Imposter Scams: AI-Driven Fraud Costs Americans $3.5 Billion in 2025

5

Imposter Scams Cost Americans $3.5 Billion in 2025 as AI Supercharges Fraud

Americans lost $3.5 billion to imposter scams in 2025, according to new data from the Federal Trade Commission — nearly triple the losses recorded in 2020 as AI-powered fraud tools make deception easier and more convincing than ever.

The FTC figures expose a fraud landscape that has fundamentally shifted. Criminals are no longer relying on crude mass-outreach tactics. Instead, they are deploying sophisticated artificial intelligence tools to clone voices, fabricate websites, and generate deepfake video to manipulate victims into willingly handing over their money. The scale of the problem demands attention from individuals, businesses, and security leaders alike.


Social Media Emerges as the Dominant Fraud Battleground

Of the $3.5 billion in total losses, $2.1 billion originated from social media platforms — an eightfold increase over five years. Facebook, WhatsApp, and Instagram facilitated the majority of these interactions. Nearly one in three victims were first contacted through social channels.

Jason Soroko, Senior Fellow at Sectigo, described the findings as evidence of a meaningful strategic shift. "The 2025 FTC data reveals a shift in cybercrime," Soroko said. "Impersonation has emerged as the preferred vector for attackers."

The numbers break down into alarming categories:

  • Business impersonators accounted for $1 billion in losses
  • Government impersonators were responsible for $920 million
  • Together, those figures contribute to a reported $16 billion in overall fraud for the year

Darren Guccione, CEO and Co-Founder at Keeper Security, argued that framing this as a consumer education problem misses the deeper issue. "The reality is that this is an identity verification problem at an infrastructural scale," Guccione said. "What makes impersonation attacks so effective is the authenticity of the interaction."

Guccione pointed to his company's own research showing that 41% of IT leaders identified deepfakes as the top identity-based threat. An additional 35% of security leaders globally cited AI-driven social engineering as among their top concerns.

Understanding how these interactions are initiated is critical. Recognising the warning signs of social engineering attempts before they escalate remains one of the most practical defences available to individuals and organisations alike.


AI Tools Have Lowered the Barrier for Fraud at Scale

The technology enabling these scams is no longer exclusive to well-resourced criminal organisations. Fraudsters now have access to cheap and increasingly capable AI tools that produce convincing messages, cloned voices, and realistic deepfake video.

Patrick Harr, CEO at DataVisor, warned that the payments sector faces particular exposure. "Fraudsters now have cheaper and better AI tools to create convincing messages, fake websites, cloned voices, and even deepfakes that make victims believe they are dealing with a trusted institution or person," Harr said. "Once a consumer is manipulated into authorising the transfer, the transaction can look legitimate on the surface."

Harr urged financial institutions to move beyond static transaction rules and invest in detecting earlier warning signs — including suspicious behaviour patterns, recipient risk profiles, mule-account linkages, and signals that a customer is being coached in real time.

The Multi-Channel Deception Problem

Mika Aalto, Co-Founder and CEO at Hoxhunt, captured how rapidly the threat is evolving. "Attackers can now combine AI-generated content, QR codes, social media impersonation, voice cloning, and even video deepfakes to create experiences that feel authentic across multiple channels," Aalto said. He added a sobering note: "The technological barrier to executing these scams gets lower by the minute."

Aalto described the current moment as one where people can no longer rely on their eyes and ears alone to verify identity. A message may appear to come from a trusted brand. A phone call may sound like a legitimate authority. A video meeting may appear to include a real person — and there is no reliable visual cue to indicate otherwise. The stakes, in every one of these scenarios, involve your financial security and personal data.

Why Phishing Remains Central to Impersonation Fraud

Impersonation attacks frequently begin with a phishing attempt — whether via email, SMS, or direct message on social platforms. Understanding the full range of phishing attack methods used by cybercriminals today provides essential context for recognising how these scams are engineered and why they succeed at scale.


Defending Against Impersonation Requires Infrastructure, Not Just Awareness

Security experts were consistent in one message: awareness campaigns alone will not stop impersonation fraud at this scale. The losses reflect what happens when foundational controls are absent or inconsistently applied.

The Minimum Viable Defence for Organisations

Guccione outlined the baseline requirements for organisations facing this threat. "Phishing-resistant authentication, strong credential governance and real-time monitoring for identity-based anomalies are now the foundational controls that make impersonation attacks substantially harder to execute successfully," he said.

Soroko reinforced why the attack vector is so effective at bypassing traditional defences. "By exploiting authority, criminals access funds without breaching infrastructure," he said. Perimeter security alone cannot stop an attack that works by manipulating human trust rather than exploiting technical vulnerabilities.

Criminals Are Investing in Relationships, Not Just Technology

Aalto noted that criminals are refining not just their tools but their social strategies. Attackers are spending more time using social media to build credibility and establish relationships before attempting fraud — making the eventual deception harder to detect and resist. This longer, more deliberate approach to establishing false trust is one of the most significant developments in the current threat landscape.

For organisations looking to move beyond awareness and implement structural defences, understanding how to prevent social engineering attacks across your organisation provides a practical framework for reducing exposure at every level.

The tripling of losses since 2020 signals that the problem is accelerating. For individuals, businesses, and security teams, the 2025 FTC data serves as both a warning and a call to action. The Federal Trade Commission's consumer fraud reporting resources remain a critical tool for documenting incidents and contributing to the broader effort to track and disrupt these operations.

How readers can use this information:

  • Individuals should treat any unsolicited request to transfer funds — regardless of how legitimate the caller or message appears — as a potential impersonation scam and independently verify through official channels before acting.
  • Business and IT leaders can use these findings to prioritise phishing-resistant authentication and credential governance as baseline security investments rather than optional upgrades.
  • Security teams should audit whether their monitoring systems can detect behavioural anomalies earlier in the customer journey rather than relying solely on transaction-level rules that criminals are learning to evade.
You might also like