
#45: Gemini fights bots, TikTok gets cloned, and Scams Hit 73% of all adults
The lines between trusted experiences and scams keep getting blurrier. This week, we’re looking at what happens when attack surfaces go where most detection doesn’t: into your calendar, your ad funnel, and your storefront.
Let’s get into it.
NATE'S TAKE - AUGUST 18, 2025
Top Three This Week
- The Majority of U.S. Adults Have Been Scammed. Now What?
- Google Quietly Turned Gemini on the Ad Fraud Problem
- 15,000+ Fake TikTok Shop Domains and Counting
1. The Majority of U.S. Adults Have Been Scammed. Now What?

A new Pew study found that nearly 3 in 4 U.S. adults have experienced some kind of online scam, and that number is rising. What's behind it? More attacks arriving in places users don't expect: calendar invites, authenticator push prompts, and HTML email attachments.
Calendar phishing works by landing a fake Zoom invite on your calendar (auto-added, no approval required), tempting you to click for "details," and silently redirecting you to malware or a credential-phishing page. MFA fatigue (push bombing) is also on the rise: an attacker who already holds a stolen password sends push notifications nonstop until the victim approves one out of habit or frustration. And HTML attachments remain a top delivery vector for info-stealing malware.
These work because the experience feels familiar, embedded, and frictionless. That’s the same pattern we see in fraudulent checkout flows and refund abuse: weaponized convenience.
If you're protecting users, don't just look at what was clicked; look at how the interaction was delivered. Was the channel expected? Was trust implied by where the message appeared? Does your detection logic account for the attack being the flow itself, rather than a single bad link?
The threat model has moved. Make sure your detection has, too.
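Two small detections that score the delivery channel rather than the click, written here as an added example (not code from the newsletter or from Spec). The MFA log lines and calendar invites are constructed, and the internal domain, the list of expected meeting hosts, and the thresholds are assumptions you would tune for your own environment.

```python
"""Added example: channel-aware detections for MFA push fatigue and calendar phishing.
All log data below is constructed; domains, hosts and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed MFA push log: "<timestamp> <user> <result>"
MFA_LOG = """\
2025-08-18T09:00:01Z alice denied
2025-08-18T09:00:31Z alice timeout
2025-08-18T09:01:05Z alice denied
2025-08-18T09:01:40Z alice timeout
2025-08-18T09:02:10Z alice approved
2025-08-18T09:10:00Z bob approved
2025-08-18T14:00:00Z carol denied
2025-08-18T15:30:00Z carol approved
"""


def parse_mfa(text):
    """Parse the constructed log into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def mfa_fatigue_alerts(events, min_unanswered=3, window=timedelta(minutes=10)):
    """Flag an approval preceded by >= min_unanswered denied/timed-out pushes
    for the same user inside `window`. A lone denial, or an approval hours later,
    is normal; a burst of ignored prompts followed by an approval is the fatigue pattern."""
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))
    alerts = []
    for user, evs in by_user.items():
        for i, (ts, result) in enumerate(evs):
            if result != "approved":
                continue
            prior = [t for t, r in evs[:i] if r in ("denied", "timeout") and ts - t <= window]
            if len(prior) >= min_unanswered:
                alerts.append((user, ts.isoformat(), len(prior)))
    return alerts


# Constructed calendar invites: (organizer, subject, description)
INVITES = [
    ("cfo@example.com", "Q3 review", "Agenda attached. Zoom: https://example.zoom.us/j/123"),
    ("noreply@zoom-meetings-invite.top", "Zoom: Urgent call",
     "Join: https://zoom-meetings-invite.top/j/9911"),
    ("hr@example.com", "Benefits", "No links here"),
]
INTERNAL_DOMAIN = "example.com"                                   # assumption
EXPECTED_MEETING_HOSTS = ("zoom.us", "teams.microsoft.com", "meet.google.com")  # assumption

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def link_hosts(text):
    """Return the hostnames of every URL in a block of text."""
    hosts = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def _trusted(host, expected):
    return any(host == e or host.endswith("." + e) for e in expected)


def suspicious_invites(invites, internal_domain, expected_hosts):
    """Flag invites from an external organizer whose 'join' link points
    somewhere other than the meeting platforms we actually use."""
    flagged = []
    for organizer, subject, desc in invites:
        org_domain = organizer.rsplit("@", 1)[1].lower()
        external = org_domain != internal_domain
        bad = [h for h in link_hosts(desc) if not _trusted(h, expected_hosts)]
        if external and bad:
            flagged.append((organizer, subject, bad))
    return flagged


if __name__ == "__main__":
    print(mfa_fatigue_alerts(parse_mfa(MFA_LOG)))
    print(suspicious_invites(INVITES, INTERNAL_DOMAIN, EXPECTED_MEETING_HOSTS))
```

Neither check looks at the link the user eventually clicked. The first asks whether the approval was the end of a burst the user did not initiate; the second asks whether an invite arrived from outside and routes to a host that is not one of the platforms the organization uses. Both are cheap to run on data you already have.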
2. Google Quietly Turned Gemini on the Ad Fraud Problem

Google has been quietly using its Gemini models to fight invalid traffic (IVT), and it's working. In a pilot from late 2023 to late 2024, they cut mobile IVT by 40%, targeting things like hidden ads, accidental clicks, and deceptive placements that force interaction.
Gemini navigates apps and websites like a user would: clicking, scrolling, taking screenshots, and flagging ads that violate policy but look fine to the naked eye. Paired with traditional ML, it spots ad fraud upstream, before impressions are served or bids are placed.
The takeaway isn't that Google is fighting fraud with AI; it's how they're doing it. Not with static rules. Not with traffic scoring. But with contextual agents that can simulate real behavior and understand intent.
This is the same challenge fraud teams face every day: bad actors using clean sessions, smart automation, and trusted platforms to blend in. If your stack is still reacting to signals in isolation, you're behind. You don’t just need more data, you need better context.
3. 15,000+ Fake TikTok Shop Domains and Counting

Researchers just uncovered a massive scam targeting TikTok Shop users, complete with 15,000+ fake domains, AI-generated influencer content, phishing pages, and trojanized apps. The campaign, dubbed FraudOnTok, mimics everything from product listings to affiliate dashboards, tricking users and creators alike into handing over credentials, depositing crypto, or downloading malware-laced TikTok knockoffs.
The malware (SparkKitty) goes deep. Once installed, it uses OCR to scan screenshots for crypto wallet seed phrases, harvests login tokens, and sidesteps standard app protections. It even manipulates OAuth login flows to capture Google session tokens. This isn't just phishing; it pairs credential theft with trojanized app distribution at the edge of commerce.
This is what social commerce fraud looks like now. TikTok, Facebook, and Instagram aren't just ad channels anymore; they're the storefronts. And that makes scams like this incredibly hard to detect if you're only looking inside your own app.
The surface area is growing and trust is being weaponized at every step. Don’t assume fraud stops at your borders. It starts wherever your brand shows up.
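Finding your brand where it shows up starts with the domains that borrow its name. The scorer below is an added example (not code from the newsletter, from Spec, or from the researchers who reported the campaign): it rates candidate domains for brand impersonation using a brand string, near-brand tokens by edit distance, commerce keywords, cheap TLDs and hyphen count. The brand, the allowlist of official domains, the keyword and TLD lists, the weights and the sample domains are all assumptions constructed for illustration; in practice the candidate list would come from certificate-transparency logs or a new-domain feed.

```python
"""Added example: score candidate domains for brand impersonation.
Brand, allowlist, keyword/TLD lists, weights and sample domains are assumptions."""
import re

BRAND = "tiktok"                                            # assumed brand
OFFICIAL_DOMAINS = {"tiktok.com", "tiktokshop.com"}         # assumed allowlist
COMMERCE_KEYWORDS = ("shop", "seller", "affiliate", "partner", "login", "verify", "wallet")
CHEAP_TLDS = {"top", "shop", "xyz", "icu", "vip", "buzz"}   # assumed: commonly abused TLDs

# Constructed candidate list (stand-in for a CT-log or new-domain feed)
SAMPLE_DOMAINS = [
    "tiktokshop.com",
    "shop.tiktok.com",
    "tiktok-shop-seller.top",
    "tikt0k-affiliate.com",
    "login-verify.xyz",
    "example.org",
]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_official(domain: str) -> bool:
    """True for the allowlisted domains and any of their subdomains."""
    return domain in OFFICIAL_DOMAINS or any(domain.endswith("." + d) for d in OFFICIAL_DOMAINS)


def score_domain(domain: str):
    """Return (score, reasons). Higher means more likely a brand lookalike."""
    domain = domain.lower().rstrip(".")
    if is_official(domain):
        return 0, ["official domain"]
    labels = domain.split(".")
    tld = labels[-1]
    name = ".".join(labels[:-1])                 # everything left of the TLD
    tokens = [t for t in re.split(r"[-.]", name) if t]
    score, reasons = 0, []
    if BRAND in name:
        score += 3
        reasons.append("brand string in name")
    elif any(1 <= levenshtein(t, BRAND) <= 2 for t in tokens):
        score += 3                               # tikt0k, tiktoc, tlktok ...
        reasons.append("near-brand token")
    hits = [k for k in COMMERCE_KEYWORDS if k in name]
    if hits:
        score += len(hits)
        reasons.append("commerce keywords: " + ",".join(hits))
    if tld in CHEAP_TLDS:
        score += 1
        reasons.append("cheap TLD ." + tld)
    if domain.count("-") >= 2:
        score += 1
        reasons.append("multiple hyphens")
    return score, reasons


def flag_lookalikes(domains, threshold=4):
    """Return (domain, score, reasons) for every domain at or above threshold, highest first."""
    flagged = []
    for d in domains:
        s, r = score_domain(d)
        if s >= threshold:
            flagged.append((d, s, r))
    return sorted(flagged, key=lambda x: -x[1])


if __name__ == "__main__":
    for d, s, r in flag_lookalikes(SAMPLE_DOMAINS):
        print(f"{s:2d} {d:28s} {'; '.join(r)}")
```

The threshold matters: `login-verify.xyz` collects keyword and TLD points but carries no brand signal, so it stays below the line, while `tikt0k-affiliate.com` is caught by the edit-distance check even though the brand string never appears verbatim. Run this over a daily feed of newly observed domains and you have a first pass at seeing the storefront knock-offs before your customers do.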
===
That’s all for this week! For more insights, follow us on LinkedIn or X, and if you want to learn more about what we do, visit www.specprotected.com.
Nate Kharrl, CEO and co-founder at Spec, has built leading solutions for application security and fraud challenges since the early days of the cloud era. Drawing from his cyber experience at Akamai, ThreatMetrix, and eBay, Nate helped found Spec to focus on the needs of businesses operating in a landscape of increasing AI risks. Under Nate’s leadership, Spec grew from its mid-pandemic founding to raise $30M in venture-backed funding to build solutions used by Fortune 500 companies transacting billions in online commerce. Spec’s service offerings today include protective measures for websites and APIs that specialize in defending against attacks designed to bypass bot defenses and risk assessment platforms.