WMC Global Blog

The Liability Shift: Anti-Impersonation is No Longer Optional

Written by WMC Global Cyber Threat Intelligence Team | 12/16/25 5:14 PM

The global regulatory landscape is undergoing a profound transformation. The long-standing era of "consumer beware," where the burden of avoiding scams fell primarily on the individual, is rapidly ending. Across the world, from the FTC in the United States to the Payment Systems Regulator (PSR) in the UK, new regulations are directly holding organizations accountable for brand impersonation scams that target their customers.

For too long, the default response to mobile phishing and smishing attacks has centered on user education. However, as security leaders in high-value verticals (finance, telco, major tech platforms) know, the sheer sophistication of modern phishing kits combined with the intimate nature of the mobile channel makes detection nearly impossible for the average consumer.

Now, governments and regulators have reached the same conclusion.

We have arrived at a regulatory inflection point. Authorities are moving past voluntary requests for scam assistance and are beginning to mandate action, backing those mandates with significant financial liability. The responsibility is shifting from the victim to the brand whose identity is being weaponized and to the infrastructure facilitating the attack.

At WMC Global, we have monitored the evolution of mobile threats for decades. We view this regulatory shift not as a compliance burden, but as a crucial and necessary evolution in how organizations must approach External Attack Surface Management (EASM).

Here is an authoritative guide to the emerging regulatory landscape and what this means for your organization's required duty to police your brand and infrastructure outside your traditional firewall.

The End of "Not Our Problem"

This shift is driven by the sheer financial volume of fraud. According to the Federal Trade Commission (FTC), U.S. consumers lost a staggering $10 billion to fraud in 2023 alone, with imposter scams remaining the top category.

Governments recognize that industrialized cybercrime operations have outmatched consumers. Consequently, regulatory bodies are establishing frameworks based on a concept of "Shared Responsibility," compelling the owners of the underlying infrastructure (banks, telcos, and tech platforms) to bear the costs of failure.

If your organization’s brand is used to lure victims, or if your infrastructure is used to facilitate the lure, you are now in the regulatory crosshairs.

The New Regulatory Reality: Three Key Global Trends

Understanding these emerging frameworks is critical for CISOs and fraud leaders to justify the necessary tooling and budget for a proactive EASM strategy.

1. The United States: Expanding Liability to "Means and Instrumentalities"

While banking liability bills are debated, the most immediate change comes from the FTC. After finalizing its Government and Business Impersonation Rule in 2024 to pursue impersonators, the FTC issued a Supplemental Notice of Proposed Rulemaking targeting third parties.

  • The Focus: The proposal is aimed at businesses that provide the "means and instrumentalities" for a scam.

  • What This Means for You: If your platform (a payment processor, messaging gateway, VoIP service, or AI tool, for example) is knowingly used by scammers to impersonate others, you could face FTC action. Neutrality as a mere infrastructure provider is no longer tenable; you have an active duty to police how your tools are weaponized.

2. The United Kingdom: Mandatory 50/50 Banking Liability

The UK is pioneering the most aggressive financial liability approach for Authorized Push Payment (APP) fraud (where a victim is tricked into authorizing a payment to a fraudster).

  • The Mandate: Effective October 2024, the Payment Systems Regulator (PSR) mandates reimbursement to victims within five business days. The cost is split 50/50 between the sending bank and the receiving bank (where the mule account is held).

  • What This Means for You: If you are in financial services, you now have a direct financial incentive to monitor the integrity of your account holders, not just outgoing transactions. The assumption is that if a mule account is operating on your books, your Know Your Customer (KYC) and ongoing monitoring controls have failed, and you will share the financial burden.

3. Singapore: The "Waterfall" Hits the Telcos

Singapore’s Shared Responsibility Framework (SRF), effective December 2024, is a notable model for mobile-centric businesses as it explicitly pulls Telecommunications Operators into the liability chain.

  • The Structure: The SRF uses a "waterfall" approach. Banks are the first line of defense, but if they fulfill their duties, liability can shift to the Telco. Telcos are now required to implement safeguards, such as blocking SMS messages with unverified alphanumeric sender IDs.

  • What This Means for You: If you are a Mobile Network Operator (MNO) and you fail to block a spoofed SMS that leads to a scam, you are liable for reimbursing the victim. This is a significant paradigm shift, demanding that telcos actively police the messaging traffic traversing their networks for brand impersonation attempts.
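The safeguard described above, blocking SMS traffic whose alphanumeric sender ID is not registered, can be illustrated with a small gateway-side check. The code below is an added example written for this article, not WMC Global's product code and not any regulator's reference implementation. It assumes a registry of verified sender IDs (here a constructed set of placeholder brand names, not real registrants), a constructed batch of inbound messages, and a constructed character-substitution table; it goes slightly beyond the text by also flagging unverified IDs that collapse to a registered one once common look-alike characters are folded, so a brand-impersonation attempt is labelled as such rather than only dropped.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed registry of verified alphanumeric sender IDs. The framework relies
# on a national registry; these entries are placeholders, not real brands.
VERIFIED_SENDER_IDS = {"EXAMPLEBANK", "EXAMPLETELCO"}

# Constructed substitution table: characters commonly swapped into a sender ID
# to imitate a registered one. Applied before the second registry lookup.
CONFUSABLES = str.maketrans({"0": "O", "1": "I", "l": "I", "5": "S", "8": "B", "$": "S"})

# Constructed sample batch of inbound messages as a messaging gateway might see them.
SAMPLE_MESSAGES = [
    {"sender": "EXAMPLEBANK", "body": "Your monthly statement is ready."},
    {"sender": "+6591234567", "body": "Dinner at 7?"},
    {"sender": "EXAMPLE8ANK", "body": "Your account needs attention."},
    {"sender": "PRIZEWIN", "body": "You have been selected for a reward."},
]


@dataclass(frozen=True)
class SmsDecision:
    sender_id: str
    action: str                             # "deliver" or "block"
    reason: str
    impersonation_of: Optional[str] = None  # registered ID a blocked sender imitates


def is_alphanumeric_sender(sender_id: str) -> bool:
    """E.164-style numeric senders fall outside the alphanumeric sender-ID policy."""
    return re.fullmatch(r"\+?\d{3,15}", sender_id) is None


def fold_confusables(sender_id: str) -> str:
    """Map look-alike characters to the letters they imitate, then upper-case."""
    return sender_id.translate(CONFUSABLES).upper()


def screen_sender(sender_id: str, registry=VERIFIED_SENDER_IDS) -> SmsDecision:
    """Decide whether one message may be delivered based on its sender ID."""
    if not is_alphanumeric_sender(sender_id):
        return SmsDecision(sender_id, "deliver", "numeric sender, outside sender-ID policy")
    if sender_id.upper() in registry:
        return SmsDecision(sender_id, "deliver", "verified alphanumeric sender ID")
    folded = fold_confusables(sender_id)
    if folded in registry:
        # Unverified as sent, but identical to a registered ID after folding:
        # block and record which brand is being impersonated.
        return SmsDecision(sender_id, "block", "look-alike of a verified sender ID",
                           impersonation_of=folded)
    return SmsDecision(sender_id, "block", "unverified alphanumeric sender ID")


def screen_messages(messages, registry=VERIFIED_SENDER_IDS):
    """Screen a batch; returns one decision per message, in input order."""
    return [screen_sender(m["sender"], registry) for m in messages]


if __name__ == "__main__":
    for d in screen_messages(SAMPLE_MESSAGES):
        extra = f" (imitates {d.impersonation_of})" if d.impersonation_of else ""
        print(f"{d.sender_id:<14} {d.action:<8} {d.reason}{extra}")
```

The two-step lookup matters operationally: the first match delivers legitimately registered traffic, while the folded match separates a deliberate look-alike (worth an impersonation alert to the affected brand) from ordinary unregistered bulk traffic, which is simply dropped under the policy.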

The Imperative for Proactive EASM

The true villain is the threat actor weaponizing your brand. However, this new regulatory reality means your organization risks becoming a secondary source of failure if it is not proactive.

These regulations clearly signal that reactive measures (waiting for a customer report to issue a takedown request) are no longer enough to meet your duty of care.

To protect your organization from liability and your customers from harm, you must adopt a proactive and dedicated posture toward External Attack Surface Management specifically tailored for brand impersonation.

This means moving beyond passive threat intelligence feeds to embrace active security and disruption. A robust brand protection strategy demands:

  • Pre-attack Detection: Identifying phishing kit deployments and fraudulent domain registrations before the smishing campaigns can launch.

  • Mobile-First Focus: Understanding how these attacks are designed to exploit the small-screen environment, where hidden URLs and user urgency are maximized.

  • Active Disruption: Moving past simple takedowns to actively disrupting the infrastructure used by these cybercrime networks.
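The pre-attack detection point above, spotting fraudulent domain registrations before a campaign launches, can be shown as a screen over a feed of newly registered domains. The code below is an added example written for this article, not WMC Global's detection logic. It assumes a hypothetical brand name and owned-domain set, a constructed list of newly registered domains standing in for a real feed, and a constructed homoglyph table; the three checks it applies (brand name embedded in the label, brand name visible after folding look-alike characters, and a small edit distance from the brand) are the common typosquat patterns, generalised slightly beyond the single sentence in the text.

```python
from dataclasses import dataclass
from typing import List, Optional

BRAND = "examplebank"                 # hypothetical brand name, not a real registrant
OWNED_DOMAINS = {"examplebank.com"}   # constructed set of domains the brand legitimately owns

# Constructed homoglyph table: character runs that read like the target letter.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Words that signal a lure once a brand match is already present.
LURE_TERMS = ("login", "secure", "verify", "update", "sms", "support", "account")

# Constructed stand-in for a newly-registered-domains feed.
SAMPLE_FEED = [
    "secure-examplebank-login.com",
    "exarnplebank.net",
    "examplbank.com",
    "examplebank.com",
    "weather-today.org",
    "examp1ebank-sms.co",
]


@dataclass
class Finding:
    domain: str
    reasons: List[str]


def second_level_label(domain: str) -> str:
    """Registrable label of a domain. Assumes a one-label public suffix; a
    production system would consult the public suffix list instead."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def fold_homoglyphs(label: str) -> str:
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_domain(domain: str, brand: str = BRAND, owned=OWNED_DOMAINS) -> Optional[Finding]:
    """Return a Finding if the domain looks like an impersonation of the brand, else None."""
    if domain.lower() in owned:
        return None
    label = second_level_label(domain)
    core = label.replace("-", "")
    reasons: List[str] = []
    if brand in core:
        reasons.append("brand name embedded in domain")
    elif brand in fold_homoglyphs(core):
        reasons.append("homoglyph look-alike of brand name")
    else:
        threshold = 1 if len(brand) < 8 else 2
        dist = edit_distance(core, brand)
        if dist <= threshold:
            reasons.append(f"typosquat (edit distance {dist})")
    if not reasons:
        return None
    lures = [t for t in LURE_TERMS if t in label]
    if lures:
        reasons.append("lure terms: " + ", ".join(lures))
    return Finding(domain, reasons)


def screen_feed(feed, brand: str = BRAND) -> List[Finding]:
    """Run the assessment over a feed and keep only the domains worth acting on."""
    return [f for f in (assess_domain(d, brand) for d in feed) if f is not None]


if __name__ == "__main__":
    for f in screen_feed(SAMPLE_FEED):
        print(f"{f.domain:<30} {'; '.join(f.reasons)}")
```

Each finding carries its reasons so an analyst can prioritise: an embedded brand name with lure terms is a ready-made phishing host, whereas a bare typosquat with no lure term may be parked and only warrants monitoring until content appears.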

Navigating the New Security Landscape

The regulatory tide has turned. The responsibility for policing your brand identity in the wild now rests squarely on your shoulders. Your customers are facing increasingly sophisticated threats that they cannot stop alone. WMC Global understands the complexity of these global mandates and the industrialized nature of the mobile threat landscape. We provide the intelligence and expertise you need to understand where your organization is vulnerable, allowing you to establish the comprehensive, Active Disruption strategy that ensures your business is the hero that stops the threat, rather than the entity footing the bill for it.