Lilly’s phone started ringing, waking her up from a nap. She answered it and was suddenly thrust into a nightmarish scenario.

On the other end of the call, a man whose voice she didn’t recognize told her that he had been in a car crash with her mother and was now holding her against her will in the back of his truck. Lilly could hear her mom’s voice during the call, telling her, “I don’t know what’s going to happen to me.”

Lilly, whose full name isn’t being reported to protect her identity, was directed to drive to a nearby gas station and give her caller $15,000 for the release of her mom. She frantically drove there while the caller insisted she stay on the phone with him the whole time.

Then, just as suddenly as she found herself in this situation, everything changed — as if a lightbulb had flicked on in her head.

“I’m scared, Lilly. You need to help me,” her mother’s voice said.

“That’s when I hung up the phone,” Lilly explained. “I knew my mom would never say anything like that to me. She wouldn’t put me in that situation.”

Lilly then reached out to her mother and sister directly. She eventually found out that her mom hadn’t been in a car crash and was completely safe. The caller had used a deepfake clone of her voice to trick Lilly into thinking the whole elaborate scheme was real.

This story, part of Mastercard’s new documentary series “Anatomy of a scam,” highlights how fraud and scams have become far more professional, widespread and sophisticated in just the past few years. Cybercriminals are tapping into new technologies, including generative AI and deepfake voice tools, and using just about any communication platform — texts, phone calls, email, video chats, social media and dating apps — to reach potential victims. Scams can now crop up anywhere, and as connected devices and internet services reach deeper into our lives, consumers will need to become far more vigilant.

By some estimates, cybercrime has grown into a multi-trillion-dollar industry. In the U.S. alone, the FBI said there were 859,532 internet crime complaints in 2023, the most recent year reported, rising to $16 billion in losses — up 33% from the year before.

But the good guys aren’t just sitting back and letting it happen. Companies across a multitude of industries are investing in new technologies to thwart these attacks, and governments are stepping up their game, too.

“We’re going to fight this. We have the tools, we have the means, we have the smartest people, we have all the capabilities, and everybody’s on board,” said Ilya Volovik, who leads the Payment Fraud Intelligence team at Recorded Future, a threat intelligence company acquired by Mastercard a year ago. “There’s not a single person you can ask that hasn’t been affected by it or just irritated by it or had their time wasted by it. This really has gotten out of hand, and we will defeat this.”

For the series, Mastercard’s team talked to cybersecurity, telecommunications and financial services experts in New York, Florida, California, Virginia and London to understand the tactics cybercriminals use today and how people can avoid being scammed.

Our team visited Tampa, Florida, to meet Volovik and Andrei Barysevich, another cybersecurity experts at Recorded Future.

Volovik, a U.S. Air Force vet, previously worked in the Manhattan District Attorney’s Office Cyber Intelligence Unit, where he helped investigate financial crimes and Eastern European hackers. Barysevich was a consultant and analyst for the FBI and co-founded a fraud intelligence company called Gemini Advisory.

Volovik described how ransomware — an attack in which criminals will freeze an organization’s computer systems or steal their data, stopping the attack only in exchange for a ransom — used to be a much more complicated and manual process. Threat actors needed to do coding work to identify vulnerabilities in a system and build encryption tools. Today there’s something called ransomware as a service (RaaS), signifying that ransomware tools have become so common that they have their own corporate-sounding buzzword. RaaS tools include automated software and control panels that make these attacks far easier to pull off, especially for criminals who aren’t tech-savvy coders. On the dark web, easy-to-use kits and how-to guides for different kinds of scams can also be found.

Cybercrime has grown into a profession and an industry, with hacker groups and call centers running various kinds of scams at a far greater scale than could be achieved even five years ago.

Using these new tools, hackers can cast a wide net at minimal cost and see how potential victims respond to them. In some cases, they don’t discriminate by focusing on specific demographics, knowing that anyone is a potential victim. Some might send thousands of broad-based scam messages a day, and even if only a tiny fraction result in a successful theft, the scam can be profitable and help fund more scams in the future.

“There is so much money to be made doing cybercrime,” Barysevich said.

In other cases, they can use social media to get very targeted, sharing fake offers for popular products to the exact types of consumers who are most likely to want them. Or, as in Lilly’s case, they could research specifics about one potential victim — including their hobbies, job, family and colleagues — and curate a scam attack.

Next we went to the U.S. Secret Service headquarters in Washington, D.C., one of the most critical nerve centers for national law enforcement. Illustrating the danger, longevity and continual changes of the mission, the building includes a wall of honor for fallen Secret Service members that dates back to 1902, with one of the earliest entries memorializing operative Joseph A. Walker, who was murdered while conducting a land fraud investigation.

We met Krzysztof “Kris” Bossowski, assistant special agent in charge of cyber policy and a former software test engineer with more than 20 years’ experience at the Secret Service.

“In the last three years, we saw a giant shift from hackers going after business — which is partly because the businesses have stepped up their cybersecurity posture — to now going more after U.S. citizens,” he said.

Bossowski cautioned consumers to avoid doing two things: engaging with strangers online or on calls and sharing too much personal information about themselves on social media, especially if it’s shared publicly.

“What may sound pretty innocent, where somebody sends a message that looks like they inadvertently sent it to the wrong person, is really a tactic to try to get the person to start talking to them,” he said. “And once they start talking to them, the conversation keeps going, and little by little they’re able to start pulling them into the script.”

Eva Velasquez, CEO of the nonprofit Identity Theft Resource Center, agreed that people always need to be more vigilant online.

“I always remind people, if you didn’t initiate that contact — whether it’s through email, phone, text message — go to the source and verify,” she said. “The reality is everyone is vulnerable, just differently.”

While many experts we spoke to stressed the importance of verifying information online, consumers readily admit that they are still susceptible to common scammer ploys. In a recent global survey from Mastercard and the Harris Poll, nearly half of consumers admitted that they’re likely to ignore security warnings and other red flags if they find a popular item online that’s deeply discounted.

“Think about why you’re making your payment. Are you being pushed into making a payment? Are you making a payment because you have FOMO because this deal feels too good to be true?” said Simon Collins, Mastercard’s chief franchise officer. “Personally, what I do is, if I’m not sure, I just pause, take a step away, maybe grab a coffee. Just think about it.”

That will give you time to do more research on a site, search for it online and check for reviews and other third-party data points. Scammers often thrive on that sense of urgency or fear of missing out, so short-circuiting it can help a lot, these experts told us.

That is, in a way, how Lilly got herself out of her scam call. Once she realized something was off, she disengaged from the call and sought out other proof to verify what was really happening.

Still, she said she recognized that the threat has only grown over the years: “This can happen to anybody.”