Imposter Scams Drain $3.5 B from U.S. Consumers in 2025, FTC Reports
What Happened — The U.S. Federal Trade Commission (FTC) disclosed that Americans lost $3.5 billion to imposter‑type scams in 2025—nearly three times the amount reported in 2020. Imposters pretended to be banks, government agencies, or other trusted entities across SMS, voice, email, social media, and search results, with bank‑impersonation alone accounting for roughly $1 billion of the loss.
Why It Matters for Compliance & Audit Readiness
- The attack pattern mirrors the “Phantom Hacker” multi‑stage social‑engineering flow that SOC 2 access‑control policies are designed to detect and mitigate.
- Continuous evidence of employee training, verification procedures, and incident response satisfies the SOC 2 CC6.1 (Logical Access) and CC6.2 (User Management) controls.
- Verisq’s Security Awareness Training capability provides audit‑ready documentation of program updates, phishing‑simulation results, and policy adoption—key artifacts for a defensible SOC 2 audit.
Who Is Affected — Financial services, government agencies, retail/e‑commerce, and any organization that handles consumer‑direct communications.
Recommended Actions
- Map the multi‑stage imposter scenario to SOC 2 CC6.1/CC6.2 controls and update your security‑awareness curriculum accordingly.
- Capture training completion, simulation metrics, and verification policy logs as continuous compliance evidence.
- Conduct periodic tabletop exercises that replicate the “Phantom Hacker” flow to test detection and response.
Source: Fortra Blog – Imposter scams cost Americans $3.5 B in 2025
Technical Notes
- Attack vectors: phishing via SMS (smishing), voice (vishing), email, social media, and search‑engine spoofing.
- No specific CVE; the threat leverages social‑engineering rather than software flaws.
- Primary data type compromised: financial credentials and personal identifiers used to authorize transfers.
Source: [Fortra Blog – same link]