The Fraud Gap: Losing a War You Haven’t Declared


[Image: upward-trending financial chart with a highlighted arrow, representing rising fraud losses alongside growing security spending]

    Security budgets keep climbing. So do fraud losses. The disconnect reveals a fundamental mismatch between where organizations invest and where attackers actually operate.

    Every year, organizations spend more on cybersecurity—and every year, fraud losses climb higher. It’s not that the investments are wasted, exactly, but rather that they’re concentrated in places where modern attackers have largely stopped looking. The enterprise security stack has become formidable at protecting networks, endpoints, and internal systems. Meanwhile, attackers have simply moved outside the perimeter, targeting customers, impersonating brands, and operating in digital spaces that traditional security tools were never designed to monitor.

The numbers tell a story of escalating asymmetry. U.S. consumers reported losing $12.5 billion to fraud in 2024, a 25% increase from the prior year, and those figures capture only reported incidents, which the FTC estimates represent a fraction of actual losses. At the same time, enterprise security budgets have grown 17% year-over-year, with mid-sized organizations increasing spending by 11%. Boards receive regular threat briefings, and the language of cyber risk has thoroughly penetrated the corporate lexicon.

    Yet the losses keep mounting, which suggests something more fundamental than inadequate investment. Organizations have built sophisticated defenses against certain threats while remaining largely blind to others.

    The external threat blind spot

    Most security programs concentrate on protecting assets within organizational boundaries: networks, endpoints, cloud infrastructure, and the data that flows between them. This focus makes intuitive sense because these are the assets security teams directly control, and breaches of internal systems carry clear regulatory and reputational consequences.

    But the focus creates a substantial blind spot around threats that originate and often execute entirely outside those boundaries. Brand impersonation happens on domains the organization doesn’t own, phishing campaigns target customers using infrastructure that never touches corporate systems, and executive impersonation occurs through social media accounts that security teams have no authority to manage. Fraudulent mobile applications distribute through third-party stores that exist beyond organizational oversight.

    These external threats damage organizations just as surely as breaches of internal systems. Customers who lose money to impersonation scams blame the brand, not the criminals, and reputation suffers regardless of where the fraud originated. Yet most enterprises lack systematic visibility into these external attack surfaces. Security operations centers monitor internal telemetry in real time while remaining unaware of phishing sites harvesting customer credentials under their brand’s logo.

    The detection and response gap

    Even when organizations attempt to address external threats, the operational model often doesn’t match the speed at which attacks unfold.

According to IBM research, organizations take an average of 207 days to identify a data breach, a figure that has improved only marginally despite billions in security investments. Attackers running external campaigns such as phishing operate on a far shorter clock: half of all phishing victims fall prey within 24 hours of campaign launch, and many are compromised in the first hour.

    Traditional approaches to brand protection operate on cycles measured in days or weeks, with manual monitoring, periodic sweeps, and human-driven takedown requests. This cadence made sense when creating a convincing phishing site required meaningful effort. Against AI-powered fraud operations that can spin up sophisticated impersonation campaigns in minutes, the mismatch has become untenable.

    Business email compromise illustrates the gap vividly. The FBI reports that BEC attacks have accumulated over $8.5 billion in losses over the past three years, making them among the most financially damaging cyber threats. Yet many organizations still treat BEC primarily as an email security problem, focusing on filtering and user training rather than monitoring the external infrastructure—lookalike domains, compromised vendor accounts, and reconnaissance on professional networks—that enables these attacks. Our analysis of LinkedIn as a fraud platform explores how attackers use professional networks to research targets and build the contextual knowledge that makes BEC attempts convincing.

    The coordination problem

    Addressing external threats requires capabilities that often don’t exist within traditional security organizations, or that span multiple departments without clear ownership.

    Brand protection may sit with legal or marketing, viewing impersonation primarily through a trademark lens rather than a security one. Social media management resides with communications teams who lack security expertise. Customer service handles fraud complaints reactively without feeding intelligence back to security operations. Executive protection, if it exists at all, focuses on physical security rather than digital impersonation.

    This fragmentation creates gaps that attackers exploit readily. A coordinated impersonation campaign might simultaneously target customers through fake websites, employees through LinkedIn spear phishing, and partners through spoofed domains, but each component gets handled by a different team using different tools on different timelines. The attacker sees one campaign; the defending organization sees three separate incidents with no one connecting the dots.

    The most sophisticated fraud operations deliberately exploit these coordination failures. Fraud-as-a-service platforms provide infrastructure that appears legitimate to any single defensive perspective while the overall pattern reveals malicious intent. Catching these operations requires visibility across domains, social platforms, app stores, and dark web forums simultaneously, a capability few enterprises have built.

    The investment paradox

    Security leaders face a difficult reality: the threats capturing board attention and budget often differ from the threats actually causing losses.

Ransomware dominates headlines and board discussions, driving investments in endpoint protection, backup systems, and incident response capabilities. These investments matter; ransomware is genuinely dangerous. But the $12.5 billion in consumer fraud losses dwarfs ransomware payments, and much of that fraud involves brand impersonation that enterprises have limited visibility into.

    The paradox extends to measurement. Organizations track traditional security metrics obsessively (time to patch, detection rates, compliance scores) while often lacking basic visibility into how many phishing sites are operating under their brand, how many fake social profiles impersonate their executives, or how many customers receive fraudulent communications claiming to represent them.

    This measurement gap perpetuates the investment imbalance. What gets measured gets managed; what remains invisible receives neither attention nor resources. Security teams optimize for the threats they can see while external fraud grows unchecked in their blind spots.

    Closing the gap

    Addressing the fraud gap requires expanding the definition of what security teams are responsible for detecting and defending against.

    Establish external visibility. Organizations need systematic monitoring of their external attack surface: domains that impersonate their brand, social profiles that claim executive affiliation, app store listings that misrepresent their products, and dark web discussions that target their customers. This visibility must be continuous rather than periodic, and integrated with security operations rather than siloed in marketing or legal.

    Accelerate response capabilities. Detection without response accomplishes little. Takedown capabilities need to operate at speeds measured in hours rather than days, with established relationships and automated processes that can remove fraudulent infrastructure before campaigns reach their full potential.

    Integrate across functions. Brand protection, customer security, executive protection, and traditional security operations need shared visibility, coordinated response, and unified strategy. The artificial boundaries between these functions create exactly the gaps attackers target.

    Measure what matters. Organizations should track external threat metrics with the same rigor applied to internal security: time to detect impersonation campaigns, dwell time before takedown, customer exposure to fraudulent sites, and credential harvesting volume targeting their brand.
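The two steps above that are most concrete, continuous monitoring for domains that impersonate a brand and tracking time-to-detect and dwell time before takedown, can be sketched in code. The following Python is an added example written for this page, not Allure Security's product or code. The brand (examplebank.com), the "newly registered domains" feed, the homoglyph table and the incident timestamps are all constructed for illustration, and the domain parsing deliberately ignores multi-label public suffixes such as .co.uk.

```python
"""Lookalike-domain triage and takedown metrics (illustrative example).

Added example, not Allure Security's code. The brand, the domain feed and
the incident records below are constructed for the demonstration.
"""
from datetime import datetime
from statistics import median
from typing import Optional

# Assumed subset of ASCII look-alike substitutions seen in typosquats.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5"}
# Words attackers bolt onto a brand to make a phishing host look official.
KEYWORDS = ("login", "secure", "support", "verify", "account")


def lookalike_candidates(label: str) -> set:
    """Generate typosquat permutations of a registrable label (no TLD)."""
    cands = set()
    for i in range(len(label)):
        cands.add(label[:i] + label[i + 1:])                    # omission
        cands.add(label[:i] + label[i] + label[i:])             # repetition
        if label[i] in HOMOGLYPHS:                              # homoglyph
            cands.add(label[:i] + HOMOGLYPHS[label[i]] + label[i + 1:])
        if i + 1 < len(label):                                  # transposition
            cands.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for kw in KEYWORDS:                                         # keyword affix
        cands.update({f"{label}-{kw}", f"{kw}-{label}", f"{label}{kw}"})
    cands.discard(label)
    return cands


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches substitutions the homoglyph table does not list."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, brand: str) -> Optional[str]:
    """Return why `domain` looks like an impersonation of `brand`, or None.

    Simplification: splits on the last dot only (no public-suffix list).
    """
    label, _, tld = domain.lower().rpartition(".")
    b_label, _, b_tld = brand.lower().rpartition(".")
    if label == b_label:
        return None if tld == b_tld else "tld-swap"
    if label in lookalike_candidates(b_label):
        return "typosquat"
    if b_label in label:
        return "brand-embedding"
    if levenshtein(label, b_label) <= 1:
        return "near-miss"
    return None


def scan_feed(domains: list, brand: str) -> dict:
    """Map each suspicious domain in a feed to the reason it was flagged."""
    hits = {}
    for d in domains:
        reason = classify(d, brand)
        if reason:
            hits[d] = reason
    return hits


def hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600


def response_metrics(incidents: list) -> dict:
    """Median time-to-detect and median dwell (first seen to takedown), in hours."""
    to_detect = [hours(i["first_seen"], i["detected_at"]) for i in incidents]
    dwell = [hours(i["first_seen"], i["taken_down_at"])
             for i in incidents if i["taken_down_at"]]
    return {
        "median_hours_to_detect": median(to_detect),
        "median_dwell_hours": median(dwell) if dwell else None,
        "still_live": sum(1 for i in incidents if not i["taken_down_at"]),
    }


BRAND = "examplebank.com"  # constructed brand

# Constructed "newly registered domains" feed: impersonation mixed with noise.
NEW_DOMAINS = [
    "examplebank.co", "examp1ebank.com", "examplebank-login.com",
    "secure-examplebank.net", "exmaplebank.com", "examplebanks.com",
    "examplebamk.com", "bankofexample.com", "flowerexample.com",
]


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed incident records for flagged domains that were actioned.
INCIDENTS = [
    {"domain": "exmaplebank.com", "first_seen": _ts("2025-01-01T00:00"),
     "detected_at": _ts("2025-01-01T02:00"), "taken_down_at": _ts("2025-01-01T10:00")},
    {"domain": "examplebank-login.com", "first_seen": _ts("2025-01-02T00:00"),
     "detected_at": _ts("2025-01-03T00:00"), "taken_down_at": _ts("2025-01-04T12:00")},
    {"domain": "examp1ebank.com", "first_seen": _ts("2025-01-05T00:00"),
     "detected_at": _ts("2025-01-05T06:00"), "taken_down_at": None},
]

if __name__ == "__main__":
    for d, why in scan_feed(NEW_DOMAINS, BRAND).items():
        print(f"{d:26} {why}")
    print(response_metrics(INCIDENTS))
```

Running the script flags seven of the nine feed entries (the two that only share the word "example" pass through), and reports a median detection time of 6 hours, a median dwell of 35 hours, and one site still live. The point of the metrics is that detection alone is not the number to watch: the dwell column is what customers actually experience. In practice the generated candidate list would be fed to a newly-registered-domain or certificate-transparency source rather than a hand-written list, and the classifier would use a public-suffix list so that brand.co.uk and brand.com.au are handled correctly.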

    The Bottom Line

    The fraud gap represents more than a security problem—it reflects an outdated mental model of what security teams are responsible for protecting. Organizations built defenses around assets they directly control while attackers shifted to targeting customers, brands, and reputations through external channels.

    Closing the gap requires acknowledging that the perimeter-focused security model, however sophisticated, leaves substantial brand-related risks unaddressed. The enterprises adapting successfully aren’t just investing more in traditional security; they’re expanding their definition of what security means to include the external attack surface where modern fraud actually operates.

    Key Takeaways

    How much did U.S. consumers lose to fraud in 2024?

    The FTC reports U.S. consumers lost $12.5 billion to fraud in 2024, a 25% increase from the prior year. The percentage of fraud reports involving financial losses rose from 27% to 38%, indicating attacks are becoming more successful.

    What is the average time to detect a data breach?

    According to IBM research, organizations take an average of 207 days to identify a data breach. For external threats like phishing, the timeline is far shorter on the attacker’s side; half of victims fall prey within 24 hours of campaign launch.

    How much have BEC attacks cost over the past three years?

The FBI reports business email compromise attacks have accumulated over $8.5 billion in losses over the past three years, making them among the most financially damaging cyber threats, even though much of the infrastructure that enables them, such as lookalike domains and reconnaissance on professional networks, is observable from outside the organization before an attack lands.

    Why do traditional security investments fail to address fraud?

    Most security programs focus on protecting internal assets: networks, endpoints, and data within organizational boundaries. External threats like brand impersonation, customer-targeted phishing, and social media fraud operate entirely outside these boundaries, creating blind spots that attackers exploit.

    What capabilities do organizations need to close the fraud gap?

    Organizations need continuous external visibility across domains, social platforms, and dark web forums; accelerated takedown capabilities measured in hours rather than days; cross-functional coordination between security, legal, marketing, and customer service; and metrics that track external threats with the same rigor as internal security.
