
The changing face of fraud.
Kim Jones: I am, by nature, a sheepdog in the way that Dave Grossman defined the term in his essay. I have an overly developed sense of justice and a need to keep bad things from happening to good people. This is why I soldiered for many years when there were lucrative opportunities to do other things, and why I chose cybersecurity when I hung up my army greens. So when a friend asked several years ago why security professionals do what they do, I told her what has since become known as my single mom at Walmart story. Picture a single mom shopping at Walmart. She is staying just above the poverty line simply through hard work, determination, and personal resolve. Her kids don't wear new clothes, but they are always neat and clean. Their bellies are never empty, if only through the three jobs she works. It's shopping day. She's clipped her coupons throughout the week and is trying to get her shopping done before she starts her third shift. The kids are tired but well behaved. Her cart is full. She goes up to the checkout counter and swipes her card, and the transaction is declined. She knows there should be money in her account but discovers to her horror that my systems have been hacked, and because of that, someone has stolen her data and stolen all of her money. Regardless of why you got into security, preventing fraud and its impacts on our constituents weighs heavily on us all. Despite our best efforts, the impacts of fraud and consumer scams continue to rise. According to the Federal Trade Commission's 2025 Data Book, consumers reported losing more than $12.5 billion, with a B, to fraud in 2024, which represents a 25% increase over the prior year. This number is not driven by an increase in fraud reports, which remains stable. Instead, the percentage of people who reported losing money to a fraud or scam increased by double digits. Fraud losses impact the bottom line of corporations and can undermine consumer trust in organizations. 
As individuals, we continue to feed the beast that we call the data-driven economy, often at the encouragement or even requirement of business entities. Everyone, whether consumers or cyber professionals, needs to realize the increased potential for fraud or scams should that data become exposed to bad actors. This threat is only exacerbated by the increased processing and analytic power represented by generative AI systems. CISOs must continue to learn how fraud can be limited via more innovative and accurate methods of establishing consumer identity, all without creating friction in the consumer experience. My Two Cents. [ Music ] Welcome back to CISO Perspectives. I'm Kim Jones, and I'm thrilled that you're here for this season's journey. Throughout this season, we will be exploring some of the most pressing problems facing our industry today and discussing with experts how we can better address them. Today, we are looking at fraud and how this long-standing problem has continued to evolve in recent years and how new technologies are primed to exacerbate this problem. Let's get into it. [ Music ] Mel Lanning has been a crusader in the nonprofit sector for over two decades. As Executive Director of the BBB Institute for Marketplace Trust, Mel has directed her passion at helping consumers and small businesses recognize, combat, and recover from fraud and scams. I sat down with Mel to discuss the trends that she is seeing in the fraud space and the impact of those trends.
Mel Lanning: Thank you. No. Before we get started, I just want to say that the views and opinions I express today are my own and do not necessarily reflect the opinion of the BBB Institute, the International Association of Better Business Bureaus, or independently owned and operated Better Business Bureaus.
Kim Jones: Fantastic. This will make sure you stay employed, which is a good thing. [laughter] So let's take this back to -- I like to bring things back to bare concepts and then build from there to make certain that when we all use terms, that we know what we're talking about and what we're not talking about. So you are an expert compared to most of the people who will be listening, and definitely compared to me, but in layman's terms, what's fraud?
Mel Lanning: Yeah, it's a great question, and actually, technically, fraud and scams -- which is what I focus on mostly are scams -- can be defined differently depending on who you speak to. So when I talk about scams, what I mean by that is somebody who is a criminal, who is doing some sort of scheme to steal your money or your identity or whatnot. And so, they may pretend to be somebody else. There may be all kinds of different tactics that they use, but they will convince you to take action, to pay them money. And then, there's fraud, which is very similar, and the difference with fraud is that, oftentimes, it's somebody taking money out of your account where you haven't actually given them permission to do that, so, yes.
Kim Jones: That's interesting. That's interesting. So fraud would require access to my monetary instruments, if you will, my checking account, my credit card, et cetera, that I am not giving them, that they are using to extract my money, et cetera; whereas a scam is convincing me to part with my money.
Mel Lanning: That's correct.
Kim Jones: I know the institution you work for and what it's designed to do. Talk to our listeners about what the Institute for Marketplace Trust does and who it represents within the community. Let's do a little education about that first, please.
Mel Lanning: Yeah, so the BBB Institute for Marketplace Trust is the 501(c)(3) educational foundation of the International Association of BBBs. And so, we are a nonprofit organization. So is the Better Business Bureau, by the way. It's a (c)(6) and has the same mission that we do, which is to foster marketplace trust. But the Institute does a lot of charitable work, and particularly, the biggest part of our portfolio is around scam prevention and educating people on how to protect themselves, creating tools to help them protect themselves, and so forth. And so, we have programs that are delivered by our network of BBBs. As many of you know, there are better business bureaus in all of your communities. And so, we work at the national level to create programs and resources that are then distributed by local BBBs in their local communities.
Kim Jones: Is the target for your education individuals or is it small businesses; is it both? Which is it?
Mel Lanning: It's both, for sure.
Kim Jones: Where are you seeing then the bulk of interest in the services that you provide? Are you seeing small businesses begin to rise to the occasion and recognize that they, themselves, are becoming bigger targets; or are you seeing individuals, or is that something you track?
Mel Lanning: So we get the bulk of our reports to our platform. So just another note, we have a platform called BBB Scam Tracker, and people are allowed to come in and report scams, and they can also, actually, search to find out if they're being targeted because we publish scam reports. So we do a lot of research around that. And so, when you ask about data, that's where I'm referring as I'm going into looking at our research. And the bulk of our reports for scams come from individuals, for sure.
Kim Jones: Okay.
Mel Lanning: And we are trying to -- one of the focuses for us is to get out and understand a little bit better of what's happening because small businesses are definitely being targeted as well. I'm not sure they're reporting it as often as individuals are. And so, it's a matter of self-reporting, right? It can be a problem. It depends on who's reporting and that's what you know. And so, that's the other thing. When we look at what the full impact of scams are, it's hard to understand because we only know what's being reported. And we know there's a lot of people that never report scams when they're targeted.
Kim Jones: Based upon what you're seeing, is there any trend in terms of the types of scams that are being perpetrated, what are the top -- and again, I don't need you to go back into burying you through the data now. Just top of head, what are the top two or three scams that seem to be perpetrated here? And the follow-on to that, has there been any change in terms of those top two or three in the past X number of years?
Mel Lanning: Definitely. So we publish every year what's called the BBB Scam Tracker Risk Report. And it's essentially a full data, year over year, comparing what's happening with scams targeting both individuals and small businesses, and it actually has a list of what we call the riskiest scams. And so, that's how we differentiate what's having the biggest impact on people. So it's not just what's the volume of a specific, what's the most common, it's which scams are actually having the biggest impact on the public?
Kim Jones: So what are you seeing?
Mel Lanning: Yeah, and the way that we decide that is there's three things we're looking at. We're looking at, yes, the volume of a specific scam type. So for example, online purchase scams. Those are the scams where you go online; you buy something at a fake website; and it never arrives, so you're out the money that you spent. About 30% of what we get are online shopping scams. So that has the most volume or exposure, if you will. The second thing we look at is susceptibility, and that's the percentage of people who say they lost money when they're targeted by that specific scam type. So with online shopping scams, it's pretty high. It's like 80-some percent typically report if they ran into that website; they actually went ahead and they paid, and they lost their money. So it's pretty high. And then the third factor is median dollar loss. And that is, on average, how much do people lose when they did lose money to this scam type? And so, for online shopping scams, following up on that, it's pretty low. It's like 100 bucks. You know, so it's the impact, overall, over the last few years. Since the pandemic, that was one of our riskiest scams, just because it was hitting so many people and such a high percentage of people were losing money to them, but the overall loss is pretty low. It's not going to change your life. It's a volume-based attack. It's not trying to steal $100,000 from you. It's trying to steal $100 from 10,000 people. Exactly, exactly. But, however, the thing that you're asking about the change we've seen over the last few years, Kim, and that dropped to number four this year.
Kim Jones: Really? Okay.
Mel Lanning: Yeah, so while it's the most prevalent of the scam types we track, the impact is still the same, but the reason it dropped is because the scams that landed in the top three spots are just having a huge impact on people right now.
Kim Jones: And they are?
Mel Lanning: Yeah. Long story short, the riskiest scam this year is investment/cryptocurrency scams, and that was also riskiest last year. So this is the second year in a row we've seen that happen, and what happens there is that's a combination of a scammer basically promising to get you -- make you money at very little risk to no risk, which we know is not something that's true. There's no investment opportunity that comes with zero risk.
Kim Jones: Yep.
Mel Lanning: So it ranges from all kinds of different opportunities they offer you. They take your money, and they're going to make money for you. The cryptocurrency, we've sort of connected it. That was collected as a separate scam type, but we found that over the last few years that most of the investment scams are crypto now. So a lot of what's happening is people are promising to help you make money in crypto. What they're doing is they're encouraging people to go onto fake platforms and put their money in. What happens is the money appears to be growing and people get very, very excited. And then, they start taking loans out. They start, you know, basically, investing those savings into it because they think I can actually retire early; I'm making all this money on it, not realizing that they're about to lose their life savings.
Kim Jones: So let me -- I want to take us a little bit off that tree branch just a little. I want to come back to talk about what the top two are, because I think it's important. Are we seeing a prevalence, or an uptick, in crypto scams? And again, I understand these are all opinions. I understand that opinions may or may not be fully supported by the data, but you have more data and looking at this closer than we are right now. We've begun to see, at least here in the States, a normalization, if you will, of crypto -- if not an encouragement around crypto -- given the changes in the regulatory framework and the encouragement from the executive branch of government here. Do we -- and this would -- and maybe the timing will help with this. Could this be a contributor? Do you think this is a contributor? Does the timing of this uptick indicate it might be a contributor or am I drawing false inferences, which I very well may be. What do you think?
Mel Lanning: I'm not sure. I think, so for our data, I would tell you there are more of them, but I don't think that's the reason it landed number one. It isn't because of the prevalence. It's because of the massive amount of money people are losing when they do. That's the reason that it's in -- and the other ones on our top three similar. And the other thing I would say on this is crypto is -- there's legitimate cryptocurrency platforms, right? The issue is this is brand new still. There's not as much regulation around it, and anytime that's the situation, scammers are going to come and take advantage of that, right? They're going to try to take advantage of the news. They're trying to take advantage of new technologies, particularly around areas where people may not fully understand how it works, and basically become impersonators to pretend like they know what they're doing and offer up this great opportunity for you. [ Music ] So the second-riskiest are employment scams, and these are hitting young people, particularly, although they're hitting all age groups, but it's -- the number one risk is for the younger age groups that we track. And what happens in this typically is somebody is looking for work, and they have an online interview with a really great potential. It's a job offer that often is remote work. It's great pay. It's low skills like anyone could do it kind of thing. And so, what happens is they get hired and they start work. And the traditional way that this has been perpetrated is the new employer, basically, will say, we are going to send you a check in the mail for office equipment or training or whatever it is that's needed. And as soon as it gets to the person that -- it comes FedEx. They make it look very official. That person is told to put it in their bank account. 
And then, very quickly, they're told transfer that to this other account, and that's the account that we'll be sending you your office equipment, or setting you up for your training, or whatever it is. Then one of the key things about this that I think is interesting is that young people -- I know I have teenagers who don't really know how checks work. They don't know that when you deposit it in the bank that it -- even though it's in your account, it hasn't cleared the other bank yet, and it might not be good, and it may come back out of your account. And so, what's happening is folks are transferring their own real funds before realizing that the bank --
Kim Jones: Before the check clears.
Mel Lanning: Yes.
Kim Jones: So the check itself is kited.
Mel Lanning: Yes.
Kim Jones: You send me a check for $1,000 that doesn't have anything backing it. I transfer you $1,000 out of my account that really exists. So that's now in your account and it's gone forever, and the check you sent me bounces in there, and I disappear as well.
Mel Lanning: Yes.
Kim Jones: Okay.
Mel Lanning: The other interesting thing about this, though, is that one thing about scammers is they change their tactics constantly, right? They're just figuring out -- like I said, they're using anything new that works. So one of the newer employment scams that we're seeing is now people are being hired to do online marketing where they go to a website and they're just checking things off, or whatever, and they're getting paid in crypto. And now, it's the same. It sort of takes you -- it's just a different way to onboard you into the same scam where you end up on these platforms and they're paying you in crypto and you start to see the money, and then you're putting your own money in.
Kim Jones: So you hire me to go review things online, or what have you. You agree to pay me in crypto. So you pay me in crypto within the environment, and I'm being asked to, what, transfer real money out instead to a business account? Is that what's happening, or what's happening?
Mel Lanning: Yeah, what's happening is people start to see the money grow. And so, they're like, wow, I have my own crypto account, and they're paying me and look at how quick it's growing. And so, they get excited to put their own money in to sort of start to make it. It's an investment scam, and it turns into that eventually.
Kim Jones: So we've got crypto scams. We have employment scams. We have a combination of employment scams using crypto. What's the third?
Mel Lanning: The third also can involve crypto as well. The third are romance/friendship scams, and you probably have all heard of these romance scams that have been going on.
Kim Jones: Talk us through it anyway, please.
Mel Lanning: Yeah, so typically, traditionally, what's happened is these are folks who reach out and fill a gap in somebody's life. You know, it's somebody who -- and the reason we changed the name is it used to just be romance scam. It's now romance/friendship scam because it doesn't always have to be a romantic encounter. It could be you just met your best friend, you know, and this is somebody who's there for you always. And so, these are really relationship scams, and they can start in a variety of different ways. A lot of times they start with a random text that's intentionally very vague, but it sounds like they know you. So it might be, hey, are you bringing the plates tonight or something really -- and so, the person is being nice to say you have the wrong thing, which just gives the opportunity for the scammer to start a conversation with the person. And before you know it, you've started a conversation with this person, and it's developed -- it develops into something. It can also happen with a direct message on a social media platform. It can happen on a dating website. It can happen on all kinds of social media where they just -- they connect with you and start a conversation, and what happens with a lot of folks is, and this can particularly happen if somebody is going through a major life change; they've lost their spouse; they've been through a divorce; you know, they're lonely in some way and this person suddenly is their best friend, and they're always there. I've talked to victims who say later, even after they realized it was a scam, how much they missed that person, and this person was the only one that was there for them. Whenever they needed them, they were always there. And so, they're relationship scams, and I say that because in some cases we find out later that this person texted throughout the day for weeks and months on end to build this relationship. 
So the idea is to build trust with this person, and eventually, if it's been going on for months, this person, this is like your best friend. It's no longer this person you met online; it's, this is one of my best friends. And then, it turns into something else where traditionally it would be, you know, somebody who was overseas, and they're stuck in jail, and they need you to send money, or they're stuck in customs and they need you to send -- so there's always a reason, an urgent reason. I'll pay you back, but I need you to send me money. That's the traditional romance scam. It's evolved into the cryptocurrency scams. What we call -- unfortunately, the term law enforcement has used is "pig butchering."
Kim Jones: As I understand that term -- please, correct me if I am wrong -- it amounts to continuing to take different -- as when you butcher a pig or butcher any animal, continue to take different slices of meat and find different ways to actually utilize as many parts of the pig as you can. And in this case, it's the same thing: finding different ways to extract money from your target. Am I reading that correctly? Is that your understanding?
Mel Lanning: Yeah, I think --
Kim Jones: If not, please.
Mel Lanning: Yeah, I mean, I have had it described of just fattening up the pig for slaughter.
Kim Jones: Oh, okay.
Mel Lanning: So you get them to put more and more money in over time, until it's time to finally, like, steal the money.
Kim Jones: So in all three of your -- and I'm going to push a little bit -- and I understand that I'm pushing for opinion, and I understand that this opinion may not be supported by the data, but in all three of these scams, we're seeing crypto variants of this within the environment. First question is, are you seeing an increase in volume of reporting, you know, in recent years?
Mel Lanning: Of reporting specific scam types or just in general?
Kim Jones: Yes, in general.
Mel Lanning: I mean, I definitely think we've seen an increase in crypto scams in general. Like I said, the reason it's on our list is because of the impact and the amount of money people are losing, but I definitely am hearing it more over the last five years for sure. I think the exposure is still fairly low for straight-up crypto investment scams compared to other things like online shopping, but they have definitely gone up over the years.
Kim Jones: So I guess the next question that I would ask is -- we've talked about that for individuals as well -- talk to me about what you're seeing in small business, same priorities within small business, same types of scams targeting, different order in terms of priority against small business? Talk to me.
Mel Lanning: Yeah, so for small business, we're seeing things like phishing and social engineering. That's a big one for small businesses, trying to get employees to click a link and put ransomware or malware. And then, business email compromise is another one that's significant. And that's where somebody pretends to be your boss and sends you a text to say, I'm in a meeting and I can't talk right now, and I need you to wire this money to this account right away.
Kim Jones: I've got to ask, what are we doing wrong, so I can tell the younger CISOs that are out there listening to this, please be better than I am, because clearly I didn't get it right? What do we need to do differently or better?
Mel Lanning: I think, see, I can speak for small business, I guess, more than I can speak to anything else. And I think, for that audience, I think it's just this need for constant training for everyone. And, you know, I think tactics change constantly, even though phishing and, you know, BECs are still around. They're just -- I think you just have to remind staff constantly that this is an issue. And even for my job, I'm constantly in trainings to remind myself because I think, from the social engineering aspect of things, there's all these things you can do on the cyber end to try to do your multi-factor authentication and all this. But I think a lot of scammers are focused on the personal aspect, the human aspect, and trying to get to your employees. And that's why I say, I think, one of the big things is just, it isn't a once and done kind of training with your employees. That's the other thing. So number one, make sure any new employees are constantly updated and they're thinking about this stuff all the time, and then, just have regular trainings. You know, it's got to be something that you talk about quite a bit, especially for small businesses that don't have the resources that big companies might.
Kim Jones: Let's talk a little bit regarding expectation management out in the environment. I remain of the opinion, and again, I know this is a little bit outside your wheelhouse, that there's an expectation of perfection regarding stopping bad guys within cybersecurity. If we were doing our jobs right on my end of the fence, phishing would never happen, scammers would never succeed, et cetera. And I try and remind people that there's been law enforcement around for hundreds, if not thousands, of years in one form or fashion; yet, crime has not been eradicated. So is this a case of we need to expect that scammers will -- a scammer is going to scam, and people are going to be hit, and we probably need a different metric in terms of how we measure whether or not we are being successful or not. Am I being unrealistic or does that make sense to you, and -- talk to me?
Mel Lanning: I think it makes sense. I think those of us who are in this field and talk about scams all the time, it's really frustrating because it just continues to evolve and scammers evolve, and we evolve with it. So I think to your point, we've made a lot of changes, and we've done a lot of good to try to protect people. It's just that we're advancing at the same level with these scammers, right? So they're using the technology to scam people, and I guess my hope is that we can use AI to stop scammers. I'm hopeful that there's a way, and I don't know what that is, to sort of use AI to sort of detect in real time scams and try to help more. The one thing I am seeing in the work that I'm doing is you can't pin this on one organization or one segment of society, right? If we're going to solve this problem, we have to work with government agencies and businesses and big companies and non-profit organizations. We all have to be working together to figure this out.
Kim Jones: Okay. So let me push you for specificity, if possible. You are now a Supreme Ruler and Empress of the World for a Day, so you now have an opportunity to fix or solve this problem. What are the top three things that you would be doing or arm-twisting, encouraging, cajoling, et cetera, the world to do to help make it harder on the bad guys?
Mel Lanning: I don't know if I have three, but I would say that the top thing for me, I think, and there's work being done through the Aspen Institute with about 80 different organizations, including ours, to figure this out, and it includes companies; it includes non-profits; it includes government agencies. And the number one thing in the United States that they're looking at is a national fraud strategy that is driven by the government, because other countries are ahead of us in a lot of respects in terms of taking this issue on. And so, that's one thing I would love to see happen is there be -- and the thing is, I think what gets confusing is, yes, there are a lot of government agencies dealing with scams, and I could name off about 10 of them. The problem is, I think, that they're all kind of out there on their own doing it. I think there needs to be a unified strategy where you bring everyone together to figure this out, and I think that would -- that's the hope from this work that's being done right now. And this fall, I know they're going to be coming out with their recommendations for that.
Kim Jones: Fantastic. If there's one thing you'd want my audience to know and these listeners to know that we haven't talked about, what would that be?
Mel Lanning: Can I give it two, two things?
Kim Jones: Of course.
Mel Lanning: Sure. If you get targeted by a scam, please report it. That information is critically important to us, to everybody that's doing this. If we don't know what's happening, we can't warn people; we can't try to stop the scam in the future. And then, the other one is just to think about people who have been through this. If you know someone who has been scammed, think about how you react to them because there's a lot of shame for victims of financial fraud, and it's different than other crimes. We talk about it differently. We treat them differently, and it's something that can be incredibly embarrassing, but we know that these scammers are professional criminals. So we have to put the blame on the criminal, and not on the person, and not make them feel worse. So that's the other thing I would just say for anyone out there that knows somebody who's been through one of these scams, is to step back and think about how you handle it and how you help them.
Kim Jones: That was fantastic, and we will leave it there. Before I conclude, though, one question. Can anybody get access to the reports, et cetera, that your institute puts out?
Mel Lanning: Yes. They're all free on our website. If you go to bbbmarketplacetrust.org, there's a whole section on research, and all of our reports are available for free. Also, go to bbbscamtracker.org if you want to report scams or you want to search to find scams that have been published. That's another thing, if we could put it in a blog, because we estimate that we are able to help people avoid losing about $43 million last year alone by using Scam Tracker.
Kim Jones: We'll make sure that both those links end up in the blog, so as always, this was educational. You are always a joy to talk to, and let's not make it six months until we talk again. Thank you so much for giving us your time and your energy and your knowledge. We really appreciate it.
Mel Lanning: Thanks, Kim. [ Music ]
Kim Jones: And that's a wrap for today's episode. Thanks so much for tuning in and for your support as N2K Pro subscribers. Your continued support enables us to keep making shows like this one, and we couldn't do it without you. If you enjoyed today's conversation and are interested in learning more, please visit the CISO Perspectives page to read our accompanying blog post, which provides you with additional resources and analysis on today's topic. There's a link in the show notes. This episode was edited by Ethan Cook with content strategy provided by Ma'ayan Plaut, produced by Liz Stokes, executive produced by Jennifer Eiben, and mixing, sound design, and original music by Elliot Peltzman. I'm Kim Jones. See you next episode. [ Music ]
