I am used to repeating some pretty big numbers when talking about the financial impact of cybercrimes. When you look into the data, it is pretty easy to start talking about tens of billions of dollars.
I occasionally come across figures that are in the hundreds of billions of dollars in damage across multiple years globally. So, imagine my surprise when I learned the U.S. Federal Trade Commission (FTC) said Americans lost $158.3B in 2023, one year, to scammers, and that annual figure is getting worse.
I learned this recently while watching Kathy Stokes, AARP’s Director of Fraud Prevention Program division, present at Casper College’s Rocky Mountain Cybersecurity Symposium in Casper, WY.
$158B is over $433M a day stolen…just from U.S. citizens.
At first, I thought Stokes had to have her figures wrong. She was obviously accidentally misstating a multi-year figure for a single year or talking about global figures instead of for only U.S. individuals.
Nope, she was not.
In fact, the figure of $158.3B in U.S. fraud a year was just repeated by Senator Chuck Grassley in the recent U.S. Senate Judiciary Committee meeting on June 17th.
It was, in turn, taken from the FTC’s October 18, 2024, report, see pages 2 and 28. It is an estimated figure, and it involves scams of all types and not just cybersecurity crime (although the vast majority of scams now involve cyber in some way).
Of course, not everyone is successfully scammed each year. The FTC calculates that “only” 8% of Americans, or just under 21 million citizens, are successfully scammed each year. It equates to 57,000 Americans successfully scammed each day, and if the total amount of fraud was divided by those Americans, it would equate to over $17,000 per citizen per year. Ouch!
The FTC previously reported annual scams as costing “only” tens of billions of dollars each year, but after adjusting for “under-reporting” (only 2% of victims reported their loss to the FTC) last year, the new estimated figure of $158.3B is now the official figure. Prior years’ estimates were also updated. Each year it is worse than the last.
The number one scam overall was investment scams, where a victim was tricked by someone they gave too much trust into making a fraudulent investment. These scams often occur when a scammer sends what the recipient thinks is an errant SMS message intended for someone else. “Hey, are you there?” or something like that. I get a few of these a week through SMS, and at least one a week on X and LinkedIn. Sometimes it is the only message I receive.
The recipient usually responds to the sender to tell them that they sent the message to the wrong person and the scammer uses the kind reply as a way to strike up a longer conversation. That conversation can lead to a false sense of a real relationship, romantic or otherwise. The unearned trust is then used to trick the victim into sending money for some purported “sure thing”…usually a cryptocurrency scam…and the victim never sees their money again.
Fake jobs and fake employers are another growing area for scams. KnowBe4 has written a ton about both. It is getting tougher for people looking for work to find real employers and for companies looking for employees to find real employees. The scammers often advertise on legitimate employment sites, social media sites like LinkedIn, or place ads on official websites.
Scams included fake vendors, who claimed to be selling something, often for a “great price”, who then never delivered the goods. Tech support scams, where the scammer posed as Microsoft or some other recognizable brand-new technology vendor were very common. They call the victim, claiming to have proactively found a problem they want to help with. All the victim does is lose money.
Romance scams are rampant, especially with AI-enabled deepfakes allowing scammers to create new images and videos of fraudulent paramours, all while carrying on rich and vibrant conversations. Fake check scams, government imposters, business imposters, fraudulent vacation and travel schemes, and fake prizes and sweepstakes rounded out the top scam types.
Surprisingly, according to the FTC, younger people were more likely to be successfully scammed than older people. But older people (60 and older) were more likely to lose more money. Older people often have more money than younger people. Most people lost money due to online scams, but higher individual losses occurred from scams done over the phone.
Without a doubt, there are a lot of victims losing a lot of money.
What Can You Do?
First, realize that anyone can be scammed. Anyone. You. Me. Anyone. You can be perfect in your life in avoiding scams, and then in a moment, become one of the 8% of citizens successfully compromised that year.
All it takes is the right scam at the right moment in your life. Whether or not you are susceptible to a scam has nothing to do with intelligence. Doctors, lawyers, law enforcement, and even Nobel-prize-winning scientists are successfully scammed.
My co-worker, Anna Collard, has identified dozens of traits that impact how likely we all may be to fall for a particular scam, including our current workload, how sleep deprived we are, mindfulness, and even sheer coincidence. Anna often shares that she “failed” a simulated phishing scam claiming to be from Uber simply because she was stepping into an Uber at the time.
The scams can be pretty convincing. The scammers can have confidential information about you and your life, originate from valid email addresses, and involve a professional-sounding infrastructure that rivals their real-world components. Add to those issues the constantly improving AI-enabled deepfakes, and it is a recipe for even more successful scam attacks.
KnowBe4 specializes in Human Risk Management, otherwise known as HRM. HRM involves a myriad of offerings, including technical defenses to prevent bad things from getting to people, behavior changing, and education. A big part of HRM is security awareness training. Make sure the people in your life…yourself…your co-workers, your family and friends, are aware of social engineering scams, how prolific they are, and understand the different forms (e.g., email phishing, social media scams, voice call phishing, SMS phishing, etc.).
So, share stories of scams so that people are aware of the different forms these scams can take.
It can’t hurt to involve an automated system, like KnowBe4 offers, to do the awareness education and testing at scale. It can’t hurt to use an AI-enabled HRM system to let the AI do the heavy lifting.
But if I had only one minute to teach people about how to avoid scams, it would be this:
If a message arrives unexpectedly and asks you to do something you have never done before (at least for that requestor), research the request using an alternate trusted method before performing. Here is how I represent that statement graphically:
Any message containing these two traits is at far higher risk of being a social engineering scam than other messages. Not every scam meets these criteria, but 99% do.
I do not care how the message arrives. It could be in email, an SMS, a WhatsApp message, in social media, in a work chat channel, a phone call…it could even be in person. If the message arrives and you were not expecting it…that is already one of two risky traits.
Second, the request is asking you to do something you have not done before. Usually, the request is passed along with text or audio indicating you need to do the requested action RIGHT NOW! It claims that if you do not follow the instructions, some type of harm, usually financial, will befall you or your company. You or your employer will be charged money you/they do not owe, lose money you/they could otherwise be earning, or miss out on some easy cash payout.
There are so many outlier scam messages that try to motivate you in different ways, such as your child being kidnapped, a blooming romance, you missing out on getting a wanted vaccine, or some patriotic call to duty. There are so many ways to motivate people to respond to a message that I just leave out that part of the scam puzzle.
I keep it simple.
If a message arrives unexpectedly and asks you to do something you have never done before, slow down and research it better before performing the requested action.
Scams are not rare. Scams are everywhere. But there are many ways we can educate and fight against them to keep ourselves, our co-workers, and family and friends safer.
