UK online shopping scams soar 416% amid ad fraud surge
Gen has reported a sharp rise in online shopping scams in the UK during the final quarter of 2025, alongside continued growth in malicious online advertising and early signs of deepfake scam media appearing on major social platforms.
The company, which owns consumer cyber safety brands Norton and Avast, said e-shop scams in the UK rose 416% quarter on quarter between October and December. It also recorded growth in other scam categories, with dating scams up 55% and financial scams up 54% over the same period. Gen said overall scams rose 41%.
Gen also pointed to malvertising as a persistent issue. It said malicious push notifications increased by 30% in the quarter. It also said malvertising represented the largest share of attacks against individuals across 2025, at 41% of all attacks recorded in its telemetry.
The company described many of the most damaging incidents as those that rely on routine online behaviour rather than software exploits. Gen said attackers increasingly relied on victims completing actions themselves, including clicking links, scanning QR codes, approving device pairings, or entering verification codes.
"Increasingly throughout 2025, scams did not announce themselves as threats. They blended into everyday digital routines," said Siggi Stefnisson, Cyber Safety CTO, Gen. "Attackers leaned on familiar platforms, trusted interfaces, and automated persuasion, then scaled those tactics across devices and channels."
Shopping and feeds
Gen said fake online shops dominated scam activity during the festive season. It reported more than 45 million blocked fake shop attacks in the quarter across its measurements. It said attacks during the Christmas season represented more than half of all fake shop attacks blocked in 2025.
The company said fake shop activity rose in the UK during the quarter, and it also cited a 62% increase globally compared with the same period in 2024. Gen said fake shops represented 65% of all threats it blocked on social media in the quarter.
Gen said the activity concentrated on Facebook and YouTube. It said these platforms accounted for a large share of risky shopping clicks in its dataset. It also said phishing activity appeared across a broader range of platforms. Gen said Facebook represented 77% of phishing activity it recorded in the quarter, followed by YouTube at 13% and Reddit at 4%.
Gen linked the spread of scams to advertising formats and social content. It said scams often appeared as ordinary ads, posts, and videos until a user faced a request for money, credentials, or remote access.
Malvertising trends
Gen said fake adverts remained a significant route into scams. It described malvertising as a key first step that drives users towards follow-on fraud across social media and the wider web.
Gen also pointed to wider industry scrutiny of scam advertising. It cited reporting that referenced internal Meta documents. The reporting suggested scam and banned-goods advertising may represent roughly 10% of revenue, or about USD $16 billion.
Deepfake signals
Gen said it has introduced on-device detection on Windows for deepfake content used in scams. The company said early telemetry from this system showed YouTube accounted for the largest share of blocked AI scam videos, followed by Facebook and X.
It said the UK ranked among the top countries for blocked deepfake scam media in its early measurements. Gen said the blocked content linked most often to financial, investment, and cryptocurrency lures. It also said the detection occurred during playback rather than during downloads.
Identity and fraud
Gen reported growth in identity-related risks in the quarter. It said the number of breaches rose 176% quarter on quarter in its telemetry, with a rising trend across 2025.
The company also reported increased alerts tied to property-related records, unusual activity in everyday banking accounts, and new applications for instalment loans, leases, and retail credit. It also pointed to transaction-level anomalies on credit cards and loans.
Gen said its data aligned with external reporting that describes identity fraud as more layered than traditional credit misuse. It linked this shift to activity across property records, deposits, credit instruments, and scam-driven social engineering.
Cross-device tactics
Gen also described scams that move between desktop and mobile as attackers seek to exploit differences in user behaviour and device prompts. It said some campaigns began on desktop with fake tutorial pages and then pushed victims to scan the screen with a phone. Other campaigns moved from mobile to desktop.
The company highlighted "GhostPairing" attacks, which it said its research team first uncovered and named. Gen said victims entered a numeric code in WhatsApp on a phone and linked an attacker-controlled browser as a trusted device. It said this technique enabled rapid spread through contacts.
"Attackers leaned on familiar platforms, trusted interfaces, and automated persuasion, then scaled those tactics across devices and channels," said Stefnisson.
Gen said it expects scams to continue shifting across browsers, messaging apps, social platforms and money tools as attackers look for points of friction where users may act under time pressure or false reassurance.