FBI: $21B Cybercrime Losses in 2025 on Record 1M IC3 Complaints

Americans lost $20.877 billion to cybercrime in 2025 — a 26% increase from the $16.6 billion recorded in 2024 — according to the FBI's annual Internet Crime Complaint Center report published in April 2026. For the first time in the IC3's 25-year history, total complaints exceeded one million in a single year: 1,008,597 complaints were filed. Both records broke the previous year's records.

The report tracks reported losses, not estimated total losses. Cybercrime is systematically underreported — the FBI consistently notes that a significant portion of victims never file a complaint. The $21 billion figure is a floor, not a ceiling.

The $8.6 Billion Investment Scam Epidemic

Investment scams were the single largest loss category in 2025 at $8.6 billion — by far the most expensive category and the one growing fastest. These are primarily "pig butchering" operations: long-con fraud schemes where attackers build trust over weeks or months before directing victims into fake cryptocurrency investment platforms that show fabricated profits until the final extraction.

The mechanics have been industrialized. Most operations run from scam compounds in Southeast Asia — Cambodia, Myanmar, Laos — where trafficked workers are forced to operate the social engineering campaigns at scale. AI voice and video tools have made the impersonation layer significantly more convincing in recent years. Victims often cannot distinguish between a human contact and an AI-generated persona maintained by a script-following operator.

The FBI specifically flagged that AI tools lowered the barrier to creating convincing fake identities, fabricated investment dashboards, and synthetic voice calls. This is the category where AI-assisted cybercrime has had the most measurable financial impact.

Business Email Compromise: $3 Billion, One Transfer at a Time

Business email compromise (BEC) losses totalled approximately $3 billion in 2025. BEC is structurally different from most cybercrime: it does not require malware, exploits, or technical access. It requires a convincing email, usually impersonating a CFO, CEO, or external vendor, instructing the finance team to transfer funds to an attacker-controlled account.

The target is almost always a wire transfer or ACH payment. The attack works because finance teams are trained to execute payment instructions from senior executives, and the email looks legitimate. Modern BEC operations now use AI to clone executive writing styles from public communications — earnings calls, press releases, LinkedIn posts — making the impersonation harder to detect.

For developers building internal tools or finance platforms, BEC is the threat model you are most likely to encounter. Multi-step payment authorization workflows, out-of-band verification for unusual transfers, and anomaly detection on wire instruction patterns are the practical defenses.

AI Cybercrime Tracked for the First Time: $900 Million

The 2025 IC3 report is the first edition to categorize AI-related cybercrime as a distinct reporting category. In its inaugural year of tracking, AI-assisted cybercrime generated nearly $900 million in reported losses. The categories involved include AI-generated phishing at scale, deepfake video fraud (impersonating executives in video calls to authorize transfers), synthetic audio fraud, and AI-assisted social engineering for credential theft.

The $900 million represents reported losses in explicitly AI-attributed cases. The actual AI involvement in overall cybercrime losses is substantially higher — AI tools are increasingly used across investment scams, BEC, and technical attacks without victims or investigators flagging the AI element specifically.

The FBI is building the methodology for better AI attribution in future reports. By the 2026 IC3 report (covering 2026 losses), the AI-attributable category is expected to be significantly larger.

This connects directly to what CrowdStrike documented in its 2026 Global Threat Report: AI is compressing attack timelines and lowering the skill floor for executing sophisticated fraud. For context on the attacker-side AI capabilities, see CrowdStrike 2026: AI Cuts Cyberattack Breakout Time to 29 Minutes.

Healthcare: 460 Ransomware Incidents vs 182 Data Breaches

The sector breakdown reveals a structural imbalance in critical infrastructure attacks. Healthcare and public health recorded 460 ransomware incidents against only 182 traditional data breaches — ransomware is 2.5x more common than data exfiltration in the most targeted critical infrastructure sector.

Healthcare is the highest-value ransomware target because of three factors: the time-sensitivity of medical data (a hospital cannot wait days to restore access to patient records), the underinvestment in security relative to revenue, and the regulatory pressure to pay quickly to avoid HIPAA violations from extended data exposure.

The average ransomware demand in healthcare exceeded $2 million in 2025, with some major health system attacks generating demands in the tens of millions. The FBI strongly advises against payment but acknowledges that many organizations pay because the alternative — extended operational disruption — creates patient safety risks.

What This Means for Developers

Three direct implications:

Stop treating BEC as an email security problem. The attack vector is human behavior, not email infrastructure. SPF/DKIM/DMARC stops spoofed domains but does not stop compromised or lookalike accounts. Multi-step approval for large transfers and out-of-band verification are the only reliable defenses.

AI-generated phishing is now indistinguishable from human-written phishing at scale. Training employees to "spot bad grammar" is obsolete. AI-generated spear phishing emails are grammatically perfect, contextually accurate, and personalized to the recipient's known professional context. Security awareness training needs to shift from "spot errors" to "verify through a second channel before acting."

If you build in healthcare, ransomware response is a product requirement. Immutable backups, network segmentation that isolates clinical systems from administrative networks, and tested restoration procedures are not optional enhancements — they are the minimum viable security architecture for any system that processes patient data.

Use the site's Email Spoof Checker to audit SPF/DKIM/DMARC on domains you control — a baseline step, though BEC defense still requires process controls beyond email authentication.

Key Takeaways

• $20.877 billion in US cybercrime losses in 2025 — up 26% from $16.6B in 2024
• 1,008,597 complaints — first time IC3 exceeded one million in a year
• Investment scams: $8.6 billion — largest category, driven by AI-assisted pig butchering operations
• BEC: $3 billion — impersonation of executives for wire transfer fraud
• AI cybercrime: $900 million — first year FBI tracked this as a separate category
• Healthcare: 460 ransomware incidents vs 182 data breaches — ransomware 2.5x more common than data exfiltration
• For developers: AI-generated phishing has made "spot the error" training obsolete; BEC requires process-level controls, not email filters; healthcare systems require tested ransomware restoration as a baseline
• What to watch: 2026 IC3 report (expected April 2027) for AI cybercrime category growth

Sources

• FBI: Americans lost a record $21 billion to cybercrime in 2025 — BleepingComputer
• FBI IC3 2025 report: Nearly $21 billion lost, phishing and AI scams — dmarcian
• Cybercrime losses break $20 billion mark — Help Net Security
• Why cybercrime losses hit $21 billion in 2025 — Barracuda Networks