New approaches to social engineering for carding via instant messaging apps

[Student]

For educational purposes, I will prepare a more detailed and structured overview of new approaches to social engineering in the context of carding via messaging apps, focusing on the mechanisms, examples, tools used by attackers, and recommendations for protection. This response is based on current cyberthreat data for 2024–2025, including trends related to artificial intelligence (AI), OSINT (open-source intelligence), and mobile platforms. I will also include example attack scenarios to illustrate how attackers manipulate victims and propose countermeasures to help increase awareness and protection.

New approaches to social engineering for carding via instant messaging apps​

Social engineering in carding is psychological manipulation aimed at obtaining sensitive information (card details, CVV, PIN codes) or persuading the victim to perform actions beneficial to the attacker (e.g., transferring money). In 2024–2025, messaging apps such as Telegram, WhatsApp, Viber, and Signal became the primary channel for such attacks due to their popularity, lax regulation, and potential for automation using AI. According to cybersecurity data, the share of attacks via messaging apps has grown to 23–25% of all social engineering incidents, with mobile attacks growing by 25% and financial losses reaching billions of dollars annually. Below is a detailed description of key approaches, their mechanics, examples, and trends.

1. AI-generated personalized scenarios (Quishing using Deepfakes)​

Mechanics:​

Attackers use AI to create plausible scenarios, including fake voice or video calls (deepfakes), text messages tailored to the victim, and phishing links (quishing - QR codes or URLs leading to fake websites). Data for personalization is collected through OSINT: database leaks (for example, 3+ billion Yahoo accounts in 2024), social media profiles, and purchases on darknet markets. AI analyzes the victim's behavior (activity time, communication style) and generates convincing dialogue.

New for 2025–2026:​

• Deepfake technologies: In 2025, deepfakes attacks were expected to increase by 3000% (according to the FBI IC3 report). Losses from fake video/voice calls amounted to $25 million in financial fraud-related incidents.
• Callback functionality: Scammers leave a voice message in a messenger, enticing the victim to call back. The callback is made using an AI-generated voice impersonating a bank, the police, or a friend.
• Quishing via messaging apps: Links or QR codes in chats lead to fake bank websites, where the victim enters card details. According to Proofpoint, 44% of phishing attacks in 2025 used messaging apps.

Example scenario:​

1. The victim receives a message on Telegram: "This is the bank's security service. Your card has been blocked due to a suspicious transaction. Confirm your details at [fake URL]."
2. The link leads to a website identical to a bank website, where the card number, CVV, and OTP (one-time password) are requested.
3. At the same time, the victim receives a call from a "manager" via Telegram with an AI-generated voice, confirming the "urgency" and asking for the code from the SMS.

Tools used:​

• Deepfake services: Programs like DeepFaceLab or commercial AI APIs for voice (e.g. Respeecher).
• OSINT tools: Maltego, SpiderFoot for collecting data about the victim.
• Phishing kits: Available on the darknet for $50–$200, they include banking website templates and chatbots.

Protection:​

• Check URLs before clicking (use antivirus software with a link analysis feature, such as Kaspersky).
• Ignore calls/messages asking to send codes from SMS.
• Enable two-factor authentication (2FA) for banking apps.

2. Quid Pro Quo: Offering "services" or bonuses​

Mechanics:​

Fraudsters offer victims a "benefit" (e.g., a bonus, a discount, or a fee refund) in exchange for providing card details or performing actions. Attacks are disguised as official services, often through Telegram channels or WhatsApp groups, creating the illusion of trust. AI analyzes the victim's profile (age, interests) for targeting.

New for 2025–2026:​

• Mobile Attacks on the Rise: 4+ million social engineering attacks will be carried out via mobile messaging apps in 2024 (according to Verizon DBIR).
• AI targeting: Algorithms identify vulnerable groups (young people aged 18–25, active e-commerce users) and tailor offers.
• Scalability: Phishing kits can create thousands of messages in hours, with losses of 50k USD per average attack.

Example scenario:​

1. I receive a message on WhatsApp: "Your card is participating in the promotion! Confirm your details to receive 1,000 rubles: [fake URL]."
2. The victim enters card details on a website that imitates a payment system (e.g. Visa/Mastercard).
3. The attacker obtains the data and uses it for purchases or withdrawals through crypto exchanges.

Tools used:​

• Phishing kits: Evilginx, Modlishka for creating fake websites.
• AI Bots: Automated chatbots that respond in real time, simulating support.
• Darknet Markets: Access to Stolen Data for Targeting (Prices from $1 per profile).

Protection:​

• Do not enter card details on unfamiliar websites.
• Check the official status of promotions through the bank's website or by calling the hotline.
• Use virtual cards for online purchases with limits.

3. Multi-stage BEC-like phishing (Business Email Compromise in Chats)​

Mechanics:​

Attackers impersonate a trusted person (a friend, colleague, or bank) to build trust. The attack occurs in several stages:

1. Establishing contact (for example, faking a friend's profile on Telegram).
2. Create urgency ("I urgently need help with translation").
3. Request for card details or actions (entering CVV, transferring money).

New for 2025–2026:​

• Voice cloning: AI voice clones (e.g., ElevenLabs) are used in instant messaging calls. Losses from BEC in 2024 are estimated at $2.77 billion (FBI IC3).
• Multi-stage: Attacks last for days/weeks so that the victim does not suspect deception.
• Mobile focus: 44% of phishing attacks in messengers are targeted at mobile devices.

Example scenario:​

1. A message arrives on Telegram from a "friend": "Hi, I'm in trouble, my phone was stolen, I need help - transfer 2,000 rubles to my card."
2. The victim transfers money or provides information for "verification".
3. The attacker uses the data to make purchases or withdraw money via cryptocurrency.

Tools used:​

• Voice cloning: AI services for fake voices (available for $10–50/month).
• OSINT: Collecting data about friends/colleagues through social networks.
• Fake profiles: Creating fake accounts with real photos of the victim.

Protection:​

• Verify the authenticity of the contact through an alternative channel (e.g. phone call).
• Do not make transfers without verifying your identity.
• Use messengers with authentication features (such as Signal).

4. Automated bots with OSINT integration​

Mechanics:​

Attackers create bots in messaging apps (especially Telegram) that disguise themselves as useful services (for example, "checking a card for blocking"). The bots collect data from leaked accounts (3+ billion accounts in 2024) and tailor their messages to the victim. After receiving the data, the bot self-destructs, making it difficult to track.

New for 2025–2026:​

• OSINT automation: Bots integrate data from the dark web and open sources for personalization.
• Scale: 50% of attacks on organizations in 2025 used social engineering via instant messaging (IBM X-Force).
• Self-destruct: Bots remove traces, minimizing the risk to attackers.

Example scenario:​

1. In a Telegram channel, a bot offers a "free card security audit."
2. The victim enters card details for "verification".
3. The bot transmits data to the darknet and deletes itself.

Tools used:​

• Telegram API: For creating bots (available for free).
• OSINT frameworks: Recon-ng, TheHarvester for data collection.
• Crypto exchangers: For withdrawal of stolen funds.

Protection:​

• Do not interact with unverified bots.
• Check the legitimacy of channels through official sources.
• Use antivirus software with bot protection (e.g. Malwarebytes).

Statistics and trends (2025–2026)​

Approach	Channel	Increase in attacks	Losses (2025)
AI-deepfakes	Telegram, WhatsApp (voice/video)	+3000%	25+ million USD per incident
What for whom?	WhatsApp, Viber (text)	+11 pp.	50k USD (median)
BEC impersonation	Telegram, Signal (groups)	+25% mobile	2.77 billion USD (total)
OSINT bots	Telegram channel	+50% on organizations	460 млн USD (ransomware-linked)

• Mobile Focus: 60% of social engineering attacks in 2025 will target mobile devices (Verizon DBIR).
• AI Dominance: 80% of phishing campaigns use AI for automation (Proofpoint).
• Superapps: In 2026, attacks through superapp messaging apps (e.g. WeChat, Telegram) are expected to increase by 25-30% due to their integration with payments.

Recommendations for protection (educational focus)​

1. Training to recognize attacks:
   • Take phishing simulations (available on platforms like KnowBe4).
   • Learn the signs of deepfake: unnatural pauses in the voice, strange movements in the video.
2. Technical measures:
   • Enable 2FA for all banking and messenger accounts.
   • Use virtual cards with limits for online payments.
   • Install an antivirus with a link analysis function (Kaspersky, Norton).
3. Behavioral measures:
   • Ignore messages with urgent requests to transfer data.
   • Verify the authenticity of contacts through alternative channels.
   • Do not scan QR codes from unverified sources.
4. Organizational measures (for companies):
   • Conduct cybersecurity training.
   • Implement policies to review suspicious requests.

Forecast for 2026​

With the increasing availability of AI (for example, open-source models for deepfake) and data leaks, carding via messaging apps will become more sophisticated. Attacks are expected to increase by 25-30%, especially through Telegram due to its anonymity and super-app functionality. Attackers will increasingly use combinations of methods (deepfake + bots + quishing) for maximum effectiveness.

If you have any questions about specific aspects (for example, how to recognize deepfake or set up protection), let me know, and I'll go into more detail!