High-value BEC persistence and approval-phishing (Atlantic + Valencia + Ossian + Tycoon2FA + FBI stats)
Key Questions
What were the total online scam losses reported by the FBI IC3 in 2025?
The FBI IC3 reported $20.9 billion in total losses from online scams in 2025. Business Email Compromise (BEC) accounted for $3 billion of these losses, representing 14.6% in the finance sector.
How significant were AI-related scams in the FBI's 2025 cybercrime report?
The FBI documented 22,000 AI scams resulting in $893 million in losses. These scams are part of a broader surge in AI-powered threats like vishing and deepfakes.
What is the Wells Fargo deepfake incident involving Hong Kong?
Wells Fargo warned customers about a $25 million deepfake scam in Hong Kong. The incident involved AI-generated voices and faces used to impersonate executives and authorize fraudulent transfers.
What losses did TrustNFT document from email impersonation?
TrustNFT's white paper reported $2.9 billion in annual corporate losses from email impersonation. It highlights growing financial and brand liability risks from such attacks.
How common are deepfake invoice scams among finance professionals?
53% of finance professionals have encountered deepfake invoice scams, leading to $1.1 billion in losses. Tools like Beancount's audit trails are suggested to detect AI forgeries that fool humans.
What persistent BEC campaigns are mentioned in the highlight?
Campaigns like Atlantic, Valencia, Ossian, and Tycoon2FA demonstrate high-value BEC persistence. These involve ongoing tactics targeting finance sectors with hybrid AI-human methods.
What defenses are recommended against AI-powered BEC and deepfake attacks?
Defenses include KnowBe4 for training, Njordium and Abnormal for email security, Darktrace for AI detection, and Beancount for invoice verification. Breacher.ai reports 92% organizational vulnerability to these threats.
What is the trend in hybrid AI attacks like vishing and deepfakes?
Mandiant notes a surge in GenAI vishing by groups like Scattered Spider, using hybrid AI+human bank spoofs with Firebase IOCs targeting CFOs. New tactics combine email priming with AI voice deepfakes.
Persistence in Atlantic/Valencia/Ossian/Tycoon2FA; FBI IC3 2025 $20.9B total/$3B BEC losses (14.6% finance), 22k AI scams/$893M; Mandiant GenAI vishing surge (Scattered Spider); hybrid AI+human bank spoof (Firebase IOCs) vs CFO accounts; deepfake invoices hit 53% finance pros ($1.1B losses); new hybrid deepfake sims (email prime + AI voice); Wells Fargo $25M HK deepfake; TrustNFT $2.9B losses; Breacher.ai 92% org vuln; defenses KnowBe4/Njordium/Abnormal/Darktrace/Beancount.