Scammers like to repackage tried-and-true schemes with new twists to attack the innocent.
Year after year, the descriptions and nuances change slightly, but many of the attack vectors look much the same as in years past. Often, it’s just the fraudsters repackaging an old scheme with a new bow. Everyone with an opinion publishes what they believe to be the top fraud attack vectors to watch out for.
Regardless of the size or segment of your business, or even if you are a consumer, fraudsters are looking for ways to penetrate your defenses and find a pathway to steal your money or data.
Here are the top 5 fraud predictions to look out for in 2025.
Business Email Compromise
Year after year, fraudsters successfully use variations of this attack method and the number of victims continues to increase. Whether it’s executive, vendor or employee impersonation, the use of email communications to request the creation of a payment or a change in an existing payment is still working. It is extremely important that you and your employees maintain a cautious approach when acting on requests received via email. The use of artificial intelligence and large language models will make these emails even more difficult to detect. It’s unfortunate, but we just can’t trust the authenticity of email communications.
Many businesses have successfully implemented a callback control within their process to identify threats and stop these unauthorized requests. We call it STOP-CALL-CONFIRM. If you receive a request via email or text to originate a payment or change an existing payment, STOP your process, pick up the phone and CALL the requestor at a number you know (not the number in the email or text), and CONFIRM the request is legitimate. It’s a simple way to verify these requests and avoid becoming a victim.
Trusted Partner Impersonation
This attack vector involves the fraudster posing as a “Trusted Partner” to convince their victim to provide critical data and information to carry out the fraud. Fraudsters will attempt to obtain private information, such as log-in credentials, passwords and other sensitive information and convince you they are legitimate by spoofing the phone number of a trusted partner like your bank, investment advisor or credit card company.
Fraudsters may also create fraudulent websites or advertisements that surface when a victim uses a search engine to reach a legitimate site, like your banking platform. Fraudsters will pay to optimize these sites so they are the first thing that appears in your search. It’s best to never use your search engine to access a financial transaction platform and be leery of advertised sites. Always bookmark the correct URL for the platform or create a desktop shortcut for easy access.
“Trusted Partner Impersonation” creates another opportunity for the use of artificial intelligence. Fraudsters create deepfake audio or video to sound even more convincing. They may ask you about a transaction on your account and offer assistance in removing the transaction – if you will provide your user ID and password to them. DON’T DO IT!
Your best defense is to hang up the phone and either log into your account and research the transaction yourself or contact the partner at a number you know to report the issue and ask for help. A great deal of the background information used by the fraudsters to perpetrate this scheme is obtained through social engineering. Be cautious about the information you post to your social media accounts and, when possible, utilize biometric authentication protocols, dual control and multi-factor authentication.
Check Fraud
The alteration of issued checks and the creation of counterfeit checks have become a plague on both businesses and consumers. Stopping this attack vector has become extremely difficult. Checks innocently placed in the mail have been intercepted in transit, altered and negotiated into accounts controlled by fraudsters. Fraudsters use the dark web and other communications channels to train other criminals on how to steal, wash and deposit these payments.
Avoiding writing checks is the simplest and most effective way to thwart this attack. For consumers, using your bill pay platform or paying by credit card may help. For businesses, utilizing services like Positive Pay with Payee Name Verification can assist in identifying altered checks, and converting your payments to a digital alternative may also help, but it is important to implement proper payment controls like dual control and least-privilege access. Businesses may also add services like Integrated Payables and CashflowIQ.
Ransomware
Companies, municipalities, school systems, hospitals and critical infrastructure providers continue to be targets, and news feeds are full of reports of organizations that have experienced a ransomware event. Many of the attacks are less about the ransom demand and payment than the acquisition of sensitive data. Fraudsters will monetize your data by selling it to other fraudsters on the dark web.
Make sure you have adequate and secure backups of your network and partition your sensitive data behind advanced protections. Continually educate your employees on the importance of caution and diligence around protecting your network. Avoid opening email attachments from unknown senders and accessing suspicious websites, and create processes to protect your network from unauthorized device access.
Scams, Scams, and More Scams
Fraudsters continue to find creative ways to convince us to provide sensitive information, make payments or otherwise take advantage of our good nature. Some include posing as a family member in trouble, fictitious charities, tech support problems, home repair, offers of prize winnings and an unheard-of lowest price on a hard-to-find product.
It pays to be suspicious and cautious before acting. A good rule of thumb: always verify, and if it seems too good to be true, it probably is.
Remember, businesses of all sizes and segments are at risk of becoming a victim. Education and awareness continue to be at the forefront of avoiding each of these situations. The more you educate yourself and your staff on how to identify potential fraud attacks, the greater your likelihood of avoiding becoming a victim.