---
title: "$20M Phishing Bust, Pension Scam Alert, Booking Data Breach | DMARC Report"
description: "A phishing ring behind a $20M fraud operation has been busted. Plus, pension scam alerts and a major Booking.com data breach affecting customer records."
image: "https://dmarcreport.com/og/blog/20m-phishing-bust-pension-scam-alert-booking-data-breach.png"
canonical: "https://dmarcreport.com/blog/20m-phishing-bust-pension-scam-alert-booking-data-breach/"
---


![cybersecurity news](https://media.mailhop.org/dmarcreport/images/2026/04/dmarc-record-1187.jpg) 

The cybersecurity landscape witnessed multiple impactful developments last week, capturing the attention of cyber experts and everyday users alike. A major global phishing operation worth **$20 million** was disrupted by the [FBI](https://www.cbc.ca/news/world/fbi-atlanta-fulton-raid-2020-election-9.7066096) and the Indonesian National Police. UK pensioners have been urged to stay on high alert against the Winter Fuel Payment scam. Booking.com, the popular **online travel agency**, was compromised, resulting in a customer data breach. iPhone users may receive malicious emails that appear to be Apple alerts.

## Global phishing syndicate linked to $20 million in attempted fraud, busted!

The FBI Atlanta Field Office and the [Indonesian National Police](https://en.wikipedia.org/wiki/Indonesian%5FNational%5FPolice) carried out a joint operation to disrupt a global phishing syndicate. The operation led to the successful seizure of the core infrastructure. They also managed to nab a key suspect.

![Global Phishing Disruption](https://media.mailhop.org/dmarcreport/images/2026/04/dmarc-check-6732.jpg) 

The phishing operation revolved around the W3LL phishing kit. This is one of the most popular phishing kits, worth [$500](https://www.scworld.com/brief/global-phishing-operation-dismantled-over-20-million-in-fraud-attempted), and it helped threat actors design credible fake login pages to harvest [sensitive data](https://industrialcyber.co/utilities-energy-power-water-waste/pickett-usa-breach-allegedly-exposes-sensitive-engineering-data-linked-to-us-utilities/) such as **passwords and usernames**.

The phishing kit is just a small part of the notorious [cybercrime](https://thehackernews.com/2025/05/us-dismantles-danabot-malware-network.html) platform named W3LLSTORE. Between 2019 and 2023, the platform facilitated the sale of 25K+ compromised accounts. Once the platform was shut down, the threat actors continued to operate via encrypted messaging. Between 2023 and 2024, cybercrooks used the [W3LL phishing kit](https://www.virusbulletin.com/conference/vb2023/abstracts/w3ll-phishing-kit-tools-criminal-ecosystem-and-market-impact/) extensively to target the UK, the US, and Australia. Technology, manufacturing, and **professional services** were the hardest hit.

## UK pensioners are facing the risk of a Winter Fuel Payment scam!

The Winter Fuel Payments are all set to begin this month in the UK. However, cybercrooks have been eagerly waiting for this. Experts have urged pensioners to stay **cautious against cyber fraud** related to [Winter Fuel Payments](https://www.gov.uk/government/news/pensioners-urged-to-be-alert-to-winter-fuel-payment-scams).

![Beware: Winter Fuel Payment Scams](https://media.mailhop.org/dmarcreport/images/2026/04/what-is-dmarc-3920.jpg) 

Two million people will be repaying their winter 2025 payment since their annual income is higher than **$45,000**. The repayment is processed automatically.

Authorities and [cybersecurity](/blog/ai-powered-phishing-2025-how-intelligent-attacks-outsmart-cybersecurity-defenses/) experts believe that the [threat actors](https://cyberscoop.com/legislation-would-designate-critical-cyber-threat-actors-direct-sanctions-against-them/) can pose as HMRC staff and try to reach their targets through emails, calls, letters, and text messages. To stay safe and avoid being scammed, people are urged to use [GOV.UK](http://gov.uk) to verify whether or not their payment is going to be recovered.

HMRC has also made it clear that they will not connect with people through text messages and emails for the repayment of the Winter Fuel Payment. Also, no one from [HMRC](https://www.investopedia.com/terms/h/hm-revenue-and-customs-hmrc.asp) will be requesting people to share their bank details.

## [Booking.com](http://booking.com) data breach compromises customer data!

Booking.com, the popular **online travel agency** known for its lucrative travel deals, has been targeted by threat actors. As a result of the [data breach](https://en.ilsole24ore.com/art/bookingcom-hacked-stolen-customer-information-AIMW6gUC), Booking.com’s customer data has been compromised. 

There’s still no clarity on which Booking.com systems have been compromised by the cybercrooks. One of their spokespersons stated that they “recently noticed suspicious activity affecting a number of reservations.” _A detailed investigation has found that customer data, including names, phone numbers, and addresses, may have been compromised._ They have confirmed that **customer financial data** has not been accessed yet.

[Booking.com](http://booking.com) believes that the cyber “issue” has been sorted. They are informing affected customers and assisting with their bookings.

Reddit is replete with **screenshots of alert emails** shared by Booking.com customers. Some customers even claim to have experienced [WhatsApp fraud](https://www.pandasecurity.com/en/mediacenter/whatsapp-scams/) attempts.

![Booking Data Breach Breakdown](https://media.mailhop.org/dmarcreport/images/2026/04/gmail-dmarc-9650.jpg) 

## iPhone users are once again vulnerable to a whole new phishing campaign

iPhone users may receive fake emails claiming to offer iCloud storage availability. This is a new phishing campaign that has been **targeting iPhone users** by sending [malicious emails](https://www.securitymagazine.com/articles/100687-the-last-six-months-shows-a-341-increase-in-malicious-emails). These emails will claim that the [iCloud storage](https://www.apple.com/newsroom/2023/09/apple-expands-the-power-of-icloud-with-new-icloud-plus-plans/) of the recipient is full, and that they are facing a serious threat of data loss. The idea is to create a sense of panic and urgency so that the targets click on the [malicious links](https://abcnews.com/Technology/hackers-embed-malicious-links-websites-stars-biel/story?id=8477614) to upgrade their storage.

These fake alerts have been smartly designed to target the global user base of iPhone. The core idea is to gain access to their banking details, passwords, and personal data. The [fake emails](https://www.usatoday.com/story/money/columnist/2023/09/21/ai-cyber-scams-security/70920106007/) often try to play with the emotions of the victims, threatening them with account suspension and **permanent data deletion warnings**.

The malicious link that is supposed to help the users upgrade their iCloud storage, in reality, directs the victims to [phishing websites](https://usaherald.com/ai-spear-phishing-attacks-surge-hackers-use-generative-ai-to-build-realistic-fake-sites/). These malicious websites are designed to capture the sensitive data of victims, such as [login credentials](https://www.fortinet.com/resources/cyberglossary/login-credentials) and payment details.

_To increase the element of credibility, the fake emails are signed off as “The iCloud Team.”_ Also, the overall structure and design of these phishing emails are quite similar to **Apple’s official branding**. 

![Global Cybersecurity Threats and Scams](https://media.mailhop.org/dmarcreport/images/2026/04/dmar-record-generator-8209.jpg) 

Experts have urged iPhone users to delete any suspicious emails and avoid sharing any sensitive data in reply to such phishing emails.

Cybersecurity experts emphasize that implementing [DMARC](/), [DKIM](/what-is-dkim/), and [SPF](/what-is-spf/) is essential to **protect domains from spoofing** and strengthen [email authentication](/blog/why-email-security-matters-and-how-to-get-it-right/) against evolving cyber threats.


[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead for DMARC Report's 2,000+ customer base.
