How Are Organised Crime Groups Using Social Media to Commit Fraud?

Key takeaways

• Approximately $2.1 billion was lost to social media scams in 2025, an eightfold increase since 2020.

• Criminal networks use legitimate advertising infrastructure on platforms such as Facebook, Instagram, and TikTok to reach victims at scale.

• A technique known as Cloaking lets fraudulent ads pass automated platform review while serving different content to legitimate users.

• Telegram operates as a criminal marketplace where fraud tutorials, bulk messaging, and account sales are all openly listed.

• Around 72% of UK fraud cases in 2025 were linked to identity fraud, with stolen personally identifiable information (PII) used to bypass standard verification.

• Younger recruits are deliberately compartmentalised within networks, protecting leadership from exposure.

Social media was the costliest fraud contact method in 2025. According to the Federal Trade Commission (FTC), nearly 30% US-based individuals who reported losing money to a scam said it started on a social media platform. Alongside this, total reported losses reportedly reached $2.1 billion. In the UK, Cifas recorded more than 444,000 fraud cases in 2025. This was the highest number of cases in a single year, with fraud now accounting for 45% of all crime in England and Wales.

The picture is no better globally. INTERPOL's 2026 Global Financial Fraud Threat Assessment estimated that financial fraud cost the global economy $442 billion in 2025, with fraud-related notices and diffusions rising by54% since 2024. The report concludes that fraud is no longer a peripheral threat, it sits at the centre of poly criminality and intersects with organised crime, human trafficking, and cybercrime.

These numbers reflect deliberate, systematic exploitation of the infrastructure which billions of people use every day. When assessing UK-specific organised crime methodologies, CYJAX analysts observed directly how criminal networks have industrialised their use of social media as a core operational layer.

How criminal networks exploit legitimate advertising infrastructure

Organised crime groups have largely moved beyond dark web forums. Platforms like Facebook, Instagram, and TikTok now serve as their storefronts, recruitment pipelines, and coordination channels. As such, the legitimate advertising infrastructure brands rely on is the same infrastructure these groups exploit to reach victims.

A pattern CYJAX has consistently observed in the UK involves investment fraud built on impersonation. Threat actors purchase ad placements that mimic major media outlets, presenting fabricated breaking news stories involving government officials or senior banking figures. These are then used to funnel viewers toward fake investment schemes. In early June 2026, CYJAX identified an influx of AI-generated advertisements on X (formerly Twitter) which featured deepfake videos of well-known public figures in fictitious confrontations. Each one redirected to a fabricated news article promoting an investment opportunity. The technical barrier to producing this content is now negligible, and AI-enhanced fraud is 4.5 times more profitable than traditional methods.

To evade detection, criminal groups use a technique known as cloaking. This is where the content shown to an automated ad review system differs from that which is shown to a legitimate user. Meta's ad review system sees a seemingly legitimate landing page but the user who clicks the same ad is redirected to a phishing page or investment scam. CYJAX observed cloaking guides being sold openly on criminal forums for as little as $149, with sellers offering step-by-step instructions for running fraudulent campaigns across Facebook, Instagram, and TikTok while bypassing AI moderation.

Telegram as an operational backbone

While Facebook and Instagram-based fraud is the most visible to everyday users, Telegram has become the operational backbone for many UK criminal networks. Interconnected channels are used to forward fraudulent content across the network, increasing reach and building the perception of a trusted community. Threat actors share screenshots of successful outcomes, banking statements, cancelled loan letters, and refund confirmations, as proof of legitimacy to recruit collaborators and attract customers.

CYJAX has observed a notable rise in paid private channels, which involve groups with capped membership numbers and a joining fee. These are designed to contain operational methods within a vetted community and reduce the risk of leaks. Within these groups, fraud techniques are shared and refined in near real time.

The commercialisation of Telegram as an advertising platform has also matured. CYJAX identified listings for bulk messaging campaigns at approximately $35 for 1,000 messages, $160 for 5,000, and $300 for 10,000, as well as pinned channel placements priced from $10 per day to $150 per month. Threat actors are, in effect, running advertising operations within the platform itself.

Younger recruits and the compartmentalisation model

CYJAX has documented the deliberate recruitment of younger individuals into fraud operations through social media. Younger recruits require lower financial incentives, are often unaware of the legal consequences of participation, and are more susceptible to manipulation. Social media environments that normalise luxury lifestyles and rapid financial gain create a ready audience for criminal recruiters framing fraud as a low-risk income opportunity.

The operational logic is equally calculated. Established threat actors provide recruits with only the minimum information required for a specific task, such as opening bank accounts, forwarding goods, or transferring funds. This compartmentalisation means that if a recruit is identified by law enforcement, the network's methods, contacts, and infrastructure remain intact. The NCA's 2025 fraud assessment confirmed that money mule recruitment remains a persistent social media threat, with Cifas recording over 22,000 money mule cases in 2025 alone. This is not a safeguarding issue in isolation; it is a structural feature of how organised crime scales its workforce.

Stolen identities and data as a profile

Approximately 72% of all UK fraud cases in 2025 were linked to identity fraud and facility takeover, with SIM swap attacks increasing up to 38% year-on-year. What drives this is the sheer depth and usability of stolen data in criminal hands.

Threat actors do not simply steal a name and a card number. Through data breaches, phishing campaigns, and illicit marketplaces, they compile what amounts to a profile on an individual. This can feature a victim’s full name, address history, date of birth, financial account details, device identifiers, and biometric data in some cases. Subsequently, this profile is sufficiently complete to pass basic identity verification checks on platforms that rely primarily on document validation. This is because the information submitted is genuine, it belongs to a real person. Traditional validation becomes insufficient when the attacker presents legitimate data which they are illicitly using.

CYJAX also observed that criminal groups trade verified, high-follower social media accounts as assets. Instagram pages with hundreds of thousands of followers have been listed openly on Telegram. As an example, a 478,000-follower account in the finance and motivation niche was listed for $4,500. Established accounts carry algorithmic credibility that newly created fraudulent profiles cannot replicate, giving criminal networks a ready-built audience for fraudulent content.

What organisations can do

• Monitor for brand and executive impersonation across advertising networks. Systematic, intelligence-led monitoring of fraudulent ad content using organisational branding or executive names performs significantly better than reactive takedown requests, particularly on Facebook, Instagram, and X, where the deepfake investment scam pattern is most active.

• Move beyond document-only identity verification. Where fraud networks pass KYC checks using stolen PII, the vulnerability is reliance on document validation alone. Layering in behavioural signals, device fingerprinting, geolocation consistency, and transaction pattern analysis, substantially reduces threat actor’s ability to pass verification with credentials they do not own.

• Treat Telegram as a source of threat intelligence. Public and semi-public Telegram channels carry early-warning signals about emerging fraud methods, recruitment activity, and UK-targeted fraud tutorials. This activity is not hidden; it is visible to analysts with the tooling to monitor it systematically.

• Address money mule recruitment in fraud communications. Recruitment of younger people into mule activity happens on the same platforms they use daily. Financial services organisations should ensure that fraud awareness content addresses the risk of users unknowingly becoming part of a criminal network, not only the risk of becoming a victim.

How CYJAX can help

CYJAX provides financial institutions, banks, and regulated organisations with continuous digital intelligence across the open, deep, and dark web. This includes systematic monitoring of the Telegram channels, criminal forums, and social media ecosystems where fraud methods are developed, shared, and commercialised.

Our analysts work directly with clients to identify threats targeting their sector, their brand, and their customers, providing the intelligence needed to act before fraud reaches the customer layer rather than after. If you would like to understand your current exposure or explore how CYJAX can support your fraud and threat intelligence function, get in touch with our team.