Periods of instability change how people and organisations behave. Attention narrows, verification slips and decisions are made faster. Cyber criminals recognise these conditions and act on them. They do not need to understand the conflict itself. They focus on what it disrupts.
The Iran war has already produced that effect. In March 2026, Zscaler identified more than 8,000 newly registered domains linked to Middle East conflict terms. Many were tied to phishing sites, fake payment portals, donation scams and malware delivery pages. It shows how quickly attackers build infrastructure around a crisis.
Fraud moves first
Fraud campaigns often appear early. The FBI has repeatedly warned that criminals pivot to fake humanitarian appeals after wars and disasters. In December 2024, it highlighted the use of AI-generated images linked to conflicts to support fraudulent donation requests. The method relies on urgency. People act quickly, and verification falls away.
Phishing follows the same pattern. Researchers have identified fake government services, payment platforms and charity sites built around conflict narratives. In one Gaza-related case, a fraudulent charity operation targeted more than 200 individuals across dozens of organisations. The structure is familiar. The context creates the opening.
Exposure increases under pressure
Displacement increases exposure. UNHCR has warned that refugees and displaced communities face elevated cyber risks, including data theft and fraud linked to insecure networks and shared access. Limited infrastructure and reliance on public connectivity reduce basic safeguards.
Businesses experience a similar shift. Communication fragments, supply chains stretch and verification processes lose consistency. Criminals exploit that friction through invoice fraud, impersonation and targeted phishing. One compromised account can redirect payments or expose sensitive data.
Background noise and real risk
There are also loosely organised groups aligning with one side or another. Their actions tend to be visible – defaced websites, service disruptions, data leaks. Disruptive, though rarely sustained.
The more persistent threat comes from organised cyber criminals. They adjust quickly to changing conditions, refining messaging and targets to match the situation. The objective remains consistent: access, data or money.
Uncertainty creates the conditions, and attackers respond.