The Federal Trade Commission's 2025 consumer protection report contains one figure worth a second read: Americans lost $3.5 billion to imposter scams last year, nearly three times the 2020 total. Security leaders already understand that AI has accelerated social engineering at the enterprise level. What the FTC data adds is a ground-level performance benchmark: these attacks are working at volume, against people with no security training, no threat briefings, and no simulation experience. Hany Farid, a digital forensics expert and professor at UC Berkeley's School of Information who works with Fortune 500 executives and law enforcement on AI-enabled threats, put the enterprise exposure in plain terms during a 2026 lecture at Berkeley: "The enterprise is getting attacked at a scale that they have not seen before. And for every one of these that you see in the newspaper, I can tell you there's 10 of them that you don't — because people don't want to talk about it."
That context matters. The FTC's $3.5 billion figure measures how well these attacks perform when an adversary has unlimited volume, low cost, and no institutional resistance. Enterprise employees face the same attack architecture, with the added exposure of organizational access and higher-value targets. It also points directly to where the organizational leverage is for teams that are already investing in employee defense programs.
Reading the FTC Data Through an Enterprise Lens
Imposter scams follow a consistent architecture. An attacker establishes the identity of someone the target trusts: a government agency, a financial institution, a technology vendor, or a known colleague. From there, the campaign introduces urgency and requests an action: a credential verification, a payment, a data transfer. In 2025, this attack category produced the largest share of consumer fraud losses in the United States, with the growth rate accelerating sharply.

The driver is AI, and it has changed the economics of impersonation in ways that affect enterprise environments directly. Producing a convincing phishing message once required time, research, and skill. Today, an attacker can pull open-source intelligence on an organization or individual, generate personalized content across email, SMS, and voice, and do it at a scale that was operationally impossible a few years ago. Voice cloning now requires seconds of audio. The output is persuasive enough to pass a quick judgment call by someone who has seen plenty of phishing attempts.
As Fred Heiding, a Research Fellow at Harvard Kennedy School's Belfer Center for Science and International Affairs, found in a peer-reviewed study of AI-automated attack chains: "AI-enhanced spear phishing models have proved capable of performing as well as or better than humans conducting the same operations manually in just a fraction of the time. All told, automating the attack chain may reduce spear phishing costs by up to 99 percent at scale."
The FTC's consumer losses track directly with this capability shift. Attacks have gotten harder to distinguish from legitimate communications, and that credibility gap is precisely what the numbers measure. Security teams that factor this into how they calibrate their employee programs are working from a more accurate model of the current environment.
The Channel Gap Most Programs Haven't Closed Yet
Most mature security awareness programs are built around email phishing. That made sense when email was the dominant attack channel, and the investment has paid off: email recognition rates at well-trained organizations are meaningfully higher than they were five years ago.
The FTC data reflects a more distributed picture. A significant portion of the impersonation campaigns in the report reached victims over the phone, via SMS, and in some cases through video. Enterprise attacks are following the same channel migration. The organizational defenses are often considerably thinner outside of email, and the simulation coverage that has trained employees to spot a suspicious link has not yet extended, at most companies, to a cloned voice or a personalized text.

The Verizon 2026 Data Breach Investigations Report puts numbers to that exposure. Employees are roughly 40 percent more likely to fall for a phone-based attack than an email phish, a gap the report's authors attribute to the authority and real-time pressure those calls carry. The same report now tracks pretexting, meaning voice and chat-based impersonation, as its own separate category, accounting for 6 percent of all breach entry points.
Bruce Schneier, a Fellow and Lecturer at Harvard's Kennedy School and one of the field's most cited security researchers, documented a sophisticated multi-channel phone impersonation attack in 2025 and drew a conclusion that cuts through the technical framing: "It happens to smart people who know better. It could happen to you." The observation matters for program design. Susceptibility to voice and SMS attacks is less about employee awareness gaps and more about the structural advantage those channels carry for an attacker: live interaction, escalating pressure, and the absence of the visual cues employees have been trained to inspect in an email.
This is the most practical read of the FTC report for a security leader: the employee population that performs well on email phishing simulations is largely untested on voice, SMS, and AI-generated video scenarios. Those channels carry genuine risk, and the organizational muscle for recognizing and reporting threats across them is underdeveloped at most companies, even those with strong email-focused programs.
Three Areas Where Mature Programs Are Expanding
As Heiding noted in a May 2025 analysis published in Lawfare, "Unlike technical systems, the human brain cannot be easily patched to recognize deceptively realistic spear phishing emails and deepfake videos." That constraint defines both the challenge and the opportunity. The organizations making the most measurable progress on AI-powered social engineering are adjusting their programs in three consistent ways.
- Extending simulation coverage to voice and SMS. Organizations running simulations exclusively over email are measuring a subset of the employee risk surface. Adding voice and SMS scenarios exposes employees to the channels where AI-powered attacks are increasingly landing. A workforce that has fielded a simulated call from a cloned executive voice is better prepared to recognize the same attempt under a live attack, including the specific pressure patterns that make those calls effective.
- Updating training content on a cadence that matches how fast attack tactics change. AI-powered impersonation methods are evolving quickly enough that training developed eighteen months ago may no longer reflect what employees encounter. Programs that update content in response to current attack patterns, and that personalize scenarios to the employee's role and organizational context, consistently outperform static annual modules on detection outcomes. The content gap is often more significant than the coverage gap.
- Reinforcing reporting as a security contribution. One of the clearest indicators of a high-functioning security culture is the volume of employee-reported suspicious messages. An employee who flags a questionable voice call provides something the perimeter cannot: early signal about what is being attempted across channels that often have no technical controls. Organizations that make reporting easy, acknowledge it visibly, and treat it as a front-line contribution rather than a compliance behavior get earlier warning and faster response. The reporting culture is the feedback loop that keeps simulations and training aligned with current attacks.
These three elements build on each other. Broader simulation coverage creates channel familiarity. Current, role-relevant training builds retention. A strong reporting culture extends the organization's detection reach to every communication channel, including the ones that have not yet been locked down technically.
The Return on Preparedness
The FTC's $3.5 billion figure represents what these attacks cost when there is no structured preparation. Enterprise employees have access to training, simulation, and organizational support that most consumer fraud victims do not, and that gap is where security awareness investment produces its most measurable return. The organizations with the clearest advantage are those extending that preparation to the channels and attack types generating the next wave of losses: voice, SMS, and AI-generated video.