Fighting Cyber-Enabled Fraud 2025

Page 10 of 31 · WEF_Fighting_Cyber-Enabled_Fraud_2025.pdf

BOX 3 Funnull: A criminal proxy service

In 2025, the United States Federal Bureau of Investigation (FBI) issued a cybersecurity advisory on Funnull, a criminally operated infrastructure service supporting large-scale cryptocurrency fraud and phishing campaigns.32 At the same time, the US Treasury’s Office of Foreign Assets Control (OFAC) announced sanctions on Funnull and its administrator for enabling hundreds of thousands of fraudulent sites involved in virtual currency investment scams by purchasing internet protocol (IP) addresses and registering hundreds of thousands of domains in bulk from major cloud service companies worldwide and selling them to cybercriminals to host scam platforms and other malicious web content.33,34

The case illustrates how illicit infrastructure can be purpose-built for abuse, mirroring the techniques available through legitimate services but dedicated entirely to criminal activity. Funnull’s takedown highlights the importance of targeting malicious infrastructure providers while also strengthening cooperation with legitimate intermediaries to prevent abuse.

Text messaging and voice calls are a prominent and growing phishing vector: While email remains the primary phishing delivery mechanism, text messaging (smishing) and voice calls (vishing) have emerged as prominent and rapidly growing attack vectors. Fraudsters exploit SIM farms – devices that emulate large banks of cell phones – and “Cash for SMS” apps that rent unused messages to bypass legitimate channels and send scam messages at scale. The volume is immense: UK operators have blocked more than 1 billion suspected scam texts since 2023, while voice phishing attacks surged by 442% in 2024, driven by AI-powered social engineering.35,36 These attacks have affected 70% of organizations globally.37

Migration to internet-based protocols such as rich communication services (RCS) offers security improvements over traditional SMS, including verified sender identities and encryption in transit. However, implementation gaps have introduced new vulnerabilities. Attackers exploit inconsistent verification systems to spoof verified brands and bypass traditional SMS filters, taking advantage of the convergence of mobile and internet messaging to evade carrier-level controls.38 Regulatory approaches to smishing remain under development, with effective solutions, such as SMS inspection, needing to be reconciled with privacy requirements.39

Fighting Cyber-Enabled Fraud: A Systemic Defence Approach

Cyber-enabled fraud is one of the most pressing threats facing the digital economy today. At Mastercard, we believe that a systemic defence approach – anchored in collaboration, threat intelligence and proactive controls – is essential to protecting consumers and businesses alike. As we work across the digital ecosystem to strengthen prevention, embed security-by-design and accelerate mitigation, we can raise the collective resilience of the digital infrastructure we all rely on.

Johan Gerber, Global Head of Security Solutions, Mastercard