We are discussing within the company how to structure our response to digital scams and fraud, especially scams involving fake profiles on social media such as WhatsApp. Criminals create fake profiles via WhatsApp with unofficial numbers and contact consumers, obtaining their data and then fraudulently generating payment slips. How is this situation structured in your company? Is there a dedicated area for this? Is it under Information Security? And if it is under Information Security, to whom does the area report—directly to the board/council/senior management, or is it under the IT department?

Information Security Manager, 2 days ago

Hi Ricardo,

From my perspective and experience, this function belongs in the CISO organization, likely with the Threat Intelligence team or an equivalent unit.

Information Security Manager in Banking, 3 days ago

In our case, this topic sits within the CISO organisation. We have a dedicated Culture & Awareness team that is responsible for these types of issues, as well as broader awareness campaigns, training, and guidance for employees.

From my perspective, this work clearly belongs under CISO rather than generic IT, especially in a corporate environment. Besides Culture & Awareness, the CISO domain typically includes functions such as Threat Intelligence, Red Team, and Blue Team, which can all contribute to: analysing these types of scams and attack patterns, turning them into actionable alerts and playbooks for internal teams, and ultimately improving protection and awareness for both employees and clients.

So, in my opinion, this should be treated as Security work, not “just” IT work. For smaller or medium-sized companies, it may still sit under IT, but in larger organisations, I believe it should be organised under the CISO and report into senior management, rather than directly to the board or council.

Cybersecurity Manager in Finance (non-banking), 5 days ago

In our organization, we don’t deal specifically with WhatsApp-based scams, but we do see similar forms of digital fraud, including borrower-targeted wire-fraud attempts, SMS gift-card scams, and growing concerns around deepfake-enabled conference calls and impersonation phone calls.

IT Security plays the central investigative role in these cases, proactively or when reported through other channels, using tooling, analysts, and threat intelligence sources to understand how the fraudulent activity was executed and to recommend technical and procedural controls that can prevent similar incidents. We work closely with our Legal and Compliance teams, who lead external actions such as platform takedowns, cease-and-desist efforts, reporting to state agencies or the FBI, and drafting notifications to customers or business partners when broader awareness is needed. IT Security also develops internal security-awareness training tailored to emerging threats when it makes sense to do so, like these, so our workforce can recognize and report fraudulent activity through the proper channels. This partnership model ensures both the technical and legal sides of scam response are addressed and helps keep our employees, customers, and business partners safe.

In terms of reporting structure, within our org IT Security reports to the Head of IT, who reports to the Chief Legal Officer and works closely with our Chief Compliance Officer and other executive leadership.
