FTC: $2.1bn lost to social-media scams in 2025

The US Federal Trade Commission published its 2025 fraud sweep yesterday. Americans handed scammers $2.1 billion through social-media platforms — up from a rounding error in 2020, and now the single highest-yielding scam channel the agency tracks.

The headline is the bait. The detail underneath is what defenders should be reading.

Three things stand out from the report. Investment scams remain the biggest dollar sink: fake trading-mentor accounts on Instagram, TikTok and X funnelling victims into copycat brokerages and crypto rug-pulls. Romance scams are the slowest-burn and the most personal, with median losses over $2,000 per victim and a strong correlation between the over-50 cohort and Facebook. The fastest-growing category is brand impersonation — scammers buying paid ads against the legitimate brand’s own name and steering clicks to a convincing replica.

For people running enterprise security, this is a reminder that personal-account compromise is part of the corporate kill chain you actually need to model. The path is well-trodden: an employee’s social credential gets phished or stuffed; the attacker pivots into a personal email; pivots into the recovery flow on a corporate SaaS app; lands inside a BEC chain inside the company. For retail banks the chain runs the other way — a phished customer social account leads to identity hijack, then to deposit fraud against the retail estate.

The honest take: if your security-awareness programme still files “social media” under productivity rather than credential exposure, the FTC numbers are the inflection point that makes that argument hard to keep running. And if your monitoring stops at the corporate edge, you’re missing the part of the chain where most of the damage actually starts.