Fighting Cyber-Enabled Fraud 2025

Page 5 of 31 · WEF_Fighting_Cyber-Enabled_Fraud_2025.pdf

Introduction

Cyber-enabled fraud continues to increase in scale and exact a heavy toll on individuals and organizations around the world. Phishing – including smishing, vishing and other varieties – while hardly a novelty, remains at the core of these threats. Despite significant public- and private-sector efforts to pursue offenders, while also promoting security and educating potential victims, phishing persists as a significant vector for scams, fraud and cyber intrusion. As a result, several policy-makers (see Box 1) have begun calling for a shift in the cybersecurity burden of protecting consumers from scams and fraud, away from those with fewer resources who face the downstream effects towards those further upstream who are in the best position to act at scale. The goal of such shifts is to enable implementation of systemic solutions that operate at scale.

The growing scale and impact of cyber-enabled fraud and phishing are escalating to become one of today’s most pressing global challenges.

BOX 1 National policy on shifting the burden

Cyber risks for members of the public will be minimised by largely removing responsibilities for the security of digital products and services from small and medium-sized enterprises (SMEs) and individuals, and placing them with government, manufacturers and service suppliers.
Netherlands Cybersecurity Strategy,1 p. 19

Today, end users bear too great a burden for mitigating cyber risks … The most capable and best-positioned actors in cyberspace must be better stewards of the digital ecosystem.
US National Cybersecurity Strategy,2 p. 4

This strategy aims to remove as much of the burden of cyber security from citizens as possible ... and transfer the burden of cyber security risk away from end users and towards those best placed to manage it.
UK National Cyber Strategy,3 pp. 36 and 66

The internet ecosystem is composed of layers of digital infrastructure services upon which consumer-facing online services rely, all underpinned by the payments ecosystem (see Figure 1). Understanding these layers in terms of upstream and downstream positioning reveals distinct opportunities for intervention:

– Upstream digital infrastructure services are those that supply foundational services upon which other companies and platforms build. These services include backbone internet service providers (backbone ISPs), the domain name system (DNS), public key infrastructure (PKI), web hosting and content delivery networks (CDNs). Because they often serve other businesses rather than end users directly, upstream providers may appear more distant from consumer harms; however, their actions to prevent fraud and abuse can have ecosystem-wide impact.

– Downstream online consumer services are those positioned closer to end users, and thus such providers face more direct user-trust risks than those upstream. These services include “access” internet service providers (access ISPs) and mobile network operators, consumer-facing platforms and application providers. Because they interact directly with end users, harms and abuses are more visible to them, often incentivizing bundled security services and robust trust and safety practices. These interventions have an immediate impact on served end users.

Fighting Cyber-Enabled Fraud: A Systemic Defence Approach 5