AI Scams in 2026: How Fake Texts, Deepfakes, and Broker Alerts Steal Your Money

In 2026, AI has made scams faster, cheaper, and eerily convincing. Google recently outlined how a China-based operation—nicknamed “Outsider Enterprise”—blasted Android users with millions of smishing texts in days and spun up thousands of phishing sites to harvest logins and payments (Google (The Keyword)).

At the same time, voice cloning has gone mainstream. One in four Americans say they’ve received a deepfake voice call in the past year, according to an industry report (Hiya).

The financial damage is real. The FBI logged more than a million internet-crime complaints in 2025 and $20.877 billion in reported losses, including nearly $900 million tied to AI-related cases (FBI IC3 2025).

This guide shows how the newest AI scams work—fake texts, deepfakes, and phony broker alerts—plus the checks to run before you click, send, or trade.

How AI turbocharges scams in 2026

AI tools write near‑perfect messages, translate them instantly, spin up realistic websites, and clone voices. That compresses the time between “idea” and “attack.” In May 2026 alone, Google says Outsider Enterprise sent about 2.5 million scam texts to Android users in two weeks and stood up roughly 9,000 fake sites and over a million fraudulent URLs to funnel victims to look‑alike pages (Google).

Users also flagged around 55,000 spam texts in that same two‑week window—more than two reports per minute—showcasing the sheer volume platforms are fighting (Google).

At a macro level, the FBI’s Internet Crime Complaint Center (IC3) recorded 1,008,597 complaints and $20.877 billion in losses for 2025, including 22,364 AI‑related complaints with an estimated $893.3 million in AI‑linked losses (FBI IC3 2025). The numbers confirm what consumers feel daily: more lures, more pressure, and more account takeovers.

Fake texts and messaging lures: what they look like and how to verify

Common lures in 2026

• “Delivery failed” notices with a small “redelivery fee.”
• “Unusual activity” alerts allegedly from your bank, broker, payroll, or tax platform.
• “DMCA/copyright” takedown warnings aimed at creators and small businesses.
• “Account bonus expiring” promos that require sign‑in via a short link.

Fast checks before you click

1. Don’t tap the link. Open the official app or type a saved bookmark to check for any alert inside your account.
2. Check sender details. Bank and broker texts usually come from short codes or known IDs; random 10‑digit numbers and strange domains are red flags.
3. Scan the timing and tone. Real fraud teams don’t threaten account closure in minutes or ask for full passwords/PINs by text.
4. Test the link safely. If you must inspect it, expand the URL preview and look for subtle misspellings. When in doubt, ignore and use the app.
5. Search the exact message. Copy a unique phrase into a search engine; large‑scale campaigns often leave traces fast.

Mistakes to avoid

• Entering credentials on any page reached from a text or DM—even if it “looks right.”
• Approving a login push or passkey prompt you didn’t start. That’s often a “MFA fatigue” play.
• Calling back numbers embedded in the message. Use the number on your card or the app’s help menu.

Deepfake voice and video impersonations: spotting the tells

Voice clones are now common enough that you can’t trust a familiar voice by itself. One in four U.S. consumers report receiving a deepfake voice call in the past year, and unwanted call volume has grown at a 16% annual rate since 2023 (Hiya).

How the con unfolds

• Scammers scrape public audio (podcasts, livestreams, voicemail greetings) to clone a voice in minutes.
• They spoof caller ID to display a real contact or institution.
• The script leans on urgency: “wire now,” “don’t tell anyone,”

Defensive moves that work

• Establish a family/work “challenge” phrase. If the call is about money, ask for the phrase. No phrase, no transaction.
• Hang up and call back using a saved contact card or the number on the institution’s website/app.
• Insist on a channel change. Move to a verified video call, or ask them to send a message inside the official app inbox.
• Slow the tempo. Scams punish delay; legitimate staff can wait while you verify.

Older adults remain prime targets and suffer larger losses. In 2025, more than 201,000 complaints from people 60+ totaled over $7.7 billion, with average losses above $38,000 (FBI). Build verification rituals with parents and grandparents now.

“Broker alerts” and investment messages: real vs. fake

Bogus broker alerts capitalize on market volatility and “security scare” fatigue. They mimic real brands, then redirect to credential‑harvesting pages or push you into “urgent trades” on fake platforms.

How to tell them apart

Safer habits

• Use the official app and built‑in inbox for any security or margin message.
• Lock down 2FA with hardware keys or app‑based codes, and set transaction alerts inside the account.
• Keep a separate, private email and phone number just for financial accounts to reduce exposure.

Payment methods scammers prefer—and your recourse

Scammers push you to irreversible or hard‑to‑reverse rails. Understand what has dispute protections and what often doesn’t.

• High risk of no recourse: crypto transfers, gift cards, wire transfers, cash, and many instant P2P payments sent to the wrong person.
• Some recourse with conditions: ACH debits and credit cards (chargeback rights and error‑resolution windows vary by issuer and network).
• Checks/cashier’s checks: can be forged; funds can appear “available” then bounce later.

When in doubt, pause and move the request to a slower, more protected rail—or wait entirely until you verify via an official channel.

What to check before acting

• Channel: Are you inside the official app or on a link from a message?
• Identity: Can you verify the sender independently (callback to a saved number, app inbox, known email)?
• Details: Does the domain spelling, SSL certificate, and URL path exactly match the institution?
• Behavior: Are you being rushed, isolated from others, or asked for full credentials/2FA codes?
• Payment: Is the requested method reversible, and are you comfortable with the risk if it isn’t?
• Records: Will you have a paper trail (ticket number, in‑app message, email from the official domain)?

If you clicked, paid, or shared info: steps to limit damage

1. Secure the account. Change the password from a trusted device, revoke active sessions, and rotate backup codes. Enable stronger 2FA.
2. Contact the institution immediately using the number on the back of your card or the app. Ask about stopping or disputing the transaction.
3. Freeze what’s exposed. Place card holds, lock debit cards, or freeze credit at the bureaus if identity data leaked.
4. Scan devices and browsers. Remove unknown extensions, check autofill vaults, and clear saved logins for sites you don’t recognize.
5. Monitor statements and set alerts. Daily text/app alerts help you catch follow‑on fraud quickly.
6. Report the incident. File at ic3.gov (FBI Internet Crime Complaint Center) and with your state attorney general or consumer‑protection office. Keep screenshots and message headers.

The sooner you act, the more options you typically have with disputes and account recovery.

Policy and platform defenses to watch

Platforms and carriers are rolling out more pre‑delivery filtering, account‑takeover monitoring, and takedown programs. Google’s recent post details efforts to disrupt large-scale AI‑assisted operations like Outsider Enterprise by blocking messages, de‑indexing phishing pages, and sharing indicators with partners (Google).

Industry call‑authentication and spam‑filtering continue to improve, but surveys suggest scammers still reach consumers too often and that unwanted call volume remains elevated (Hiya). Expect more carrier‑level blocking, stricter sender verification for bulk messaging, and faster domain takedowns over the next year.

Frequently Asked Questions

Are verification codes safe to share with customer support?

No. Legitimate staff won’t ask for one‑time passcodes, full passwords, seed phrases, or recovery keys. If someone asks, stop and contact the institution via its official app or known phone number.

How can I tell if a security alert is real without clicking the link?

Open the institution’s app or type its saved bookmark. Check the in‑app inbox or notification center. If there’s no matching alert inside your account, treat the message as suspicious.

What if the caller sounds exactly like my spouse or manager?

Assume voice alone isn’t proof. Use a pre‑agreed challenge phrase or hang up and call back using a saved contact card. Deepfake voice reports are now widespread, so build this habit.

Are QR codes in texts safe?

QR codes can hide malicious links just like short URLs. If a financial or delivery message includes a QR, ignore it and access the service from the official app or website instead.

Do older adults face different scam tactics?

Often, yes. Scammers lean on benefits, tech‑support, and grandparent emergencies. Losses are also higher on average for people 60+, according to the FBI. Establish slow‑down and callback rules with family.

Should I delete a suspicious message after reporting it?

Keep evidence (screenshots, headers) until you’ve reported to your bank and relevant authorities and confirmed next steps. Afterward, deleting reduces the risk of accidental clicks later.