In January, an HSBC customer was alerted that someone was trying to access her bank account. Calling the number in the message, the customer gave what she believed was an HSBC representative some personal details. Soon after, over $30,000 disappeared from her account.

Phishing attacks have exploded in recent years. In 2024, HSBC customers alone lost over $4 million to this one fraudulent campaign. No enterprise is immune to the threat of online fraud, and trusted businesses have become prime targets for brand impersonation. Criminals exploit consumer familiarity with banks and online utilities to elicit payment details.

Fraudsters can be just as creative as the brands they imitate. They use multiple channels to attack consumers, including SMS (smishing), voice (vishing), and email. Modern technologies have also made it easier to launch phishing attacks, increasing the frequency and effectiveness of the attempts. So, why are brands facing a higher volume of online fraud, and how can they tackle these emerging threats?

Why are phishing attacks growing in scale? The rise of high-volume fraud.

Online fraud is a crime of opportunity, with infringers attacking as many consumers as possible through widespread campaigns. 2023 was a record year for phishing attacks, with nearly 5 million observed by the Anti-Phishing Working Group. One contributing factor is the increase in digital interactions between brands and consumers, which creates new avenues for fraud. As such, banking, telecom, and technology brands are prime targets, as they rely heavily on digital communications to connect with customers. Furthermore, customer login credentials, which are commonly stolen by criminals, can lead to multiple points of victimization if the credentials are reused across different platforms.

US consumers alone lost over $10 billion to fraud in 2023, with email-based attacks the most common threat.

Fraudsters hijack brand assets, including logos, to trick even cautious consumers into believing phishing emails are legitimate. Virtually no one is immune. Tech-savvy customers can still struggle to spot sophisticated phishing attacks, with social engineering tactics creating a sense of urgency. Of course, phishing attacks can impact both consumers and brands. Many brands are paying significant sums to compensate their customers, but the effects of fraud can be far-reaching, and not always so obvious. Customers may lose confidence in a brand after a phishing attack, and this intangible reputational damage can be challenging to both measure and rectify.

How are criminals switching up their strategies? Phone-based fraud has exploded.

Meanwhile, fraudsters are adapting their tactics. They increasingly target smartphones, exploiting the rise of mobile commerce and banking. Phishing attacks have diversified, with a surge in SMS-based scams, known as smishing. So why utilize text messages? Smartphones lack the sophisticated security filters that protect email accounts, making it easier for fraudsters to reach victims. Ultimately, there is little a recipient can do to determine whether a text message is legitimate. Voice-based fraud, or vishing, has also seen an alarming rise. OpSec observed a 260% increase in vishing incidents in Q4 of 2023 compared to the previous year. Leveraging artificial intelligence (AI), fraudsters can now mimic the voices of trusted colleagues or family members, making their scams far more convincing.

In Q2 of 2024, phone numbers accounted for 25% of all fraud-related assets identified by OpSec.

How are criminals turning to new technologies? The influence of AI and automation.

While AI offers powerful tools for brand protection, it also arms scammers with sophisticated new methods. For a start, deepfakes can be used to manipulate facial expressions in video material. Take the case of UK engineering firm Arup, which lost $26 million after an employee was impersonated via an AI-generated video call. AI can also analyze massive amounts of breached personal data, making phishing messages more targeted. Of course, infringers have other technologies at their disposal. Using tools like phish kits and automated deployments, attacks can be launched with a few clicks, increasing the scale and frequency of phishing campaigns. As such, brands must act quickly, tackling fraud before it harms consumers and threatens reputations.

According to the Harvard Business Review, 60% of consumers typically fall victim to AI-generated phishing attacks.

How are the rules changing around customer compensation? The impact of new regulations.

Regulators are also demanding that brands take action, with certain industries facing greater liability to refund customers. Under rules updated in October 2024, the UK Payment Systems Regulator now mandates that banks and payment providers reimburse fraud victims up to $110,000 unless the customer acted with gross negligence. The US is also proposing a similar law, while the Indian telecoms regulator is demanding that service providers block all spam calls. While many of these regulations focus on specific industries, consumers may grow to expect the same treatment from other sectors.

So, how can brands tackle high-volume fraud?

The reality is clear: brands must act fast to stop fraud. Effective prevention starts with intelligence gathering and real-time enforcement to limit risk exposure. With phone-based fraud soaring, coverage will be required across all major channels to safeguard brands that face a high volume of threats. A robust response will also incorporate consumer and staff education, guiding users on how to spot sophisticated attacks. But fraudsters will continue to evolve their tactics. As such, brands may look to partner with industry specialists, who can monitor new threat signatures. By adopting a comprehensive strategy, brands can shut down fraud before it damages reputations and customer relationships.

OpSec offers a robust defense against brand imitation and fraud. Our platform ingests data from all critical channels globally for rapid detection and enforcement. Each day, we evaluate over 50 million URLs to identify fraudulent assets, while our calling automation tool processes thousands of phone numbers daily. Our process is consistent across 1 or 1,000 phishing attempts, providing reliable service no matter the size of the problem.

Ready to take action? Find out how OpSec can protect your brand and customers from high-volume fraud.

Australian HSBC Customers Demand Action Over $6.3m ‘Spoofing’ Scam – ABC News

Phishing Activity Trends Report, Q4 2023 – APWG

US Consumers Lost a Record $10bn to Fraud Last Year – The Banker

Early Warning System Data – OpSec

AI Will Increase the Quantity and Quality of Phishing Scams – Harvard Business Review

Our New APP Fraud Reimbursement Protections – Payment Systems Regulator

How the Proposed US “Protecting Consumers from Payment Scams Act” Could Impact Financial Institutions – Global Banking & Finance Review

Indian Telecom Regulator Orders Crackdown on Spam Calls – The Record
