惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
Threatpost
aimingoo的专栏
aimingoo的专栏
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
T
Tailwind CSS Blog
J
Java Code Geeks
博客园_首页
Google Online Security Blog
Google Online Security Blog
Hugging Face - Blog
Hugging Face - Blog
C
CXSECURITY Database RSS Feed - CXSecurity.com
I
Intezer
P
Palo Alto Networks Blog
V
Vulnerabilities – Threatpost
雷峰网
雷峰网
O
OpenAI News
SecWiki News
SecWiki News
小众软件
小众软件
酷 壳 – CoolShell
酷 壳 – CoolShell
美团技术团队
N
News | PayPal Newsroom
Project Zero
Project Zero
Forbes - Security
Forbes - Security
IT之家
IT之家
A
Arctic Wolf
WordPress大学
WordPress大学
Jina AI
Jina AI
T
Tor Project blog
博客园 - 三生石上(FineUI控件)
S
Secure Thoughts
Google DeepMind News
Google DeepMind News
Attack and Defense Labs
Attack and Defense Labs
博客园 - 聂微东
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
P
Privacy International News Feed
Cloudbric
Cloudbric
G
GRAHAM CLULEY
博客园 - 叶小钗
H
Hacker News: Front Page
腾讯CDC
量子位
Help Net Security
Help Net Security
人人都是产品经理
人人都是产品经理
C
Cyber Attacks, Cyber Crime and Cyber Security
月光博客
月光博客
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
宝玉的分享
宝玉的分享
爱范儿
爱范儿
L
Lohrmann on Cybersecurity
Hacker News - Newest:
Hacker News - Newest: "LLM"
Recorded Future
Recorded Future
C
CERT Recently Published Vulnerability Notes

WeLiveSecurity

Supply chain dependencies: Have you checked your blind spot? As breakout time accelerates, prevention-first cybersecurity takes center stage Digital assets after death: Managing risks to your loved one’s digital estate This month in security with Tony Anscombe – March 2026 edition RSAC 2026 wrap-up – Week in security with Tony Anscombe A cunning predator: How Silver Fox preys on Japanese firms this tax season Virtual machines, virtually everywhere – but not all protected Cloud workload security: Mind the gaps Move fast and save things: A quick guide to recovering a hacked account EDR killers explained: Beyond the drivers Face value: What it takes to fool facial recognition Cyber fallout from the Iran war: What to have on your radar Sednit reloaded: Back in the trenches What cybersecurity actually does for your business How SMBs use threat research and MDR to build a defensive edge Protecting education: How MDR can tip the balance in favor of schools This month in security with Tony Anscombe – February 2026 edition Mobile app permissions (still) matter more than you may think Faking it on the phone: How to tell if a voice call is AI or not PromptSpy ushers in the era of Android threats using GenAI Is Poshmark safe? How to buy and sell without getting scammed Is it OK to let your children post selfies online? Naming and shaming: How ransomware groups tighten the screws on victims Taxing times: Top IRS scams to look out for in 2026 OfferUp scammers are out in force: Here’s what you should know A slippery slope: Beware of Winter Olympics scams and other cyberthreats This month in security with Tony Anscombe – January 2026 edition DynoWiper update: Technical analysis and attribution Love? Actually: Fake dating app used as lure in targeted spyware campaign in Pakistan Drowning in spam or scam emails lately? Here’s why ESET Research: Sandworm behind cyberattack on Poland’s power grid in late 2025 Children and chatbots: What parents should know Common Apple Pay scams, and how to stay safe Old habits die hard: 2025’s most common passwords were as predictable as ever Why LinkedIn is a hunting ground for threat actors – and how to protect yourself Is it time for internet services to adopt identity verification? Your information is on the dark web. What happens next? Credential stuffing: What it is and how to protect yourself This month in security with Tony Anscombe – December 2025 edition A brush with online fraud: What are brushing scams and how do I stay safe? Revisiting CVE‑2025‑50165: A critical flaw in Windows Imaging Component LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Japan ESET Threat Report H2 2025 Black Hat Europe 2025: Was that device designed to be on the internet at all? Black Hat Europe 2025: Reputation is currency – even in the ransomware economy Locks, SOCs and a cat in a box: What Schrödinger can teach us about cybersecurity Seeking symmetry during ATT&CK® season: How to harness today’s diverse analyst and tester landscape to paint a security masterpiece The biggest catch: How whaling attacks target top executives Phishing, privileges and passwords: Why identity is critical to improving cybersecurity posture MuddyWater: Snakes by the riverbank Oversharing is not caring: What’s at stake if your employees post too much online This month in security with Tony Anscombe – November 2025 edition What parents should know to protect their children from doxxing Influencers in the crosshairs: How cybercriminals are targeting content creators MDR is the answer – now, what’s the question? The OSINT playbook: Find your weak spots before attackers do PlushDaemon compromises network devices for adversary-in-the-middle attacks What if your romantic AI chatbot can’t keep a secret? Can password managers get hacked? Here’s what to know Why shadow AI could be your biggest security blind spot In memoriam: David Harley The who, where, and how of APT attacks in Q2 2025–Q3 2025 ESET APT Activity Report Q2 2025–Q3 2025 Sharing is scaring: The WhatsApp screen-sharing scam you didn’t see coming How social engineering really works | Unlocked 403 cybersecurity podcast (S2E6) Ground zero: 5 things to do after discovering a cyberattack This month in security with Tony Anscombe – October 2025 edition Fraud prevention: How to help older family members avoid scams Cybersecurity Awareness Month 2025: When seeing isn't believing Recruitment red flags: Can you spot a spy posing as a job seeker? How MDR can give MSPs the edge in a competitive market Cybersecurity Awareness Month 2025: Cyber risk thrives in the shadows Gotta fly: Lazarus targets the UAV sector SnakeStealer: How it preys on personal data – and how to stay safe Cybersecurity Awareness Month 2025: Building resilience against ransomware Minecraft mods: When ‘hacking’ your game becomes a security risk IT service desks: The security blind spot that may put your business at risk Cybersecurity Awareness Month 2025: Why software patching matters more than ever AI-aided malvertising: How chatbots can help spread scams How Uber seems to know where you are – even with restricted location permissions Cybersecurity Awareness Month 2025: Passwords alone are not enough The case for cybersecurity: Why successful businesses are built on protection Beware of threats lurking in booby-trapped PDF files Manufacturing under fire: Strengthening cyber-defenses amid surging threats New spyware campaigns target privacy-conscious Android users in the UAE Cybersecurity Awareness Month 2025: Knowledge is power This month in security with Tony Anscombe – September 2025 edition Roblox executors: It’s all fun and games until someone gets hacked DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception Watch out for SVG files booby-trapped with malware Gamaredon X Turla collab Small business, big risk: How SMBs can fight back against ransomware HybridPetya: A Petya/NotPetya copycat comes with a twist Introducing HybridPetya: Petya/NotPetya copycat with UEFI Secure Boot bypass Are cybercriminals hacking your systems – or just logging in? Preventing business disruption and building cyber-resilience with MDR Under lock and key: Safeguarding business data with encryption GhostRedirector poisons Windows servers: Backdoors with a side of Potatoes This month in security with Tony Anscombe – August 2025 edition Don’t let “back to school” become “back to bullying”
Recovery scammers hit you when you’re down: Here’s how to avoid a ‘second strike’
Phil Muncaster · 2026-04-10 · via WeLiveSecurity

Scams

If you’ve been a victim of fraud, you’re likely already a lead on a ‘sucker list’ – and if you’re not careful, your ordeal may be about to get worse.

10 Apr 2026  •  , 5 min. read

Recovery scammers hit you when you’re down: Here’s how to avoid a second strike

The worst thing you can do after falling victim to fraud is let your guard down. Online scammers only care about one thing: making money, so when new opportunities arise to do just that, they take them. It doesn’t matter if it involves re-victimizing someone who has already been defrauded, raising false hopes and exploiting their desperation to get their stolen funds back. All while stealing even more from them.

Fortunately, many of these “recovery” or “refund” scams work the same way. Take some time out to understand what they look like, and you’ll stand a good chance of staying safe next time the fraudsters come knocking. Recently, we looked specifically at cryptocurrency recovery scams, but there’s more to these kind of ploys. Recovery fraud is an umbrella for several predatory tactics, all sharing a common goal: the “second strike.”

How does recovery fraud work?

These scams usually follow a tried-and-tested pattern. Fraudsters either buy “sucker lists” off other criminals or target victims of fraud they’ve just perpetrated. They impersonate specialist recovery service providers, consumer protection agencies, government officials, law enforcers, regulators, etc.

They know a lot about your case and promise to look into getting the funds back for an upfront fee. Or they may claim to already have the money and are either redistributing it to unhappy customers, or completing the paperwork to release reimbursement funds on behalf of the government or agency.

This is basically a kind of advance fee fraud. In the US in 2024 (the latest year for which figures are available) there were over 7,000 reported cases – which made scammers more than $102 million. Even these figures are likely to represent just the tip of the iceberg.

If you push back and ask the scammers to simply take their fee from the money they claim to have recovered (or will recover), they will typically make excuses as to why this isn’t possible. In an even more dangerous variation of the scheme, they may also ask for bank account/crypto  details to pay your refunded money into. This information could then be used for more serious account hijacking and financial fraud.

crypto-recovery-scams-1

crypto-recovery-scams-2

Examples of messages peddling cryptocurrency recovery services in discussion forums (click to enlarge)

What are sucker lists?

Cybercriminals and fraudsters often share information and knowledge to help each other succeed with their avaricious schemes. Sucker lists are a great example. They work almost like a list of marketing leads – except instead of potential customers, they contain the contact details of prospective victims.

Lists may vary in quality, but usually contain the names and contact details of individuals who have either fallen victim to fraud in the past, or who have previously replied to spam messages. They may even include details of the potential target’s demographic details and propensity to fall for particular scams or tactics.

Red flags to look out for

Watch out for these classic warning signs to stay clear of recovery fraud:

  • Bold claims: They’ll usually say either they have your funds and are waiting to return them, or they’ll “guarantee” that they can get your money back
  • Unsolicited contact: The scammers will get in touch out of the blue, with an email, social media message, text or even phone call
  • Upfront fee: They’ll request a charge upfront for recovering/returning your stolen funds. They might call this a “retainer fee,” a “processing fee,” an “administrative charge,” or something related to tax
  • Social engineering: They’ll put pressure on you, hoping to rush you into making a rash decision to pay them. They may claim, for example, that the funds are only available for reimbursement for a limited time
  • Impersonation: The scammers will claim to be working for a government or law enforcement agency, a specialist recovery firm, a bank’s fraud department or other “official” organization in order to build trust
  • Untraceable payments: They might ask you to pay them in unusual ways, such as cryptocurrency, gift cards or cash apps, which are harder to trace or seek reimbursement from
  • Webmail: They may send you an email using a regular Gmail address or similar, rather than a legitimate corporate email address

How to keep recovery fraudsters at bay

The good news is that it shouldn’t be hard to spot the warning signs of recovery fraud. But it’s not always the rational side of our brain that makes decisions. That’s what scammers are good at – exploiting our irrational thinking and desire to get our money back. The same emotional and psychological predisposition for being victimized that first got you into trouble is effectively being targeted again.

To ensure they don’t get the better of you a second time, never pay any upfront fees – especially to individuals who have contacted you out of the blue offering recovery services. Always verify who they say they are independently, by searching for their contact details online. In the UK, you can check the FCA Firm Checker to see if the fraudster’s purported company does offer the services it claims to.

Note the above red flags, and avoid sharing any personal details of being scammed online, as fraudsters continuously trawl the web looking for potential double-dip targets.

I’ve been scammed, now what?

If you’ve been victimized by recovery scammers, there are a limited set of options available to you. It’s always a good idea to report the incident – in the UK to Report Fraud and in the US to the FTC. This will help the authorities track the fraud landscape and improve their support to victims, as well as raise awareness so others don’t fall for the same tricks.

If you’ve made a payment via your bank, tell it ASAP. Monitor your account carefully for any unusual activity and freeze any relevant cards. If you’ve handed over more personal information to the fraudster, change the passwords on any relevant accounts, add multi-factor authentication (MFA) to bolster security, and expect potentially convincing phishing attacks in the future.

Remember: scammers are a persistent bunch. If you’ve been the victim of fraud in the past, expect another visit in the future.


Let us keep you
up to date

Sign up for our newsletters