Co-Author: David Stone
Cyber fraud is escalating in both volume and complexity. It directly threatens an organization’s financial health and reputation, highlights the overlap between fraudulent activity and cybersecurity, and remains a persistent global challenge.
When referencing cyber fraud, we’re referring to situations where criminals exploit the Internet or another technology, such as text messaging, to commit fraudulent activities involving the theft of money, data, or identity, or to create counterfeit services such as malicious websites. Lost revenue and damaged customer relationships contribute to fraud’s hidden costs, along with the loss of trust, potential legal and regulatory penalties, and the operational allocation of resources toward combating fraud, which diverts focus from growth and innovation.
Funds obtained through cyber fraud activities are a major revenue stream for organized crime, driving a dangerous and complex ecosystem where illicit activities intersect and fuel each other, creating a vicious cycle. For instance, the link between cybercrime and human trafficking is becoming more pronounced, with criminal networks often using trafficked workers, or luring people into a scam compound in another country through job scams, and forcing them to perpetrate cyber fraud such as romance-baiting cryptocurrency scams in order to generate revenue for organized crime.
These alarming trends highlight the ease with which criminals can exploit cybersecurity vulnerabilities, the sheer scale of online fraud, and its substantial financial impact on businesses. The financial toll of cyber fraud is staggering. The FBI noted that the cost of cyber fraud was $13.7 billion in 2024 in the US alone, a nearly 10 percent increase from 2023, and represented 83 percent of all financial losses reported to the FBI in 2024. Similarly, according to a recent report by the Bank Policy Institute, financial services firms are particularly impacted, with FTC data indicating that consumers reported losing $12.5 billion to fraud, constituting a 25 percent increase over the prior year. Despite these staggering numbers, the actual losses are estimated to be far higher.
This scenario is unlikely to improve absent preventative action. Currently, most enterprises’ efforts to combat cyber fraud are fragmented due to siloed data, systems, and organizational structure. Further, organizations use various tools and platforms across different business divisions and departments, which results in rules being applied inconsistently to isolated pockets of data. This in turn limits visibility and hinders comprehensive detection and prevention efforts. Thus, fraud programs in their current state are time-consuming and resource-intensive, and for the folks on the ground, can feel like playing an endless game of whack-a-mole.
A proactive, preventative mindset is crucial for a holistic defense against fraud. This strategic shift begins by gaining a deep understanding of the common fraudulent activities threatening your business, such as impersonation, phishing, and account takeovers (see Google’s regular Fraud & Scams Advisory, where we share observations on the most recent online scam trends, along with tips to help you stay safe). From there, it's essential to build a scalable risk assessment using a consistent framework, like FS-ISAC’s Cyber Fraud Prevention Framework, which ensures a common lexicon and a unified approach across your entire enterprise. The final piece involves meticulously mapping out the specific workflows where fraudulent activity is most likely to occur. By categorizing these activities into distinct phases, you can pinpoint the exact points where controls can be implemented to disrupt the threat—breaking the chain before a threat can escalate into a breach.
In parallel, consider the types of capabilities that may already be available to support your fraud prevention efforts. Our recent paper, Tackling scams and fraud together, describes our efforts in this space, some of which are highlighted below as illustrative examples.
- Remove scams and fraudulent links, including phishing and executive impersonation, from Google Ads and Google Workspace services through the Financial Services Priority Flagger Program.
- Access 800M+ threat actor signals through the Global Signal Exchange. These signals are shared by Google and other accredited organizations from across different sectors such as tech, telecom, and finance, as well as law enforcement. This cross-sector collaboration not only accelerates investigations and takedowns, but also helps identify infrastructure that bad actors exploit.
- Combat scams across Google products and services using Safe Browsing, WebRisk (for enterprises), AI-powered warnings for Chrome on Android, spam protection on Google Messages, and Scam Detection for voice calls.
- Guard against account takeover through the Advanced Protection Program, which safeguards users by requiring enhanced identity verification, and Cross Account Protection, which enables ongoing cooperation between platforms in the fight against abuse.
Though we continue to combat fraudulent practices by investing in enhancing our capabilities, as well as through other means such as litigation, we recognize that to truly move the needle, broader industry collaboration is needed. That’s why we’ve partnered with industry efforts through FS-ISAC, BPI, ABA, the Global Anti-Scams Alliance, Stop Scams UK, the GSMA Asia Pacific Cross-Sector Anti-Scam Taskforce (ACAST) and the National Elder Fraud Coordination Center to collectively drive fraud detection and prevention forward. Most recently, the U.S. government commended us for our efforts to combat fraud.
The escalating threat of cyber fraud demands a new strategic imperative. Continuing with a reactive, fragmented defense is no longer a viable option; the financial and reputational costs are too significant, and these fraudulent activities will only continue to proliferate. The path forward requires a unified, enterprise-wide strategy—one that moves beyond siloed departments and disparate tools to build a proactive defense model. It also hinges on educating and empowering users to protect themselves.