Cybercrime is increasingly targeting people, not devices. Attackers are using so-called “scam-yourself” techniques across everyday channels such as SMS, email, and social media, walking users into taking harmful actions themselves.
According to latest Gen Digital’s Threat Report, this new class of social engineering increasingly combines generative AI with platform distribution tools to scale rapidly and bypass traditional security defences. In many cases, victims are tricked into transferring funds themselves – without malware, phishing links, or credential theft.
YouTube Deepfake “Advisors” Case
One of the most illustrative examples of this broader scam-yourself trend involved AI-generated “crypto advisors” on YouTube. Cybersecurity researchers documented a campaign that used deepfake personas across more than 500 videos to promote tools designed to exploit price discrepancies between blockchain networks.
- Chat Group Scams Targeting New Zealanders Are Increasing: Regulator Receives Complaints
- Confidence to Avoid Scams Runs Low among Rookie Traders: Survey
- CySEC and FCA Are "Aware" of Rife Investor Fraud on Social Media. Stopping It Is Harder.
Rather than delivering malware or stealing credentials, the attackers relied on user participation. Victims were instructed to copy and paste code into web-based integrated development environments (IDEs) and then fund smart contracts. In practice, the code redirected funds to attacker-controlled wallets – with users completing each step themselves.
The campaign also used typo-squatted domains mimicking TradingView, such as “tradlngview.com.” These near-identical URLs were designed to reduce friction and suppress standard security warnings during code compilation, making red flags easier to miss unless users manually verified addresses.
Why This Matters
The YouTube campaign captures the defining feature of scam-yourself attacks described in Gen Digital’s report: defenders can harden systems, but attackers win by manipulating trust, familiarity, and routine behaviour across channels. There is no malicious file to quarantine and no credential database to reset if the user has been persuaded to authorise the transaction.
As scams become more coordinated across platforms, effective defences increasingly depend on user behaviour: checking URLs, questioning step-by-step instructions, and being cautious of polished presentation.
