Phishing no longer announces itself with obvious red flags or clumsy impersonations.
New research from Bolster AI shows today’s most effective scams are engineered to blend into routine digital interactions, hiding in search results, paid ads, document workflows, and online marketplaces rather than obvious spoofed emails.
“Attackers are designing scams that look and feel real from start to finish,” said Rod Schultz, CEO of Bolster AI, in an email to eSecurityPlanet.
He explained, “They are abusing high-trust, everyday digital activities to scam people, including search results, paid ads, document approvals, and login prompts. Every step is intentional, and every step is optimized to get someone to act.”
Rod added, “AI will be used to create the most precise attack that can be scaled just in time as the identified target reveals its weakness. That’s the world we are moving towards: Perfectly designed fraud at the perfect time targeting the perfect person.”
The New Fraud Infrastructure Model
This transformation represents far more than a surge in phishing volume — it marks a structural shift in how fraud is engineered, operationalized, and scaled.
Bolster AI researchers tracked more than 11.9 million malicious domains in 2025 tied to phishing, fraud, and misinformation campaigns, highlighting how inexpensive and efficient modern scam infrastructure has become.
Attackers can now register domains, test distribution channels, measure conversion, and rotate infrastructure once detection begins — often in a matter of hours or days.
How Modern Fraud Is Built to Scale
What changed in 2025 was not just the number of attacks, but how they were executed.
Instead of relying on one-off brand impersonations or mass phishing blasts, threat actors increasingly developed repeatable fraud lifecycles that mirror legitimate marketing funnels.
Campaigns are deliberately structured to move victims from initial discovery to engagement, credential capture, and ultimately monetization — often across multiple trusted platforms.
Infrastructure is frequently staged weeks in advance and timed around predictable events such as account renewals, tax deadlines, government enrollment periods, and seasonal travel spikes.
High-performing tactics are refined, replicated, and scaled with operational discipline.
Why Trust Is the New Attack Surface
The mechanics behind these campaigns are rooted in placement rather than persuasion.
Rather than convincing users to trust something unfamiliar, attackers embed scams inside environments that already carry built-in credibility.
Search engines, paid advertising networks, SaaS login portals, productivity platforms, and online marketplaces effectively perform the trust-building on the attacker’s behalf. When a scam appears within a familiar workflow or trusted ecosystem, suspicion drops.
How Attackers Exploit Search, Ads, and SaaS
Search engine abuse offers one of the clearest illustrations of this shift. Bolster identified 7,168 government-themed domains publishing nearly 40,000 malicious pages designed to outrank official sources in search results.
These content farms presented realistic information about public benefits, relief programs, and enrollment requirements.
Instead of driving traffic from suspicious emails, attackers captured victims through ordinary search queries, shaping perceptions before any phishing lure was introduced.
Paid advertising abuse expanded in parallel. Attackers purchased sponsored ads targeting users at moments of intent — when they were actively trying to log into cloud services, verify accounts, resolve billing disputes, or contact support.
Because these ads appeared within legitimate ad networks and were often short-lived, they frequently generated meaningful impact before being taken down. Once flagged, attackers simply rotated domains and relaunched campaigns.
Workflow abuse also proved highly effective. Bolster documented 29,183 phishing and scam domains leveraging e-signature and document approval themes.
Victims received urgent prompts to review or sign documents, only to be redirected to spoofed enterprise login pages harvesting credentials.
Since document approvals, authentication prompts, and cloud logins are routine in modern business operations, these attacks blended seamlessly into daily workflows and raised few immediate red flags.
Beyond Phishing Pages: Emerging Tactics
Experimentation has also moved beyond traditional phishing pages.
In cryptocurrency-related campaigns, Bolster observed early cases where victims were instructed to paste malicious JavaScript into browser developer tools, manipulating legitimate interfaces to redirect funds.
While not yet widespread, this tactic signals a move toward in-session manipulation — operating inside trusted environments rather than simply redirecting users to fake sites.
The cumulative effect is fraud that increasingly resembles normal digital activity.
Bolster’s beta testing of abuse mailbox programs with large brands revealed that some organizations processed more than 30,000 customer-submitted “Is this real?” messages per month.
Roughly one in three were confirmed phishing threats, while many of the remainder fell into ambiguous territory.
That uncertainty reflects the broader challenge: users can no longer rely solely on visual cues, context, or channel familiarity to determine legitimacy.
For defenders, the implications are serious.
Email filtering and reactive domain blocking fall short when scams are embedded in search results, ad platforms, SaaS logins, and cloud infrastructure.
In these environments, attackers inherit built-in trust, making fraud far harder for both users and security teams to detect.
Reducing Risk From Engineered Fraud Campaigns
As fraud campaigns evolve into coordinated, cross-channel operations, organizations must rethink how they approach defense.
Traditional controls focused solely on email or perimeter security are no longer enough to address scams embedded in search engines, advertising platforms, and everyday business workflows.
Security teams need a broader, more integrated strategy that addresses infrastructure abuse, identity protection, endpoint hardening, and rapid response.
- Monitor brand and infrastructure exposure by tracking domain registrations, hosting patterns, SEO manipulation, paid ad abuse, and marketplace impersonation tied to your organization.
- Extend protection beyond email by incorporating search engine abuse, sponsored ad impersonation, document workflow phishing, and marketplace fraud into threat models and detection strategies.
- Enforce phishing-resistant identity controls, including FIDO2-based MFA, conditional access policies, least-privilege access, and separation of administrative accounts from daily-use accounts.
- Harden endpoints and browsers by restricting unapproved extensions, limiting PowerShell and script execution, applying application control policies, and monitoring for suspicious clipboard-to-execution behavior.
- Reduce credential exposure by limiting browser-based password storage, deploying enterprise password managers, and isolating privileged access to hardened devices or dedicated browser profiles.
- Strengthen intelligence and response workflows by operationalizing abuse mailbox reporting, accelerating malicious domain takedowns, and coordinating across security, legal, marketing, and platform providers.
- Regularly test and update incident response plans through tabletop exercises that simulate cross-channel fraud scenarios, including SEO poisoning, paid ad abuse, workflow credential harvesting, and account takeover.
These steps help organizations reduce exposure and limit the blast radius from engineered fraud campaigns.
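One way to apply the first recommendation above to a feed of newly registered domains, as an added example that is not from Bolster's research or the original article: it flags names that imitate a brand and adds weight for the e-signature, document-approval, and login themes the report describes. The brand `examplecorp`, the allow-list, the keyword set, and the sample feed are assumptions constructed for illustration.

```python
import re

# Assumed values for illustration; substitute your own brand and allow-list.
BRAND = "examplecorp"
OFFICIAL = {"examplecorp.com"}
# Workflow themes the report highlights: e-signature, document approval, login, support.
THEMES = {"sign", "esign", "docs", "document", "approve", "review",
          "login", "sso", "verify", "billing", "support"}
# Common digit-for-letter swaps used in lookalike names.
SWAPS = str.maketrans("01357", "olest")
# Constructed sample feed (not real indicators).
SAMPLE = ["examplecorp-esign.com", "examp1ecorp-login.net", "examplcorp-docs.org",
          "sign.examplecorp.com", "gardening-tips.org", "examplecorp.sign-docs.xyz"]

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typos of the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def score_domain(domain):
    """Return (score, reasons); score is 0 unless the name imitates BRAND."""
    domain = domain.lower().rstrip(".")
    if domain in OFFICIAL or any(domain.endswith("." + d) for d in OFFICIAL):
        return 0, []                      # the brand's own domain or a subdomain of it
    labels = domain.split(".")[:-1]       # naive: drops only the last label as the TLD
    tokens = [t for lab in labels for t in re.split(r"[-_]", lab) if t]
    brand, themes = None, []
    for tok in tokens:
        norm = tok.translate(SWAPS)       # undo digit swaps before comparing
        if BRAND in norm:
            brand = "brand" if BRAND in tok else "homoglyph"
        elif edit_distance(norm, BRAND) == 1:
            brand = "typo"
        elif tok in THEMES:
            themes.append("theme:" + tok)
    if brand is None:
        return 0, []                      # theme words alone are too noisy to flag
    return 2 + len(themes), [brand] + themes

def triage(domains):
    """Rank newly observed domains, highest score first, dropping non-matches."""
    scored = [(d, *score_domain(d)) for d in domains]
    return sorted((s for s in scored if s[1] > 0), key=lambda s: -s[1])
```

Calling `triage(SAMPLE)` returns the four lookalike names ranked by score; the output is a review queue for an analyst or takedown workflow, not a verdict on its own.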
Modern Fraud Demands Broader Security Controls
As scams evolve into coordinated, cross-channel operations, security teams must look beyond simply blocking malicious messages and focus on disrupting the broader systems that support fraud.
Abuse now extends across search engines, advertising platforms, SaaS applications, and routine business workflows, making visibility and context more important than ever.
With threat actors increasingly exploiting trusted systems and everyday workflows, organizations are turning to zero-trust solutions to enforce continuous verification and reduce implicit trust across their environments.
