2 hours ago
4
Your phone buzzes with a text from your bank: “Did you authorize a $2,400 transfer? Reply NO to stop it.” You reply, and seconds later a calm “fraud agent” calls, knows your name and the last four digits of your card, and walks you through “securing” your money by moving it into an account under the criminal’s control. No password was stolen, no malware installed. You handed over the money yourself, because everything looked and sounded real.
This is the new face of bank fraud and business is booming. Behind these scams sit organized adversaries: nation-state actors who treat theft as state revenue, criminal gangs running industrial-scale scam operations, and hacktivists out to embarrass institutions increasingly armed with AI that makes their lies cheap, fast, and tailored to you.
The problem: scams have gone industrial
Banks have spent decades hardening their vaults and networks, so attackers shifted to the softest target: the customer. Rather than breaking in, they trick people into transferring funds themselves. This is “authorized push payment” fraud where the victim approves the payment and it is far harder to claw back than a stolen card number. To hear how a typical scam call actually unfolds, watch the FTC’s short imposter-scam explainer.
With the age of AI, three key forces have turbocharged these threats. Payments now move instantly and irreversibly, so money is gone before anyone notices. Decades of data breaches let criminals buy your name, address, and account details cheaply, making their scripts eerily accurate. And generative AI has industrialized deception where more than half of fraud is now estimated to involve AI. A criminal can clone a familiar or family voice from seconds of audio, write flawless phishing emails in any language, and even deepfake a bank officer on a video call.
The people behind it are not lone hackers in hoodies. They range from sanctioned nation-state groups that steal to fund their governments, to criminal syndicates running scam centers staffed by trafficked workers, to hacktivists attacking banks to make a political point. For them, fraud is a scalable business and it is outrunning the banks, telcos, and Big Tech.
The real-world cost
The damage is measured in real households. The Federal Trade Commission reports Americans lost roughly $16 billion to fraud of all kinds in 2025 the highest on record and about 25% more than the year before. Imposter scams alone accounted for $3.5 billion, nearly tripling since 2020, and the single most lucrative version is the fake bank-security alert that convinces people to “protect” their savings by moving them.
These losses fall unevenly. Americans aged 50 and older reported $4.3 billion in losses in 2025, often life-altering sums drained from retirement accounts. The official numbers are almost certainly a fraction of reality, since many victims never report out of shame. Beyond the dollars, the human cost is real emptied college funds, missed mortgage payments, and a corrosive loss of trust in the financial system people rely on every day. One Florida couple lost $42,000 of their savings this way watch how it happened. In fact, this happens so often that Hollywood created an action movie about it with the Bee Keeper.
A National Security issue
Fraud and scams are not just a nuisance but far more dangerous. Fraud and scams in the United States have escalated into a national security issue because they are no longer isolated consumer crimes. They are large‑scale, foreign‑run operations that drain billions of dollars from the U.S. economy and undermine public trust in financial and digital systems. Federal agencies increasingly link these schemes to transnational criminal organizations, some of which also engage in human trafficking, money laundering, and other activities that threaten national stability. The financial impact is massive, with losses rivaling major illicit industries, and the proceeds often flowing to adversarial nations or criminal networks abroad.
The rules already on the books
The U.S. is not starting from zero. Along with the growth of the early Internet, in 1999 the Gramm-Leach-Bliley Act went into effect and its Safeguards Rule in requiring banks to protect customer data, and guidance from the Federal Financial Institutions Examination Council (FFIEC) pushes them toward stronger, multi-factor login security. The Bank Secrecy Act and anti-money-laundering rules, enforced by the Treasury’s FinCEN, require banks to flag suspicious transactions — a key tool for tracing stolen funds. New York’s Department of Financial Services Part 500 cybersecurity rule has become a de facto national standard.
Regulators are also targeting the scams themselves. The FTC’s Impersonation Rule, in force since April 2024, lets the agency go after fraudsters who pose as businesses or government agencies; in its first stretch it produced more than $70 million in consumer refunds. Voluntary frameworks like the NIST Cybersecurity Framework give institutions a common playbook.
The gap is not the absence of rules it is that attackers move faster than rules can be written, and that liability for scam losses remains murky when a customer is tricked into approving the payment. So, with all these rules and regulations, why are scams and fraud occurring faster?
The innovators fighting back
A fast-growing wave of companies is using the same AI that empowers criminals to stop them.
· Feedzai builds real-time systems that score billions of transactions as they happen, spotting the subtle patterns of a scam in under a second.
· Alloy helps banks and fintechs verify who is really opening an account, choking off the synthetic and stolen identities fraudsters depend on.
· Arkose Labs specializes in blocking automated bot attacks and account takeovers, while SEON, Lexus Nexus, and Sumsub offer identity-verification and fraud-screening tools that smaller banks and startups can plug in affordably.
· Netcraft is a company which doesn’t only detect scams but does something about it. It is very good at “take downs” of scam networks.
· Others are racing to build deepfake and voice-clone detection to catch fakes that fool the human ear and eye. Others get creative: UK carrier Virgin Media O2 built “Daisy,” a lifelike AI “granny” that answers scam calls and keeps fraudsters rambling for up to 40 minutes to tie them up so they have no time for real victims. Watch “Daisy” turn the tables on scam groups.
What unites all these is adaptive defense models that learn daily, because last month’s fraud pattern is already obsolete. All these point solutions are modeled on Intellectual Property that slows sharing. This model is not working.
What America should do
As scams become more sophisticated, especially with AI‑driven impersonation, deepfakes, and automated fraud, their ability to destabilize institutions, exploit citizens, and weaken economic resilience has pushed policymakers and security experts to treat fraud not just as a consumer protection problem, but as a strategic threat to national security. Staying safe will take coordinated effort. Everyone has a role.
Lawmakers and regulators
Fraud and scam laws in the United States, the United Kingdom, and Australia share the same objective: to protect consumers and disrupting criminal activity but each country approaches the problem with a very different regulatory philosophy.
In the U.S., the system is fragmented and enforcement‑driven, with no mandatory reimbursement for most scam victims and a heavy reliance on agencies like the FTC, CFPB, and FBI to pursue wrongdoing after the fact. By contrast, the U.K. has built the world’s most proactive framework, requiring banks to reimburse victims of authorized push‑payment scams, enforcing account‑name verification through Confirmation of Payee, and placing clear accountability on financial institutions to prevent fraud before it occurs. Australia sits between the two models, adopting U.K.‑style protections while expanding responsibility beyond banks to include telcos and digital platforms through its emerging Scams Prevention Framework. While the U.K. emphasizes consumer protection and the U.S. emphasizes enforcement, Australia is moving toward a shared‑liability, cross‑industry approach that recognizes scams as a systemic risk requiring coordinated prevention across the entire digital ecosystem.
A typical scam today uses several pieces of technology working together to make the criminal look real. It often starts with:
1. the scammer creating a fake website that looks almost identical to a bank or delivery company. They buy a cheap web address from a service like GoDaddy and change just one letter so most people won’t notice the difference.
2. Then they setup email accounts on services like Microsoft & Gmail to send out massive emails.
3. They use AI tools to scrape millions of social media profiles from Facebook, Instagram, etc. to collect data about YOU.
4. They use tools that let them fake a phone number (telco), so when they call you, your phone shows the name of your bank or a government agency.
5. After that, they send out text messages to iPhone and Android users that look official, things like “Your account is locked” or “You have a package waiting.” The link in the text takes you to the fake website, where the scammer collects your login details. If you call the number instead, it goes to a call center where the scammer pretends to be a bank employee.
All of this: fake websites, spoofed phone numbers, and realistic text messages works together to trick people into believing they’re talking to a trusted company when they’re actually dealing with a criminal.
What should the Critical Infrastructure do?
In the U.S., we have failed because we have not worked together across these technologies at scale & at the speed of AI. Why? Because we (collectively) do not have the incentives or requirements to do so. For the CEOs of these companies, they do not want to spend money & resources which do not drive revenue. Period.
There are glimpses of hope. A working model already exists:
· We have the Financial Services Information Sharing and Analysis Center (FS‑ISAC) is a global, nonprofit organization that helps protect banks and other financial institutions from cyberattacks by enabling them to quickly share information about threats. It was created in 1999 (26 years!) to strengthen the safety and resilience of the financial system by collecting, analyzing, and distributing timely intelligence about cyber and physical risks so that member institutions can defend themselves and their customers more effectively. I am hopeful that they new CEO, Valerie Abend will drive more effective solutions.
· In 2026, eight major carriers: AT&T, Verizon, T-Mobile and others just launched the Communications Cybersecurity Information Sharing and Analysis Center (C2 ISAC), chaired by longtime cyber expert, AT&T security chief Rich Baich, to share real-time threat intelligence across competitors. Because most scams ride phone and text networks before they ever reach a bank, telecom and banking defenses should connect through the same kind of collective-defense sharing. But the C2 ISAC cannot do this alone.
· In 2025, the Global Anti‑Scam Alliance (GASA) was formed to bring together governments, financial institutions, technology companies, law‑enforcement agencies, and consumer groups to fight scams on a global scale. GASA acts like a global “anti‑scam task force,” uniting experts and institutions so people everywhere are better protected from online fraud.
These have proven to not operate effectively to get ahead of scams and fraud. We need a better way – mandates of sharing, legal risks support, cross ISAC/intel which is tailored/aware, good native ML & AI models (not rules), and others working at speed and context with more transparent sharing.
In the meantime,
What should consumers do?
Treat any unexpected “urgent” message about your money as a warning sign, not a command. Banks will never ask you to move funds to “protect” them. Hang up and call the number on the back of your card. Turn on multi-factor authentication and agree on a private “safe word” with family so a cloned voice can’t fake an emergency. Report scams to ReportFraud.ftc.gov, even unsuccessful attempts, because the data helps train good AI/ML models to protect everyone.
What should all companies do?
Adopt adaptive, AI-native detection rather than yesterday’s rules, and design apps that help customers pause before they act. Investors should back the firms building deepfake detection and identity verification, and banks should partner with them quickly instead of waiting years to build in-house.
Conclusion:
With fast innovation, fraud & scams will not disappear, but it can be better contained. The criminals have industrialized deception; the answer is to industrialize defense with smarter rules, sharper technology, and a public that knows the warning signs.
The Cipher Brief is committed to publishing a range of perspectives on national security issues submitted by deeply experienced national security professionals. Opinions expressed are those of the author and do not represent the views or opinions of The Cipher Brief.
Have a perspective to share based on your experience in the national security field? Send it to Editor@thecipherbrief.com for publication consideration.
Read more expert-driven national security insights, perspective and analysis in The Cipher Brief
English (US) · 