The Announcement
The Federal Trade Commission has reported that Americans lost $3.5 billion to imposter scams in 2025, nearly triple the losses recorded in 2020. Imposter scams ranked as the most reported fraud category last year, with roughly one in three fraud reports involving criminals posing as businesses, government agencies, or family members. The scale of this loss is not simply a consumer protection story. It points to a structural failure in how organizations protect the personal data that fuels these scams in the first place.
Our Analysis
The FTC’s figures are alarming on their own, but the more consequential threat runs deeper than the initial financial loss. According to Tomas Sinicki, scam protection expert and managing director at Coveron, “criminals who successfully impersonate banks, the IRS, or family members don’t just take the cash — they harvest victims’ personally identifiable information and can sell it on dark web marketplaces or use it themselves for further fraud.” That secondary market for stolen PII is what transforms a one-time scam into a years-long identity crisis.
The PII Exposure Problem Is an Enterprise Problem
This matters to enterprise IT leaders because the PII being harvested at scale does not appear out of thin air. It comes from data breaches, poorly governed cloud environments, and applications that handle sensitive personal information without adequate controls. ECI Research’s Enterprise Cloud Maturity report found that 90.8% of organizations store and process Personally Identifiable Information (PII), making data privacy a foundational operational requirement rather than an edge case. That is nearly every enterprise in the market, and it means nearly every enterprise is a potential upstream source of the data fueling imposter scams downstream.
The exposure risk compounds when governance practices lag behind infrastructure scale. ECI Research data shows that 61.3% of organizations operate between 6 and 20 cloud accounts or projects across AWS, Azure, and GCP, creating significant multi-cloud sprawl and governance complexity. When PII is distributed across that many accounts and projects, the likelihood that some of it is inadequately secured rises sharply. A Social Security number can sell for just a few dollars on dark web marketplaces, as Sinicki notes — meaning that even a modest data exposure event can seed fraud campaigns at meaningful scale.
What ITDMs Need to Hear
For IT decision-makers, the FTC report is a concrete signal that data governance is no longer separable from fraud liability. The cascade Sinicki describes — “a single grandparent scam can turn into years of fraudulent tax returns, opened credit accounts, and drained savings” — begins somewhere in an enterprise’s data estate. That linkage carries regulatory, reputational, and legal exposure that has not historically been priced into most organizations’ security investment models.
The implication is straightforward: organizations that manage PII at scale need to treat data governance as a continuous operational discipline, not an annual compliance checkbox. That includes dark web monitoring, rigorous identity and access controls, and the kind of layered defense posture Sinicki advocates. It also means investing in security tooling that operates at the data level, not just the perimeter.
ECI Research data reinforces that security investment intent is strong but unevenly applied. While 65% of organizations rank security and compliance as a top technology investment priority for the next 12 months (second only to AI projects, per ECI Research’s Scaling Cloud-Native Applications report), the gap between investment intent and mature execution remains wide in practice.
What Developers Need to Understand
For developers, the imposter scam epidemic is a reminder that application-level data handling has real-world downstream consequences. Every field that collects a Social Security number, date of birth, or account credential is a potential extraction point. Shift-left security practices matter here — scanning for data exposure risks early in the pipeline, applying least-privilege principles to data access, and treating PII as a first-class concern in code review are not compliance theater. They are direct interventions against the fraud supply chain.
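One way to scan for this kind of exposure early in the pipeline, as an added example that is not code from the FTC, Coveron, or ECI Research: a check that flags SSN-shaped values in committed files and fails the build, masking every finding so the scanner does not copy PII into CI logs. The file paths and sample values are constructed, and the function names are hypothetical.

```python
import re
from typing import NamedTuple

# AAA-GG-SSSS, AAA GG SSSS or AAAGGSSSS, not embedded in a longer digit/dash run.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")

class Finding(NamedTuple):
    path: str
    line_no: int
    column: int
    masked: str  # never the raw value: CI logs are widely readable

def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA never issues area 000, 666 or 9xx, group 00, or serial 0000."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"

def scan_text(path: str, text: str) -> list[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            area, _sep, group, serial = m.groups()
            if is_plausible_ssn(area, group, serial):
                findings.append(Finding(path, line_no, m.start() + 1, "***-**-****"))
    return findings

def pipeline_gate(files: dict[str, str]) -> tuple[int, list[Finding]]:
    """Return (exit_code, findings); a non-zero exit code fails the build."""
    findings = [f for path, text in files.items() for f in scan_text(path, text)]
    return (1 if findings else 0), findings

# Constructed sample inputs (hypothetical paths, made-up values).
SAMPLE_FILES = {
    "tests/fixtures/customers.csv": "name,ssn\nJane Roe,123-45-6789\nTest User,000-12-3456\n",
    "app/handlers.py": 'log.info("lookup ssn=%s", "234567890")\norder_id = "4111111111111111"\n',
    "docs/support.txt": "Reference 555-01-0000 for the ticket\n",
}

if __name__ == "__main__":
    code, found = pipeline_gate(SAMPLE_FILES)
    for f in found:
        print(f"{f.path}:{f.line_no}:{f.column}: possible SSN {f.masked}")
    raise SystemExit(code)
```

The structural validity check keeps the gate from firing on test placeholders and longer numeric identifiers, which matters for the developer-hesitancy problem: a noisy check gets disabled.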
The challenge is that behavioral barriers to security ownership persist across development teams. Fear of breaking production environments, lack of training, and unclear expectations all contribute to developer hesitancy. Closing those gaps requires tooling that makes secure data handling the path of least resistance, not an additional burden layered onto existing delivery pressure.
Looking Ahead
Regulation Will Force the Issue
The FTC’s reporting on imposter scam losses will almost certainly drive legislative and regulatory attention toward upstream data stewardship. Organizations that are currently reactive on PII governance should anticipate that posture becoming insufficient. Frameworks requiring demonstrable data minimization, breach notification timelines, and consumer remediation obligations are already expanding across U.S. states and international jurisdictions. Enterprises that build PII governance into their application lifecycle now will be better positioned when those requirements tighten.
The Dark Web Problem Is Not Going Away
Sinicki’s observation that compromised PII is sold continuously and exploited over extended periods means that the threat to individuals persists long after the original breach. For enterprises, this argues for investment in dark web monitoring as an operational capability, not just an incident-response afterthought. It also reinforces the case for identity theft protection services with fraud insurance components — products that are increasingly positioned as enterprise benefits rather than consumer add-ons. The market for these services will expand as the FTC’s numbers continue to climb, and vendors with credible monitoring infrastructure and proven fraud remediation workflows will be the ones ITDMs should be evaluating seriously.
