Cybersecurity

Advancing systemic defence: What cyber leaders say about fighting phishing and fraud


Cybersecurity must no longer be reactive but embedded in systems from the start.

Image: Unsplash/Philipp Katzenberger

Giulia Moschetta
Initiatives Lead, Centre for Cybersecurity, World Economic Forum
Tal Goldstein
Head of Strategy and Growth, World Economic Forum
This article is part of: Centre for Cybersecurity
  • Phishing and cyber-enabled fraud are growing at an alarming rate, fueled by cybercriminals’ use of AI.
  • Cybersecurity must shift upstream, adopting a more systemic approach that embeds safety into digital infrastructure rather than relying on users to detect threats.
  • Three leaders from Paladin Global Institute, Microsoft and the Institute for Security and Technology stress the need for coordinated action.

As cybercrime rapidly evolves, phishing and scams driven by artificial intelligence are now costing the global economy over $1 trillion annually – a staggering figure that underscores the need for a more systemic and coordinated response.

The World Economic Forum's Partnership against Cybercrime, in collaboration with the Institute for Security and Technology (IST), is advancing the “Systemic Defence” project, exploring how a multi-stakeholder, systemic approach can shift responsibility upstream and better defend against phishing and cyber-enabled fraud.

At the RSA Conference in May 2025, leaders from Paladin Global Institute, Microsoft, IST and the World Economic Forum came together to discuss this effort.

Rather than relying solely on end-user behaviour, they examined how a systemic approach can foster a safer, more trustworthy cyberspace. By shifting efforts upstream, this initiative seeks to proactively strengthen the digital environment and mitigate the technological vulnerabilities that enable criminal exploitation.

To dig deeper, we asked participating experts about the rise in phishing and cyber-enabled fraud and what can be done to stop it. Here’s what they shared:

How can governments create incentives that encourage infrastructure actors to adopt “safety by default” for users?

Kemba Walden, President, Paladin Global Institute

Governments must strategically reshape market forces to place cybersecurity responsibility on those best positioned to reduce risk, shifting consequences away from the vulnerable while preserving innovation and competition. When I look at the US government’s $760 billion in annual procurement power, I see a strategic opportunity to reshape digital security at scale.

This isn't abstract strategy – it's practical market reality. When federal agencies demand technologies that are safe by default and secure by design, we create ripple effects throughout the digital ecosystem. When these technologies are battle-tested in critical environments – from cloud infrastructure to identity management systems – security features stop being expensive add-ons and start becoming standard expectations.

We need a pragmatic approach to enabling safe and secure infrastructure that includes both the imposition of liability and the granting of incentives. Governments can impose liability on software providers for insecure software products, but they can also establish grants to build security into critical technologies and leverage government procurement to improve accountability.

This system should reward providers who build in fundamental protections such as secure domain name systems, phishing-resistant multi-factor authentication and real-time fraud detection. These aren't cutting-edge innovations; they're table stakes for a functioning digital society.

Clear, industry-driven benchmarks for "secure infrastructure" that are both technically sound and operationally feasible are critical. The government must work with industry to ensure these benchmarks are not only technically sound but harmonized and seamlessly integrated into the digital ecosystem.


Why have current efforts to stop phishing and cyber-enabled fraud failed – and what role can tech companies play in turning the tide?

Kelly Bissell, Corporate Vice President – Security & Fraud, Microsoft

Despite billions spent on cybersecurity, phishing and cyber-enabled fraud aren’t just surviving – they’re thriving. Why? Because the fight against them is fundamentally flawed. We’ve built firewalls and filters but we’ve underestimated the most exploitable vulnerability of all: human nature.

Cybercriminals don’t need to hack machines when they can hack minds. They exploit trust, urgency, fear – and they’re getting frighteningly good at it. With AI-generated emails, deepfake voices and impersonated websites, phishing attacks today are nearly indistinguishable from the real thing. Users are told to “stay vigilant” but constant alerts blur real threats into background noise.

Our defences are reactive. We patch after breaches, blacklist after scams and train users after they’ve clicked. Criminals, meanwhile, are agile, anonymous and emboldened by weak international cooperation and outdated laws.

Cybercrime is cheap, global and high-reward. So what can we do about this? Here are seven steps we must take as a community:

  • Stop blaming users and start training them like assets: Users aren’t the weakest link – they’re the most underutilized defence. We should ditch generic training for immersive, role-specific simulations with real-world realism. Stop punishing mistakes and start building a culture where vigilance is second nature.
  • If hackers use AI, so should we: Ruthlessly. Cybercriminals use AI to craft flawless phishing and mimic humans. Why rely on outdated detection systems? Fight fire with fire: deploy AI that learns, adapts and acts in real time. Automate threat containment – milliseconds matter.
  • Cybercrime is global, our defence should be too: Borders mean nothing to hackers. So why are we still fighting them with fragmented, national-level policies? We need real-time, cross-border intelligence sharing and unified legal frameworks that make it impossible for cybercriminals to hide behind jurisdictional loopholes. If we don’t build global alliances, we’re just playing whack-a-mole – and losing.
  • Trust no one, verify everything: The age of implicit trust is over. Every device, user and access request must be verified — continuously, not just at sign-up. Zero-trust isn’t a buzzword; it’s table stakes. We must also eliminate legacy systems – if they can’t be patched, they pose a liability.
  • Make cybercrime unprofitable: Cybercrime thrives because it’s cheap, easy and lucrative. Let’s flip the script. Use blockchain forensics to track and freeze stolen funds. Tear down phishing kits, botnets and dark web markets with the same force we use against physical threats.
  • Start fighting as a team: Cybersecurity isn’t a solo sport but a team endeavour. If one company gets hit, the whole ecosystem is at risk. No more hoarding intelligence, share it in forums such as the Global Anti-Scam Alliance. We need real-time threat feeds, shared indicators of compromise and collaborative defence. Silence helps attackers; sharing stops them.
  • Out-innovate the attackers or be outrun: Cybercriminals never stop adapting — neither should we. Drive change by embedding AI in your security operations centre, scaling machine learning and data science to boost detections and building security by design. Invest heavily in AI and research and development for tools that keep pace with threats.

What is one critical change you think should happen at the infrastructure level to prevent phishing and cyber-enabled fraud?

Steve Kelly, Chief Trust Officer, Institute for Security and Technology

Prior to becoming an FBI special agent and getting involved in cyber investigations, I was a registered professional engineer working in the transportation field.

While pondering the internet’s inherent insecurity and the profligate crime that it enables, a parallel from my previous vocation came to mind: roadways are designed and built to be inherently safe, but the internet is not.

Intuitive design features, such as geometry, signage and striping, meet drivers’ expectations and help to avoid surprise; forgiving roadsides free of dangerous obstructions mitigate the consequences of error; and pedestrian-oriented development in urban areas reduces the opportunity for deadly conflicts between motor vehicles and pedestrians or bicyclists.

So how can we bring basic engineering principles to the internet’s core infrastructure so that users are safe and bad actors can’t prosper?

In our panel discussion, we discussed the importance of bringing trust and safety to the Domain Name System (DNS), opportunities to leverage the payment ecosystem, and ways identity initiatives, such as government-sponsored digital ID initiatives, might play a key role.

Too much is at stake and too many innocents are being victimized to stand on the sidelines. So pull out your slide rule and put on your hard hat; it’s long past time to make the core internet infrastructure secure by design.

In conclusion, the growing scale and impact of cyber-enabled fraud and phishing remain critical global challenges. The Forum’s Partnership against Cybercrime is committed to advancing systemic solutions that shift the burden away from users and toward more coordinated, upstream defences to better protect people online.
