Are You Defending the Right Battlefield?

Posted on April 11, 2026


Most organisations, even those in the cyber security industry itself, still imagine their digital adversary as a system intruder. Firewalls are hardened, endpoints instrumented, identities wrapped in layers of conditional access, and on and on … Yet the majority of losses are not coming from breached systems; they are flowing through human manipulation: manipulation to pay, in some shape or form, for fear of something the adversary now holds over them.

The Office for National Statistics (ONS) consistently reports that fraud accounts for 40 – 45% of all crime experienced by individuals. Within cyber-enabled crime specifically, estimates from the National Crime Agency (NCA) and ONS indicate 80 – 90% of cyber-enabled offences are fraud-related. The remainder is primarily cyber-dependent crimes like ransomware, hacking or DDoS.

Put simply, cyber is now the dominant delivery mechanism for fraud at scale. Fraud has effectively become a digitally optimised business model, not a side-effect of cyber. Not elegant exploits but convincing narratives, such as a supplier payment redirected, an executive impersonated, a customer nudged into authorising the loss themselves, or the more blunt identity theft. The attacker does not need to break your defences if they can walk your processes past them.

This is the strategic misalignment. Organisations defend against intrusion, while adversaries monetise through deception. Security teams chase indicators of compromise while fraud actors optimise trust, timing and psychology, increasingly with AI (see my piece on the announcement of Anthropic’s Claude Capybara, codenamed Mythos), to scale credibility and precision. See my piece ‘A Very Real Breach Symphony‘ for a graphic rendition of just such a motion.

The result is predictable. Millions invested in cyber controls, while losses accumulate quietly in finance ledgers under fraud or human error.

The battlefield has shifted. It now sits at the intersection of identity, payment and human decision-making, or simply human process manipulation. Cybercrime is not primarily about breaking systems anymore; it is about manipulating people and processes to move money. Detection must extend beyond malware to intent; controls must anticipate manipulation, not just intrusion. If your cyber strategy does not explicitly integrate fraud prevention, you are defending the wrong battlefield.

So the takeaway is, if your strategy stops at keeping attackers out, you may simply be ensuring they never need to come in at all.