The IT Nerd

More than 700 participants took part in a week-long experiment conducted by Surfshark and MSc students from Malmö University. Of them, 53% correctly identified more bots than they wrongly flagged humans as bots on the simulated social platforms. However, nearly half (47%) failed the task. A cybersecurity expert warns that the number of people unable to tell bots from real humans on social media will continue to grow rapidly.

“The ‘Bot or Not’ game and experiment help us keep connecting the dots and better understand the influence bad bots have on us, real social media users. Earlier this year, we found that major platforms remove over 6.3 billion fake accounts every year — roughly 47 times the annual number of babies born worldwide (around 135 million). Bots are being generated by the billions, and our latest experiment shows that half of the participants can no longer tell them apart from real people. This trend will accelerate, as the technology lets bots blend in seamlessly with real human profiles,” says Justas Pukys, Senior Product Manager at Surfshark.

When our emotions take over, bots thrive

The results of the recent social media bot experiment were eye-opening. The data suggests that engaging with sensitive political or social topics may reduce people’s ability to spot bots and make them more likely to falsely accuse real people.

The moment the “Bot or Not” simulation shifted to a more emotional tone, our participants’ bot-detection skills dropped. When the debate turned political and focused on immigration, participants’ bot-detection rate dropped to 54%, meaning that nearly half the social media bots slipped right past the players. Participants’ accuracy rate also declined to 63%, showing a spike in internet paranoia when participants accused humans of being bots.

The women’s rights topic presented the biggest bot-spotting challenges. The bot-detection rate crashed to 49%, meaning users missed more bots than they found. Worse, their accuracy rate fell to 61%, showing players most often accused real human content of being bot-generated.

“In comparison, while engaging in the data centers, a more technical debate for many, users performed the largest bot-detection rate of 71% (finding the majority of the bots), and a high (76%) accuracy rate. This suggests that when not directly emotionally triggered, we could detect more AI bots and are less likely to falsely accuse real humans,” explains Luís Costa, Research Lead at Surfshark.

The “Bot or Not” game is now online for everyone to play and take part.

Can we distinguish who is who on social platforms in the future?

“The experiment’s results are novel and significant. They suggest we can’t simply ‘read’ our way out of ‘botted’ social media. Bot-detection skills appear to be shaped by age, preferred platforms, and time spent on them. But the most striking finding was that our biggest blind spot is emotion: when debates get heated, it hijacks our digital radar.

To fight back against automated deception, we don’t need better textual analysis. We need a cooler head and a deeper awareness of our own vulnerabilities,” claims Luís Costa.

Justas Pukys, a cybersecurity expert at Surfshark, shares practical recommendations.

“Don’t forget to double-check the information you find on social media. Also, don’t take everything random users post at face value. Be careful when accepting and interacting with private messages that offer you prizes, invite you to click on strange links, or try to grab your attention with lines like ‘Your family member has been in an accident!’,” he advises.

The expert also highlights the importance of digital security hygiene, such as using anti-scam tools daily. They will help you analyze the content of emails, text messages, and websites and assess whether it has been generated by bots or other attackers.

This “Bot or Not” experiment inspired the launch of Surfshark’s Cybersecurity Advocacy Fund, which provides up to €100,000 in annual financial support distributed among students, researchers, and creative cybersecurity awareness initiatives worldwide. The upcoming application process will open in September 2026 — more information will follow.

METHODOLOGY

This bot-detection study analyzed data from 710 participants who played the interactive simulation “Bot or Not.” This machine and gameplay were created by Interaction Design students from Malmö University for the UNFOLD exhibition — a design competition for universities around the world during Milan Design Week, the world’s largest trade fair. Throughout the week-long public exhibition, visitors were invited to take part in the experiment.

Please find the full research methodology here.

Popular social media platforms are constantly removing massive amounts of fake accounts and spam content. Surfshark’s analysis of annual public transparency reports reveals the staggering scale of this cleanup: Facebook, TikTok, X, and LinkedIn collectively remove 6.3B fake accounts. These platforms, along with YouTube and Instagram, also remove 11.1B pieces of spam content. On the dark market, fake account prices start at $0.08.

While AI agents are learning to interact with each other on their designated social media, bots pretending to be humans continue to sink popular platforms.

“I am convinced that the majority of fake accounts on social media are bots. Especially with the evolution of AI, producing and managing bots becomes easier. On some platforms, AI can fully cover the needs of “faking”. In contrast, on others it’s not that simple — for example, on Facebook, where interaction with real people and response to context are required,” says Justas Pukys, Senior Product Manager at Surfshark.

He explains that bots are programs designed to impersonate humans. They are centrally controlled, like marionettes, and trained to deceive both systems and humans. In addition, bots can also be real people who manage several accounts with a common goal, for example, to influence social media users’ attitudes, push an agenda on a certain issue, provoke society, or show exaggerated support for certain institutions or figures.

Comparing fake account removal volumes to active users reveals the enormous scale of the monitoring and removal that social media must perform.

On some platforms, the number of annual removals rivals or even exceeds the entire active user base. For example, Facebook, with 3B active users, removes 4.5B fake accounts annually — a volume 1.5 times its user count. Similarly, X reports removing 671M accounts each year for platform manipulation and spam, a figure that surpasses its 570M active users. TikTok deletes 1B fake accounts, equivalent to over half its active user base — 1.9B.

“Considering those platforms’ size, global reach, and impact on human opinion and behavior, I wouldn’t be surprised if the number of fake accounts and content were even higher than presented in the official transparency reports. Also, I believe these numbers will continue to grow drastically in the future, unless social media finds effective ways to combat the threat,” says cybersecurity expert at Surfshark.

Real users face increasing scam risks

Given that social media is flooded with fake accounts and content, a really worrying issue is that real users can easily be scammed and harmed, both morally and financially. Consider these recommendations from Surfshark’s experts on how to avoid getting scammed:

Pay attention to suspicious account profile details: fake accounts usually have very few photos or only associative images. Usually, the account is created recently and has a vague or overly promotional bio.

Be aware of unnatural behavior: fake accounts often send friend requests to many people in a short period of time. They may immediately send you links or other suspicious offers, usually encouraging you to move the conversation to WhatsApp or Telegram quickly.

Fake accounts send repetitive or copy-paste comments: they tend to post the same message under many posts. They typically offer “too good to be true” benefits, such as crypto, giveaways, and miracle cures.

What should you do to avoid harm?

• Don’t engage with suspicious accounts and content: don’t reply, argue, or click links;
• Always check: look at important details such as the account’s age, bio, and number of friends;
• Report the account and content: use the social media platform’s report feature;
• Protect yourself: enable two-factor authentication (2FA) on your account, make your social media profile private, and avoid sharing personal details publicly.

Government-imposed internet shutdowns introduced in 2025 alone reached 2.5 billion people — about a third of the world’s 8.2 billion population, Surfshark’s annual study shows.

Key insights:

• 2025 began with 47 internet restrictions imposed by 22 countries.
• Throughout the year, 81 new restrictions were introduced across 21 countries, 29% increase compared to 2024.
• Asia continues to lead the world in internet censorship cases. The governments of 10 Asian countries imposed 56 new restrictions.
• India remained the country with the most internet restrictions (24).
• Social media was targeted in 21 out of 81 internet restrictions introduced in 2025, a slight increase from 18 social media restrictions in 2024.
• Telegram was the most-restricted social media platform in 2025.

You can read the research here: surfshark.com/research/study/internet-shutdowns-2025

Addictive scrolling, which develops faster than you think, is not the only thing you should watch out for this holiday season. A Surfshark expert highlights the main online risks you can encounter while scrolling.

Unsupervised AI shopping agents

AI shopping agents are a booming trend, with Big Tech announcing AI updates that can buy the exact sweater you are searching for and even call the shop to ask if they have it in stock. The trend of using chatbots like ChatGPT or Gemini AI to assist you with shopping is also at its peak.

Tomas Stamulis, Chief Security Officer at Surfshark, says the risk arises when you trust AI shopping assistants entirely and without double-checking. “I sometimes use a chatbot to help me with shopping. However, I evaluate what online shops it offers because sometimes they can be scams, taking me to malicious websites. So, always review what AI suggests before purchasing, and never grant unlimited access to your financial details.”

Phone snatching in Christmas markets

Phone snatching, when street criminals take your mobile phone from your hands, usually unlocked, is a particularly common crime in crowded Christmas markets. A moment of your distraction can result in far-reaching consequences. According to Surfshark expert Tomas Stamulis, taking simple steps can help protect you from the damage caused by phone snatching. “Stay vigilant in public, especially in crowded or high-risk areas. Keep your phone out of sight when not in use. Use an anti-spying screen so people around you can’t easily see what you’re doing. Also, ensure “Stolen Device Protection” is active on iOS or “Theft Protection” on Android (depends on device) and your home and work addresses are correct.”

Sneaky links in Christmas greetings

People’s interest in creating Christmas greetings online and sharing them with loved ones does not go unnoticed by scammers. You probably receive those snappy interactive greetings via social media, email, and SMS. Thank the sender for goodwill, yet never click the links included in those greetings. If you did and were led to a strange site, we hope you didn’t provide any of your private information, such as your real name, surname, email address, telephone number, or home address.

Sorry, it’s too good to be true

Have you ever encountered a Christmas deal that seemed too good to be true? It probably was. Scammers create fake gift deals for popular and hard-to-find items to trick shoppers into falling for them. Mr. Stamulis advises being skeptical of Christmas deals that seem unrealistically good. “Always verify the offer by checking the retailer’s official website. If you spot something that seems like a ‘hot deal’, look closely at URLs and other text for typos or unusual characters, which are red flags.”

Gifting your personal data via public Wi-Fi

Free Wi-Fi is available at cafes, restaurants, train stations, hotels, and other public spaces for your convenience. It’s just that the number one rule for a privacy-conscious person is never to use free public Wi-Fi. Public networks are frequently exploited by hackers, who can intercept sensitive data, including account credentials, email addresses, passwords, and financial information. “Without an active VPN, using public Wi-Fi is insecure; it’s like gifting your personal data to total strangers,” points out Tomas Stamulis.

Christmas cleaning your private data will thank you for

Most people want to tie up loose ends before the New Year. Paying back debts, making peace with those you’ve argued with, and just finishing unfinished business. Review the apps you’ve accumulated over the year and get rid of those that just take up space. Surfshark conducted at least a few studies that revealed mobile apps to be extremely data-hungry and privacy-intrusive. Your private data will thank you for this Christmas cleaning.

ABOUT SURFSHARK

Surfshark is a cybersecurity company offering products including an audited VPN, certified antivirus, data leak warning system, private search engine, and a tool for generating an online identity. Recognized as a leading VPN by CNET and TechRadar, Surfshark has also been featured on the FT1000: Europe’s Fastest Growing Companies ranking. Headquartered in the Netherlands, Surfshark has offices in Lithuania and Poland. For information on Surfshark’s operations and highlights, read our Annual Wrap-up. For more research projects, visit our research hub.

As shoppers gear up for the holiday season, Surfshark investigated the data collection practices of the 10 most popular shopping apps in the US, finding that US-based apps tend to collect more data compared to their counterparts in China and Canada. For example, Amazon collects 25 unique data types out of 35, but among Chinese apps, Alibaba is the most data-hungry, collecting 19 unique data types.

“Scrolling through tempting deals on Temu, Shein, Amazon, and other shopping apps is a Black Friday tradition for many. However, before downloading any shopping app, people should consider whether they are truly willing to trade their privacy for a discount,” says Miguel Fornes, Information Security Manager at Surfshark. “Many shopping apps collect far more data than people realize, and this extends beyond purchase history. Some apps can even gather sensitive information such as political views, racial background, or biometric and health data.”

The Amazon shopping app is the most privacy-intrusive. It collects 25 unique data types out of 35, Walmart and Costco each collect 23, and Whatnot — another US-based app — collects 20. Among Chinese apps, Alibaba is the most data-hungry, collecting 19 unique data types, followed by Temu with 17, Aliexpress with 16, and Shein with 15. The Canadian app, Shop, collects 19 data types, which places it on par with the most data-collecting Chinese app.

All the analyzed apps collect information such as email address, name, payment information, physical address, user ID, search history, and product interaction. The majority of these apps also gather device IDs (except for Temu), phone numbers (except for Shein), photos or videos (except for Shop), and location data (except for Shein). Additionally, most of this collected data is directly linked to individual users, enabling these apps to build comprehensive user profiles, which raises privacy concerns. 

Some of the data collected by these shopping apps is surprising and even bizarre. For instance, Amazon and Walmart collect sensitive information — which could include political opinions, racial or ethnic background, biometric data, genetic information, sexual orientation, disability status, or pregnancy details. Whatnot and Alibaba collect users’ contacts, such as contact lists from a user’s phone or address book. In addition, Amazon, Walmart, Whatnot, and Alibaba collect users’ voice or sound recordings.

According to Fornes, these abusive data collection practices can be very dangerous if an app is breached and information about a person is leaked. First, leaked bank account information and purchase history can lead to unauthorized charges, identity theft, and significant financial loss. Second, leaked sensitive information – especially sensitive data like political views or health data – can damage your reputation and financial standing, as health data rarely changes and may be used by insurance and healthcare companies. Finally, all this leaked data might fuel subsequent highly personalized phishing campaigns. Therefore, Fornes advises:

• Don’t download apps you don’t need. If you only shop on Amazon occasionally, accessing their website through a browser is more private than keeping the app installed. Besides, you may improve your battery or device health by offloading those.
• Grant permissions selectively. Only allow access to data essential and directly relevant to the app’s functionality.
• Revoke unnecessary permissions. Regularly review and revoke permissions you have granted. For example, go to settings, apps, app name, permissions on iOS, and change them. Remember the app will still work as intended after removing unnecessary permissions, but just triggering some informational notifications.
• Read the Privacy Policy and opt out of data sharing. Understand what data the app collects, how it’s used, and with whom it’s shared. Many apps offer options to limit data collection for advertising purposes. Look for these settings.
• Strengthen your account security. Use strong, unique passwords; enable two-factor authentication (2FA); consider having a dedicated virtual debit card or escrow payment methods (such as PayPal) for such apps or shopping at less-trusted sites.

 For the complete research material behind this study, visit here.

Surfshark has launched the email scam checker to help protect against email phishing attacks. This on-demand solution aims to provide users with an additional security layer against sophisticated scams, considering the alarming statistic of 3.4 billion phishing emails sent daily and 1.5 million new phishing websites created every month.

The email scam checker, a new feature of the Surfshark Chrome browser extension, offers a robust security layer against drastically increasing email phishing attacks. This tool helps improve users’ online security by allowing them to check suspicious emails and get notified about fraud and phishing attempts.

By identifying malicious attachments and links, Surfshark’s email scam checker significantly reduces the risk of potential fraud and malware infections on users’ devices. Using AI-driven technology, the new feature rapidly detects phishing attempts, safeguarding users’ sensitive data with increased accuracy. With the email scam checker, users can browse the internet with greater confidence and safety, having a powerful ally to combat email scam threats whenever needed.

This advanced protection is crucial because email phishing scams are a growing threat, becoming increasingly sophisticated and harder to detect. With the rapid advancement of AI tools, scammers are constantly evolving their tactics, making fraudulent emails more convincing and the problem harder to control.

The email scam checker is now available on the Surfshark Chrome browser extension for Gmail users with a Surfshark One or One+ subscription.

Surfshark has launched a new feature called the web content blocker that focuses on safeguarding every household when browsing online. It allows you to filter various websites based on categories provided, lock them using 2FA (Two-factor Authentication), and help protect family members from potential online threats caused by curiosity or carelessness.

Unlike traditional tracking applications, the web content blocker helps you protect family members from seeing malicious content and websites — without snooping on their browsing activity or monitoring the actual websites they visit. With this new feature, you can filter various websites by category and lock specific content across all family mobile devices.

To extend this protection to your household, install and open the Surfshark app on the device you’d like to add, log in using the same account, enable Web content blocker, and lock with 2FA if needed. Then, under the Web content blocker feature on the Surfshark website app, you can find the Your devices section, where you can select content categories and ensure a safe online environment for your loved ones.

The web content blocker is now available on Android and iOS platforms for Surfshark One or One+ plan users — more platforms are coming soon.

Additionally, Surfshark announces that its server count has surpassed 4,500. Over the years, Surfshark has continually upgraded its server network to enhance performance and reliability, and this figure reflects its growth.

Surfshark has announced that they have introduced 100Gbps bandwidth servers in response to the growing demand for higher bandwidth and to ensure VPN services won’t become a bottleneck as internet speeds continue to rise.

Surfshark’s new 100Gbps servers allow VPN technology to be future-proof and ready for the growing demand when the shift to higher-capacity hardware happens.

Increased bandwidth also reduces the need for throttling or deprioritizing traffic, allowing users to get closer to their maximum internet speeds more often, even when backing up heavy documents to the cloud or downloading a game.

For this solution, Surfshark has chosen the Amsterdam location due to its impressive internet exchange (AMS-IX), which handles over 14 trillion bits per second, making it one of the world’s largest internet exchanges by traffic volume. To put this into perspective, that’s roughly 1.75 terabytes of data every second, ~560,000 simultaneous 4K streams, equivalent to about 7.5 million people watching TikTok videos simultaneously, or around 63 million people playing Fortnite at once.

Surfshark has launched a dedicated IP feature for its browser extension, available on Google Chrome, Mozilla Firefox, and Microsoft Edge. This addition allows users to route only browser traffic through a dedicated IP.

According to Justas Pukys, Senior Product Manager at Surfshark, the company constantly looks for opportunities to improve the user experience and provide innovative solutions across the industry.

A dedicated IP is well known for reducing human verification requests (CAPTCHA). When multiple users share the same IP address, websites often send verification requests, such as “Select images with traffic lights.” Dedicated IP minimizes this issue by assigning a static address, making traffic appear more consistent to websites. Also, as only one user generates traffic through the IP, it may lead to more stable connections.

Additionally, dedicated IP simplifies access to remote networks by eliminating the unpredictability of changing addresses associated with shared VPN servers. This provides unrestricted service access, allowing users to access apps and websites that block shared IPs or don’t work when IP changes frequently.

Currently Surfshark offers 20 dedicated IP locations: Australia – Sydney; Brazil – Sao Paulo; Canada – Toronto; France – Paris; Germany – Frankfurt am Main; Hong Kong – Hong Kong; Italy – Milan; Japan – Tokyo; the Netherlands – Amsterdam; Poland – Warsaw; Singapore – Singapore; South Africa – Johannesburg; Turkey – Istanbul; United Kingdom – London; United States – Dallas, Denver, Las Vegas, Los Angeles, New York, and San Jose.

The dedicated IP feature is available on Android, Windows, iOS, and macOS and supports all major protocols, including WireGuard®, for maximum speed. Since it has now been included in the extension, all users can access it on Google Chrome, Mozilla Firefox, and Microsoft Edge browsers.