Archive for Bitdefender

Guest Post: Fake Interpol Investigation Emails Are Targeting Small Businesses with Ransomware

Posted in Commentary with tags on July 1, 2026 by itnerd

Think your small business is too small to be targeted by ransomware?

That’s precisely the assumption cybercriminals hope you’ll make.

Bitdefender Antispam researchers have uncovered a phishing campaign targeting small businesses across Europe, Asia, the Middle East, and the United States with fake investigation emails impersonating law enforcement officials.

The messages claim to contain evidence of suspicious company activity, but there’s a catch: The attached ‘evidence’ is actually ransomware.

Key takeaways

  • Researchers at Bitdefender Antispam Lab have identified a malicious campaign impersonating Interpol
  • The emails claim to contain evidence of suspicious company activity and pressure recipients into opening a password-protected archive.
  • Recipients are directed to a Proton Drive-hosted file that ultimately delivers ransomware.
  • The ransomware appears to be a custom-built payload rather than a known ransomware family.
  • The operation targeted organizations across Europe, Asia, the Middle East, and the United States.
  • Small businesses are particularly at risk because many lack dedicated IT and cybersecurity resources.

How the attack works

The emails arrive with an urgent tone, claiming to be from Interpol’s cybercrime investigation unit, which is conducting a compliance or security review.

Recipients are told that investigators have obtained information and video material related to their organization and are encouraged to review the evidence as soon as possible.

The message is carefully crafted to create anxiety. Nobody wants to receive an email suggesting their company may be involved in suspicious or fraudulent activity or under investigation.

To review the alleged evidence, recipients are directed to a Proton Drive link containing a password-protected archive. The password is conveniently included in the email itself.

Once opened, the archive appears to contain a video file documenting the supposed activities under investigation.

Instead, the victim is greeted with malware.

The attackers use a familiar trick: disguising an executable as a video file in the hope that recipients won’t notice the difference before opening it.

The malware isn’t sophisticated. The social engineering is.

According to researchers Viorel Vrabie and Andrei Mogage, the fake video contains a ransomware payload hidden within multiple archive layers.

Once executed, the malware seeks to encrypt files across available drives and presents victims with a ransom message:

“Your computer has been compromised, and you will not be able to recover your encrypted files without the decryption key.

Do not delete any files or change their locations. Do not scan your computer, as this may complicate the recovery process.

We are available only through Tox.”

One interesting detail is what the ransom note doesn’t say:

Unlike older ransomware attacks that immediately demanded a fixed payment amount, this note doesn’t specify a ransom at all. Instead, victims are instructed to contact the attackers through a Tox chat channel.

This approach has become increasingly common among ransomware operators. Rather than demanding the same amount from every victim, attackers often prefer to negotiate after establishing contact. The final ransom may depend on the size of the organization, the perceived value of its data, and its ability to pay.

The researchers also found that the malware itself is relatively simple. The code contains hardcoded values, including the password used during encryption and decryption, and lacks many of the features typically associated with large ransomware operations.

Bitdefender researchers observed the campaign targeting organizations across multiple industries, including food and agriculture, legal services, pharmaceuticals, media, technology, and finance.

The campaign was also geographically diverse, with targets identified across Europe, Asia, the Middle East, and the United States.

Is this attack linked to a major ransomware gang?

In fact, the malware seems much simpler than the tools typically used in major ransomware operations. Beyond the relatively basic code observed by our researchers, another notable difference is how victims are instructed to make contact.

Most modern ransomware-as-a-service (RaaS) groups direct victims to a dedicated negotiation portal hosted on the dark web, where they can exchange messages, receive payment instructions, and negotiate the ransom.

In this campaign, however, the attackers simply provide a Tox chat ID. There is no dedicated negotiation portal or victim site, which is another indication that this is likely a custom-built operation rather than the work of an established ransomware group.

This suggests the malware may have been custom-built or assembled using publicly available code and tools.

The campaign highlights an important trend: cybercriminals no longer need the resources or expertise of a large ransomware gang to launch disruptive attacks. Even relatively simple malware can become a serious threat when paired with convincing social engineering.

In this case, the fake investigation email does much of the heavy lifting. The attackers rely on fear, urgency, and authority to persuade victims to launch the malware themselves.

Why small businesses remain attractive targets

Small businesses are often viewed as easier targets than large enterprises.

Many operate without dedicated IT teams or cybersecurity staff. Security responsibilities are often shared among employees who already wear multiple hats, and limited budgets can make it difficult to invest in advanced security measures or ongoing training.

When an alarming email arrives claiming to involve investigators, compliance issues, or evidence of misconduct, there may be no formal process for verifying the claims before someone clicks.

Attackers understand this reality and design campaigns specifically to exploit it.

What should you do if you opened the file?

If you downloaded and opened a file like the one used in this campaign, don’t panic, but don’t ignore it either. Acting quickly can make a big difference.

Disconnect the affected device from the network. If ransomware or other malware is running, taking the computer offline may help prevent it from communicating with attacker-controlled servers or spreading to shared drives and other devices.

Run a full security scan. Use a trusted security solution, such as Bitdefender Ultimate Small Business Security, to perform a complete scan of the affected device. Even if nothing appears unusual, remember that some threats are designed to remain hidden until they’ve completed their job.

Notify your IT administrator or managed service provider, where possible. If you’re part of a business, don’t try to deal with the incident alone. The sooner your IT team is aware, the faster they can isolate affected systems and prevent additional damage.

Inform your team about the attack. Awareness can also make a huge difference in protecting your business, devices, data, and reputation.

Change important passwords from a clean device. If there’s any chance the malware also harvested credentials, update passwords for your business email, cloud storage, financial accounts, and collaboration platforms. Use strong, unique passwords and enable multi-factor authentication wherever it’s available.

Look for signs of suspicious activity. Watch for unexpected login alerts, password reset emails, unfamiliar transactions, or files that suddenly become inaccessible. Continue monitoring your accounts over the following days, as some attacks don’t reveal their full impact immediately.

Report the incident. Report the phishing email through your email provider’s “Report phishing” feature and notify the organization being impersonated when appropriate. If your business has been infected or you suspect ransomware was executed, consider reporting the incident to your national cybersecurity agency. Sharing information about active campaigns helps authorities warn other organizations and better understand emerging threats.

You may also want to read: What to do if you clicked a phishing link in a business email

How to protect your small business moving forward

Campaigns like this prove that ransomware attacks don’t always begin with sophisticated hacking techniques. Often, they start with a message designed to create panic.

To reduce the risk of your small business falling victim to a similar ransomware attack:

Verify all unsolicited correspondence before acting: If you receive a message claiming to come from law enforcement, regulators, or another authority, don’t rely on the contact details provided in the email. Reach out through official channels to confirm whether the communication is legitimate.

Note: One of the biggest red flags in this campaign is the delivery method itself. While the attackers impersonate Interpol, legitimate law enforcement agencies don’t send unsolicited emails containing Proton Drive links to password-protected files and ask organizations to review alleged evidence of wrongdoing. If you receive a message like this, resist the urge to investigate on your own. Instead, verify the communication through official channels before opening any attachments or downloading files.

  • Treat password-protected archives with caution, especially when the password is included in the email.
  • Show file extensions on Windows devices: This makes it easier to spot executables masquerading as videos or documents.
  • Enable multi-factor authentication wherever possible. MFA won’t stop ransomware that’s already running, but it can prevent attackers from accessing your business accounts if they also try to steal passwords.
  • Keep systems and software up to date. Regular security updates help close vulnerabilities that attackers may exploit before or after a phishing attack.
  • Train employees to recognize scams: Criminals increasingly rely on fear and urgency rather than technical exploits.
  • Maintain secure backups: Reliable backups remain one of the best defenses against ransomware.
  • Use layered security designed for small businesses: Even well-trained employees can have an off day, and attackers count on those moments. Solutions such as Bitdefender Ultimate Small Business Security add another layer of defense by helping block phishing emails, detecting malicious downloads, identifying suspicious behavior, and stopping ransomware in its tracks.

This article is published for informational and educational purposes only. The information presented is based on technical research conducted by Bitdefender Labs and publicly available sources. Bitdefender does not make any legal determination regarding the activities described herein. The mention of any company, brand, domain, or individual does not constitute an accusation of illegal activity. Readers should exercise their own judgment and consult appropriate authorities or legal counsel if they believe they have been affected by any of the activities described. Domain names and URLs listed in this article are provided solely to help consumers and security professionals identify potentially harmful infrastructure. Bitdefender disclaims any liability for actions taken based on the information in this article.

Bitdefender Launches RealCheck

Posted in Commentary with tags on June 24, 2026 by itnerd

Bitdefender, a global cybersecurity leader, today announced the launch of Bitdefender RealCheck, a standalone solution that helps consumers evaluate the authenticity of video content circulating across digital platforms and whether it carries malicious intent — such as financial fraud, credential theft, or defamation. As deepfakes proliferate across social media at an unprecedented pace, Bitdefender RealCheck gives consumers a powerful and accessible tool to separate fact from fabrication before they trust, share, or act on what they see.

Deepfakes have become one of the most effective tactics in a cybercriminal’s playbook. Deloitte predicts generative AI could drive fraud losses to $40 billion in the U.S. alone by 2027. According to a Bitdefender global survey of 7,000 consumers, AI-powered deepfake scams ranked as the top security concern — and social media has now surpassed every other channel as the leading medium for successful scams. The same survey found that consumers correctly identify high-quality deepfakes only 24% of the time.

Bitdefender RealCheck is a standalone solution for Android and iOS devices. Once installed, users simply submit a video link or upload a file for analysis. Bitdefender RealCheck conducts a structured, multi-layered analysis, recognizing that not all synthetic or altered videos are malicious (some are clearly satirical or entertainment-driven) and delivers a detailed report covering manipulation likelihood, deceptive intent, and transcript-level indicators. Rather than a simple yes-or-no verdict, Bitdefender RealCheck arms consumers with the context they need to make informed decisions.

Key features and benefits include:

  • Validate deepfakes across all major social media platforms — Bitdefendeer RealCheck assesses video content from local uploads, web-hosted videos, and posts across X, YouTube, Instagram, Facebook, and TikTok. It also identifies public figures, including celebrities, well-known business executives, and politicians, who are currently being impersonated or misused in active deepfake campaigns.
  • In-depth analysis and actionable reports — Bitdefender RealCheck delivers a thorough, multi-layered analysis of video content and associated audio, assessing manipulation likelihood and deception risk at the transcript level — evaluating speech segment by segment to pinpoint exactly where manipulation may have occurred. Rather than a simple yes-or-no result, consumers receive a detailed, structured report telling them what they are looking at and whether it was designed to steal their money, credentials, or personal information.
  • Protect the people you care about — Bitdefender RealCheck analysis and reports are shareable and can be sent to family and friends, even if they don’t have an account. In a world where a single convincing deepfake can spread quickly through a family group chat, the ability to share verified findings is a meaningful line of defense.

Availability: Bitdefender RealCheck is available now for Android and iOS devices in English across 14 countries, including the U.S., U.K., Australia, Canada, Germany, Italy, Spain, and France. Support for additional languages is planned for future releases.

Bitdefender Releases 2026 Global Scam Intelligence Report

Posted in Commentary with tags on June 9, 2026 by itnerd

Bitdefender today released the Bitdefender 2026 Global Scam Intelligence Report, a comprehensive analysis of the global scam landscape over a 12-month period. The report examines how scams have evolved into a sophisticated, cross-platform criminal industry, revealing the tactics, channels, and behavioral patterns that fraudsters use to target consumers worldwide.

Online scams and fraud continue to escalate at an alarming rate. Losses due to scams globally have reached nearly half a billion US dollars in 2025 alone. Bitdefender’s independent global survey of 7,000 consumers reinforces the severity of the problem with 1 in 7 (14%) reporting falling victim to a scam in the past year, a finding that confirms scams as not merely a cybersecurity issue, but a serious threat to consumers’ financial security and digital identity.

The Bitdefender 2026 Global Scam Intelligence Report is built from real-time insights spanning trillions of URLs, billions of messages, live ad ecosystems, call honeypots, and direct consumer submissions. This telemetry captures scam activity as it happens, tracking campaigns across platforms and documenting attacker behavior in motion. The result is a field report that gives both consumers and the security community a comprehensive, data-driven view of how scams operate at scale.

Key findings include:

  • Younger generation is highly targeted – Younger consumers are now twice as likely to fall victim to scams as older generations, with a victimization rate of 20% compared to 9.7% among those 55 and older. Scammers have followed their audience to the social platforms, gaming environments, and messaging apps where younger users spend the most time.
  • 1 in 20 text messages shows signs of fraud – Extensive analysis of SMS traffic found that 5.2% of all messages analyzed (roughly 1 in 20) exhibited characteristics consistent with scam infrastructure or coordinated fraud activity. For a communication channel people inherently trust, that exposure rate is a serious cause for concern.
  • Voice calls remain a high-yield fraud channel – Bitdefender analyzed nearly 150 million incoming calls during the reporting period. More than 23 million were classified as unwanted, meaning about 1 in 6 calls reaching protected devices was deemed fraudulent or unsolicited. The system processed more than 52 million unique phone numbers, with over half a million flagged as unwanted.
  • Finance scams dominate across every channel – Investment fraud, banking phishing, and crypto-themed scams appear consistently across SMS, social ads, WhatsApp, voice calls, and email. The lure changes with the platform, but the objective remains constant: quickly move the victim toward a financial decision before skepticism has a chance to intervene.

To download a complimentary copy of the Bitdefender 2026 Global Scam Intelligence Report, visit here.

Microsoft’s Legacy MSHTA Utility Tool Abused in Attacks, Exploited to Deliver Malware

Posted in Commentary with tags on May 19, 2026 by itnerd

Bitdefender has released new research documenting how attackers continue to abuse Microsoft’s legacy MSHTA utility to deliver malware through stealthy, multi-stage attack chains. The abuse of MSHTA affects both businesses and consumers who run Windows.

Despite Internet Explorer reaching end of support years ago, MSHTA remains enabled by default on Windows systems and continues to be heavily exploited by cybercriminals to execute malicious scripts, retrieve remote payloads, and evade detection using trusted Microsoft-signed processes.

Key findings include:

  • MSHTA used to silently deliver multiple malware families, including LummaStealer, Amatera, ClipBanker, PurpleFox, and CountLoader
  • Multi-stage, fileless attack chains using HTA scripts, PowerShell, and in-memory payloads to bypass traditional detection tools
  • Use of ClickFix-style lures and fake software downloads designed to trick users into manually launching malware infections

The research highlights how legacy Windows utilities continue to pose risks to general users and organizations by providing attackers with trusted tools that blend malicious activity into legitimate system behavior.

You can read the research here: https://www.bitdefender.com/en-us/blog/labs/microsofts-mshta-legacy-malware-windows

UPDATE: Adrian Culley, Senior Sales Engineer, SafeBreach has this comment:

Adrian has extensive global cyber investigations experience, including technical roles at SafeBreach, Trellix, Palo Alto Networks, Norse, and the London Metropolitan Police Service. 

“Reporting this week of a fresh surge in malware campaigns abusing mshta.exe should surprise nobody who has spent any time on the offensive side of the trade. The Windows utility has been shipping for 26 years, it is signed by Microsoft, it runs script in a trusted process context, and it is allow-listed by default in most enterprise estates. From APT28 to FIN7, from MuddyWater to whichever commodity loader is fashionable this month, attackers reach for it for the same reason burglars reach for unlocked doors.

There is no patch for this, because mshta is working as designed. What isn’t working is the quiet assumption — held in nearly every security organisation I walk into — that the AppLocker rule, the ASR policy, the EDR behavioural detection written eighteen months ago all still fire today. Estates drift. Exceptions accumulate. Rules quietly degrade. And almost no defender can prove, on demand, that they don’t.

The fix isn’t another product. It’s a discipline: safely run the attack on your own production estate, on a continuous schedule, and watch your stack respond. Replace “we believe we’re covered” with “we proved we are.”

Anything less is exposure management by hope.”

New Bitdefender Research Exposes Global Transportation Smishing Campaign

Posted in Commentary with tags on April 30, 2026 by itnerd

Bitdefender has released new research on a large-scale global smishing campaign targeting consumers with fake toll, parking, and traffic fine-themed messages designed to steal money and personal information or remotely control devices. The campaign remains active across 12 countries.

Researchers identified more than 79,000 fraudulent text messages and over 31,900 malicious URLs, using techniques such as sender ID spoofing, rotating domains, and masked links to evade detection.

The messages impersonate trusted transport authorities and pressure victims into making payments through fake websites or, in many cases, installing malware.

Key takeaways from the research:

  • Over 79,000 fraudulent messages have already been detected in 40 distinct SMS scam campaigns
  • The scams impersonate DMVs, toll operators, and parking authorities from all over the world
  • Victims are redirected to fake payment sites or, in some cases, malware downloads
  • Its infrastructure is characterized by rapid domain generation, sender-ID spoofing, and multiple evasion techniques targeting mobile operating systems

You can read further into this campaign here.

Bitdefender Launches Powerful Email Security Solution for Businesses and MSPs

Posted in Commentary with tags on April 15, 2026 by itnerd

Bitdefender today announced Bitdefender GravityZone Extended Email Security, unifying email and endpoint protection within a single platform. Built for organizations, managed service providers (MSPs) and their customers, it leverages an Integrated Cloud Email Security (ICES) approach to deliver continuous protection before and after delivery against modern email-borne threats including phishing, business email compromise (BEC), ransomware, impersonation, and insider-driven attacks.

“Email threats are growing more sophisticated and effective as total business email compromise-related payments crossed the $6 billion threshold in 2024”, according to Gartner®.¹ In a global survey of 1,200 IT and security professionals, 42% identified BEC as the greatest threat to their organization, while 66% reported an increase in these types of attacks.

Legacy email security solutions often focus on pre-delivery filtering, leaving gaps once threats reach user inboxes. Siloed email and endpoint security tools further create blind spots attackers exploit, increasing dwell time and delaying detection.

Bitdefender GravityZone Extended Email Security is a native email security solution that closes this gap by combining secure email gateway (SEG) filtering with API-based post-delivery protection. This dual-layer approach stops threats before delivery and continuously detects and remediates them after they reach inboxes, helping ensure complete protection across the email threat lifecycle. The solution builds on technology gained through Bitdefender’s acquisition of Mesh Security, further strengthening its email protection capabilities.

Fully integrated into Bitdefender GravityZone, the company’s unified security, risk analytics, and compliance platform, GravityZone Extended Email Security extends protection from endpoint to inbox. It integrates seamlessly into existing environments, enabling rapid deployment and time to value.

Key Benefits of GravityZone Extended Email Security include:

  • Unified email and endpoint protection – GravityZone Extended Email Security uses artificial intelligence (AI) and real-time threat intelligence to stop phishing, BEC, impersonation, ransomware, and other advanced threats. Emails are inspected before delivery and continuously monitored after delivery, enabling automated quarantine and remediation to reduce dwell time and limit user exposure.
  • Consolidates tools and reduces security team workload – The platform streamlines security management by unifying tools and automating detection and response across the email attack chain. Continuous monitoring and automated remediation reduce manual effort and improve response times.
  • Improves efficiency and scales security operations – Built for modern environments and service delivery models, GravityZone Extended Email Security enables efficient, scalable security for businesses and MSPs. Centralized management, continuous policy enforcement, and streamlined workflows support multi-tenant environments and simplify security across distributed infrastructures.
  • Fast, flexible deployment across any environment – Organizations and MSPs can deploy the solution as a SEG across Microsoft 365, hybrid, and diverse environments, with API-based and combined deployment models supported for Microsoft 365.

Availability

Bitdefender GravityZone Extended Email Security is available now as an add-on to GravityZone endpoint security deployments. For more information, visit here.

¹Gartner, How to Develop an Email Security Strategy, Max Taggett, Nikul Patel, August 20, 2025.

Gartner is a registered trademark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved.

Bitdefender Launches Complimentary Internal Attack Surface Assessment

Posted in Commentary with tags on March 31, 2026 by itnerd

Bitdefender, a global cybersecurity leader, today announced the Bitdefender Attack Surface Assessment, a complimentary evaluation that helps organizations identify and reduce hidden internal cyber risk caused by unnecessary user access to applications, tools, and operating system utilities commonly exploited in modern attacks. The assessment gives organizations a clear, data-driven view of their internal attack surface and provides actionable guidance to help prioritize and remediate exposure.

Businesses face growing challenges defending against Living-Off-the-Land (LOTL), fileless, and other non-malware attack techniques, which leverage legitimate operating system tools and trusted applications to breach systems and evade detection while blending into normal activity.

Analysis of more than 700,000 real-world security incidents found that legitimate tools and LOTL techniques are involved in more than 84% of major attacks. Cybercriminals increasingly exploit widely available utilities such as PowerShell, WMIC, and others to gain access, escalate privileges and move laterally within environments undetected. As a result, organizations are being forced to shift toward a prevention-first security posture to proactively close attack paths before they can be exploited.

The Bitdefender Attack Surface Assessment addresses this critical security gap through a guided engagement that helps organizations uncover this largely invisible internal exposure, assess its impact on overall risk and identify practical steps for remediation. Organizations enroll and immediately begin assessing and monitoring their environment with no disruption to employees or daily operations.

The program is powered by Bitdefender GravityZone PHASR (Proactive Hardening and Attack Surface Reduction), a first-to-market endpoint security innovation that combines dynamic, behavior-based security hardening with real-time threat intelligence. It helps identify excessive user access and restrict or block unnecessary applications and tools without impacting business operations.

Key Benefits of the Attack Surface Assessment include:

  • Quantify internal risk at the user level – Gain precise visibility into attack surface exposure down to each user, including access to applications, tools and utilities, mapped against their baseline behavior and real-time threat intelligence.
  • Identify shadow IT and unauthorized tools – Uncover shadow IT and unauthorized tools, including unusual network activity, access to non-approved binaries, and unrecognized applications attempting to access company resources.
  • Reduce the attack surface using actionable insights – Receive actionable recommendations to focus mitigation and begin hardening the internal attack surface, with the option to apply controls manually or automatically with Bitdefender guidance. Organizations can reduce their attack surface by up to 95%, significantly lowering exposure to modern attack techniques.  

Availability

The Bitdefender Attack Surface Assessment is a complimentary, 45-day turnkey program that requires minimal effort and is available now for organizations with 250 or more employees. To learn more or enroll, visit here.

Bitdefender Research Shows 130% Increase in Attacks Targeting Gulf Countries

Posted in Commentary with tags on March 25, 2026 by itnerd

Bitdefender has released new research revealing that phishing and malware campaigns targeting Gulf countries have surged by approximately 130% on average following the escalation of the war in Iran.

Researchers observed a sustained spike in malicious email activity beginning February 28, with campaigns quickly doubling and peaking at nearly four times pre-war levels.

Key findings:

  • Threat actors are delivering a mix of remote access trojans, spyware, and fileless attacks that execute in memory
  • The attacks rely heavily on business-themed lures, including invoices, contracts, banking communications, and delivery notifications
  • No confirmed state-sponsored attribution; however, phishing is often a precursor to more complex attacks, enabling initial access to targeted environments.

You can read the research here: https://www.bitdefender.com/en-gb/blog/hotforsecurity/gulf-countries-phishing-surge

Windsurf IDE Extension Drops Malware via Solana Blockchain Targeting Developers In The Process

Posted in Commentary with tags on March 18, 2026 by itnerd

Bitdefender has released research warning of an active attack using a malicious extension for the Windsurf IDE (integrated development environment). The campaign intentionally targets software developers, who typically have privileged access, API keys, and other high-value credentials.

Disguised as a legitimate R programming language tool, the extension installs a multi-stage NodeJS credential stealer that retrieves encrypted payloads from the Solana blockchain, leveraging legitimate third-party infrastructure instead of traditional command-and-control (C2) servers to evade detection.

Cybercriminals are increasingly abusing trusted developer ecosystems and decentralized infrastructure to plant malware and establish persistence.

You can read the research here: https://www.bitdefender.com/en-us/blog/labs/windsurf-extension-malware-solana

New Research Reveals Cybercriminals Love Valentine’s Day: 41% of all Valentine’s Day Spam Observed Malicious Intent

Posted in Commentary with tags on February 12, 2026 by itnerd

Bitdefender has released new findings showing that Valentine’s Day–themed spam has spiked in recent weeks, using the promise of love, discounts, and gifts from popular brands such as Dior, Sephora, and Walmart as lures.

41% of all Valentine’s Day spam observed had deceptive or malicious intent. Common tactics used to snare victims included phishing attempts, dating scams, fake giveaways, advance-fee schemes, and misleading surveys.

Findings include:

  • The U.S. was the most targeted destination at 55%, followed by Germany (13%), Ireland (8%), and the UK (6%).
  • The U.S. also ranked as the top source, responsible for over 43% of Valentine’s-related spam.
  • About 10% of scam-related messages used dating-themed lures, often relying on AI-generated profile images

You can get more details here: https://www.bitdefender.com/en-us/blog/hotforsecurity/nearly-4-in-10-valentines-day-emails-are-scams-what-bitdefender-antispam-lab-is-seeing-in-2026