
#59: EU finalizes new fraud rules, Cyber Monday retail fraud, AI-generated scam sites on the rise
As the holiday shopping season hits full stride, lawmakers and scammers are both stepping up. This week, the EU finalized sweeping new fraud rules that hold platforms and payment providers responsible for scam losses. In the US, Cyber Monday brought the usual spike in fraud warnings, including a wave of AI-powered shopping scams and delivery phishing campaigns.
Let’s get into it.
NATE'S TAKE - DECEMBER 2, 2025
Top Three This Week
- EU finalizes sweeping fraud rules targeting banks and online platforms
- Cyber Monday brings surge in retail fraud and fake delivery texts
- AI-generated scam sites and brushing attacks are on the rise
1. EU finalizes sweeping fraud rules targeting banks and online platforms

The European Union has agreed on new legislation that holds both banks and online platforms accountable for fraud. Under the new rules:
- Payment providers will be liable for reimbursing customers if they fail to implement appropriate fraud prevention measures.
- Platforms that allow scam ads or listings to run without timely removal can also be held financially responsible for resulting fraud losses.
- Banks must offer human customer service, not just chatbots, and provide clearer disclosures around fees and charges.
- Payment providers will also be expected to improve fraud detection, freeze suspicious transactions, and ensure access to cash in rural areas.
The law is a major policy shift that closes a long-standing accountability gap between scam distribution and financial losses. Once formally adopted, it could set a new precedent for scam prevention globally.
ARTICLE: Payment services deal: More protection from online fraud and hidden fees
2. Cyber Monday brings surge in retail fraud and fake delivery texts

AAA warned that the holiday shopping rush increases exposure to scams as consumers move quickly to lock in limited-time deals. The most common threats include emails advertising extreme discounts that lead to spoofed retailer sites, fake delivery notifications sent by text message, and copycat charities using lookalike branding to solicit donations.
AAA advised consumers to check for HTTPS and a padlock symbol before entering payment details, avoid clicking links in unsolicited messages, and use a dedicated credit card for holiday purchases. Shoppers were also cautioned about fake package alerts designed to capture personal information.
For fraud fighters, these trends reflect how attackers rely on urgency, volume, and impersonation during peak retail periods. Monitoring sudden spikes in new domains, tightening controls around delivery-flow phishing, and coordinating with brand protection teams can reduce downstream account compromise and payment fraud throughout the season.
3. AI-generated scam sites and brushing attacks are on the rise

Security researchers reported a 250% increase in the creation of fake shopping websites in the lead-up to Cyber Monday. Many are now built using generative AI to closely mimic the look and feel of legitimate brands.
Another tactic gaining traction is the brushing scam. Consumers receive an unsolicited package—often a small item like a fake ring—with a QR code and instructions to register the item. Scanning the code or entering personal information can expose users to credential theft or account takeovers.
For fraud teams, this highlights the growing challenge of detecting highly realistic spoof sites and low-signal scams designed to slip past filters. Brand protection monitoring, takedown partnerships, and user education during peak shopping periods can help reduce downstream abuse. Keep an eye on how QR-based phishing evolves. It's becoming a preferred tactic for driving mobile-first account compromise.
===
That’s all for this week! For more insights, follow us on LinkedIn or X, and if you want to learn more about what we do, visit www.specprotected.com.
Nate Kharrl, CEO and co-founder at Spec, has built leading solutions for application security and fraud challenges since the early days of the cloud era. Drawing from his cyber experience at Akamai, ThreatMetrix, and eBay, Nate helped found Spec to focus on the needs of businesses operating in a landscape of increasing AI risks. Under Nate’s leadership, Spec grew from its mid-pandemic founding to raise $30M in venture-backed funding to build solutions used by Fortune 500 companies transacting billions in online commerce. Spec’s service offerings today include protective measures for websites and APIs that specialize in defending against attacks designed to bypass bot defenses and risk assessment platforms.



