's Guide where she writes about antivirus software, home security, identity theft and more. She has long had an interest in personal security, both online and off, and also has an appreciation for martial arts and edged weapons. With over two decades of experience working in tech journalism, Amber has written for a number of publications including PC World, Maximum PC, Tech Hive, and Engadget covering everything from smartphones to smart breast pumps. 
