The FBI’s Internet Crime Complaint Center (IC3) just released its 2025 Annual Report, and the numbers are striking. Cybercrime losses reported by Americans topped $20.8 billion last year, a 26% jump from 2024. For the first time, the IC3 crossed the one-million-complaint threshold in a single year, averaging nearly 3,000 reports per day! For businesses, the message is hard to ignore: the threat landscape isn’t stabilizing. It’s accelerating.
Here’s a breakdown of what the report reveals and what it means for your organization.
The Big Picture: $20.8 Billion in Losses
Total reported losses climbed from $16.6 billion in 2024 to $20.8 billion in 2025. Investment fraud led all categories at $8.6 billion in losses, followed by Business Email Compromise (BEC) at $3 billion, and tech/customer support scams at $2.1 billion. Cyber-enabled fraud (crimes where technology is the primary weapon) accounted for 85% of all reported losses, totaling $17.7 billion.
These aren’t just statistics. Behind every dollar is a business that wired funds to the wrong account, a hospital locked out of patient records, or an employee who clicked one convincing email and compromised the totality of their company’s data. Yikes!
Business Email Compromise: Still Devastating, Still Growing
BEC remains one of the most financially damaging threats facing organizations of all sizes. Attackers compromise or impersonate email accounts to redirect wire transfers, manipulate invoices, or harvest credentials. BEC schemes work because they exploit human trust rather than technical vulnerabilities. Reported losses hit $3 billion in 2025. And that figure is almost certainly an undercount, since many incidents go unreported.
Generative AI tools allow attackers to craft hyper-convincing emails at scale, tailor language to specific individuals, and even clone executives’ voices. In 2025, businesses reported over $30 million in losses tied to BEC scams with a confirmed AI component. If your email security and verification protocols haven’t been updated recently, they’re almost certainly already behind, and dangerously so.
Ransomware: The Costs Go Far Beyond the Ransom
The reported ransomware complaints in 2025 generated losses exceeding $32 million. This is a jaw-dropping 259% increase from the prior year. But here’s the critical caveat the FBI itself acknowledges: those figures don’t include downtime, forensic costs, legal exposure, or reputational damage. The real cost of a ransomware incident is typically several times the ransom demanded. Talk about adding insult to injury!
Sixty-three new ransomware variants were identified in 2025 alone, averaging more than five per month. The sectors hit hardest included healthcare, critical manufacturing, and government facilities. But legal services, engineering firms, and general contractors also showed up prominently among non-critical-sector victims. No industry is immune.
AI Is Now a Cybercrime Tool
For the first time, the IC3’s annual report includes a dedicated section on artificial intelligence in cybercrime. In 2025, IC3 received more than 22,000 AI-related complaints with adjusted losses exceeding $893 million. Criminals are using AI for everything from generating convincing phishing emails and fake social media profiles to cloning voices for “grandparent scams” and creating deepfake videos of executives. Investment scams with a confirmed AI component accounted for $632 million in losses alone.
The practical implication for businesses: detection methods built around spotting poor grammar, unusual phrasing, or low-quality impersonations are increasingly obsolete. AI-generated fraud looks and sounds legitimate.
What Should IT Leaders Take Away?
The 2025 internet crime report isn’t just a crime log; it’s a risk map. A few themes stand out for organizations reviewing their security posture:
- Email verification and BEC controls need to account for AI-enhanced impersonation. Multi-factor authentication and out-of-band confirmation for wire transfers are non-negotiable baselines.
- Ransomware preparedness means more than backups. It means tested incident response plans, network segmentation, and endpoint detection tools that catch lateral movement before encryption begins.
- Employee training has to evolve beyond “don’t click suspicious links.” Today’s attacks are contextual, convincing, and personalized.
- Patch management and access controls remain among the most effective and cost-efficient defenses available, yet they’re consistently underprioritized.
The FBI’s Recovery Asset Team froze $679 million in fraudulent transfers in 2025, representing a 58% success rate. But that success depends almost entirely on victims reporting immediately. The best outcome, of course, is prevention.
The 2025 internet crime report makes one thing clear: cybercriminals are organized, well-funded, and increasingly sophisticated. The question for every IT leader isn’t whether their organization is a potential target because it most certainly is. The question is: Are my defenses keeping pace with today’s ever-evolving threats?
If you’d like to talk through what the current threat landscape means for your organization’s security posture, the team at Emerge is eager to engage.