Security leaders are discovering that the threats commanding board attention have shifted—and their defensive playbooks haven’t caught up.
There’s a particular kind of wisdom that emerges only from collective experience: insights that can’t be derived from threat reports or vendor briefings, but only from the accumulated lessons of practitioners who’ve encountered real attacks against real organizations. When security leaders gather to discuss what keeps them up at night, a consistent theme has emerged over the past two years: the threats commanding attention have shifted in ways that legacy security programs weren’t designed to address.
Ransomware and data breaches remain serious concerns, but the conversation increasingly turns to threats that occur outside traditional security perimeters: brand impersonation, executive targeting, and fraud campaigns that exploit organizational trust rather than technical vulnerabilities. According to Proofpoint’s 2024 Voice of the CISO report, three-quarters of CISOs now identify human error as the leading cybersecurity risk. The biggest perceived threats have evolved: ransomware (41%) and malware (38%) edge out email fraud (36%) and business email compromise in terms of concern, but BEC remains the category with the highest per-incident financial impact.
The leaders making progress against impersonation fraud share common approaches and hard-learned lessons that others can apply without paying the same tuition in losses.
Impersonation has become a strategic concern
IT leaders increasingly recognize that impersonation attacks target something more fundamental than systems or data—they target organizational trust itself.
The dynamics play out across multiple dimensions. Attackers who impersonate your brand to steal from customers transform the trust you spent years building into a weapon against the people who believed in you. Executive impersonation that authorizes fraudulent wire transfers exploits the authority structures that make organizations function. Fake job postings bearing your company name turn candidates who should be your future employees into fraud victims. Each scenario attacks trust from a different angle, but all share a common characteristic: the damage extends beyond immediate financial losses into relationships that may never fully recover.
The World Economic Forum’s 2025 Global Cybersecurity Outlook places cyber-enabled fraud alongside ransomware as a top organizational threat. This framing matters because it elevates impersonation from a nuisance to a board-level risk, positioning it alongside threats that already command executive attention and budget allocation.
Security leaders report that framing impersonation as a trust and reputation risk, rather than purely a technical security issue, helps secure resources and cross-functional support. The business impact of eroded customer trust often exceeds the direct financial losses from fraud incidents, and articulating that connection changes how leadership perceives the threat.
Human error isn't the problem—it's the attack surface
The statistic that human error causes 74% of successful breaches often leads to an unfortunate conclusion: that better training will solve the problem. IT leaders are discovering the limitations of this approach firsthand.
According to Deloitte research, 51.6% of companies reported an increase in deepfake-related attacks, including extortion attempts. When attackers can convincingly impersonate executives via voice or video, training employees to “verify unusual requests” becomes insufficient; the verification itself can be fooled, as the Arup incident demonstrated when an employee who requested a video call to verify an unusual request found himself speaking with AI-generated deepfakes of the CFO and several colleagues.
The leaders making progress have shifted from blaming human error to reducing human exposure. This means implementing verification protocols that don’t depend on voices, faces, or email addresses that can be impersonated: code words, out-of-band confirmation through pre-established channels, multi-person authorization for sensitive actions. It means intercepting attacks before they reach employees by monitoring for and removing impersonation infrastructure: fake websites, fraudulent social profiles, and spoofed domains.
Perhaps most importantly, it means accepting that sophisticated attacks will fool trained people. The goal isn’t eliminating human vulnerability but reducing the frequency with which that vulnerability gets tested.
External visibility has become essential
CISOs increasingly recognize that protecting internal systems is necessary but insufficient for fraud defense, a realization that challenges assumptions built into most security programs.
CSC’s CISO Outlook 2025 report found that cybersquatting, domain hijacking, and domain-based attacks rank among the top cyber threats, with these concerns projected to escalate as attackers leverage AI capabilities. An overwhelming majority of surveyed CISOs anticipate a surge in cyber attacks over the next three years, and many are discovering that their current visibility doesn’t extend to where those attacks will originate.
This recognition is driving investment in external threat intelligence capabilities that provide visibility into domain registrations that may be used for impersonation campaigns, dark web activity discussing the targeting of specific organizations, social media accounts impersonating the organization or its executives, phishing infrastructure using the organization’s brand, and unauthorized mobile applications bearing organizational branding.
IT leaders report that external visibility often reveals attack preparation before campaigns launch, enabling preemptive action rather than reactive response, a fundamentally different security posture than waiting for attacks to reach users.
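As an added example of the domain-registration monitoring described above (not code from the article or from any vendor product), the Python below normalizes newly registered labels (punycode, accents, common homoglyphs) and flags registrations that match, embed, or sit within a couple of edits of a brand label. The brand domain and the registration feed are constructed sample data.

```python
import unicodedata
# Constructed sample data: one brand domain and a feed of new registrations.
BRAND_DOMAINS = ["examplebank.com"]
NEW_REGISTRATIONS = [
    "examplebank.com",        # the legitimate domain itself
    "examp1ebank.com",        # digit standing in for a letter
    "exarnplebank.com",       # "rn" visually imitates "m"
    "examplebanc.com",        # one character changed
    "examplebank-login.net",  # brand embedded in a longer label
    "exámplebank.com".encode("idna").decode("ascii"),  # IDN in punycode form
    "weather-report.org",     # unrelated; must not be flagged
]
# Visually confusable sequences mapped to the letters they imitate.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def normalize_label(label):
    """Reduce a label to the ASCII letters a reader would perceive."""
    if label.startswith("xn--"):  # punycode -> Unicode
        label = label.encode("ascii").decode("idna")
    label = unicodedata.normalize("NFKD", label).lower().replace("-", "")
    label = "".join(c for c in label if not unicodedata.combining(c))  # drop accents
    for seq, letter in HOMOGLYPHS.items():
        label = label.replace(seq, letter)
    return label

def levenshtein(a, b):  # classic edit distance, catches typo-squats
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, brand, max_distance=2):
    """Return why `domain` resembles `brand`, or None if it does not."""
    if domain == brand:
        return None
    d, b = (normalize_label(x.split(".")[0]) for x in (domain, brand))
    if d == b:
        return "brand label under homoglyph, IDN or TLD variation"
    if b in d:
        return "brand label embedded in a longer label"
    dist = levenshtein(d, b)
    return f"edit distance {dist} from brand label" if dist <= max_distance else None

def find_lookalikes(candidates, brands, max_distance=2):
    """Pair each suspicious registration with the reason it was flagged."""
    return [(dom, r) for dom in candidates for br in brands
            if (r := classify(dom, br, max_distance))]
```

Run over the sample feed, five of the seven registrations are flagged; the legitimate domain and the unrelated one are not.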
Collaboration across functions is required
Impersonation fraud doesn’t respect organizational boundaries, and effective defense requires collaboration that crosses traditional silos in ways that many organizations find uncomfortable.
The challenge appears in Gartner’s CISO priority research: cyber resilience has become the top priority for 2025, reflecting recognition that security must integrate with business operations rather than operating as an isolated function. Building resilience against impersonation requires coordination across security, legal, marketing, customer service, and executive functions, each of which holds pieces of the puzzle but rarely shares them systematically.
IT leaders describe building “impersonation response teams” that can detect emerging threats across technical and non-technical channels, assess business impact and prioritize response, execute takedowns through appropriate legal and platform mechanisms, communicate with affected customers and stakeholders, and learn from incidents to improve prevention. This cross-functional approach ensures that impersonation threats don’t fall into organizational seams where no single function feels ownership, precisely the gaps that attackers have learned to exploit.
Speed has become the critical metric
The realization that phishing campaigns reach peak effectiveness within hours of launch has transformed how IT leaders think about response.
When half of victims fall prey within 24 hours, and many within the first hour, the difference between a nine-hour response and a two-hour response isn’t marginal improvement—it’s potentially a 75% reduction in victim count. This math has made time-to-takedown a primary metric for impersonation defense effectiveness, displacing traditional metrics that measured detection without accounting for the speed of subsequent action.
Leaders optimizing for speed report focusing on automated detection that identifies threats as they emerge rather than after customer complaints surface, pre-established relationships with platforms and registrars that accelerate takedown requests, documented playbooks that eliminate decision-making delays during incidents, and 24/7 coverage that prevents threats from compounding overnight or over weekends.
The investment in speed reflects a calculation that becomes inescapable once you’ve seen it in action: every hour of exposure translates to victims who might have been protected.
The Bottom Line
IT leaders learning from impersonation fraud share a common evolution in thinking. They’ve moved from viewing impersonation as a nuisance to recognizing it as a strategic threat. They’ve shifted from blaming human error to reducing human exposure. They’ve expanded visibility from internal systems to external attack surfaces. They’ve built cross-functional teams rather than siloed responses. And they’ve made speed the primary success metric.
These lessons cost billions of dollars in collective fraud losses to learn. Organizations that can absorb them without paying that tuition will be better positioned to protect their customers, their brands, and their bottom lines from threats that continue to grow more sophisticated each year.
For practical examples of how IT leaders at investment firms have applied these principles, including specific attack stories and actionable recommendations, see our companion piece on insights from a recent IT leaders panel discussion.
Key Takeaways
According to Proofpoint’s 2024 Voice of the CISO report, three-quarters of CISOs identify human error as the leading cybersecurity risk. The top perceived threats are ransomware attacks (41%), malware (38%), and email fraud (36%).
Impersonation attacks target organizational trust rather than just systems or data. The World Economic Forum’s 2025 Global Cybersecurity Outlook places cyber-enabled fraud alongside ransomware as a top organizational threat, elevating it to strategic importance.
Leaders are shifting from training-focused approaches to reducing human exposure. This includes verification protocols that don’t depend on elements that can be impersonated, intercepting attacks before they reach employees, and accepting that sophisticated attacks will fool even trained people.
IT leaders are investing in visibility into domain registrations, dark web activity, social media impersonation, phishing infrastructure using their brand, and unauthorized mobile applications. External visibility often reveals attack preparation before campaigns launch.
Half of phishing victims fall prey within 24 hours, many within the first hour. The difference between a nine-hour response and a two-hour response can mean a 75% reduction in victim count, making time-to-takedown the primary effectiveness metric.