While most Americans worry about identity theft and fraud, many overlook the significant threat posed by scam calls and phishing messages, which remain a primary vector for cybercriminals to steal personal data.

  • 91% of Americans are concerned about cybercrime scams, but awareness of scam calls as a risk is lacking.
  • Criminals increasingly target individuals with social engineering over direct device exploitation.
  • Effective defense requires focus on human vulnerabilities alongside technical safeguards.

Threat signal

Cybercriminals are shifting tactics from targeting devices directly to exploiting individuals via scam calls, phishing emails, and deceptive login pages. This change highlights the evolving nature of cyber threats, which increasingly rely on social engineering to gain access to sensitive data rather than relying solely on technical exploits.

The NordVPN survey reveals that scam calls are experienced daily by nearly half of Americans, yet many individuals do not recognize these interactions as precursors to identity theft or fraud. This misalignment between perceived and actual threats suggests that attackers are finding success by exploiting human trust and urgency, making scam calls a critical risk vector.

Operator exposure

Organizations and security teams should recognize that the weakest cybersecurity link is often the end user. Employees and customers faced with scam calls or phishing attempts can inadvertently compromise their identities or organizational credentials if they fall for social engineering tactics.

This operator exposure extends to cloud services, identity management, and software supply chains where stolen credentials obtained through scams may enable unauthorized access and further exploitation. Awareness and mitigation of this risk environment are essential to reduce the likelihood of data breaches and ransomware attacks initiated via compromised identities.

What teams should watch

Security teams need to prioritize user-awareness training that specifically addresses social engineering threats such as scam calls and phishing attempts. Emphasizing skepticism toward urgent or pressured communications can help users pause before responding, disrupting attacker timelines.

Technical teams should leverage available platform features like call screening on mobile devices and implement multi-factor authentication to reduce the impact of stolen credentials. Incorporating monitoring for unusual login attempts and suspicious activity related to identity can further protect against downstream consequences of scam-based intrusions.

Source assisted: This briefing began from a discovered source item from CNET News. Open the original source.
How SignalDesk reports: feeds and outside sources are used for discovery. Public briefings are edited to add context, buyer relevance and attribution before they are published. Read the standards

Related briefings

OpenAI Discloses Credential Theft in TanStack NPM Supply Chain Attack US CISA Issues Emergency Alert for Critical Cisco SD-WAN Zero-Day Vulnerability Microsoft Exchange Server Vulnerability Enables Script Execution via OWA Emails