Geekzone: technology news, blogs, forums

Gen Q4 Threat Report Shows Scams Thriving Inside Ads, Feeds and Video

Posted on 16-Jan-2026 03:01 | Filed under: News


Gen has released its Q4 2025 Gen Threat Report, looking at trends from October through December. The report reveals how cybercrime in late 2025 increasingly relied on ordinary digital actions rather than sophisticated exploits. Across browsers, social feeds, messaging apps, and money tools, the most damaging attacks succeeded when people completed the final step themselves: clicking a link, scanning a QR code, approving a device pairing, or entering a verification code. Scams continued to be a key problem, with 41 scams blocked every second, on average, in 2025.

 

In New Zealand, scammers’ activity increased significantly during the holiday season, when people typically spend more time online. E-shop scams surged by 271%, alongside an 82% rise in Scam-Yourself attacks. Remote access trojan (RAT) attacks also grew by 82%. 

 

“Increasingly throughout 2025, scams did not announce themselves as threats. They blended into everyday digital routines,” said Siggi Stefnisson, Cyber Safety CTO at Gen. “Attackers leaned on familiar platforms, trusted interfaces, and automated persuasion, then scaled those tactics across devices and channels.”

 

Scams showed up where people already spend their time online: in social feeds and videos. Globally, fake online shops dominated during the holiday season with over 45 million blocked fake shop attacks in Q4, more than half of all fake shop attacks blocked in 2025 and a more than 62% increase from the same period in 2024. These fake shops also accounted for 65% of all threats blocked on social media, and were heavily concentrated on Facebook and YouTube, where most risky shopping clicks began. Phishing spread more broadly across platforms, led by Facebook (77%), followed by YouTube (13%) and Reddit (4%). For consumers, scam delivery increasingly felt indistinguishable from ordinary ads, posts, and videos until the moment money, credentials, or remote access were requested.

 

Gen telemetry also showed that malvertising – fake advertisements – was the top cyberthreat to individuals in 2025, accounting for 41% of all attacks and serving as the first click leading to many scams across social media and the Internet at large.

 

In New Zealand, malvertising attacks in Q4, specifically push notifications, increased by an additional 51%, compared with a 10% increase in Q3. This aligns with recent reporting citing internal Meta documents suggesting scam and banned-goods advertising may represent roughly 10% of revenue (about $16 billion).

 

Scam-Yourself attacks surged, but the marked uptick (152%) occurred in fake tutorial scams. These are YouTube tutorials and step-by-step guides on other sites that claim to offer free downloads or cracked software. Following the instructions or guide installs malware that’s disguised as a helpful tool. Fake computer and mobile scans also saw a 57% increase in detections.

 

“Kiwis are known for their No8 Wire mentality, and it seems that scammers have stumbled upon it,” says Mark Gorrie, VP APAC at Gen. “When scammers find a weak point, they’ll exploit it. Unfortunately, this means that New Zealanders will need to be vigilant with DIY videos or guides that direct them to download or install anything – for the foreseeable future.”  

 

Gen introduced on-device detection on Windows focused on the intersection of manipulated media and scam intent. Early telemetry showed that YouTube accounted for the largest share of blocked AI scam videos, followed by Facebook and X. Most blocked content was tied to financial, investment, and cryptocurrency lures, and was intercepted during playback, not downloads.

 

In Q4, Gen saw scams increasingly move back and forth between devices, using people to carry the attack across platforms. Some campaigns started on desktop with fake tutorial pages, then pushed victims to scan the screen with their phone, shifting the next steps onto mobile where permissions, sideloading, or verification were more likely. Others moved in the opposite direction. In GhostPairing attacks, first uncovered and named by Gen Threat Labs, victims entered a numeric code in WhatsApp on their phone, unknowingly linking an attacker-controlled browser as a trusted device and enabling rapid spread through contacts. Together, these patterns showed how modern scams crossed device boundaries to scale quickly and stay invisible.

 

As 2025 closed, Gen’s Q4 data showed that the attack surface had become continuous across browsers, chats, social platforms, and money apps. The most damaging incidents began with small, familiar actions performed under time pressure or false reassurance.

 



More information: https://www.gendigital.com/blog/insights/repo...