AI, Scams

Why we’re still not doing April Fools’ Day

by Malwarebytes Labs | April 1, 2026
Banana peel that has been left on the floor

People lost an estimated $442 billion to scams last year worldwide, according to the Global Anti-Scam Alliance.

The scale of that is hard to picture, but people’s day-to-day scam experience is easier to recognize: Our research found that 44% of people say they encounter mobile scams every single day. Two in three say it’s hard to “tell apart a scam from the real thing” and only 15% strongly agree they could detect a scam.

A year ago, we said we were stepping away from April Fools’ Day. Not because we don’t like a joke, but because the jokes were starting to look too similar to the things people are already worried about.

A few people may have called us humorless. But a year on, we’re more certain than ever that it was the right call. We want to explain why, with a bit more data behind us this time.

It’s gotten worse, not better

When we wrote last year’s post, AI-assisted scams were an emerging threat. Now they’re the default. The broken English and obvious spelling mistakes that used to give scams away have been replaced by clean copy, polished websites, and messages that read as well as anything a real company would send.

Scammers’ tactics have also evolved. A year ago, the main AI scam story was voice cloning (fraudsters using an AI replica of a loved one’s voice to call a family member and claim they were in trouble). That’s still happening, but now we’re also seeing deepfake video calls from people posing as bank managers or job applicants, and AI-assisted scams that don’t just send a message, but reply in real time, adapting their responses and guiding victims step by step.

Put a well-executed April Fools’ campaign next to a modern phishing attempt and many of us will genuinely need to look twice. This year, scammers even used AI to clone our own site:

Fake Malwarebytes scam site

The problem with April 1

We’re conditioned to throw caution to the wind on April 1 and enjoy the joke. Too-good-to-be-true offers sit alongside meatball lipstick from IKEA, Birds Eye Waffholes and Yahoo’s Agricultural Interface in your inbox.

On any other day, you’d probably pause for a moment. On April 1, you click through to see what the joke is.

For scammers, nothing changes on April 1. They keep sending the same messages using the same tactics. The only difference is how people react to those messages on this one day of the year. In a campaign that sprays to millions of inboxes, it just takes a few more people to click the link that auto-downloads malware, fill in their login details to a fake site, or share the scam with friends and family thinking it’s all a bit of fun.

Sadly, none of this is hypothetical. In 2021, Deliveroo sent fake order confirmation emails to thousands of customers in France as an April Fools’ joke, stating they’d ordered 38 anchovy pizzas totaling €466. Customers flooded their banks reporting fraud. Deliveroo had to issue a public apology, acknowledging they should never have led people to believe, even as a joke, that their account data had been compromised.

Three years later, UK burger chain Gourmet Burger Kitchen sent a fake order confirmation email to its mailing list. Same joke. Same fallout. Customers were sent into a panic, cards were cancelled, and customer service was overwhelmed.

Both of those were genuine mistakes made by well-meaning marketing teams. They illustrate the problem precisely: a prank that looks like a scam causes real harm, regardless of the intent.

What a year of Scam Guard taught us

Scam Guard launched in June 2025 as a way for people to quickly double-check a message that feels… not obviously wrong, but not quite right either.

The data from our (almost) first year of Scam Guard is sobering. In roughly 15% of cases where someone stopped to check with Scam Guard, we prevented them from losing over $1,000 or from walking into something with serious personal consequences. One in seven people who paused to check were about to do something that would have cost them significantly.

Scams are now convincing enough that people aren’t sure. They’re suspicious enough that they stop to check. And often, they’re dangerous enough that a pause to check made all the difference.

And if everything looks like a joke on April 1, it’s harder to spot a scam.

If we say it’s real, it’s real

We stepped away from April Fools’ Day because we wanted to be a company you could trust completely, every day of the year. If we say something is fake, it’s fake. If we say something is real, it’s real. There’s already enough online that makes people second-guess themselves. We don’t need to add to it.

What to do on April 1, and every day after it

If you’re on the receiving end of an April Fools’ joke, the stakes are usually low. If you’re on the receiving end of a scam, they aren’t. On April 1, those two things are hardest to tell apart.

Here are some tips to follow every day to stay safe from jokes scams:

  • Watch out for a false sense of urgency. Scammers will often use time pressure to get you to click, fill in your personal data, or hand over money. If you feel like you’re being asked to act quickly, pause.
  • Is it too good to be true? Offers of big discounts or free stuff can be really tempting, but they’re often used as lures for scammers. The likelihood is that it is, indeed, too good to be true and should be avoided at all costs.
  • Have a family code word. Scammers are known to use an AI-generated voice of a loved one to trick a family member into handing over money. Come up with a code word in person that only you and your loved ones know and keep it a secret so you can ask for it if you receive such a phone call.
  • Verify through a different channel. If your bank calls unexpectedly, hang up and call them back on a number from their official website. If a friend sends you a link out of nowhere, text them separately to check it was really them. This one step catches a surprising number of scams.
  • Use a different password for every account. If you get your username and password stolen on one account you don’t want scammers to be able to use it on another. Password managers help you create complex passwords, and they remember them for you. 
  • Set up multi-factor authentication on every account you can. It’s not foolproof, but it does make it considerably harder for scammers.

If something feels off, check it. That’s what Scam Guard is there for.

We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard. Submit a screenshot, paste suspicious content, or share a link, text or phone number, and we’ll tell you if it’s a scam or legit. Available with Malwarebytes Premium Security for all your devices, and in the Malwarebytes app for iOS and Android.

About the author

Malwarebytes Labs

Malwarebytes Labs

LATEST ARTICLES

News
WhatsApp logo

WhatsApp on Windows users targeted in new campaign, warns Microsoft

April 1, 2026

Microsoft warns WhatsApp on Windows users about an ongoing campaign that tries to gain permanent access to your machine

AI
A laptop shows a screen of traded text messages between a user and an AI chatbot

Asking AI for personal advice is a bad idea, Stanford study shows

March 31, 2026

AI chatbots, including ChatGPT, Claude, and Gemini, were all too willing to validate and hype up their users, a new Stanford study showed.

News
The logo for the Axios HTTP client, which is just the word "AXIOS" written in purple

Axios supply chain attack chops away at npm trust

March 31, 2026

Developers using the axios package from npm may have downloaded a malicous version that drops a Remote Access Trojan

Contributors icon

Contributors

Threat Center icon

Threat Center

Podcasts icon

Podcast

Glossary icon

Glossary

Scams icon

Scams