r/TrustRacer

Saw someone mention they found “certified organic cotton” supplier documents copied almost word-for-word across multiple Alibaba listings.

couldn’t stop thinking about it because the files looked incredibly professional.

proper stamps. signatures. audit references. even QR codes.

the strange thing about supply chain verification is that most fake documentation doesn’t look fake at all.

it looks slightly too complete.

feels similar to phishing emails getting more dangerous once they stopped having spelling mistakes.

brands like Nike, H&M, and Zara now talk constantly about traceability and supplier mapping, and i’m starting to understand why.

the real risk probably isn’t missing data anymore.

it’s confidently trusting bad data.

what’s the first thing people internally flag now when supplier paperwork looks “too perfect”?

reddit.com
u/ChillDude_404 — 15 hours ago

Airbnb host asked me to pay over Zelle. I said no. Trip is still on. But I keep thinking about how close I came to saying yes.

already resolved: booking went through the platform, everything is fine.

what i can't stop thinking about is how convincing it felt. host has been on Airbnb since 2019, 47 reviews, 4.91 stars. said Zelle would save us both the platform fee and that they do it with "most guests."

my gut said no and i listened. looked it up after: Airbnb explicitly prohibits off-platform payments and says you lose all AirCover protection the moment you pay outside the system. up to $3M in coverage, gone.

the "okay no problem" response when i declined actually unsettled me more than the request itself. apparently that's exactly what these scams do: drop it immediately when you push back.

what's the tell people actually use to catch this before it even gets to the conversation?

reddit.com
u/After_Memory_8295 — 1 day ago

A $10.3B company lost 500,000 client records because someone answered the wrong phone call.

No malware. No zero-day exploit. No sophisticated technical attack.

In early May 2026, Cushman & Wakefield, one of the four largest commercial real estate firms on the planet, confirmed that a single vishing call gave attackers full access to their Salesforce environment.

Vishing = voice phishing. Someone called. An employee picked up. Access handed over.

ShinyHunters claimed to have pulled more than 500,000 records containing personal data and internal corporate information. When ransom negotiations stalled, they published 50 gigabytes of stolen data. The same week, a second group, Qilin, currently considered the world's most prolific ransomware gang, independently listed Cushman & Wakefield on its own leak site.

Two separate criminal groups. One phone call.

How the attack unfolded

ShinyHunters claimed the initial breach on May 1. They set a ransom deadline of May 6. When no payment came, they released the full dataset publicly.

On May 12, Have I Been Pwned officially indexed the breach: 310,400 accounts confirmed exposed. Names, job titles, email addresses, phone numbers, physical addresses. Business contact data for current and former clients across 60+ countries.

Days later, a class action lawsuit landed in the Southern District of New York. The lead plaintiff said the breach triggered a flood of scam emails, calls, and texts, causing anxiety and sleep disruption. Cushman called the lawsuit "baseless" and described the incident as "limited in scope."

310,000 people whose data is now permanently public might disagree on the definition of limited.

The part that makes this worse

This dual-claim scenario is becoming a pattern in 2026. Initial Access Brokers sell compromised credentials to multiple buyers, meaning a single social engineering success can trigger parallel extortion campaigns from completely unrelated criminal groups.

One employee. One call. Two ransomware gangs. Fifty gigabytes of client data. A class action suit. All of it moving simultaneously before the company's security team had finished their morning coffee.

ShinyHunters has pulled the same playbook before: Ticketmaster, AT&T, Santander Bank. Their consistent use of vishing to bypass technical defenses points to one conclusion: even organizations with strong perimeter security fall when attackers go around the technology and call a human instead.

What this actually means for you

Most companies spend their security budget on firewalls, endpoint protection, and threat detection software. Almost none of it defends against a convincing phone call to someone in sales who thinks they're talking to IT support.

  1. If someone calls claiming to be internal IT, vendor support, or "security team" and asks for credentials or system access, hang up and call back on a verified number. Always.
  2. Check haveibeenpwned.com. The Cushman breach was indexed there on May 12; if your email or phone was in their Salesforce, you're already in circulation.
  3. Any business contact you had with Cushman & Wakefield is now a warm lead for targeted spear-phishing. Expect emails that reference real details about your property or contract.
  4. If your company uses Salesforce, or any CRM, ask whether staff can grant third-party access over the phone without a secondary verification step. If the answer is yes, that's the gap.

The attackers didn't need to be clever. They needed to be patient and convincing on a five-minute call.

"Make the right decision, don't be the next headline," ShinyHunters wrote in their ransom note to Cushman & Wakefield. They didn't. Now 310,000 people are dealing with the consequences.

How does your company verify identity on inbound calls from "IT support"?

reddit.com
u/flirty_smile — 3 days ago

What do you do when you spot a dark pattern (and can we actually force companies to stop)?

You sign up for a free trial, and the cancel button is buried under three menus and a guilt-trip screen ("Are you sure? You'll lose everything!").

Or you try to delete an account only to find the option hidden behind a wall of confusing toggles. Or a countdown timer screams at you that a hotel deal expires in 4 minutes, and it resets the moment you refresh the page.

Dark patterns are everywhere. The question is: does spotting them actually change anything?

What I personally do

When I notice one, I usually:

  • Close the app/site and use a competitor
  • Occasionally report it, but to whom? That part is always unclear

Can governments force companies to stop? Yes, and it's working, slowly.

Here are real cases where regulatory or public pressure led to consequences:

  1. The FTC ordered Epic Games to refund $245 million to customers after finding that the design layout of Fortnite, characterized by counterintuitive, inconsistent, and confusing button placements, facilitated inadvertent charges with a single button press. Epic also strategically relocated and minimized the "cancel purchase" button and designed a lengthy refund process.

  2. Ireland's Data Protection Commission fined TikTok €345 million in 2023 for using dark patterns to steer minors toward public account settings, breaching the GDPR's requirements for fairness and transparency. It was one of the first major decisions in which a regulator explicitly labeled UX practices as dark patterns in violation of legal standards.

  3. The FTC filed a complaint against Amazon for allegedly misleading consumers into paying for an Amazon Prime subscription, alleging that Amazon had placed significant terms such as auto-renewal at the bottom of the page and made it difficult to cancel the subscription through a long, drawn-out process.

  4. When Meta announced plans to use EU user data to train its AI systems in 2024, critics noted the opt-out process was buried behind misleading email notifications, redirects, and hidden forms. Following mounting regulatory and public pressure, the Irish Data Protection Commission intervened, leading Meta to pause its plans for EU/EEA users. Outside the EU? Meta proceeded as planned.

  5. The FTC required Credit Karma to pay $3 million after they deployed dark patterns to misrepresent that consumers were "pre-approved" for credit card offers. The damages were sent to over 50,000 consumers who were misled.

The "vote with your wallet" instinct feels right but often pointless when the company has no real competition. What do you actually do?

reddit.com
u/corwinsword — 4 days ago
▲ 15 r/TrustRacer+1 crossposts

28 apps on Google Play promised to show you anyone's call history. 7.3 million people paid. The data was made up.

The apps had names like "Call History of Any Number." One of them was published under the developer name "Indian gov.in", no connection to the Indian government whatsoever.

The pitch was simple: enter any phone number, pay a subscription, get their call logs, SMS records, and WhatsApp history. The offer was technically impossible: no Android app can pull someone else's private records on demand. The apps contained no code capable of retrieving real data and requested none of the permissions that would require.

What victims actually received: randomly generated phone numbers matched with hardcoded names, call times, and durations, all invented before a single user ever downloaded the app. (Source: AARP)

The numbers:

  • 28 separate apps, 7.3 million cumulative downloads, subscriptions priced between $6 and $80
  • ESET reported the apps to Google on December 16, 2025; all have since been removed
  • Victims who paid through third-party UPI apps or entered card details inside the app directly cannot get refunds through Google; they have to chase the payment provider or the developer themselves

The part worth sitting with: the warning signs were visible the entire time. Negative reviews accusing the apps of fraud were sitting right on the store pages, next to what appeared to be fake positive reviews. People paid anyway. The apps didn't need sophisticated hacking tools. They needed a familiar-looking listing, a believable name, and a payment prompt.

Some apps showed partial fake results upfront to build credibility, then charged for "the full history." Others sent fake email-style push notifications claiming the report was ready; tapping the alert opened a subscription screen. (Source: Doing More Today)

Google Play is supposed to be the safer option. These apps lived there for months.

What to check right now:

Open Google Play → tap your profile → Payments and subscriptions → Subscriptions. If anything looks unfamiliar, cancel and request a refund immediately.

Never trust an app that promises access to someone else's private data. That functionality does not exist on Android for any legitimate app.

Negative reviews are worth reading before you pay for anything. The red flags were public, users just scrolled past them.

If you paid via UPI or entered card details inside an app rather than through Google Play billing, contact your bank directly. Google cannot help you there.

7.3 million downloads. The scam didn't break into the Play Store. It walked in through the front door and stayed for months.

What other apps on your phone are you actually sure about?

reddit.com
u/flirty_smile — 6 days ago
▲ 10 r/TrustRacer+1 crossposts

The AI making security decisions for your power grid is more likely to be confidently wrong than right.

This isn't a hypothetical. It's a benchmark result published last year, and the people deploying AI into critical infrastructure are still moving forward anyway.

A 2025 evaluation of 40 AI models found that all but four were more likely to give a confident, incorrect answer than a correct one on difficult questions. Not uncertain. Not flagged for review. Confidently wrong, delivered in the same authoritative tone as a correct answer.

That's the actual problem. Not that AI makes mistakes. Every system does. The problem is that when an AI model lacks certainty, it has no mechanism to recognize that; it generates the most probable response based on training data patterns whether that response is accurate or not.

In a chatbot, that's annoying. In a system managing access controls for a hospital network or a water treatment facility, it's a different category of risk.

Where this is already happening

AI is now embedded in incident response, network configuration, vulnerability triage, and access management across critical sectors. In network infrastructure, errors or unexpected behaviors can lead to outages or security exposures, and the organization's fault tolerance for AI-driven mistakes is rarely defined before deployment.

When AI provides an inaccurate answer and mechanisms aren't in place to catch it, the implications can reach beyond a single enterprise to critical infrastructure and entire nations. Unfixed errors compound over time.

The issue gets worse because of how humans respond to confident outputs. Operators under pressure don't re-verify answers that sound certain. That's not negligence; it's how cognition works under load. Attackers already exploit this in social engineering. AI hallucinations create the same vulnerability from the inside.

And it's not just accidents. Operations like Salt Typhoon have specifically targeted critical infrastructure, and insiders warn that AI models themselves can exhibit manipulative behaviors under adversarial conditions.

The scale of the exposure

In March 2026, Iranian drones struck Amazon Web Services facilities in the UAE and Bahrain, the first time commercial hyperscale data centers became explicit kinetic targets in modern conflict. Digital infrastructure is now physically contested.

Meanwhile the systems running on that infrastructure are making confident wrong calls at a rate nobody has publicly accepted accountability for.

What actually reduces the risk:

  1. No AI output should trigger a sensitive action (infrastructure change, access update, incident response) without human sign-off. The review requirement applies whether the output looks right or wrong. Models sound equally confident in both cases.

  2. Treat AI-generated security recommendations the same way you'd treat an anonymous tip. Useful starting point. Requires verification before action.

  3. Audit the training data feeding your AI tools. AI hallucinations often trace back to outdated records, biased datasets, and inaccurate information baked in at the training stage. Garbage in, confident garbage out.

  4. Define fault tolerance before deployment, not after the first incident. What's the acceptable error rate for an AI making firewall decisions? Most organizations haven't answered that question.

We spent years worrying about AI being used against us by attackers. The less discussed version is AI being trusted too much by defenders, and failing at the exact moment it matters.

What decisions in your organization are already being made by AI without a human in the loop? Are you afraid that more and more decisions will be made not by humans but by AI?

reddit.com
u/flirty_smile — 6 days ago

Binance blocked $10.5 billion in crypto fraud using AI. The attackers are using the same AI to hit back.

That number sounds like a win. Read past it.

Crypto-related fraud reached $17 billion in 2025, a 30% increase from the year before. Binance stopped $10.5 billion of it. Which means several billion still got through, on one exchange alone.

The raw numbers:

  • 22.9 million scam and phishing attempts intercepted in Q1 2026 alone, $1.98 billion in user funds protected in a single quarter.
  • AI now powers 57% of Binance's fraud controls, cutting card fraud rates 60–70% below industry benchmarks.
  • Smart contract exploits now cost attackers as little as $1.22 per contract, down 22% month-over-month. Advanced AI models hit a 72.2% success rate in attack scenarios.
  • Binance's own research: AI is currently 2x better at exploitation than detection. AI-enabled scams are 4.5x more profitable than traditional ones.

Let that last point sit. The defenders built better AI. The attackers built faster AI.

What the attack side actually looks like now

76% of AI-driven scams now fall within the highest tier for both scale and severity, deepfakes, voice cloning, phishing bots, and impersonation schemes running across messaging platforms simultaneously.

This isn't a hacker at a keyboard anymore. It's automated infrastructure that generates fake identities, writes personalized messages in any language, mimics real support agents, and tests thousands of attack variations before you see a single one.

AI-enabled crypto scams surged 500% in 2025, according to TRM Labs. About 65% of crypto incidents investigated that year involved impersonation, phishing, or compromised devices — not smart contract exploits. The code is fine. The humans aren't.

The part Binance didn't lead with

Binance recovered $12.8 million across 48,000 fraud cases in 2025, a 41% year-over-year increase. That sounds like progress. It's also 48,000 people who got hit first.

Recovery after the fact is not the same as not losing the money. Most victims don't get $12.8 million split between them. They get weeks of back-and-forth with support and, in many cases, nothing.

What you can actually control:

  1. Withdrawal address whitelisting: lock where your funds can go even if your account is taken over. Most exchanges offer it. Most users never turn it on.
  2. Never trust an inbound message from "support." Go to the official site directly. Always.
  3. Binance flagged that 12% of third-party tools submitted to its marketplace were risky; treat any browser extension or trading bot touching your account as a potential threat until proven otherwise.
  4. Binance recently rolled out a withdrawal lockdown feature specifically to counter wrench attacks (physical coercion attempts). If you hold significant crypto, enable it.

AI stopped $10.5 billion. AI also made the $17 billion in losses possible in the first place.

Which side do you think is moving faster?

Source: Binance Blog / The Block / Decrypt, May 2026

reddit.com
u/ChillDude_404 — 8 days ago

spent months being suspicious of duolingo plus for no reason, here's what actually checking it looks like

kept assuming it was one of those freemium traps. confusing cancellation, surprise charges, the usual.

finally just checked properly. BBB profile clean, cancellation is straightforward, no pattern of billing complaints anywhere. took maybe 20 minutes total and i felt a bit silly after.

the thing i realized: i had no actual process. i was either trusting things by default or being vaguely suspicious without verifying either way. neither is a real approach.

what does your actual checklist look like before you hand over payment info to a new app or subscription?

reddit.com
u/After_Memory_8295 — 8 days ago

Does age verification on social media actually protect teens or is it just theater?

A meta-analysis of 143 studies covering nearly 1.1 million adolescents, published in JAMA Pediatrics (August 2024), found a statistically significant link between social media use and depression and anxiety in teens.

The U.S. Surgeon General's advisory puts the threshold bluntly: kids who spend more than three hours a day on social media face double the risk of mental health problems, including depression and anxiety.

That's the "why." The legislative response has been explosive.

  • Half of the U.S. now mandates age verification for social media or adult content. Nine states saw their laws take effect in 2025 alone.
  • Australia banned under-16s from social media entirely, effective December 2025.
  • Indonesia followed in March 2026, becoming the first country in Southeast Asia to enforce a social media ban for children under 16.
  • The EU is considering a minimum age of 16 for social media access EU-wide.

Here's the problem: the verification itself is a joke

Every major platform (Instagram, TikTok, Snapchat, Facebook, Discord) has had a minimum age of 13 for years. Despite that, nearly 40% of children aged 8–12 in the US use some form of social media.

Why? Because the verification is self-declared. Children of all ages can completely bypass age verification by simply lying about their age at signup. Researchers at Lero (Science Foundation Ireland) found that if a user initially provides an age of 16, none of the major apps require proof of age.

The workarounds kids use are creative and getting more sophisticated:

  • If an app asks for a live selfie, some users submit a photo of a hyper-realistic video game character; games like GTA V or The Last of Us are popular choices.
  • Others photograph an actor on screen to pass facial recognition.
  • Speech recognition? Easily bypassed by playing a voice recording of an adult.
  • The oldest trick: just type in a different birthday.

That's the entire system on most platforms.

Even stricter verification creates a new problem: it requires collecting government IDs or biometrics. If leaked, items like government IDs or selfies could lead to identity fraud. Since verification tends to apply to all users, not just minors, there are wider social concerns around surveillance and misuse of personal data.

The EFF frames it more bluntly: age verification measures censor the internet and burden access to online speech. They undermine the fundamental speech rights of adults and young people alike, create new barriers to internet access, and put at risk all internet users' privacy, anonymity, and security.

Courts broadly agree: district courts have almost uniformly enjoined these laws for violating the First Amendment.

Should we protect kids from social media?

Yes. But how? The honest answer is that no single intervention works cleanly. But the evidence points toward a layered approach:

  1. Design regulation, not just access gating. California's SB 976 is more targeted than most laws: it bans algorithmic "addictive feeds" for minors without parental consent, not social media wholesale. This targets the mechanism of harm (infinite scroll, engagement optimization) rather than treating all social media as equally dangerous.
  2. Ongoing verification, not just at signup. Age verification should be a continuous process that doesn't terminate after sign-up, to catch users who lied initially and to counteract evasion. Hard to implement, but more defensible than one-time ID checks.
  3. Device-level controls. Providing mechanisms that deter a user from installing an app on a device on which they have previously declared themselves to be underage is currently the most sensible and hardest-to-circumvent solution. If your age is on file at the OS/app store level, lying per-app becomes harder.
  4. Platform liability. The legal pressure is starting to work. In March 2026, a California jury found Meta and YouTube negligent in their deliberate design of addictive platforms for children. More than 40 state attorneys general have filed similar lawsuits against Meta. Financial consequences change design incentives faster than compliance checkboxes.
  5. Parental involvement with realistic expectations. Laws in Virginia and Nebraska give parents tools to cap screen time and monitor settings. Useful, but also easy to circumvent when a kid has a second device or a friend's account.

The uncomfortable truth

We have a genuine harm, a broken fix, and a civil liberties dilemma all stacked on top of each other. Age verification as currently implemented is mostly security theater. But the alternative, doing nothing while evidence of adolescent mental health damage accumulates, isn't defensible either.

The most honest frame: the pattern that holds is "design and dose, not blanket harm". The same teen on the same platform can have a healthy or unhealthy relationship with it, depending on hours, content, and which features dominate the feed.

Policy that ignores that nuance will keep producing laws that get blocked in court, while kids keep lying about their birthday.

What's your opinion on how to protect kids from the bad influence of social media?

reddit.com
u/emma_lorien — 9 days ago

Is social proof dead as a trust signal or are we just bad at reading it?

Social proof is supposed to be the gold standard of trust-building. BrightLocal's 2023 survey found that 79% of consumers trust online reviews as much as personal recommendations!

Businesses built entire growth strategies on it. And that's exactly why it's being systematically destroyed.

The problem isn't that social proof doesn't work, it's that it works too well! So scammers industrialized it.

A few data points worth sitting with:

  1. Amazon fake reviews: Fakespot (now owned by Mozilla) analyzed millions of Amazon listings and flagged roughly 42% of reviews as unreliable in some product categories.
  2. The FTC noticed: in 2023, the FTC finalized a rule explicitly banning fake reviews, AI-generated testimonials, and paid endorsements without disclosure, a signal of how normalized the practice became.
  3. Video is no longer safe either: Deepfake video testimonials are already appearing in scam funnels. Synthesis tools are cheap enough that a convincing "customer story" costs almost nothing to fabricate.

So we're at a point where the most persuasive trust signal is also the most exploitable one.

What does this mean for legitimate businesses?

A few directions I see being tested:

1. Verified purchase gates

Reviews tied to confirmed transactions (Amazon, Trustpilot's verified badges). Harder to fake, but not impossible.

2. Specificity as a proxy for authenticity

Real reviews tend to include product-specific details, timelines, complaints. Generic five-star praise reads as synthetic now.

3. Third-party audit trails

Some SaaS companies are leaning on G2 or Capterra precisely because the review process has friction that farms can't easily bypass at scale.

4. Community proof over testimonial proof

Active Discord servers, public Slack communities, observable conversations. Hard to fake at volume.

My actual question for the community:

Has social proof already crossed the threshold where it's net-negative as a trust signal for informed buyers? And if yes, what replaces it?

Curious whether anyone here has data on conversion rates from "verified" vs. unverified reviews, or has seen deepfake testimonials in the wild.

reddit.com
u/b2b_pipeline_guy — 11 days ago