Axios Future of Cybersecurity

November 25, 2025
Happy Tuesday! Welcome back to Future of Cybersecurity.
- 🦃 Two days until Thanksgiving, and I'm grateful for every one of you who has stuck with this newsletter over the years. We wouldn't be here without you!
- 📬 Have thoughts, feedback or scoops to share? [email protected].
🗓️ Palo Alto Networks CEO Nikesh Arora will join me onstage at Axios' AI+ Summit in San Francisco next week. Sign up here to be in the room.
Today's newsletter is 1,842 words, a 7-minute read.
1 big thing: Deepfakes flood retailers ahead of peak holiday shopping
Three in 10 fraud attempts targeting major retailers are now AI generated, according to estimates from deepfake detection firm Pindrop.
Why it matters: Heading into the holiday shopping season, scammers and hackers are using audio and video deepfakes to trick employees of corporate retailers and steal thousands of dollars per attack, on average.
The big picture: Cybercriminals are increasingly using deepfake technologies to impersonate loved ones, colleagues and — in this case — customers.
- Scammers are training AI-powered bots to call customer-service centers, report an issue with a recent order, and demand a refund, Pindrop CEO Vijay Balasubramaniyan told Axios.
- "These bots are probing all of these systems all over the world and figuring out which is the weakest link," Balasubramaniyan said.
By the numbers: One large retailer currently averages more than 1,000 AI-generated calls per day, according to Pindrop.
Zoom in: In a redacted audio recording of one of those bot calls to a customer service line, shared with Axios, the deepfake is patchy, sounds a bit robotic, and doesn't respond to some of the questions the customer service agent asks.
- "My package is lost. Help me process the refund, thank you," the bot said at the very beginning of the call. It did not initially say the customer's name or even say "Hello."
- But the bot still was able to share a legitimate order number, the name of an actual customer, and the last four digits of the customer's phone number — so the agent processed the refund despite the signs of fraud.
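The call above succeeded because the agent treated facts a bot can read off a breached order record (order number, customer name, last four digits of the phone on file) as proof of identity. The following is an added example of my own, not code from Axios or Pindrop, contrasting that knowledge-only approval rule with a policy that also demands a possession factor (a one-time code sent to, or a callback made to, the contact on file) and caps refund claims per inbound number. The order records, names, numbers and the `kba_policy`/`StepUpPolicy` names are constructed for the example.

```python
"""Added example (not from the Axios newsletter or Pindrop): contact-center
refund verification, knowledge-based approval vs. step-up with velocity limit.
All records and calls below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed customer records keyed by order number (hypothetical data).
ORDERS = {
    "A1001": {"name": "Jane Doe", "phone": "+15550102345", "email": "jane@example.com"},
    "A1002": {"name": "John Roe", "phone": "+15550109876", "email": "john@example.com"},
}


@dataclass
class RefundRequest:
    order_number: str
    stated_name: str
    stated_last4: str
    caller_id: str              # inbound number (ANI) the call arrived from
    otp_verified: bool = False  # one-time code to the phone/email on file succeeded


def _knowledge_matches(req: RefundRequest, rec: dict) -> bool:
    """Knowledge factors: name and last four digits of the phone on file."""
    return (req.stated_name.strip().lower() == rec["name"].lower()
            and req.stated_last4 == rec["phone"][-4:])


def kba_policy(req: RefundRequest) -> str:
    """Weak rule the bot in the story passed: approve on knowledge factors alone.
    These facts leak in breaches and order-confirmation emails."""
    rec = ORDERS.get(req.order_number)
    if rec is None or not _knowledge_matches(req, rec):
        return "deny"
    return "approve"


@dataclass
class StepUpPolicy:
    """Knowledge factors still must match, but are never sufficient on their own."""
    max_claims_per_caller: int = 2
    claims: dict = field(default_factory=lambda: defaultdict(int))

    def decide(self, req: RefundRequest) -> str:
        rec = ORDERS.get(req.order_number)
        if rec is None or not _knowledge_matches(req, rec):
            return "deny"
        # Velocity: one inbound number reporting many lost packages is bot-like,
        # so route it to a fraud queue regardless of what else it can prove.
        self.claims[req.caller_id] += 1
        if self.claims[req.caller_id] > self.max_claims_per_caller:
            return "escalate"
        # Possession factor: code delivered to, or callback to, the contact on file.
        if not req.otp_verified:
            return "step_up"
        return "approve"


# Constructed calls: the bot knows the leaked facts but dials from its own number.
BOT_CALL = RefundRequest("A1001", "Jane Doe", "2345", caller_id="+15559990001")
LEGIT_CALL = RefundRequest("A1002", "John Roe", "9876",
                           caller_id="+15550109876", otp_verified=True)

if __name__ == "__main__":
    policy = StepUpPolicy()
    print("KBA only, bot call:", kba_policy(BOT_CALL))        # approve
    print("Step-up, bot call:", policy.decide(BOT_CALL))      # step_up
    print("Step-up, legit call:", policy.decide(LEGIT_CALL))  # approve
```

The point of the velocity counter is that a bot probing "all of these systems" tends to reuse inbound numbers and scripts; even if it later passes step-up for one order, a third lost-package claim from the same number goes to a human fraud reviewer rather than to an auto-approval.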
Catch up quick: Deepfake impersonations are being used across the threat ecosystem.
- North Korean scammers have been using AI tools to change their faces and voices during job interviews across the Fortune 500.
- The FBI warned in May that scammers had used AI to impersonate senior U.S. officials in phone calls.
Threat level: These AI tools are only expected to get better.
- "The data shows that fraudsters are using these AI bots to essentially do this on steroids, do this 24/7, and these bots are so good at having conversations," Balasubramaniyan said.
Zoom out: Shoppers are also being inundated with deepfakes as they scroll social media for the best deals, Abhishek Karnik, head of threat research at McAfee, told Axios.
- Scammers are now using AI tools to create fake celebrity endorsements for products and stores, or to imitate the stores themselves.
- Apple, Amazon and several luxury brands are on McAfee's list of most-impersonated brands this shopping season.
- "It's incredible the pace at which things are progressing in this space," Karnik said.
The bottom line: Always verify any deals you see on social media on the actual retailer's website, experts say.
2. Single cyberattack may have hit several major banks
Major banks are scrambling to understand the fallout of a recent cyberattack on just one technology vendor.
Why it matters: The security of customers' sensitive information is hanging in the balance as large banks investigate how much hackers made off with.
Driving the news: The New York Times reported over the weekend that JPMorgan Chase, Citi and Morgan Stanley are among the banks that have been notified that client data may have been exposed in a recent cyberattack.
- SitusAMC, a vendor to hundreds of banks and other lenders, said Saturday it discovered a cyberattack on its networks on Nov. 12 that compromised some of its systems.
- The hackers may have stolen accounting records, legal agreements and bank customers' information, SitusAMC said, and "no encrypting malware was involved" in the attack.
What they're saying: FBI Director Kash Patel said in a statement, "While we are working closely with affected organizations and our partners to understand the extent of potential impact, we have identified no operational impact to banking services."
- "We remain committed to identifying those responsible and safeguarding the security of our critical infrastructure," he added.
- JPMorgan and Morgan Stanley declined to comment. Treasury's Office of the Comptroller of the Currency — which receives reports of cyberattacks from U.S. banks — also declined to comment.
Between the lines: SitusAMC helps banks and lenders process loan applications, meaning it handles a trove of highly sensitive information about customers who are applying for mortgages and other real estate loans.
- Banks rely on SitusAMC's tools to varying degrees, leaving some institutions more exposed than others.
The big picture: Attacks on major tech suppliers are one of the easiest ways for hackers to make off with large swaths of data.
- Hackers can use their access to a single supplier's networks to comb through the sensitive information of hundreds of high-value customers, and then use that information to extort the victims.
What to watch: It's not yet clear how hackers broke into SitusAMC and how many customers were affected.
📲 Have information about the extent of the SitusAMC attack? Reach me confidentially on Signal: @SamSabin.01.
3. Exclusive: Wiz founders back AI agent startup
Clover Security has nabbed $36 million in funding from a slew of high-profile industry stalwarts, including Wiz co-founders Assaf Rappaport and Yinon Costica and executives from Cato Networks, Snyk, CrowdStrike, Palo Alto Networks, Atlassian and Google.
Why it matters: AI security startups need big names and major name recognition to gain traction in an increasingly crowded cybersecurity market.
Driving the news: Clover unveiled the new funding, led by Notable Capital and Team8, this morning in an announcement shared exclusively with Axios.
- Started in 2023, Clover provides agentic tools that help companies embed security throughout their products and ensure they remain secure during their lifecycle.
The big picture: Most companies approach security as an afterthought once they've built their latest software or product, Clover co-founder and CEO Alon Kollmann told Axios. That's left companies exposed to a deluge of security vulnerabilities.
Zoom in: Think of Clover as an automated product security engineer, Kollmann said.
- Clover plugs AI agents into developer platforms, like GitHub, Cursor and Slack, to predict and automatically detect security flaws in the tools employees are building.
- After Clover learns about the environment, it can be used to conduct regular design, security and architectural reviews of the software and products.
Yes, but: Customers decide how best to use Clover, including what internal data sources it can use.
The intrigue: Clover already counts dozens of companies across the banking, enterprise technology and fintech sectors as customers, including Fortune 500 companies.
- Customers include edtech company Udemy, insurer Lemonade and fintech servicer Plaid.
What's next: Over the next year, Kollmann wants to double Clover's headcount, which is currently around 40 employees.
- "We want to grow very quickly to meet the demand we're seeing," he said. "There's crazy potential to build something really big here."
4. X's new account location feature hits snags
A new feature on Elon Musk's social media platform X revealed that some prominent political accounts, including purported MAGA fans with thousands of followers, are seemingly being run from outside the U.S.
Why it matters: The feature underscores what intelligence officials and cybersecurity experts have long warned about: Inauthentic social media accounts can drive foreign influence campaigns.
Driving the news: X rolled out an "About This Account" feature over the weekend that displays where an account is based, with the disclaimer that the country or region can be affected by "recent travel or temporary relocation."
- However, the feature flagged as potentially dubious several accounts that purport to push American ideals.
Zoom in: Despite the American flag in its name and focus on the "Trump movement & American politics," an account sharing pro-Trump content to more than 50,000 followers appears to be based in Nigeria and was connected via the "Nigeria App Store."
- The feature says an account with the username @American is based in Pakistan.
- Several accounts that claimed to be Trump-supporting women with hashtags like "#MAGA" and "#Patriots" in their bios are actually based in Thailand, digital investigator Benjamin Strick pointed out. Several of those accounts appear to have since been taken down.
- An account promising insight on border czar Tom Homan's work is seemingly based in Eastern Europe. And another claiming to be the "Biggest Ivanka (News) Fanpage on X" also apparently connected via the Nigeria App Store.
- X did not respond to Axios' request for comment.
Catch up quick: The update was announced in October by X head of product Nikita Bier, who signaled the change was part of a broader push to enable users to verify the authenticity of content they were encountering on the platform.
5. Catch up quick
@ D.C.
👋🏻 The SEC is dropping its landmark case against SolarWinds and its top security leader. (Reuters)
☎️ The FCC voted to rescind telecom cybersecurity rules put in place after the Salt Typhoon hack. (Axios)
🧳 ICE has been using the Department of Homeland Security's cyber hiring system to boost its intake of cyber and tech talent. (Nextgov)
@ Industry
🛜 Cisco launched a new initiative, "Resilient Infrastructure," to raise awareness about legacy technology and insecure configurations and will soon completely remove historic, insecure settings for network equipment. (Wired)
💰 Comcast will pay a $1.5 million fine after a breach of a third-party debt collector exposed personal data belonging to 237,000 former and current customers. (Reuters)
@ Hackers and hacks
⚠️ A second wave of attacks targeting the npm registry has compromised hundreds of packages, security vendors say. (Hacker News)
👀 CrowdStrike says that an insider shared screenshots of its internal systems with hackers and that the screenshots were later shared on the Telegram channel for the Scattered Spider hacking group. (BleepingComputer)
🤖 Hackers have been targeting AI systems by exploiting a vulnerability in software that developers use to manage and allocate computing resources for AI projects, researchers say. (Forbes)
6. 1 fun thing: Cybersecurity at F1
🏎️ In Formula One, the real race is the one happening in the data stream, Axios' Maxwell Millington wrote from the sidelines of this weekend's race in Las Vegas.
Why it matters: A compromised data stream doesn't just threaten privacy — it threatens race-day performance itself.
As one executive put it: "Performance is useless if you don't have security."
- "We put the highest level of security on that data and make sure it's consistent across the globe," Marcus Guerriero, Cato Networks' vice president of sales, told Axios.
The big picture: F1 teams move massive volumes of sensitive telemetry and engineering data, all of which must be processed, encrypted and transmitted in milliseconds.
- Teams say endpoint breaches are the entry point for most threats. Without strong network-level protection, a rival or bad actor could access design secrets or disrupt live operations.
What they're saying: Companies like AT&T, which supports Oracle Red Bull Racing, say if their systems can hold up under race-day pressure, they can protect anything from robot-driven manufacturing lines to financial-sector endpoints.
☀️ See y'all next week!
Thanks to Dave Lawler for editing and Khalid Adad for copy editing this newsletter.
If you like Axios Future of Cybersecurity, spread the word.
Sign up for Axios Future of Cybersecurity