Investment scams cost U.S. consumers billions in 2024

Financial scams are not going away. In fact, they’re scaling faster than ever. U.S. consumers lost $5.7 billion to investment scams in 2024. Investment fraud is becoming an industrial operation, feeding off economic volatility and exploiting people’s need for financial security.

These schemes don’t rely on brute force. Their strength is deception, aimed at people who genuinely want to build financial security. Cybercriminals craft polished online experiences that feel legitimate and urgent. Offers are time-sensitive. Websites are appealing. They borrow big names, familiar brands and celebrities, to manufacture credibility.

C-suite leaders should care about this, because it erodes digital trust. Scammed individuals blame platforms. Platforms lose credibility. Every touchpoint in your digital ecosystem becomes a potential weak link if a user is tricked into believing bad actors are part of your brand’s world. That affects user retention, reputation, and margin.

It’s essential to recognize that this is the product of a broken information environment, one that moves faster than most security policies can keep up with.

Distinct tactics of Reckless Rabbit and Ruthless Rabbit

Two major actors are fueling the rise in these scams: Reckless Rabbit and Ruthless Rabbit. Both are names coined by Infoblox Threat Intelligence. These are operations with advanced infrastructure and intent.

Reckless Rabbit leans heavily on paid Facebook ads. The ads front socially engineered campaigns that use fake celebrity endorsements and locally targeted content to appear real, down to language and cultural relevance. They operate globally but tailor everything to look local. That increases engagement and conversions. To stay hidden, they generate massive volumes of subdomains, all of which respond with live pages. That clutters DNS visibility: the real scam endpoints are buried in a crowd of look-alike names, and a defender chasing individual hostnames never catches up.

On the other side, Ruthless Rabbit takes a more infrastructure-driven approach. They run their own cloaking service, screening each visitor before showing scam content, so automated bots and most security crawlers never see the real page. They also spoof official news sites and brand sites such as Meta and WhatsApp. If a landing page gets blocked, they simply cycle in the next one. Fast. Clean. Hard to trace.

What ties both groups together is their use of RDGAs, Registered Domain Generation Algorithms. A classic DGA spits out thousands of candidate names and hopes a few slip past filters; most are never registered and never resolve. With an RDGA the operators register the names the algorithm produces, at scale, so every one of them is live infrastructure. That makes blacklist approaches almost pointless: by the time a domain is flagged, hundreds more are already registered and serving.

This matters to executives because these actors are effective. Their tech stacks are agile. Their targeting is precise. And the speed at which they recover from takedowns gives them an operational resilience many businesses don’t yet have. If your platform, brand, or user base is even tangentially related to finance or social reach, you’re already in the blast radius. It’s smarter to act now than react later.

The escalating challenge of RDGAs

Here’s what’s changed. Scam networks no longer just generate domain names at random and hope they dodge filters. That’s outdated. What we’re now seeing is the rise of Registered Domain Generation Algorithms, RDGAs. These systems generate domains and register them proactively, so the names resolve and serve content from day one. That single shift makes scam operations more sustainable, harder to dismantle, and more agile.

This approach means bad actors control the infrastructure. Once a few domains are flagged and taken down, replacements are already live and propagating. The volume isn’t random; it’s engineered. They deploy new domains fast and on demand, with minimal downtime across the entire network of fraudulent sites.

If your organization is operating in finance, tech, eCommerce, or any public-facing platform, then your systems interact with this landscape by default. These domains aren’t just targeting your customers; they might be spoofing your brand next. That’s reputation risk tied directly to operational exposure.

Security protocols need rethinking. Blacklists won’t keep up. Traditional web filtering and reactive takedown strategies won’t scale. A more effective defense starts with visibility. DNS-layer intelligence, pattern recognition, and automation have to become part of your operating system, not an optional plugin.

Infoblox has highlighted this shift as the key differentiator separating legacy scamming methods from today’s high-scale fraud. RDGA-driven attacks give scam networks resilience, redundancy, and reach. That changes the game.

Psychological manipulation through chaos and trust

Scam operations don’t rely only on tech, they depend on how humans think. That’s where they get real traction. According to Infoblox researchers, these frauds succeed because they hit two critical psychological points: chaos and trust.

Chaos is about timing. Economic instability gives scammers leverage. People feel uncertain about the future, and that triggers the search for high-return opportunities. Offers that promise fast earnings with low effort suddenly feel rational. That stress-based environment drives decision-making without due diligence.

Trust is engineered into the scam. Fake endorsements, proper branding, and professional design lower a person’s psychological defenses. These scams don’t look sloppy; they’re precise. Victims don’t ignore red flags; they never see them. The visual cues, brand logos, and human faces on these pages are all chosen to create comfort and familiarity.

This model works at scale because it doesn’t need to fool everyone. It just needs to fool a small percent, and it does repeatedly. If you run a platform, oversee a brand, or manage any form of public presence, you’re part of the trust layer. When online trust is misused, customers hold legitimate companies accountable.

Executives need to think about security as a behavioral barrier. Cyber defense is partly education. Your people, employees, customers, and partners, need to be prepared to identify this kind of psychological targeting. Investment in awareness keeps your business reputation intact, because breaches of trust don’t always start inside your firewall; they often begin with a well-placed fake ad, dressed to convince.

The role of DNS monitoring in early scam detection

If you want early warnings, look at DNS traffic. Scam networks rely heavily on domain infrastructure: new domains, subdomains, dynamic URLs. That pattern creates activity in the DNS layer that’s hard to hide. Most traditional security tools miss it because they watch higher in the stack, at the web or application layer. But almost every connection begins with a DNS lookup. Monitoring there gives you leverage.

Infoblox research points out that DNS traffic, specifically the UDP queries most resolvers exchange, can show telltale signs of RDGA-based scams. These aren’t random blips. They’re part of an operational pattern, and recognizing it lets you see when a malicious domain network is gearing up or pivoting. Once the pattern is recognized, defenders can map and disrupt scams before they mature.
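
Two of the signals the text describes, subdomain fan-out under one registrable name (Reckless Rabbit’s churn) and bursts of never-before-seen domains that share a shape (RDGA output), can be pulled out of an ordinary resolver query log. The script below is an added example, not Infoblox’s detection logic and not the author’s code. The log format, the thresholds, the tiny public-suffix stand-in and the reserved .test names are all constructed for illustration; a real deployment would use a public suffix list library and tune thresholds against its own traffic.

```python
"""Heuristic triage of resolver query logs for scam-domain churn.

Added example, not Infoblox's detection logic or the page author's code. Log
format, thresholds and the reserved .test names are constructed assumptions.
"""
import re
from collections import defaultdict

# Assumption: a tiny stand-in for the public suffix list.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

# Constructed log format: "<timestamp> <client> <qname> <qtype>" per line.
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def split_registrable(qname: str) -> tuple[str, str, str]:
    """Split 'a1.earn-fast-profit.test' into ('a1', 'earn-fast-profit', 'test')."""
    labels = qname.lower().rstrip(".").split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    if len(labels) <= suffix_len:
        raise ValueError(f"no registrable domain in {qname!r}")
    suffix = ".".join(labels[-suffix_len:])
    sld = labels[-suffix_len - 1]
    sub = ".".join(labels[: -suffix_len - 1])
    return sub, sld, suffix


def template(sld: str) -> str:
    """Lexical shape of a second-level label: letter runs -> 'a', digit runs -> '0',
    hyphens kept. 'crypto-gain-2025' -> 'a-a-0'."""
    return re.sub(r"[0-9]+", "0", re.sub(r"[a-z]+", "a", sld))


def parse_log(text: str) -> list[tuple[str, str, str, str]]:
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = LOG_LINE.match(line)
        if not match:
            raise ValueError(f"unparseable log line: {line!r}")
        records.append(match.groups())
    return records


def subdomain_fanout(records, threshold: int = 4) -> dict[str, int]:
    """Registrable domains with at least `threshold` distinct subdomains in the
    window: the subdomain churn the text attributes to Reckless Rabbit."""
    subs: dict[str, set[str]] = defaultdict(set)
    for _ts, _client, qname, _qtype in records:
        sub, sld, suffix = split_registrable(qname)
        if sub:
            subs[f"{sld}.{suffix}"].add(sub)
    return {dom: len(s) for dom, s in subs.items() if len(s) >= threshold}


def rdga_families(records, baseline: set[str], min_members: int = 3) -> dict[str, list[str]]:
    """Group never-before-seen registrable domains by lexical template; several
    new names sharing one shape in one window look like a registered family."""
    families: dict[str, set[str]] = defaultdict(set)
    for _ts, _client, qname, _qtype in records:
        _sub, sld, suffix = split_registrable(qname)
        dom = f"{sld}.{suffix}"
        if dom not in baseline:
            families[template(sld)].add(dom)
    return {t: sorted(d) for t, d in families.items() if len(d) >= min_members}


def triage(log_text: str, baseline: set[str]) -> dict:
    records = parse_log(log_text)
    fanout = subdomain_fanout(records)
    families = rdga_families(records, baseline)
    candidates = set(fanout) | {d for doms in families.values() for d in doms}
    return {"fanout": fanout, "families": families, "block_candidates": sorted(candidates)}


# Constructed sample: .test is a reserved TLD, none of these names resolve.
SAMPLE_LOG = """\
2025-05-01T09:00:01Z 10.0.0.5  www.example-bank.test A
2025-05-01T09:00:02Z 10.0.0.5  mail.example-bank.test A
2025-05-01T09:00:03Z 10.0.0.7  a1.earn-fast-profit.test A
2025-05-01T09:00:04Z 10.0.0.7  b2.earn-fast-profit.test A
2025-05-01T09:00:05Z 10.0.0.7  c3.earn-fast-profit.test A
2025-05-01T09:00:06Z 10.0.0.7  d4.earn-fast-profit.test A
2025-05-01T09:00:07Z 10.0.0.7  e5.earn-fast-profit.test A
2025-05-01T09:00:09Z 10.0.0.9  login.crypto-gain-2025.test A
2025-05-01T09:00:10Z 10.0.0.9  login.stock-boost-2025.test A
2025-05-01T09:00:11Z 10.0.0.9  login.wealth-surge-2025.test A
2025-05-01T09:00:12Z 10.0.0.9  login.invest-rise-2025.test A
2025-05-01T09:00:14Z 10.0.0.11 news.site-of-record.test A
"""
# Domains already seen before this window (assumption: from passive DNS history).
BASELINE = {"example-bank.test", "site-of-record.test"}

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG, BASELINE), indent=2))
```

On the sample, earn-fast-profit.test trips the fan-out rule and the four -2025 names land in one a-a-0 family, while the baseline bank and news domains stay quiet. Treat both findings as triage signals, not verdicts: a template group only says the names were minted from one pattern, so confirm with registration age, shared nameservers or hosting before the names go on a block list.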

Executives should see this as a high-value control point. DNS intelligence sits upstream from most detection systems. That means it can shut down access to scam infrastructure before users even reach the content layer. It’s proactive, not reactive.

Preventive measures for consumers and organizations

Solving this starts with making smarter decisions, both at the user level and across organizations. For individuals, the advice isn’t complicated: don’t trust investment opportunities pushed through unsolicited ads. Any appearance of legitimacy, from celebrity photos to financial jargon, should be subject to independent verification. Real opportunities don’t collapse under scrutiny; scams do.

Infoblox emphasizes this point. Fake endorsements are a huge red flag. If the offer comes through a random site or an ad-click, stop there. Going direct to official sources gives users control and reduces exposure to fraudulent content.

On the organizational side, the mandate goes deeper. You’re protecting internal systems and shielding your ecosystem. Deploying Protective DNS services backed by actionable threat intelligence is a critical step. This kind of control blocks access to malicious infrastructure before any user can interact with it. It also stops brand-impersonation sites from being reachable by anyone who uses your resolvers. It does nothing for customers on other networks, which is why external monitoring and takedowns still matter alongside it.
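
One concrete form of Protective DNS is a BIND Response Policy Zone (RPZ): a zone your resolver consults before answering, in which a `CNAME .` record turns the answer for a listed name into NXDOMAIN. The generator below is an added example, not code from the page or from any Protective DNS vendor. The zone name, the serial and the .test domains are assumptions; the rest is standard RPZ syntax.

```python
"""Emit a BIND Response Policy Zone (RPZ) that answers NXDOMAIN for a block list.

Added example, not code from the page or from any Protective DNS vendor. The
zone name, serial and .test domains are assumptions.
"""
import re

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with a hyphen.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def valid_domain(name: str) -> bool:
    """Only plain hostnames go into the zone: a single malformed record makes
    BIND reject the whole zone load, which would silently drop every rule."""
    name = name.lower().rstrip(".")
    labels = name.split(".")
    return len(labels) >= 2 and len(name) <= 253 and all(LABEL.match(l) for l in labels)


def minimal_cover(domains) -> list[str]:
    """Drop entries already covered by a parent entry's wildcard rule, so
    'a.bad.test' is redundant once 'bad.test' is listed."""
    by_depth = sorted({d.lower().rstrip(".") for d in domains}, key=lambda d: d.count("."))
    kept: list[str] = []
    for dom in by_depth:
        if not any(dom == k or dom.endswith("." + k) for k in kept):
            kept.append(dom)
    return sorted(kept)


def rpz_zone(domains, serial: int, zone: str = "rpz.local") -> str:
    """Zone text. 'CNAME .' is the RPZ NXDOMAIN action; the wildcard twin covers
    every subdomain, which matters against the subdomain churn described above."""
    bad = [d for d in domains if not valid_domain(d)]
    if bad:
        raise ValueError(f"refusing invalid entries: {bad}")
    lines = [
        "$TTL 300",
        f"$ORIGIN {zone}.",
        f"@ IN SOA localhost. hostmaster.localhost. ( {serial} 3600 900 604800 300 )",
        "@ IN NS localhost.",
    ]
    for dom in minimal_cover(domains):
        lines.append(f"{dom} CNAME .")
        lines.append(f"*.{dom} CNAME .")
    return "\n".join(lines) + "\n"


# Constructed block list, e.g. the output of a DNS-log triage run.
BLOCK_LIST = [
    "earn-fast-profit.test",
    "login.earn-fast-profit.test",  # redundant: the parent's wildcard covers it
    "crypto-gain-2025.test",
    "stock-boost-2025.test",
]

if __name__ == "__main__":
    print(rpz_zone(BLOCK_LIST, serial=2025050801), end="")
```

Load the file with `response-policy { zone "rpz.local"; };` in the `options` block and a matching `zone "rpz.local" { type primary; file "..."; };` declaration (`type master` on older BIND), and run `named-checkzone rpz.local <file>` before each `rndc reload`. Bump the serial on every regeneration, or secondary resolvers will keep serving the old list.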

For leadership, this is about building a layered approach. Education should run alongside automation. User training should evolve with scam tactics. And internal systems need to recognize and stop DNS-based threats before they scale. The tools exist today. What matters now is adoption.

Organizations that integrate these countermeasures into their baseline security architecture reduce fraud exposure and keep user trust, which over time is far harder to rebuild than to protect.

Key highlights

  • Investment scams are accelerating fast: U.S. consumers lost $5.7 billion in 2024 to investment scams, driven by economic pressure and digital manipulation. Leaders should treat fraud risk as a brand trust issue, not just a consumer problem.
  • Two cybercrime groups are driving large-scale fraud: Reckless Rabbit and Ruthless Rabbit exploit ad platforms, fake endorsements, and spoofed websites to bypass detection. Executives should assess exposure across marketing, brand, and security touchpoints.
  • RDGAs make scam networks highly resilient: Registered Domain Generation Algorithms allow scammers to rapidly scale and replace fraudulent domains. Security teams should prioritize DNS-level defenses and automation to anticipate infrastructure shifts.
  • Scammers exploit urgency and familiarity: Fraud campaigns use economic fear and visual trust cues, like brand logos and public figures, to lower user defenses. Leaders should build internal education programs that equip teams and customers to spot psychological manipulation.
  • DNS traffic offers early signs of fraud: Monitoring DNS-level activity, especially unusual UDP patterns, enables earlier detection of scam infrastructure. Organizations should treat DNS monitoring as a core layer of their threat intelligence strategy.
  • Prevention requires education and technical control: Individuals should verify investment claims independently, while companies must deploy Protective DNS and block malicious domains proactively. Executives should integrate behavioral training and DNS security for full-spectrum defense.

Alexander Procter

May 8, 2025