FBI Cybercrime Report: Losses Hit Record $20.88 Billion as AI-Powered Fraud and BEC Attacks Surge

The economics of cybercrime are accelerating at a pace that is beginning to outstrip enterprise defenses. According to the FBI’s Internet Crime Complaint Center (IC3) 2025 Annual Report, total reported losses reached $20.88 billion, a 26 percent increase year over year, signaling a structural shift in how cybercriminal operations scale, target, and monetize victims.

More than one million complaints were filed in 2025, underscoring the growing frequency of attacks and the widening attack surface created by always-connected digital environments. The report paints a clear picture. Cybercrime is no longer opportunistic. It is targeted, operationally mature, and increasingly powered by artificial intelligence.

Investment Fraud and BEC Dominate Cyber Losses

Two attack categories accounted for the majority of financial damage in 2025: investment fraud and Business Email Compromise (BEC). These methods continue to outperform other cybercrime techniques because they directly manipulate human trust rather than relying solely on technical exploitation.

BEC alone generated over $3 billion in losses, representing 14.6 percent of total reported damages. These attacks typically involve threat actors impersonating executives or trusted vendors to redirect payments, often through convincing email threads or urgent financial requests.

Investment fraud remains the top revenue driver for cybercriminals, fueled by social engineering campaigns that exploit financial urgency, market hype, and perceived authority.

AI-Enabled Cybercrime Moves Into the Mainstream

For the first time, the IC3 report formally tracks AI-enabled cybercrime as a distinct category. In 2025, the FBI recorded 22,364 complaints tied to AI-driven scams, resulting in more than $893 million in losses.

This shift reflects a broader transformation in the threat landscape. Attackers are now leveraging generative AI, voice cloning, and deepfake technologies to create highly convincing impersonation campaigns. These tools significantly reduce the effort required to execute targeted attacks while increasing their success rate.

BEC campaigns in particular have evolved. AI-generated emails, synthetic voice messages, and realistic impersonations of executives are making it increasingly difficult for employees to distinguish legitimate communications from fraudulent ones.

The Human Attack Surface Is Now the Primary Target

The FBI report highlights a critical trend. Cybercriminals are increasingly focusing on the human layer of security rather than traditional infrastructure vulnerabilities.

Executives, high-net-worth individuals, and their families are emerging as high-value targets. Personal devices, home networks, and digital identities are often less protected than corporate systems, creating an entry point for broader organizational compromise.

BlackCloak’s internal research reinforces this exposure:

• 87 percent of new clients had no security protections on personal mobile devices or tablets

• 100 percent of assessed households had credentials exposed on the dark web

• 39 percent had active malware or unsecured home networks at the time of onboarding

• More than half of organizations believe an executive’s family member could be the initial breach vector

  
  

These findings suggest that enterprise security strategies are lagging behind attacker behavior, which increasingly blends personal and professional digital environments.

Cyber-Enabled Fraud Drives the Majority of Losses

Cyber-enabled fraud accounted for 85 percent of all reported losses in 2025, totaling $17.7 billion. This category includes schemes involving financial theft, identity compromise, and counterfeit services delivered through digital channels.

Tech support scams also remain a significant contributor, with nearly 48,000 complaints resulting in $2.1 billion in losses. These campaigns often rely on impersonation tactics similar to BEC, reinforcing the broader trend of trust-based exploitation.

Executive Risk Reaches a New Threshold

The report signals a shift in enterprise risk models. Attackers are no longer focused solely on breaching systems. They are targeting decision-makers directly, using publicly available information to craft highly personalized attacks.

Dr. Chris Pierson, Founder and CEO of BlackCloak, said the findings reflect a growing gap between attacker capability and enterprise preparedness.

“The IC3 report alerts us to a pervasive reality that we can’t afford to ignore: highly motivated threat actors know where the gaps in security exist for enterprises and Family Offices and are actively exploiting them at an accelerated rate."

“The rise of AI-enabled cybercrime and scams, deepfake impersonations, phishing and ransomware attacks, and identity theft demonstrates the consequences of an ever-growing digital risk environment. This latest report underscores the critical importance of safeguarding the personal digital lives of executives and high-net-worth individuals through a comprehensive approach, and further fuels the BlackCloak team’s passion and purpose in our work every day.”

Pierson emphasized the complexity of the evolving threat landscape.

"The IC3 report alerts us to a pervasive reality that we can’t afford to ignore: highly motivated threat actors know where the gaps in security exist for enterprises and family offices and are actively exploiting them at an accelerated rate. The rise of AI-enabled cybercrime, deepfake impersonations, phishing, ransomware, and identity theft reflects an increasingly complex digital risk environment—and underscores the need to safeguard the personal digital lives of executives and high-net-worth individuals.”

A Turning Point for Cybersecurity Strategy

The 2025 IC3 report marks a turning point in cybersecurity. The convergence of AI, social engineering, and personal digital exposure is redefining how attacks are executed and where defenses must be applied.

Traditional perimeter-based security models are proving insufficient against adversaries who target identity, trust, and behavior. As cybercriminals continue to operationalize AI at scale, organizations face mounting pressure to extend security beyond corporate networks and into the personal digital ecosystems of their most valuable people.

The data is clear. Cybercrime is no longer just an IT problem. It is a business risk, a personal risk, and increasingly, a systemic one.