There’s a question that circulates endlessly through every fraud conference, LinkedIn threads, and panel discussions. What’s the biggest fraud threat facing organizations right now? You already know the answer, because it’s always the same answer, delivered with the same misplaced confidence, almost like a reflex. AI. Of course, it’s AI.

Nobody ever mentions the telephone. Which is how my organization and it’s customers get attacked multiple times every day. Yeah, the phone. Scammers are calling the business, pretending to be customers, and calling our customers to pretend to be the business. Classic social engineering, zero sophistication required, and highly effective.

And I pay attention enough to know that’s the correct answer for a lot of organizations, too. But the telephone doesn’t trend, so here we are.

Fine. Let’s say the answer is AI. The problem isn’t the answer, and it’s probably more correct than not. It’s what happens immediately afterward when someone asks the inevitable follow-up: Can you give me an example? Panic. What you usually get is something vague about phishing emails and voice cloning. Sure, but that’s not an answer so much as a category, and categories don’t hold up when someone actually pushes back.

Google recently filed a lawsuit against a Chinese cybercrime network operating under the name Outsider Enterprise, alleging the group used Google’s own Gemini AI to automate a phishing campaign at genuinely impressive scale. The network operated primarily through Telegram, offered phishing-as-a-service to other criminals, and provided nearly 300 ready-to-deploy templates along with instructions on how to use Gemini to generate convincing fake websites impersonating Google, YouTube, and the New York E-ZPass system, among others. Google identified roughly 9,000 fraudulent sites and over a million malicious URLs tied to the campaign. The group sent more than 2.5 million scam text messages to Android users.

And the FBI and its partners, including Google, just took the operation offline.

The lawsuit itself is worth a moment’s attention. Google isn’t the first to take this approach, as Microsoft, Cloudflare, and others have pursued civil litigation against cybercrime actors who abused their platforms. It’s an interesting strategy, and the practical ceiling is obvious. Bringing meaningful legal consequences against a criminal operating out of China, North Korea, or Russia is less a law-enforcement action and more a very expensive message. Whether anyone receives it is another question entirely.

So, the next time someone asks us to name the biggest fraud threat and expects us to perform the AI genuflection, we can do better than a generic response. Say Outsider Enterprise. Explain what they built, how they used it, and what it produced. Answer like someone who actually follows this space, not like someone who learned the buzzword and stopped there.

Read the complaint here: https://fingfx.thomsonreuters.com/gfx/legaldocs/byvrdoelzve/GOOGLE%20SCAMMER%20LAWSUIT%20outsidercomplaint.pdf

It’s really well written and worth your time to read. Among other nuggets, on page 20, they explain the process for bypassing MFA.

Ok… let’s go!

At least 13 federal agencies work on countering scams and each one largely works independent of the others. Eight of these agencies receive complaints about scams, which can lead to confusion and frustration for Americans who want to report a scam. For example, an American who has been targeted by a tax-related scam could potentially report the scam to the FBI’s internet crimes website, the Federal Trade Commission’s fraud reporting website, the IRS’s tax fraud and scams reporting website, or by contacting the Treasury Inspector General for Tax Administration. The federal government needs a comprehensive, unified plan to deal with scams, and the American people deserve a clear, easy way to report scams and get connected with help.

U.S. Senators Hassan from Florida and Scott from Florida introduced the “reportscams.gov Act” which aims to consolidate the fraud-fighting efforts of the federal government. https://www.hassan.senate.gov/imo/media/doc/reportscamsgovonepager.pdf

The News

This question is being asked more often and with greater urgency—are anti-money laundering (AML) efforts justifiable given their costs? AML frameworks face increased criticism for high compliance costs, generating unused data, raising privacy concerns, and lacking clear evidence of effectiveness in preventing illicit transactions. Recent studies indicate that high compliance rates do not always correlate with reduced illegal activity. In this article, the authors examine the future of AML efforts. https://www.theregreview.org/2026/06/13/seminar-are-anti-money-laundering-regulations-effective-and-worth-the-cost/

Is this the end of “burner phones”? The FCC has proposed new rules intended to combat robocalls by requiring phone carriers to collect extensive personal data, including government ID, physical addresses, and alternative phone numbers, before activating service. https://docs.fcc.gov/public/attachments/DOC-421309A1.pdf

The FBI has initiated “Operation Riptide,” a nationwide effort to break down cybercrime networks by targeting the criminals, their infrastructure, and financial systems, especially following over $20 billion in losses from more than 1 million cybercrime complaints last year. https://www.fbi.gov/video-repository/operation-riptide-060926.mp4/view

An international law enforcement operation dismantled a popular money-laundering service known as ‘AudiA6’, believed to have laundered over EUR 336 million from 2022 to 2025. The service, associated with the ‘Dark2Web’ forum, was investigated by US and Polish authorities in collaboration with international partners. https://www.europol.europa.eu/media-press/newsroom/news/ransomware-gangs-cut-eur-336-million-audia6-crypto-laundering-pipeline

The Bank Policy Institute urged federal regulators to clarify oversight of stablecoin transactions after issuance. Current AML rules fail to adequately impose compliance obligations on DeFi firms, certain crypto custodians, and exchanges. https://www.pymnts.com/cpi-posts/banking-groups-pitch-anti-money-laundering-rules-for-stablecoins/

The U.S. government tells Anthropic to hit the brakes on their latest release. https://www.anthropic.com/news/fable-mythos-access

Feedback

Send Feedback to matt(at)threatswithoutborders.com

A vote that actually matters

A long time ago, I watched a guy turn a hotel room key card into a working Visa card. Before you shrug, this was well before card fraud became a punchline in every breach notification email and the fear of every ATM user. To a young detective freshly assigned to financial crimes, seeing this done was like watching magic.

That guy was Steve Lenderman. And now he’s running for President of the International Association of Financial Crime Investigators. Not the Delaware Valley Chapter, which he’s led for the past seven years. The whole organization.

Regular Tw/oB readers know my opinion on the IAFCI as an organization has been, well, complicated. That’s a diplomatic way of saying the past few years of leadership have been disappointing.

Which is exactly why this endorsement isn’t a formality. It’s a correction.

You’d be hard-pressed to find anyone more committed to fraud and financial crime prevention than Steve. He’s held leadership roles simultaneously in the IAFCI Delaware Valley Chapter, the Delaware chapter of ACFE, and the Delaware Fraud Working Group. That’s not resume padding, that’s someone who actually shows up.

I served as a Vice President under Steve for four of his seven years leading the Del-Val chapter. I can tell you firsthand that he is the embodiment of getting shit done. Not performative leadership. Not committee theater. Actual results.

IAFCI members receive ballots this week, including Steve’s full credentials. I’m not going to rehash them here.

What I will say is this: if five years of Threats Without Borders has earned me any credibility with you (there must be some reason you’re still reading), then take this for what it’s worth. The IAFCI needs forward-thinking and action-oriented leadership. I’m voting for Steve Lenderman. I hope you will, too.

dfir

The team at Unit 42 highlights a new macOS artifact, App.MenuItem, that logs user menu selections, providing granular data on user intent and actions across the operating system. https://unit42.paloaltonetworks.com/new-macos-artifact-discovered/

Share Threats Without Borders

Cool Jobs

Fraud Countermeasures Specialist - Veriff. https://www.veriff.com/careers/position/8590317002

Cool Tools

Remove the background from an image. https://www.remove.bg/

How loud is your workspace? In-browser decibel meter. https://noisedecibelmeter.com/

Irrelevant

Paul Graham explains how to become a billionaire (and why all these eat-the-rich politicians are so wrong). https://paulgraham.com/earn.html

Sign Off

I don’t understand football soccer. One of the happiest days of my early parenting was when my youngest son said he was done with it. Needless to say, I could not care less about the World Cup tournament. But I am completely enthralled with the abject glee of the foreign soccer fans currently visiting America to see the games. Everything from the beauty of our natural resources to the kindness of our people to the sheer excess of our eateries has created must-see social media content. A group of Norwegians tasting a brisket sandwich at Buc-ee's, or the Germans experiencing a Waffle House at 1 am, is absolutely heart-warming!

Matt

Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.

Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.