- Expert quote: A new report out today describes the rise of scams as a "global conflict" and a "whole-of-society threat to America."
- Supporting data: Reported fraud losses increased 25% from 2023 to 2024, according to federal data.
- Forward look: As Congress faces down the expiration of a major cybersecurity law, a new report highlights consensus recommendations on new anti-scam policies.
Overview bullets generated by AI with editorial review
Cybersecurity Awareness Month arrives this week against a sobering backdrop: consumer losses from fraud have surged to $12.5 billion, a 25% increase in just one year. In response, the financial industry, consumer advocates and the federal government have rolled out a coordinated effort to fight back.
Throughout October, organizations from the American Bankers Association to the federal government's lead cybersecurity agency will be pushing new campaigns and security frameworks aimed at protecting both consumers and the nation's critical financial infrastructure.
Here are the most important developments to watch, from new anti-scam strategies to useful updated resources.
A major national strategy against scams is released
The biggest announcement to kick off Cybersecurity Awareness Month on Wednesday came from the Aspen Institute, which released
Members of the steering committee that developed the report represented JPMorgan Chase, Zelle, Block, Plaid, Amazon, Target and others.
Other members of the task force that developed the report included Bank of America, Citizens, Wells Fargo, Visa, PayPal, TransUnion, the American Bankers Association and the Bank Policy Institute.
The 70-page strategy document functions as a blueprint for how companies, the U.S. government, and others can combat a problem that the report calls a "global conflict" and "whole-of-society threat to America."
The strategy document emphasizes that artificial intelligence and faster payment options are making scams more destructive and widespread. Financial services — including banking, payments, fintech, and crypto — are among the sectors scammers exploit.
The report urged government and corporate leaders to modernize legal frameworks and enhance incentives for action.
Duty of care in need of revamp
A critical component of the framework organized by the Aspen Institute is addressing the current ambiguity regarding the duty of care to suppress scam activity across sectors.
Because the report serves to document the consensus between various consumer advocates, banks and other stakeholders, it does not reach a conclusion on the core, nuanced subject of the duty of care (who should be liable) when a consumer is tricked into authorizing a payment to a fraudster.
However, the report does note that there is currently no clear or consistent duty of care to suppress scam activity across sectors targeted by scammers, such as telecommunications, digital platforms and financial services. This ambiguity creates tension, as companies fear undue liability if clear mandates are established.
So, the strategy calls for Congress to normalize duties across sectors and enact good Samaritan liability protections for companies that act reasonably and in good faith against scams. These protections would help de-risk corporate participation in scam suppression efforts.
The report also cited the Australia Scams Prevention Framework as an international model, noting it provides a safe harbor protecting firms from liability when they take reasonable, proportionate and good-faith action to block suspected scams.
Corporate policies and other improvements
The strategy advocates that companies maintain robust anti-scam policies covering the entire scam lifecycle and ensure C-suite leaders own and review these policies regularly.
Financial institutions often serve as the primary point of contact for fraud victims, as seven in ten victims reported directly to their financial institutions.
As such, the report advocates that banks enhance their capabilities to detect suspicious activity and invest in private information exchanges with companies in other sectors. This involves improving reporting and recovery mechanisms, and sharing actionable scam intelligence with law enforcement agencies.
The strategy also calls for companies to continuously improve just-in-time warnings and interventions for customers and take reasonable steps against suspicious activity based on actionable scam intelligence.
Finally, the report recommended creating a single federal reporting portal, such as "stopscams.gov," so companies and victims can submit all scam information quickly, enabling data intake that is standardized and automated.
This system would distribute information automatically to relevant databases like the FBI's Internet Crime Complaint Center (IC3), FTC Sentinel, and FinCEN's Suspicious Activity Reports (SARs) system.
ABA relaunches two consumer protection campaigns
The ABA announced on Wednesday the relaunch of its consumer protection campaigns, #BanksNeverAskThat and #PracticeSafeChecks.
The sixth year of the #BanksNeverAskThat campaign introduces the new theme, "Snap Out of It!" This theme encourages people to trust their instincts and recognize suspicious messages, urgent requests or offers that seem too good to be true.
The campaign uses videos, quizzes and social media content to highlight common methods scammers use to impersonate banks. This content emphasizes that scammers often employ psychological tactics to earn trust and manipulate victims.
The ABA toolkit includes resources for banks including sample social media posts, branch and ATM signage, and new videos in both English and Spanish for registered banks.
The #PracticeSafeChecks campaign, now in its second year, returns with a new focus on small businesses, which often become targets due to the larger dollar amounts typically found on business checks.
The campaign suggests small businesses adopt digital payment options whenever possible. For safer check usage, the ABA recommends small businesses enroll in positive pay, which matches checks presented for payment against a list of authorized checks provided by the business, and other fraud prevention strategies.
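The matching step behind positive pay can be sketched in a few lines; this is an added illustration, not ABA or bank code. The record fields, the payee comparison and the duplicate check are assumptions that go beyond the basic list match described above, and all sample checks are constructed.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Check:
    account: str
    number: int
    amount: Decimal
    payee: str

def normalize(name):
    # Compare payees case-insensitively and ignore spacing differences.
    return " ".join(name.upper().split())

def positive_pay(issued, presented):
    """Return (check, decision, reason) for each presented check."""
    register = {(c.account, c.number): c for c in issued}
    paid = set()  # check keys already honoured in this run
    results = []
    for item in presented:
        key = (item.account, item.number)
        match = register.get(key)
        if match is None:
            results.append((item, "EXCEPTION", "not on issue file"))
        elif key in paid:
            results.append((item, "EXCEPTION", "duplicate presentment"))
        elif item.amount != match.amount:
            results.append((item, "EXCEPTION", "amount mismatch"))
        elif normalize(item.payee) != normalize(match.payee):
            results.append((item, "EXCEPTION", "payee mismatch"))
        else:
            paid.add(key)
            results.append((item, "PAY", "matches issue file"))
    return results

# Constructed issue file, as the business would upload it to its bank.
ISSUED = [
    Check("1001", 5001, Decimal("1250.00"), "Acme Supply LLC"),
    Check("1001", 5002, Decimal("310.45"), "City Water Dept"),
    Check("1001", 5003, Decimal("8000.00"), "Northside Roofing"),
]
# Constructed presentments: one clean item and four kinds of exception.
PRESENTED = [
    Check("1001", 5001, Decimal("1250.00"), "ACME SUPPLY  LLC"),
    Check("1001", 5002, Decimal("3100.45"), "City Water Dept"),
    Check("1001", 5003, Decimal("8000.00"), "J. Doe"),
    Check("1001", 5001, Decimal("1250.00"), "Acme Supply LLC"),
    Check("1001", 5999, Decimal("400.00"), "Cash"),
]

if __name__ == "__main__":
    for check, decision, reason in positive_pay(ISSUED, PRESENTED):
        print(check.number, decision, reason)
```

Items marked EXCEPTION are the ones a bank would hold for the business to approve or return rather than pay automatically.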
The ABA also offers consumers tips on identifying phishing attempts across various channels, noting that real banks utilize spell check and will not use scare tactics or high-pressure language to encourage quick action.
CISA focuses on critical infrastructure resilience
The theme of building a cyber-strong America will organize the October campaign by the Cybersecurity and Infrastructure Security Agency (CISA), the federal lead for Cybersecurity Awareness Month.
Financial services is one of the 16 sectors designated by the U.S. as a part of the nation's critical infrastructure that provide vital services to Americans. Other sectors that get this designation include food and agriculture, energy, healthcare, water, information technology and transportation.
CISA emphasizes that organizations that own, operate or support critical infrastructure and the supply chain have an important role in cybersecurity. The agency provides no-cost information, services, and tools to guide organizations in implementing cybersecurity best practices.
CISA recommends four cybersecurity practices as the foundation of organizational security:
- Teach employees to avoid phishing. Recognizing and reporting suspicious emails and links can prevent many types of cyberattack.
- Require strong passwords. CISA advises strong passwords should be long (at least 16 characters), random, and unique and suggests using five to seven unrelated words as a passphrase (rather than a long string of random letters).
- Require multifactor authentication (MFA). CISA suggests requiring MFA for users of all kinds to add an extra layer of security, making accounts significantly safer. The agency also recommends using phishing-resistant MFA, such as security keys or authenticator apps with number matching, where available.
- Update business software. Organizations should promptly install security updates and patches when they are released because outdated software can contain exploitable flaws.
Many of these recommendations are actually requirements for banks. For example,
CISA encourages organizations to share cyber incident information with CISA and notes that early reporting helps protect other organizations and improves national defense.
CISA also advises organizations to encourage their partners, vendors, and customers to follow cybersecurity best practices. Again, for banks, this is more than a suggestion; federal and certain state regulations require financial institutions to engage third-party providers to conduct risk assessments.
Bank Policy Institute focuses on information sharing
The Bank Policy Institute (BPI) said in its announcement Wednesday that the financial services industry often sets the "gold standard" for cybersecurity and information-sharing, adhering to rigorous standards like the Gramm-Leach-Bliley Act, the FFIEC IT Examination Handbook, the Fair Credit Reporting Act and state and international data security laws.
Despite these sophisticated systems and significant investments, BPI acknowledged that cyberattacks continue to grow in scale and sophistication, fueled by hostile nation-states and complex criminal networks. Cyber threats remain a primary concern among bank leadership and regulatory agencies, according to the group.
BPI's executive vice president and head of its cybersecurity division, Heather Hogsett, said that the industry must work with government partners to maintain awareness of cyber incidents and vulnerabilities.
However, Hogsett also cautioned that the current state of cyber regulations often detracts from vital work, such as implementing next-generation technologies and responding to daily incidents. BPI has emphasized the need to streamline and align overlapping and duplicative regulatory reporting requirements.
To enhance defense, BPI also emphasized its support for preserving liability and antitrust protections to encourage intelligence sharing between banks and urged Congress to renew CISA 2015, a cybersecurity law that provides these protections, before its September 30 expiration.