In the corporate world, substantial budgets, resources, and technical ingenuity are routinely dedicated to securing networks—hardening firewalls, fine-tuning endpoint detection, and monitoring cloud configurations. However, a new report from ScamZero forces a look at an equally devastating and rapidly evolving theater of conflict: the consumer and workforce fraud ecosystem.
The 2025-2026 Scam Report from ScamZero highlights a massive, sophisticated market that has evolved into a fully professionalized industry. While official federal repositories—such as the U.S. FTC's Consumer Sentinel Network or the FBI's Internet Crime Complaint Center (IC3)—paint a grim picture with record-breaking losses, ScamZero's research reveals that the actual damage represents an existential threat to broader economic stability.
The most shocking baseline metric established by ScamZero is the unreported fraud gap.
While the FTC noted around $12.5 billion in officially reported consumer fraud losses for 2024, ScamZero's comprehensive analytics place the estimated actual losses at a staggering $196 billion annually.
Why is this gap so massive? The report reveals that an estimated 93% to 98% of fraud victims never file a report with any government agency or law enforcement body. This non-reporting is driven by three distinct factors.
The psychological toll: Deep embarrassment and self-blame often silence victims, particularly when highly sophisticated, multi-stage social engineering is involved.
Friction in reporting: Many consumers encounter significant administrative friction—bouncing between local police departments, federal reporting forms, and their financial institutions without a clear path to resolution.
The long-tail discovery: A significant portion of victims do not realize they have been defrauded until months down the line, a trend particularly common in complex investment schemes or structured romance scams.
For operational and risk-management leaders, these statistics indicate that public databases represent merely the visible tip of a massive fraud iceberg.
For nearly two decades, organizations have trained employees and consumers to spot phishing and scams by looking for basic visual or textual indicators: poor grammar, spelling mistakes, awkward phrasing, or generic greetings. ScamZero's research confirms that AI has officially made traditional red flags practically invisible.
With the commercialization of underground tools like FraudGPT and "Scam-as-a-Service" kits on the dark web, the barrier to entry for criminal operations has collapsed. Anyone, regardless of technical proficiency, can deploy automated factories of highly-persuasive, sophisticated deception.
Typographical errors and layout flaws have disappeared. AI models allow scammers to instantly generate authoritative, contextually accurate communications at scale.
Leveraging the downstream impacts of massive corporate data breaches, scammers use AI to ingest historical compromise data. They craft individualized messages that seamlessly account for a victim's actual purchase history, localized writing styles, and regional interests.
High-fidelity voice cloning and synthetic video are no longer restricted to elite nation-state operations. They are now standard tools used to exploit identity vulnerabilities—impersonating corporate executives to bypass standard verification or spoofing family members to manufacture urgent financial crises.
The demographics of fraud are shifting rapidly, creating concentrated areas of catastrophic risk. ScamZero highlights a seven-fold increase in $100,000+ losses among older adults.
This demographic represents an existential risk because they hold concentrated retirement assets, home equity, and lifelong savings, making a single incident financially fatal. Scammers aggressively exploit the intersection of social isolation, trust in authority figures (such as Medicare, the IRS, or tech support), and available wealth.
Furthermore, social media has become ground zero for initiating these highly damaging operations. The report tracks a nine-fold increase in social media-initiated fraud losses for seniors, driven by hyper-targeted advertising, malicious direct messages, and highly coordinated investment platforms designed to look legitimate over months of sustained interaction.
If there is one definitive takeaway from ScamZero's research, it is the unforgiving math of recovery: only 4% of fraud victims ever recover any portion of their stolen funds.
Once a cross-border wire transfer, real-time payment network transaction, or cryptocurrency deposit is authorized by a manipulated user, the assets are generally permanently gone. The traditional reactive security model—investigating after the fact and trying to claw back funds—is structurally incapable of responding to machine-speed fraud. Therefore, defensive strategies must shift entirely to real-time prevention and continuous identity validation.
The ScamZero report confirms that user vulnerability is a core corporate and societal risk, meaning organizations can no longer ignore external fraud as an "out-of-scope" issue.
For financial institutions and credit unions: The crisis is directly commercial. When members or customers lose their life savings to a scam, the emotional and reputational fallout directly impacts trust in the institution, leading to surging regulatory complaints and customer attrition. Institutions are forced to implement real-time, behavioral anomaly detection at the exact point of transaction authorization.
For corporate workflows and help desks: Because scammers use AI to seamlessly mimic trusted workforce identities, organizations must completely abandon vocal or visual recognition as a valid metric of trust. Rigid verification protocols must be implemented for all critical interactions, such as password resets, multi-factor authentication (MFA) bypass requests, and remote onboarding.
For security awareness programs: Education frameworks must undergo a revolution. Continuing to tell people to "look for bad spelling" actively leaves them unprotected. Training must focus on helping users recognize psychological manipulation tactics—urgency, secrecy, fear, and isolation—rather than relying on technical anomalies that AI can now erase.
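The real-time behavioral anomaly detection at the point of transaction authorization described above can be made concrete with a small scoring model. The following is an added example, not code from the ScamZero report or from any institution named in this article: it builds a per-customer baseline from a constructed authorization history and scores a new request on deviations in time of day, originating country, action type and amount, holding high-scoring requests for step-up verification before funds move. The history records, weights and threshold are all constructed assumptions.

```python
"""Behavioral scoring of a payment authorization from request metadata.

Added example; not code from the ScamZero report or any institution
quoted in the article. Records, weights and the threshold are constructed.
"""
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed history: (customer, ISO timestamp, country, action, amount_usd)
HISTORY = [
    ("acct-1001", "2025-03-03T09:12:00", "US", "wire_release", 12000),
    ("acct-1001", "2025-03-05T10:40:00", "US", "wire_release", 15500),
    ("acct-1001", "2025-03-07T11:05:00", "US", "vendor_change", 0),
    ("acct-1001", "2025-03-12T14:30:00", "US", "wire_release", 9800),
    ("acct-1001", "2025-03-14T15:15:00", "US", "wire_release", 14000),
    ("acct-1001", "2025-03-18T10:02:00", "US", "wire_release", 11000),
]

VERIFY_THRESHOLD = 3  # constructed; tune against real false-positive cost


def build_baseline(records):
    """Aggregate what 'normal' looks like for each customer."""
    base = {}
    for who, ts, country, action, amount in records:
        b = base.setdefault(who, {"hours": Counter(), "countries": Counter(),
                                  "actions": Counter(), "amounts": []})
        b["hours"][datetime.fromisoformat(ts).hour] += 1
        b["countries"][country] += 1
        b["actions"][action] += 1
        if amount > 0:
            b["amounts"].append(amount)
    return base


def _hour_distance(h1, h2):
    """Circular distance on a 24-hour clock so 23:00 and 00:00 are 1h apart."""
    d = abs(h1 - h2) % 24
    return min(d, 24 - d)


def score_request(baseline, who, ts, country, action, amount):
    """Return (score, reasons); higher means further from this customer's norm."""
    b = baseline.get(who)
    if b is None:
        return 4, ["no history for this customer"]
    score, reasons = 0, []
    hour = datetime.fromisoformat(ts).hour
    if all(_hour_distance(hour, h) > 1 for h in b["hours"]):
        score += 1
        reasons.append(f"hour {hour:02d}:00 outside usual hours {sorted(b['hours'])}")
    if country not in b["countries"]:
        score += 2
        reasons.append(f"country {country} never seen for this customer")
    if action not in b["actions"]:
        score += 1
        reasons.append(f"action {action} never seen for this customer")
    if b["amounts"] and amount > 3 * median(b["amounts"]):
        score += 2
        reasons.append(f"amount {amount} exceeds 3x median {median(b['amounts'])}")
    return score, reasons


def triage(baseline, request):
    """Decide at authorization time: let it through or hold for step-up verification."""
    score, reasons = score_request(baseline, *request)
    decision = "hold_for_verification" if score >= VERIFY_THRESHOLD else "authorize"
    return decision, score, reasons


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for req in [("acct-1001", "2025-03-20T02:15:00", "RO", "wire_release", 85000),
                ("acct-1001", "2025-03-21T10:05:00", "US", "wire_release", 13000)]:
        print(triage(base, req))
```

The design point is that nothing here inspects message content: a perfectly written request at 02:15 from a country the customer has never transacted from, for seven times the usual amount, is held regardless of how legitimate the accompanying communication looks. A customer with no history at all is held by default rather than waved through.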
We asked a few experts from solution providers for their take on the report's findings.
Mika Aalto, Co-Founder and CEO at Hoxhunt, said:
"The biggest shift in cybersecurity over the past decade has been the ability for organizations to stop obsessing about security awareness compliance and start measurably improving online behaviors. For decades, the industry's answer to human behavior was fear-based monitoring and punitive, once-a-year-or-quarter compliance training. It doesn't work. To truly protect against insider risk, CISOs need to rely on behavioral science, positive reinforcement, and real-time visibility that give each person the right training at the right time."
"First, you need visibility into where the risk is actually happening, be it the sales department or at the browser layer. By deploying advanced training platforms and lightweight browser defenses, security teams can detect when an employee accesses an unapproved SaaS tool or handles data carelessly, and instantly deliver a positive, in-the-moment 'nudge' or micro-training without disrupting their workflow."
"Second, rethink your people as a security asset, not a liability. Believe in their abilities to recognize and report social engineering threats and give them the tools to do so. Focusing on and rewarding a few measurable core behaviors like threat reporting and MFA use establishes a cultural bedrock of secure behaviors. When an employee makes a mistake in training, like clicking a simulated phishing link or using an unsecured device, it shouldn't be a 'gotcha' moment; it should trigger automated, contextual training that serves as a constructive learning opportunity."
"By replacing fear and heavy-handed surveillance with fun, continuous learning and automated behavioral interventions, you don't just reduce the likelihood of negligence. You fundamentally transform your workforce into an active, intelligent human sensor network that catches the threats your technology misses."
Ram Varadarajan, CEO at Acalvio, said:
"If we look at the most recently documented fraud cases, scale and speed have been the key factors, and these two are completely intertwined within agentic AI attackers. AI has turned high-end cybercrime into a cheap monthly subscription, which means defenders can no longer count on attackers making rookie mistakes. Security teams are least prepared for this, the elimination of traditional skill barriers: when synthetic identity kits cost less than a coffee order and dark LLMs are generating polymorphic, adversarially-tuned malware on demand, the defender's traditional advantage of attackers making mistakes due to limited expertise evaporates fully."
"Since a three-second clip is all it takes to clone a voice, we have to stop trusting caller ID and start using 'secret-word' callbacks or separate apps to verify material requests. Out-of-band verification is key, combined with anomaly detection systems that flag unusual requests regardless of apparent sender authenticity. Behavioral context now matters more than identity verification alone. We also need to be aware of social-engineering from the AI itself. LLM-driven chatbots have been shown to be highly persuasive, particularly when they've been instrumented with additional contextual data. This is a brand new vector of risk: it's not just high-fidelity image or voice, it's high-fidelity persuasion. That supercharges social engineering attacks."
"The more AI technology develops, and the more broadly it's deployed, the larger the attack surface becomes. Therefore, defenders are going to have to augment signature-based detection with comprehensive behavioral analytics."
Jeremiah Clark, Chief Technology Officer at Fenix24, said:
"Traditional verification methods—things like callback procedures and email-based approvals—were designed for a world where impersonation was hard. That world is gone. When voice cloning needs 10 seconds of audio and deepfake video is commercially available, a phone call to 'confirm' a wire transfer request isn't the safety net it used to be."
"Organizations need to move toward out-of-band verification that doesn't rely on a single communication channel. If someone gets a request over email, verify over a completely separate channel using a pre-established, known-good contact method—not the phone number in the email signature. Multi-party approval workflows for high-risk actions like financial transactions or credential changes add another layer."
"On the technical side, organizations should be looking at anomaly detection on communication patterns, not just content. AI-generated phishing is getting past content-based filters because the content is genuinely well-crafted now. But behavioral signals—unusual timing, atypical request patterns, access from unexpected locations—are harder for attackers to fake convincingly, even with AI tools."
"The old approach of training employees to 'spot the phishing email' by looking for typos and bad grammar is basically obsolete. AI-generated content doesn't have those tells anymore. Training needs to shift from 'spot the fake' to 'verify everything unusual, regardless of how legitimate it looks.' Practically, that means establishing clear protocols that employees follow every time, not just when something feels off. Things like: never act on urgent financial requests without verification through a separate, pre-established channel; never trust caller ID or video appearance alone for sensitive authorizations. Build a culture where slowing down to verify isn't seen as being difficult—it's expected."
"Organizations should also run regular exercises using actual AI-generated content—synthetic voice, deepfake video, AI-written emails—so employees experience how convincing these attacks have become. Abstract awareness training doesn't create the same instinct as actually encountering a realistic simulation."
"Finally, the verification chain itself needs to be resilient. If the process for confirming an executive's request is to call them back, and their voice can be cloned, you need a second factor in that verification—like a pre-shared code word or an in-person confirmation for high-value actions."
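The verification protocol called for earlier in this article for password resets and MFA bypass requests, and the out-of-band, multi-party, second-factor verification chain Clark describes above, can be encoded as a small service. The following is an added example, not code from the ScamZero report, Fenix24 or any vendor quoted here: a request that arrives on one channel is confirmed only through a contact channel already on file in the directory, never through a number or address supplied with the request; the confirmation code expires; and the highest-risk actions also require an independent second approver who is not the requester. The directory entries, action names and the SMS sender stand-in are constructed assumptions.

```python
"""Out-of-band verification for high-risk requests (password resets,
MFA bypass, wire releases).

Added example; not code from the ScamZero report, Fenix24 or any vendor
quoted in the article. Directory, policy and sender are constructed.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed directory of pre-established, known-good contact channels.
DIRECTORY = {
    "jdoe": {"sms": "+1-555-0100"},
    "cfo": {"sms": "+1-555-0199"},
}

# Constructed policy: these actions need the out-of-band code AND a second approver.
DUAL_CONTROL_ACTIONS = {"mfa_bypass", "wire_release"}
CODE_TTL_SECONDS = 300


@dataclass
class Pending:
    user: str
    action: str
    code: str
    issued_at: float
    code_ok: bool = False
    approvers: set = field(default_factory=set)


class VerificationService:
    def __init__(self, sender, clock=time.time):
        self._send = sender      # callable(address, message); SMS gateway stand-in
        self._clock = clock      # injectable so expiry can be exercised
        self._pending = {}

    def start(self, user, action, contact_in_request=None):
        """Issue a one-time code to the directory channel. `contact_in_request`
        (a callback number read out on the call, a reply-to address) exists
        only so callers can log it; it is never used for delivery."""
        if user not in DIRECTORY:
            raise PermissionError(f"no directory entry for {user!r}")
        address = DIRECTORY[user]["sms"]
        code = f"{secrets.randbelow(10**6):06d}"
        ticket = secrets.token_hex(8)
        self._pending[ticket] = Pending(user, action, code, self._clock())
        self._send(address, f"Confirm {action}? Code {code}. "
                            "If you did not request this, contact security.")
        return ticket

    def confirm_code(self, ticket, code):
        """One attempt per ticket: a wrong or expired code voids the request."""
        p = self._pending.get(ticket)
        if p is None:
            return "unknown_ticket"
        if self._clock() - p.issued_at > CODE_TTL_SECONDS:
            del self._pending[ticket]
            return "expired"
        if not code.isascii() or not hmac.compare_digest(p.code, code):
            del self._pending[ticket]
            return "rejected"
        p.code_ok = True
        return self._status(p)

    def approve(self, ticket, approver):
        """Second approver for dual-control actions; the requester cannot self-approve."""
        p = self._pending.get(ticket)
        if p is None:
            return "unknown_ticket"
        if approver == p.user:
            return "self_approval_rejected"
        p.approvers.add(approver)
        return self._status(p)

    def _status(self, p):
        if not p.code_ok:
            return "awaiting_code"
        if p.action in DUAL_CONTROL_ACTIONS and not p.approvers:
            return "awaiting_second_approver"
        return "approved"


if __name__ == "__main__":
    outbox = []
    svc = VerificationService(sender=lambda addr, msg: outbox.append((addr, msg)))
    ticket = svc.start("cfo", "wire_release", contact_in_request="+1-555-0000")
    print(outbox[-1])                          # delivered to +1-555-0199, not the request's number
    code = outbox[-1][1].split("Code ")[1][:6]
    print(svc.confirm_code(ticket, code))      # awaiting_second_approver
    print(svc.approve(ticket, "controller"))   # approved
```

Two choices carry the weight here. Delivery goes to the directory address no matter what the request supplies, which is what makes a cloned voice reading out a "new number" irrelevant. And the dual-control rule means a single compromised or coerced identity, even one that controls the registered phone, cannot release a wire or disable MFA on its own.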
Avery Moon, Chief Technology Officer at Pax8, said:
"Most systems are designed to give users access to the tools and data they need to do their jobs, which means a large portion of risk already exists within trusted identities. As organizations adopt more connected platforms and AI-driven workflows, that access expands, and often faster than governance and controls keep up. That's where we see issues emerge, whether it's misconfigured permissions, over-provisioned access, or unintended data exposure."
"The challenge is that these risks don't look like traditional attacks. They happen within normal system behavior, which makes them harder to detect with perimeter-focused security models."
"From a technology standpoint, the priority should be building security into the architecture itself: strong identity controls, clear data governance, and continuous visibility into how systems and users interact. When those foundations are in place, organizations are much better positioned to reduce risk, regardless of whether the threat originates inside or outside the network."
Dr. Adam Everspaugh, Cryptography Expert at Keeper Security, said:
"Traditional phishing attacks have long relied on human vigilance—spotting typos, unusual grammar, or strange phrasing—to detect deception. With AI, attackers can create flawless, personalized messages and replicate legitimate websites with alarming accuracy. These attacks will soon become virtually indistinguishable from genuine correspondence."
"The best defense against these attacks is the use of a password manager with a browser extension. When configured properly, a password manager can spot spoofed domains and false URLs before credentials are entered into a malicious website."
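The reason a password manager can refuse a spoofed site while a human cannot is that it compares the page's origin against the one the credential was saved on, byte for byte, rather than judging how the page looks. The following is an added illustration of that matching rule, not Keeper Security's code or any product's actual algorithm: credentials are keyed by saved origin, and autofill is offered only when the current page is served over HTTPS from that host or one of its subdomains. One simplification is assumed, namely that real products usually match on the registrable domain using a public-suffix list; the vault entries are constructed.

```python
"""Why a password manager does not autofill on a lookalike site.

Added illustration; not Keeper Security's code or any product's real
algorithm. The vault and the host-or-subdomain rule are assumptions.
"""
from urllib.parse import urlsplit

# Constructed vault entries keyed by the origin they were saved on.
VAULT = {
    "https://bank.example": {"username": "jdoe", "password": "<placeholder>"},
}


def normalized_host(url):
    """Lower-cased, IDNA-encoded host, or None if the URL is not usable."""
    parts = urlsplit(url)
    host = parts.hostname       # urlsplit already lower-cases this
    if parts.scheme != "https" or not host:
        return None
    try:
        # Unicode lookalikes (e.g. a Cyrillic 'а' in place of Latin 'a') become
        # xn-- labels, so they never compare equal to the ASCII host on file.
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def host_matches(stored_host, page_host):
    """Exact host or a true subdomain. The leading dot is what rejects both
    'bank.example.evil.test' (prefix attack) and 'notbank.example'."""
    return page_host == stored_host or page_host.endswith("." + stored_host)


def autofill_decision(page_url, vault=VAULT):
    """Return ('fill', origin) or ('deny', reason)."""
    page_host = normalized_host(page_url)
    if page_host is None:
        return "deny", "page is not HTTPS or its host is unusable"
    for origin in vault:
        stored_host = normalized_host(origin)
        if stored_host and host_matches(stored_host, page_host):
            return "fill", origin
    return "deny", f"no credential saved for {page_host}"


if __name__ == "__main__":
    for url in ["https://bank.example/login", "https://bank-example.com/login",
                "https://bank.example.account-verify.test/", "https://b\u0430nk.example/"]:
        print(url, "->", autofill_decision(url))
```

The user-facing signal is the absence of the autofill prompt: when the manager stays silent on a page that looks exactly like the bank, that silence is the detection, and the right response is to stop rather than type the password by hand.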
The $196 billion scam economy thrives on the fact that traditional defensive perimeters stop at the enterprise boundary. To counter an industrialized, AI-driven adversary, organizational defense must match criminal velocity. By treating fraud as a critical threat and deploying automated, real-time validation layers, enterprises and institutions can block the attack path before assets leave the ecosystem.