FBI IC3 2025: $20.9B Lost — and What Your Team Can Do

Every year, the FBI's Internet Crime Complaint Center (IC3) publishes the closest thing the industry has to an official scoreboard for cybercrime. The 2025 edition is sobering: more than one million complaints and reported losses of nearly $20.9 billion — a 26% jump over the prior year. For anyone who has argued that security awareness is a "nice to have," the IC3 report is the counterargument in hard numbers.
The headline isn't just the total. It's how the money is being lost — overwhelmingly through schemes that target people and processes rather than firewalls.
Where the Money Goes
Business email compromise (BEC) remains one of the costliest categories, with roughly $3.04 billion in reported losses in the most recent figures — and nearly $55.5 billion over the past decade. A detail that should shape every finance team's controls: about 86% of BEC losses are sent via wire transfer or ACH, making them fast-moving and frequently unrecoverable by the time anyone notices.
BEC is deceptively simple. There's no malware to detect, no exploit to patch — just a convincing message (increasingly a convincing voice or video) that persuades an employee to send money or change payment details. It works because it targets a normal business process: paying an invoice, helping the boss, trusting a vendor.
AI Is Pouring Fuel on the Fire
The IC3 report explicitly flags artificial intelligence as an emerging enabler of these schemes. Chat generators now mimic executives' writing styles flawlessly, and voice cloning is being used to authorize fraudulent transfers over the phone. The reconnaissance and personalization that once took attackers weeks can now be automated in minutes, scaling BEC and pretexting to a degree we've never seen.
The barrier to a convincing impersonation has collapsed. Assume that a polished email, a familiar voice, and an urgent payment request can all be manufactured on demand.
The Human Layer Is the Control Plane
Read the IC3 categories together with the Verizon DBIR's finding that the human element features in 62% of breaches, and a clear theme emerges: the decisive control in most financial cybercrime is a person making a decision. A wire either gets verified or it doesn't. An MFA prompt either gets denied or approved. A suspicious email either gets reported or clicked.
That's actually good news, because human decisions are trainable and processes are fixable. You don't need to out-engineer the attackers — you need to make sure no single deceived employee can move money or hand over access unchecked.
What to Put in Place
- Out-of-band verification for payments. Any new payee or change to bank details must be confirmed via a known, independent channel — a callback to a verified number, never the details in the request.
- Dual authorization for high-value transfers. Two people, two approvals. A single fooled employee shouldn't be able to release funds.
- A fast, blameless reporting path. The sooner a suspicious request is flagged, the better the odds of clawing back an ACH or wire. One-click reporting tools turn employees into early-warning sensors.
- Role-based training for the targets. Finance, accounts payable, and executive assistants face the highest-value lures and deserve focused, recurring practice.
- Realistic simulations. Test BEC and payment-fraud scenarios — including voice and invoice-change lures — not just generic email phishing.
empowsec's phishing simulation and security awareness training platform is designed around this reality: multi-channel BEC and payment-fraud simulations, role-targeted campaigns for finance teams, and instant teachable-moment debriefs so a near-miss in a simulation prevents a real loss. Combined with sound payment controls, it turns the IC3's grim totals into a roadmap for exactly what to fix.
Key Takeaways
- The FBI IC3 2025 report records ~$20.9 billion in losses, up 26% — with BEC among the costliest categories.
- 86% of BEC losses move by wire or ACH, so fast verification and reporting are critical to recovery.
- AI is scaling BEC via flawless impersonation in text, voice, and video.
- The most effective defenses are human and procedural: out-of-band verification, dual authorization, fast reporting, and role-based training.
The full report and prevention guidance are available at the FBI Internet Crime Complaint Center.


