The Trust Crisis: Inside the $3.5 Billion Imposter Scam Epidemic
By Cam Sivesind
Wed | Jun 17, 2026 | 1:36 PM PDT

The U.S. Federal Trade Commission (FTC) released a staggering dataset that confirms what many defensive teams have long suspected: social engineering is no longer just a tactical entry point—it is a booming macroeconomic industry.

According to the FTC's latest report, consumers reported losing a record $3.5 billion to imposter scams, nearly three times the losses reported in 2020. Imposter scams now dominate the threat landscape, accounting for nearly one in three of all fraud reports filed. Overall, reported fraud losses across all categories reached an all-time high of $16 billion, marking a sharp 25% jump year-over-year.

For cybersecurity practitioners, vendors, and the general public, these numbers signal a profound shift in how digital trust is weaponized.

According to the FTC data, scammers are diversifying their methods across text, phone calls, email, social media, and malicious search engine results. However, the most destructive and costly schemes exploit automated urgency.

  • Bank and business impersonation: Losses to business impersonators reached nearly $1 billion, with the highest financial damage linked to fake bank alerts. Attackers send victims a fake security alert warning that their accounts are compromised, then convince them to immediately move money to a "secure account" to protect it.

  • Government impersonation: Reported losses to government impersonators spiked to about $920 million. This category was significantly driven by SMS text phishing campaigns spoofing local toll-road collection entities (threatening immediate vehicle registration suspensions or massive late fees).

For ordinary citizens and corporate employees, the psychological and financial toll is hitting a boiling point.

Scammers have shifted their focus away from technical hacks to psychological manipulation. By mimicking trusted authority figures—whether an IRS agent, a corporate IT support representative, or a bank fraud officer—they bypass standard skepticism. The FTC noted that because victims are entirely convinced they are cooperating with a protective measure, their individual losses are frequently "limited only by their available funds."

"Consumers derive enormous benefits from competitive markets built on truthful information. But fraud undermines that foundation, impeding the market process and preventing markets from operating efficiently," said Christopher Mufarrige, Director of the Bureau of Consumer Protection. "The FTC will use every tool available to combat one of the most pernicious forms of fraud—government and business impersonation—and to protect the integrity of the digital economy."

When a criminal organization successfully impersonates a brand to steal millions from consumers, the financial liability may legally rest with the victim or the bank, but the reputational damage lands squarely on the impersonated enterprise. Organizations can no longer treat consumer-side fraud as "not our network, not our problem." Brand protection is now a fundamental pillar of modern cybersecurity governance.

For the teams charged with defending enterprise perimeters and the vendors building the next generation of security tools, the FTC's data demands an operational pivot.

  1. The perimeter must extend beyond the inbox: Traditional email security gateways are no longer enough. Because attackers are heavily leveraging multi-channel social engineering—pivoting rapidly to SMS (smishing), direct messaging on social media, and lookalike search engine ads—identity verification cannot rely entirely on a secure email gateway.

  2. DMARC and brand protection are security imperatives: CISOs must prioritize strict enforcement of email authentication protocols like DMARC (Domain-based Message Authentication, Reporting, and Conformance), SPF, and DKIM to prevent domain spoofing. Concurrently, security teams must deploy continuous brand-monitoring services to proactively dismantle fraudulent lookalike domains and rogue social media accounts before they can be used in mass impersonation campaigns.

  3. A shift in vendor value – behavioral AI vs. static indicators: For security vendors, the collapse of digital trust represents a massive market opportunity. The market is shifting away from static indicators of compromise (IOCs) toward behavioral AI capable of detecting anomalies in language patterns, communication tone, and transaction velocity. Tools that analyze the context of a text message or phone call to flag synthetic urgency will become essential components of the enterprise defense stack.
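For item 2 above, one way to check whether a domain's published DMARC and SPF records actually enforce anything. This is an added example, not code from the FTC report or the article's sources; the function names are hypothetical and the records are constructed samples on reserved example domains.

```python
# Added example: flag DMARC/SPF records that publish a policy without enforcing it.
RANK = {"none": 0, "quarantine": 1, "reject": 2}  # DMARC policies, weakest first

def parse_tags(record):
    """Split a DMARC 'tag=value; tag=value' record into a dict."""
    pairs = (part.partition("=") for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, _, v in pairs}

def audit_dmarc(record):
    """Return findings for one DMARC TXT record; [] means full enforcement."""
    tags = parse_tags(record or "")
    policy = tags.get("p", "").lower()
    if tags.get("v") != "DMARC1" or policy not in RANK:
        return ["missing or malformed DMARC record (needs v=DMARC1 and a valid p)"]
    findings = []
    if policy != "reject":
        findings.append(f"p={policy}: failing mail is not rejected")
    sub = tags.get("sp", policy).lower()  # sp defaults to the parent policy
    if RANK.get(sub, 0) < RANK[policy]:
        findings.append(f"sp={sub}: subdomains are weaker than the parent domain")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy covers only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports to spot abuse")
    return findings

def audit_spf(record):
    """Return findings for one SPF TXT record; assumes 'all' is the last term."""
    terms = (record or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no SPF record"]
    last = terms[-1].lower()
    # A redirect delegates the policy; audit the redirect target instead.
    if last == "-all" or any(t.lower().startswith("redirect=") for t in terms):
        return []
    if last in ("~all", "?all"):
        return [f"{last}: unauthorized senders are not hard-failed"]
    if last in ("+all", "all"):
        return [f"{last}: any host may send as this domain"]
    return ["no 'all' mechanism: result defaults to neutral"]

SAMPLES = {  # constructed (DMARC, SPF) TXT records
    "example.com": ("v=DMARC1; p=reject; rua=mailto:dmarc@example.com", "v=spf1 include:_spf.example.com -all"),
    "example.net": ("v=DMARC1; p=none; pct=50", "v=spf1 mx ~all"),
    "example.org": ("v=DMARC1; p=reject; sp=none; rua=mailto:d@example.org", "v=spf1 +all"),
}

def audit_all(samples=SAMPLES):
    return {d: audit_dmarc(dm) + audit_spf(spf) for d, (dm, spf) in samples.items()}
```

In practice the records would come from TXT lookups on `_dmarc.<domain>` and `<domain>`; the audit logic is unchanged.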

The FTC's midyear pulse proves that social engineering has fully scaled into a multi-billion-dollar enterprise threat. As the federal government ramps up enforcement through its updated Impersonation Rule (enabling the FTC to seek direct consumer redress and civil penalties against violators), organizations must meet them halfway.

Security teams can no longer build walls just around their data centers. They must actively defend their brand identities, their users, and the digital trust that keeps businesses operational.

We asked a few experts from cybersecurity solutions providers for their thoughts.

Patrick Harr, CEO at DataVisor, said:

  • "FTC's latest numbers show that imposter scams are evolving from mass outreach into highly-personalized financial crime. Fraudsters now have cheaper and better AI tools to create convincing messages, fake websites, cloned voices, and even deepfakes that make victims believe they are dealing with a trusted institution or person. That is especially dangerous in payments, because once a consumer is manipulated into authorizing the transfer, the transaction can look legitimate on the surface. Financial institutions need to look beyond static transaction rules and get better at detecting the warning signs earlier in the journey—suspicious behavior, recipient risk, mule-account linkages, and signals that a customer is being coached in real time."

Darren Guccione, CEO and Co-Founder at Keeper Security, said:

  • "The Federal Trade Commission's findings that Americans lost $3.5 billion to imposter scams last year, nearly triple the figure from 2020, are striking. The more instructive detail, however, is where those losses originated. Over $2.1 billion was traced back to social media platforms, and nearly one in three victims were first contacted through social channels. While it would be easy to view this as a consumer education problem, the reality is that this is an identity verification problem at an infrastructural scale."

  • "What makes impersonation attacks so effective is the authenticity of the interaction. AI-generated voice, realistic messaging, and convincing account impersonation have dramatically lowered the barrier to entry for fraudsters. The erosion of trust affects organizations as much as individuals. Business impersonation accounted for close to $1 billion in losses alone."

  • "Recent research revealed that 41% of IT leaders highlighted deepfakes as the top identity-based threat. Our research also shows that AI-driven social engineering is now among the top concerns for security leaders globally, cited by 35% of respondents. It underlines how identity has become the high-value attack surface and how impersonation has emerged as the preferred vector."

  • "Defense cannot rely on awareness alone. Phishing-resistant authentication, strong credential governance, and real-time monitoring for identity-based anomalies are now the foundational controls that make impersonation attacks substantially harder to execute successfully. The scale of the losses reported by the FTC reflects what happens when those controls are absent or inconsistently applied."

Jason Soroko, Senior Fellow at Sectigo, said:

  • "The 2025 Federal Trade Commission data reveals a shift in cybercrime. Impersonation has emerged as the preferred vector for attackers. Americans lost $3.5 billion to imposter scams in 2025, which represents a threefold increase since 2020. Fraudsters utilize texts, emails, and phone calls to reach targets. The schemes with the highest losses involve bank impersonators who prompt victims to transfer funds to secure their accounts. Business and government impersonators accounted for nearly $2 billion in losses, contributing to $16 billion in overall fraud."

  • "These figures underline how identity has become the high-value attack surface. Attackers bypass security perimeters by manipulating trust. Social platforms serve as a distribution channel for these operations. Victims reported $2.1 billion in losses originating from social media, an eightfold increase over five years. Facebook, WhatsApp, and Instagram facilitated a majority of these interactions. By exploiting authority, criminals access funds without breaching infrastructure."

Mika Aalto, Co-Founder and CEO at Hoxhunt, said:

  • "Impersonation scams are not new, but every year these attacks seem to undergo a metamorphosis that makes them harder to detect and resist, courtesy of rapidly evolving technological capabilities. Attackers can now combine AI-generated content, QR codes, social media impersonation, voice cloning, and even video deepfakes to create experiences that feel authentic across multiple channels and touch points in a complex attack chain. The technological barrier to executing these scams gets lower by the minute. Cybercrime, unfortunately, is a growth industry."

  • "The challenge is that we're entering an era where people can no longer rely on their eyes and ears alone to verify identity. A message may appear to come from a trusted brand, a phone call may sound like a legitimate authority, and a video meeting may appear to include a real person. At the same time, attackers are getting better at using social media to build credibility and establish relationships before attempting fraud."

  • "Criminals are still exploiting trust, authority, urgency, and opportunity. What's changing is their ability to deliver convincing impersonations at scale and across multiple touchpoints. That combination is making impersonation scams more believable, more personalized, and ultimately more successful than we've seen in the past."

To help the public spot imposter scams, Elder Justice Coordinating Council (EJCC) members launched the "Never EVER" campaign, which promotes messaging on the key actions that government and businesses will never take. The campaign runs from June 15-26, in conjunction with World Elder Abuse Awareness Day. This first-of-its-kind public-private partnership includes participants from a wide range of organizations and directs consumers to a website with information and resources to help them avoid imposter scams and know what to do if they spot one.
