A new report published today by cybersecurity firm F-Secure puts a precise, disturbing number on just how bad the scam epidemic has become in America: in 2025, nearly 40 million Americans fell victim to scams — and financial losses doubled compared to the year before.

The F-Secure 2025 Scam Intelligence & Impacts Report, released May 19, 2026, draws on surveys of consumers across the United States and Europe, combined with F-Secure’s own threat intelligence data. The picture it paints is not a story of a problem that is improving. It is a story of a threat that has industrialized, automated, and accelerated far past the ability of most people to recognize it.

The Scale: A Scam Epidemic, Not a Scam Problem

The headline figure — nearly 40 million American victims in a single year — is staggering on its own. But the deeper data makes it more alarming.

56% of consumers said they encounter scam attempts at least once a month. For a significant portion of Americans, scam attempts are not occasional nuisances. They are a regular feature of daily digital life, arriving via text, phone call, email, social media, and increasingly through platforms people once considered safe.

Of those who were targeted, 52% lost money — meaning more than half of the people a scam attempt actually reached ended up with a financial loss. That conversion rate is a direct reflection of how effective modern scams have become.

The financial damage has also shifted upward. The highest-volume scam categories in 2025 were:

  • Fake invoice fraud — 20% of reported scams
  • Investment scams — 19%
  • Banking and payment fraud — 11%

These are not low-effort “you’ve won a prize” emails. These are sophisticated, targeted operations designed to steal large amounts of money from people who have it. The era of the obvious scam — the misspelled email, the implausible lottery win — has largely given way to something far more dangerous.

The Confidence Gap: The Most Important Number in the Report

The most important finding in the F-Secure report may be this: 69% of people believe they can identify a scam. They are confident. They have read the warnings. They know to look for red flags.

And yet, 43% of those same people have fallen victim anyway.

This is what F-Secure calls the confidence gap — and it is arguably the core reason the scam industry is thriving. People who believe they are immune to fraud are precisely the population that fraud operations target most effectively. Overconfidence reduces vigilance. And modern scams are engineered to exploit exactly the moments when people feel most comfortable.

Laura Kankaala, Head of Threat Intelligence at F-Secure, put the problem plainly: “Scamming people online has never been easier than it is today. Cyber security for everyday citizens is not a challenge that time will solve.”

The data bears this out. The technologies that make scams easier to perpetrate — AI voice cloning, deepfake video, large language model-generated phishing messages — are not slowing down. They are getting cheaper, more accessible, and more convincing every month. The confidence gap is likely to widen, not narrow, in the absence of deliberate intervention.

How AI Has Changed the Scam Equation

The F-Secure report dedicates an entire chapter to what it calls the “four ways scammers are using artificial intelligence.” The picture it paints is of fraud that has crossed a threshold from craft to industry.

In AI-enhanced scams analyzed by F-Secure, 89% used AI for content generation — meaning the text, voice, or video that convinced a victim was not created by a human sitting at a keyboard. It was generated by a machine. The specific applications break down roughly as follows:

AI-generated phishing messages. Large language models can now produce phishing emails and text messages that are grammatically perfect, contextually relevant, and psychologically precise. The old tell of “look for spelling errors” no longer works reliably. AI-generated messages do not make spelling errors.

Voice cloning. Using as little as three seconds of audio — a voicemail, a public video, a social media post — modern AI can replicate a person’s voice convincingly enough to fool family members and colleagues. The FBI has documented cases in which victims paid tens of thousands of dollars in response to calls from voices they recognized as their children, their bosses, or their bankers.

Deepfake video. Video calls that appear to show a trusted person — an executive, a government official, a celebrity — are no longer technically difficult to produce. The Arup case, in which a finance employee transferred $25 million based on a fabricated video call, established that this attack vector works at the highest levels of corporate finance.

Personalized targeting. AI can scrape public data — social media profiles, professional directories, public records — to construct personalized attack scripts that include names, relationships, employers, and recent life events. A scam message that references your daughter’s college graduation or your recent home purchase is not a coincidence. It is data-driven targeting.

Megan Squire, Threat Intelligence Researcher at F-Secure, summarized the shift: “Scams are not small-time fraud anymore; they are industrialized, AI-powered, and psychologically manipulative.”

Who Is Most at Risk — and the Counterintuitive Answer

The common assumption about scam victims skews toward older adults — and older Americans do suffer enormous losses. The F-Secure report found that 60% of victims aged 65 to 74 reported a financial loss when targeted.

But the report contains a counterintuitive finding that deserves attention: young adults aged 18 to 34 face more than double the risk of being victimized compared to older adults.

This runs against most public awareness campaigns, which focus almost exclusively on protecting seniors. The explanation, in the data, appears to be exposure. Young adults are more active on digital platforms, more likely to engage with unfamiliar contacts, more likely to use new apps and services, and — critically — more likely to believe that scams are something that happens to less digitally sophisticated people. The confidence gap is, it seems, especially wide among people who grew up online.

The practical implication: scam awareness programs that treat young adults as a low-risk population are likely miscalibrated.

The Reporting Gap: Only 7% of Scams Are Reported

One of the most significant structural problems in the fraud landscape is that the data everyone works from — FTC reports, FBI IC3 complaints, state AG filings — captures only a fraction of actual harm.

The F-Secure report found that only 7% of scams are reported to authorities. The primary driver: stigma. Victims are frequently ashamed to disclose that they were deceived, particularly when the amounts lost are substantial. The shame operates as a suppressor of the very data that would inform better policy and law enforcement prioritization.

This means that when the FTC reports $3.5 billion in imposter scam losses, or the FBI IC3 reports $20.9 billion in total cybercrime losses, those numbers represent roughly one-fourteenth to one-twentieth of the actual damage. The real scale of the scam economy in America is almost certainly measured in the hundreds of billions of dollars annually.

What the Industry Is Doing About It

The F-Secure report was not written in a vacuum — it is also a market analysis. The data on consumer behavior reveals strong demand for scam protection products: 93% of consumers said cybersecurity offerings matter when choosing a provider, 82% factor security into provider selection decisions, and 51% are willing to pay specifically for scam protection.

Fredrik Torstensson, F-Secure’s Chief Partner Business Officer, framed it as a market opportunity: “We need to shift from blaming victims to building resilience. Scam defense [should be] as essential as internet access itself.”

The question of whether the cybersecurity industry’s offerings will keep pace with the AI-driven escalation in scam sophistication is not yet answered. What the data makes clear is that demand for solutions exists. The problem is not a lack of consumer interest in protection. It is the technical and psychological difficulty of building defenses against threats that adapt faster than awareness campaigns.

What You Can Do

The F-Secure report’s findings don’t lend themselves to a simple checklist — because the confidence gap means that people who think they are following the rules are still getting victimized. But the data does point to a few specific behaviors that reduce risk:

Reject the assumption that you are immune. The 43% figure — victims among people who believed they could identify a scam — is the single most important data point in this report. Vigilance requires accepting that anyone can be targeted successfully under the right conditions.

Verify through a second channel. Any request involving money — a transfer, a payment, a purchase, a wire — should be verified by contacting the requester directly through a known, trusted channel, not through the same medium the request arrived in. This rule defeats a large proportion of AI-generated fraud.

Report every scam attempt. The 7% reporting rate means law enforcement and regulators are operating with profoundly incomplete data. Reporting a scam attempt — even if you lost nothing — at ftc.gov/complaint contributes to enforcement actions and policy responses that protect others.

Take the confidence gap seriously for the young people in your life. Young adults are not safer because they are more digitally fluent. They may be more exposed precisely because they are more digitally active and more likely to trust their own judgment.

The F-Secure report lands at a moment when the global data on scams points uniformly in one direction: worse, faster. The doubling of losses in a single year is not an anomaly. It is a trend. The question is whether the response — from individuals, providers, platforms, and governments — scales to meet it.


Report the scam at ftc.gov/complaint or call 1-877-382-4357.