Perplexity ignores robots.txt files on websites that say they do no want to be crawled.

Imagine putting up a no-trespassing sign for people walking their dogs, and then finding out that one person dresses up their Great Dane as a calf and walks it on your grounds.

Well that’s sort of what AI answer engine Perplexity has been doing, by evading the no-crawl directives of websites, according to Cloudflare.

The no-trespassing sign in this case would be a robots.txt file—a small text file placed on a website that tells search engines and other automated tools (often called “bots” or “crawlers”) which pages or sections of the site they are allowed to access and which parts they should not visit.

Cloudflare started an investigation after customers complained that Perplexity accessed their content despite the fact that they had disallowed Perplexity crawling activity in their robots.txt files. They had also created Web Application Firewall (WAF) rules to specifically block both of Perplexity’s declared crawlers: PerplexityBot and Perplexity-User.

So Cloudflare set up some test domains and queried Perplexity about them to see if it would return the information that it shouldn’t be able to access. What the researchers found was surprising, because it looks like Perplexity uses a very deliberate system to bypass the no-crawling directives.

The researchers discovered the use of a user-agent designed to impersonate Google Chrome on macOS (to look like a regular user) when their declared crawler was blocked. The User Agent String shows the website you’re visiting some basic information about your browser and operating system, so the site can provide an experience optimized for that setup. The Perplexity crawler camouflaged by this User Agent String used regularly changing IP-addresses outside of Perplexity’s official IP range, allowing it to successfully access the content it wasn’t supposed to.

I wondered Perplexity’s view on the whole thing, so I asked it whether it knew what a robots.txt file was for and why it was bad to ignore one. It returned the following:  

> Why is it wrong to ignore robots.txt?
> 
> *   Respect for Privacy and Security: Some parts of a website may contain private, sensitive, or unfinished content not meant for public search engines. Ignoring robots.txt can expose data that should remain private.
> *   Fair Resource Usage: Crawling websites takes up bandwidth and server resources. By telling robots where not to go, website owners can prevent wasteful use of these resources, ensuring the site runs smoothly for real users.
> *   Legal and Ethical Standards: Ignoring robots.txt can be considered unethical, and in certain circumstances, it might even break terms of service or data protection regulations depending on what information is accessed and how it’s used.
> *   Trust and Reputation: If a robot repeatedly ignores robots.txt, it can be banned or blacklisted by websites, and its reputation could suffer in the public and professional community.

The official reaction of Perplexity is somewhat different. It hides behind the difference between a regular bot and an AI agent that is on a quest for a user to answer a specific question.

> The bluster around this issue reveals that Cloudflare’s leadership is either dangerously misinformed on the basics of AI, or simply more flair than cloud. https://t.co/NgliGZCspP
> 
> — Perplexity (@perplexity\_ai) August 5, 2025

Perplexity reasons that:

> “Modern AI assistants work fundamentally differently from traditional web crawling. When you ask Perplexity a question that requires current information—say, “What are the latest reviews for that new restaurant?”—the AI doesn’t already have that information sitting in a database somewhere. Instead, it goes to the relevant websites, reads the content, and brings back a summary tailored to your specific question.
> 
> This is fundamentally different from traditional web crawling, in which crawlers systematically visit millions of pages to build massive databases, whether anyone asked for that specific information or not.”

Although I see Perplexity’s point, there is a big difference between crawling websites to gather as much information as you can and seeking to answer a specific question for one user, the decision whether a website owner wants to allow either is up to them. And there should be no need for sneaking around.

So why not create a User Agent String that tells website owners “this is just a short visit to find some specific information” to discern it from actual crawlers that siphon up every bit they can find, and then let the website owners decide whether they will allow them or not?

Either way, this discussion seems far from over, and with the rise of AI agents we will probably see problems arise that were not on the radar before we all started using AI.

**We don’t just report on data privacy—we help you remove your personal information**

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.

 Perplexity AI ignores no-crawling rules on websites, crawls them anyway 

Google has patched 6 vulnerabilities in Android including two critical ones, one of which can compromise a device without the user needing to do anything.

Google has patched six vulnerabilities in Android, including two critical vulnerabilities in its August 2025 Android Security Bulletin. It also covers a critical vulnerability which could have allowed an attacker to execute code on a victim’s device without the victim needing to do anything at all.

Last month, Google skipped its monthly security update for the first time in almost ten years. Normally we’ll see dozens of vulnerabilities addressed each month so the skipping was both welcome and slightly worrying. All this while Google reported that its Artificial Intelligence (AI) Big Sleep system found 20 vulnerabilities in several open-source software.

The August updates are available for Android 13, 14, 15, and 16. Android vendors are notified of all issues at least a month before publication, however, this doesn’t always mean that the patches are available for all devices immediately.

You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for them yourself.

For most phones it works like this: Under **About phone** or **About device** you can tap on **Software updates** to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

If your Android phone shows patch level 2025-08-05 or later then you can consider the issues as fixed.

Keeping your device as up to date as possible protects you from known vulnerabilities and helps you to stay safe.

**Technical information**

The critical RCE vulnerability is tracked as CVE-2025-48530: a vulnerability in the Android System which could lead to remote code execution in combination with other bugs, with no additional execution privileges needed. User interaction is not needed for exploitation. This makes it a top priority patch–which only affects Android version 16–since it poses the risk of attackers being able to compromise affected devices silently.

The other critical vulnerability is tracked as CVE-2025-21479: unauthorized command execution in GPU micronode can cause memory corruption while executing specific sequence of commands.

A GPU micronode, is a small, specialized part within the Graphics Processing Unit (GPU) that handles specific tasks related to processing and rendering graphics on the Android device. It’s a critical component for making the visuals work smoothly and correctly.

Researchers recently discovered serious vulnerabilities in the GPU micronode of Qualcomm’s Adreno GPUs, which power billions of Android devices. Qualcomm has identified three such vulnerabilities and this patch fixes the second one they warned about.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Critical Android vulnerabilities patched—update as soon as you can 

A 24-year-old woman who allegedly advertised her services on social media has been arrested for her part in a "tap-in" scam.

Would you give a complete stranger your credit card in return for the promise of easy money? No, neither would we. But apparently well over a hundred people did. Hillsborough County Sheriff’s Office arrested 24 year-old Janetcilize Martinez in Tampa, FL, for allegedly using willing participants’ bank accounts to commit fraud.

Police are calling this a ‘tap-in’ scam. It’s not uncommon, and it works like this:

1.  The scammer advertises for people who want to make fast, easy money by providing access to their bank account. The scammer often describes what they’re going to do, up to and including step four, and offers a cut of the proceeds.
2.  The participant (actually the victim) hands over their debit card or other access credentials.
3.  The scammer uses this access to deposit a fraudulent check into the participant’s account.
4.  The scammer then cashes out the money before the bank realizes that it’s a fraud.
5.  This is the step the scammer omits to tell the victim. The check bounces and the victim is on the hook for the stolen money.

Another term for what these ‘tap-in’ scammers are doing is a third-party version of check kiting. Check kiters write themselves bad checks from another bank account, depositing them, and then picking up the money.

Hundreds of people on TikTok and X did this last year after being told of an apparent “infinite money glitch” at Chase Bank, which wasn’t one at all. They were just taking advantage of the standard fund availability window to collect money on fraudulent checks.

**Why check-kiting works (temporarily)**

Check-kiting frauds like these depend on fast access to cash from deposited checks. By law, banks in the US have to make $275 of the deposited funds available within one business day, with the rest available within two business days.

Banks can only put a further hold on currency if the account is new, there’s a pattern of overdrawn activity, the check has been redeposited, there’s reasonable cause to believe that the funds aren’t collectible, or the check exceeds $6,725.

**The obvious downside of check kiting**

Ultimately, if you write yourself a fraudulent check, the bank will inevitably realize when the check doesn’t clear and will take the balance out of your account.

This is why those who thought they’d take advantage of the Chase ‘glitch’ ended up with a negative balance. In reality, they were using theft to give themselves an illegal loan. Doing so can result in you losing your account or even facing criminal charges.

Martinez, who someone reported to police anonymously, allegedly advertised these tap-in services on social media, posting pictures of cash and withdrawal receipts.

When detectives showed up at her residence with a warrant on July 29, they found 117 credit cards belonging to other people, tools for creating counterfeit credit cards, nearly $7,000 in cash, cannabis and associated paraphernalia, and a semi-automatic weapon.

_Image courtesy of Image courtesy of Hillsborough County Sheriff’s Office._

She now faces the following charges:

*   Possession of credit card making equipment
*   Unlawful possession of personal identification of another (five or more)
*   Fraudulent use of personal information
*   Possession of drug paraphernalia
*   Possession of cannabis (more than 20 grams)
*   Possession of cannabis with intent to sell, manufacture, or deliver

Martinez has not yet been found guilty of this crime. She has been given bond release pending trial, but is being held without bond in another case, reporters for Fox 13 said.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Alleged &#8216;tap-in&#8217; scammer advertised services on social media 

Receiving an unexpected package in the post is not always a pleasant surprise.

Receiving an unexpected package in the post is not always a pleasant surprise. The FBI has warned the public about unsolicited packages containing a QR code which leads to a website aimed at stealing personal data or downloading malware to the victim’s device.

The packages are often shipped without sender information, only the QR code. This is a deliberate tactic of the cybercriminals who hope that the lack of information will encourage more people to scan the code.

These packages are a modern variant of brushing scams. In brushing scams, vendors send packages containing merchandise to unsuspecting recipients, and then use the recipient’s information to post positive reviews about their products or business.

The use of QR codes is the new element in this scam. Using QR codes in items sent in the post offers the criminals a few advantages. Firstly, people may not expect to end up with their device infected by something as non-technical as a physical letter. Secondly, QR codes are typically read by mobile devices, which—unfortunately—still get overlooked when it comes to installing security software.

As we reported in our “Tap. Swipe. Scam” mobile scam report, 66% of people have scanned a QR code to purchase something. With legitimate businesses employing the use of QR codes, it’s something people are becoming very used to doing.

What many people don’t realize, or remember too late, is that scanning a QR code without the proper safety measures is like clicking a link, with one caveat. With links, we can actually check where they are leading to before we click. However, with QR codes it’s impossible for most people to discern a malicious code from a legitimate one.

**How to protect yourself from brushing scams**

*   If you receive a package you didn’t order and it contains a QR code, do not scan it. Scanning can lead you to fake websites designed to steal your personal or financial information, or even install malware on your device.
*   Legitimate businesses almost always include a return address. Treat any mystery package without sender or return information with extra caution.
*   If you end up on a site asking for personal or financial information after scanning a QR code, do not enter that information. In the hands of scammers it can be used to defraud you.
*   Make sure your device is on the most up to date version. Cybercriminals will take advantage of recently discovered vulnerabilities that people are yet to update and protect themselves against.
*   When scanning QR codes use an app that displays the URL before opening the link. This makes it easier to establish whether it’s safe to follow the link.
*   Use up-to-date and active mobile protection, preferably one that includes web protection.
*   Use two-factor authentication (2FA) wherever you can to make it harder for scammers to access your accounts if they do get hold of your login details.
*   Secure your identity. If your information appears to have been used for a scam, consider freezing your credit, changing passwords, and monitoring bank and online accounts for suspicious activity. Or consider using Identity Theft Protection.
*   Report any brushing scams to the FBI at ic3.gov. Be sure to include as much information as possible, such as the name of the person or company that contacted you; the methods of communication used, including websites, emails, and telephone numbers; and any applications you may have downloaded or provided permissions to on your device.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Unexpected snail mail packages are being sent with scammy QR codes, warns FBI 

A list of topics we covered in the week of July 28 to August 3 of 2025

August 1, 2025 - OpenAI removed a short-lived experiment that allowed ChatGPT users to make their conversations discoverable by search engines

July 31, 2025 - The Trump Administration is working with 60 companies on a plan to have Americans voluntarily upload their healthcare and medical data.

July 31, 2025 - A Florida correctional institution leaked the names, email addresses, and telephone numbers of visitors to the facility to every inmate.

July 31, 2025 - Scammers are using texts that appear to have been sent to a wrong number to get targets to engage in a conversation.

July 30, 2025 - Apple has released important security updates for iOS and iPadOS patching 29 vulnerabilities, mostly in WebKit.

 A week in security (July 28 &#8211; August 3) 

An Ohio man lost $27,000 after an Apple ID scam text hit his phone. The strangest part? It happened at his doorstep.

You’ve probably heard about people scamming from halfway around the world, but sometimes they turn up at your door.

That’s what happened in May, when 67 year-old Robert Wise of Ohio received a text telling him that his Apple ID had been compromised. It had been used at an Apple store for a $213 purchase, the text message said.

The scam text received by Robert Wise, as shown to 10 WBNS

After calling the number on the phone, a man identifying himself as John Cooper said that thieves had racked up a total of $27,000 in charges in his name. Unless Wise withdrew $27,000 from his account immediately, it would be drained, the man said.

As you’ve probably already guessed, there had been no $27,000 theft. At least, not yet. According to local news reports, the man at the other end of the line tried to get Wise to deposit the money into a bitcoin machine to send him the funds.

Robert Wise speaks to 10 WBNS

When Wise tried and failed to do that, the crook said he’d send someone to collect the money in person. This is where 42 year-old Liwei Zhang turned up at the victim’s door and Wise handed the money over.

All might have been well save for the thief’s greed. Zhang arranged to come back and collect more money from Wise, who by this time had finally grown suspicious and called the sheriff. The sheriff told Wise to keep the criminal engaged and they managed to catch the thief at the scene.

Zhang, a Chinese national who was in the country on a business visa, now faces charges of theft, identity fraud and telecommunications fraud. He told law enforcement officers that he was just a middleman, and “felt that he was doing this revolving criminal activity”.

This isn’t an isolated case. Last month, officers in Kentucky arrested a Canadian citizen, Jia Hua Liu. Liu, who was in the US, had targeted multiple elderly victims with scams and then turned up at their homes to collect money. He had collected over $300,000 in total.

Last year, 21 year-old Tejaskumar Patel was arrested after collecting gold bars from a Florida resident. The victim, a retired marine, had been told he needed to pay to free himself from arrest warrants (which were fake). Officers only caught Patel after coming back for more gold, because the victim had called the police.

There are plenty of cases like these. Scamming this way is a reliable last resort for thieves because it will often be easier to collect cash personally from non-tech-savvy people rather than getting them to successfully make a bitcoin transaction.

However, the scammers also place themselves in great personal danger if a victim gets suspicious. Especially if they’re greedy enough to push their luck and come back for more.

Protecting yourself is simple:

*   Be on the lookout for telltale signs that a text is a scam. These include slight language errors and a sense of urgency.
*   Don’t respond directly to any text messages telling you about scams or making legal threats.
*   If the texts have you worried, verify them independently by calling the organization they’re supposed to be from. Use a number obtained independently to ensure you’re calling the right place, and don’t use the number in the text. If the organization can’t verify a text, it’s a scam.
*   Never send money to a stranger or give them money in person. No legitimate organization should ever ask for cash at the door, unless they’re wearing Girl Scout vests and come bearing cookies. If you’re spending $27,000 on Girl Scout cookies, you have bigger problems.
*   If you’re truly stumped about a text message and want some immediate, AI-assisted help, 24/7, try Malwarebytes Scam Guard for free.

Unfortunately, many elderly victims are more vulnerable to scams, as data shows, and may not heed such advice. That’s why it’s important to check in regularly with elderly friends or family to ensure that they aren’t involved in any such transactions.

Liu failed to scam $70,000 from some potential victims because their family members had found out what was going on and intervened. When scams targeting the elderly are so common, it’s important that someone has their back.

**We don’t just report on scans—we help detect them**

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

 Apple ID scam leads to $27,000 in-person theft of Ohio man 

OpenAI removed a short-lived experiment that allowed ChatGPT users to make their conversations discoverable by search engines

A little-known ChatGPT “feature” is now gone. It could be a good thing.

On X, OpenAI Chief Information Security Officer Dane Stuckey announced that OpenAI “removed a feature from ChatGPT that allowed users to make their conversations discoverable by search engines, such as Google.” Stuckey called the whole thing a “short-lived experiment to help people discover useful conversations.”

The feature was entirely opt-in, meaning users had to make certain selections to participate, including “picking a chat to share, then by clicking a checkbox for it to be shared with search engines.”

As Stuckey explained for why the company rolled back the experiment:

> Ultimately we think this feature introduced too many opportunities for folks to accidentally share things they didn’t intend to, so we’re removing the option. We’re also working to remove indexed content from the relevant search engines. This change is rolling out to all users through tomorrow morning.
> 
> Security and privacy are paramount for us, and we’ll keep working to maximally reflect that in our products and features.”

I was unable to find out when the option was officially introduced, which, I guess, might be a reason for the following uproar, as there was no big announcement.

But, such an announcement might have have helped users make informed decisions. The absence of this guidance or of any firm information about the feature during its short-lived life also highlights the way Artificial Intelligence (AI) companies view their users. As a commenter said:

> “The friction for sharing potential private information should be greater than a checkbox or not exist at all.”

Many users are conditioned to check checkboxes before being able to use something new, and they don’t read EULAs and other warnings. They just rapidly tick every box they think they need to tick to get to the result they have in mind as fast as possible.

Even though this attempt might have had the right intention, we are reminded of other leaked private conversations, whether they were caused by a bug, or not a bug. Either way, it does not help efforts to get the general public to trust AI chatbots.

Many people confide deeply personal secrets to chatbots and seek support for issues that could typically require hours of professional counseling.

OpenAI removed the option that allowed conversations with ChatGPT to be indexed, so newly shared chats will not appear in search results going forward. Still, OpenAI warns that some conversations already indexed may remain visible temporarily because of search engine caching, even as they work to have this content removed.

**Tips to use AI chatbots safer**

Besides the obvious (but often ignored) advice of reading any warnings and privacy policies before using these apps, there are some additional precautions and habits that can help keep your personal conversations private:

*   Don’t share without knowing all the consequences and implications.
*   Anonymize your input. Don’t use (real) names or other Personally Identifiable Information (PII) in your conversations.
*   Don’t share sensitive work or client data.
*   Use up-to-date active anti-malware protection.
*   Limit the data you provide and delete it when possible.

In short, trust an AI chatbot with your private info the same way you would trust a “blabbermouth”—not a whole lot.

**We don’t just report on threats – we help protect your social media**

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

 OpenAI kills “short-lived experiment” where ChatGPT chats could be found on Google 

The Trump Administration is working with 60 companies on a plan to have Americans voluntarily upload their healthcare and medical data.

US President Donald Trump announced a loose plan Wednesday to allow Americans to voluntarily upload and port their medical records across hospitals, clinics, technology companies, and health apps, with broad participation from Google, Apple, OpenAI, Amazon, and more.

While the system could help Americans connect disparate pieces of health data currently siloed behind separate companies and healthcare providers, some privacy experts have warned that the data’s segmentation is in fact paramount to its privacy.

“\[This\] private health tracking system w/ Big Tech should worry all Americans,” said Georgetown University professor Lawrence Gostin, who also serves as the Director of the World Health Organization Collaborating Center on National and Global Health Law.

> “There are few privacy safeguards. Medical records are personal \[and\] intimate. Health records might be shared with insurers, businesses, ICE, \[and\] law enforcement.”

But, according to the Trump Administration, being able to more easily share this data is a boon to Americans who want to, say, directly hand their personal Apple Health data to their doctor, or approve certain weight loss providers, like Noom, to obtain access to their medical records.

A total of 60 companies have signed onto the effort, ranging from traditional healthcare insurers such as UnitedHealth to artificial intelligence developers such as Anthropic and OpenAI. The latter group’s participation is part of the Trump Administration’s efforts to roll out AI chatbots that can steer Americans into healthier recommendations for daily living—a goal pushed by Health and Human Services Secretary Robert F. Kennedy following a recent visit to Indonesia.

“There are other apps in Indonesia that allow you to choose good foods when you go to the grocery store and turn your app on on your phone and get information,” Kennedy said at a televised event Wednesday. “Now, if you have your medical records, you can get personalized advice, and that allows you to get better advice about a better alternative.”

Still, the prospect of increasing the accessibility of healthcare data creates new risks.

First, while it is unknown if participating companies can store a person’s data, their access to the new database could make them highly attractive targets for cybercriminals who want to abuse that access to ransack Americans’ sensitive information. Already, third-party companies that support healthcare providers are at high risk for cyberattacks—a reality that nearly gridlocked two ambulance operators after a shared technology provider was attacked.

Further, it’s far too common for companies that already handle medical data to expose private information, like when a radiological imaging provider failed to protect tens of thousands of patient files.  

Second, there is also the question about whether the data will be used in new, privacy-invasive ways to track Americans. Already, Americans’ browsing habits, online searches, clicks, scrolls, opened emails, and shopping wish lists are mined for advertising revenue. As warned by Jeff Chester, executive director for the Center for Digital Democracy in speaking with the AP:

> “This scheme is an open door for the further use and monetization of sensitive and personal health information.”

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Trump Administration and Big Tech want you to share your health data 

A Florida correctional institution leaked the names, email addresses, and telephone numbers of visitors to the facility to every inmate.

The Everglades Correctional Institution (ECI) in Miami-Dade County has leaked the names, email addresses, and telephone numbers of visitors to the facility to every inmate.

The inmates received an email last week sent by a staff member that included the personal information of the visitors. Inmates can access their emails through secure tablets or kiosks at the facility. It is unclear yet whether it was an accidental or deliberate leak.

Those affected by this data breach feel frightened and infuriated, especially the women. That reaction is perfectly understandable: Imagine discovering that someone shared your contact details with every inmate in a correctional institution.

Madeline Donate, who regularly visits her husband at the prison, told the Florida Phoenix:

> “It’s kind of disturbing when you think about it. The privacy aspect of this is concerning. This is how other inmates get information and can sometimes extort family members and things like that. It’s concerning.”

Another visitor, Jan Thompson, spoke of her fears:

> “What if there’s some inmate that doesn’t like another inmate? And he tells his family, ‘Okay, here’s his wife’s phone number. Call her and tell her if she doesn’t pay and put $500 on my book, I’m going to have her husband stabbed and killed.’ What’s stopping them from doing that?”

The way this came about demands an explanation. During the COVID-19 pandemic, a policy was introduced where visitors had to fill out an application form every time they intend to visit. Before the introduction of that policy, a visitor—once approved– could just show up during visitation hours. While the policy made sense at the time, the underlying protocols have long been discarded, but the policy was left in place.

Patrice Kelly says she had already removed most of her digital footprint from the internet after having a problem with a stalker in her immediate past. Now her personal contact information has been released to every other inmate at ECI.

She stated:

> “Unfortunately, people in Florida that are at that institution now have my information. I don’t live in Florida anymore, so that’s a good thing. It only takes somebody saying, this is where this person lives.”

Denise Rock, executive director of the prisoner advocacy group Florida Cares, said her organization’s main concern is not with the institution but the visitation process, which she said is duplicative and led to the data breach.

> “We urge the department to discontinue requiring already-approved visitors to register and release their private information each time they do so.”

The Florida Department of Corrections has not commented publicly about the incident.

**Advice**

Remaining cautious and proactive helps limit the risk of further exposure or harm resulting from this data breach. When additional details become available about how the breach occurred or what steps the Department of Corrections is taking, there might be more tailored recommendations available.

Some tips that might be helpful:

*   Be cautious when receiving any unexpected communications (calls, messages, emails) from unknown numbers or individuals who reference your personal connection to an incarcerated person. Do not engage in conversations before confirming the source through other channels.
*   If you receive any harassment, threats, or inappropriate contact from current or former inmates, notify prison authorities immediately and consider reporting to the police.
*   Reach out to the Florida Department of Corrections to request removal or restriction of your contact details from visitation records where feasible, and ask what steps they are taking to prevent further incidents.
*   Do not share further personal information. Avoid sharing additional personal details publicly on social media or online directories that could be linked to your exposed information. You can check what information is already out there about you by using our free Digital Footprint Scanner.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Prison visitor details shared with all inmates at correctional facility 

Scammers are using texts that appear to have been sent to a wrong number to get targets to engage in a conversation.

_A special thanks to all the people at Malwarebytes and ThreatDown for sharing the text messages they received from scammers._

Many of us have received texts like these. Often super short, some flirty, some with a business tone, or sometimes just a simple ‘hello.’

You don’t know the sender, and they look like an honest mistake. But they’re not. All the messages are carefully crafted to seem plausible—so you don’t immediately feel suspicious—and short—to trigger your curiosity.

The intention of these messages are to get you to be confused enough that you will reply, perhaps by saying they have the wrong number.

Here are some of the messages our team has received recently:

**1\. The one-word text**

**2\. The “who are you again?” text**

**3\. The “tempting” text**

Sometimes these involve inviting you for fun activities on the weekend, like a BBQ or some beach time. Sometimes, it’s just a dinner suggestion:  

**4\. The business text**  

**5\. The “OMG i just woke up” text**  

These are just some examples, but we’ve seen so many more.

As soon as you reply, the scammer will initiate a friendly conversation. Their end goal will be to gain your trust and develop the relationship into a costly romance or investment scam.

From their end at least, some of my co-workers told them to go phish elsewhere.

However funny, we don’t recommend engaging with scammers in this or any other way. Here’s why:

**Why you should never respond**

*   Responding confirms your number is active.
*   It flags you as someone who reads texts and might engage.
*   The scammer may sell or share your number.
*   Some groups build long-term “mark profiles” for future scams. Even though you think you’re only providing them with little to none information, scammers often track who replies, how they reply, and how easily they engage. That data becomes part of a “mark profile”, a digital dossier on you that might include your phone number, the time of response (which suggests your schedule or time zone), and any other information you share.

**What you should do instead of replying**

*   Don’t reply, not even to be helpful. Don’t engage in conversation, even if they seem friendly.
*   Never click on links.
*   Block the number.
*   Report the message to your carrier (In the US, most carriers support forwarding spam texts to 7726).
*   Share examples (anonymized) to help others. One way to do this is to use Malwarebytes Scam Guard, which also helps you assess if a message is a scam or not.

**We don’t just report on scans—we help detect them**

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

Source

Malwarebytes