The FBI’s 2025 Internet Crime Complaint Center (IC3) report just landed, and the headline number is hard to ignore: $20.877 billion in reported losses across more than 1 million complaints. That’s a 26% increase over 2024.

Here’s the read-out that matters for smaller businesses including what changed year-over-year, where AI showed up for the first time, and the three decisions worth making before Q3.

The 2025 FBI IC3 Annual Report shows cybercrime losses topped $20.877 billion, a 26% increase over 2024, across more than 1 million complaints. For smaller businesses, the biggest threats are Business Email Compromise ($3.05 billion in losses) and AI-enabled scams: the 2025 report added a dedicated section tracking $893 million in AI-related fraud.

$20.877 Billion in Losses, More than 1 Million Complaints

A few numbers worth understanding:

• $20.877 billion in total losses — up from $16.6 billion in 2024
• 1,008,597 complaints in 2025
• $20,699 average loss per complaint
• IC3 now averages roughly 3,000 complaints per day, up from a few thousand per month at its founding in 2000 — this is the 25th anniversary report

The one-line takeaway: cybercrime didn’t just go up. Losses outpaced complaint volume. Each incident is costing more, on average, than it did a year ago.

Where the Money Actually Went

The top loss categories in 2025, in order:

• Investment fraud: $8.65 billion — the single largest category. Skews older-individual, not small business, but it’s the dominant share of total losses.
• Business Email Compromise (BEC): $3.05 billion across 24,768 complaints. Where smaller businesses have the most exposure.
• Tech/customer support scams: $2.13 billion.
• Personal data breach: $1.31 billion.
• Ransomware: 3,611 complaints and $32.3 million in direct reported losses — the FBI flags this number as understated because it captures direct losses only, not downtime, recovery, or ransom paid outside reporting.

Cyber-enabled fraud — the umbrella category that covers BEC, investment, tech support, and similar scams — was responsible for 45% of all complaints and 85% of all losses.

If you’re a smaller business, the line that matters most is BEC. Three billion dollars vanished into payment-workflow scams, and almost none of it came from sophisticated zero-day attacks. It came from one person approving a wire change request without picking up the phone.

The New Story: AI in Cybercrime

The 2025 IC3 report introduced something the 2024 report didn’t have: a dedicated section on Artificial Intelligence (AI) Used in Cybercrime.

The numbers:

• 22,364 complaints referenced AI
• $893 million in associated losses
• Top AI-enabled categories by loss: Investment ($632M), BEC ($30M), Tech/Customer Support ($19.5M), Confidence/Romance ($19M)

Two things stand out for smaller businesses:

Voice cloning is real and operational. The FBI specifically calls it out: distress scams (“your CEO is calling, he needs the wire approved now”), grandparent scams (an extreme version of the same pattern), and family-emergency variants. 

AI doesn’t change what attackers want, it changes how well they can ask for it. Convincing phishing emails, plausible-sounding executives on the phone, social media profiles that look like real humans. AI scales personalization, and personalization is what beats the spam filter and the suspicious-employee instinct that have been your last line of defense.

That last point connects to a longer conversation we just published on how OrbitalFire thinks about AI internally: AI at OrbitalFire: An Inside Look at Our Strategy. The IC3 numbers above are the other side of that same conversation: what attackers do with AI, while you’re deciding what you do with it.

For the deeper take on AI-enabled small business fraud including deepfakes, voice clones, and a case study, see AI Scams and Deepfakes: The New Frontier of Small Business Fraud.

Three Considerations to Make Before Q3

1. Revisit BEC controls. Wire transfers, payment changes, vendor banking updates, payroll changes — anything that moves money or redirects it. We recommend you put in place two-channel verification (not “reply to the same email”) for any change above a defined threshold. Write down the threshold. Train the team. The IC3 data is unambiguous: BEC is where smaller businesses have the most exposure.

2. Take voice cloning seriously. Set a verification word, a call-back number, or both for finance and HR. Brief everyone with a payment-approval role. Tell them to expect a fraudulent voice call from “the CEO” or “the controller” sometime in 2026. Make it normal to hang up and call back on a known number.

3. Inventory your AI exposure. Where is AI already touching your business, and what’s it allowed to decide? Customer-facing chatbots, AI-assisted scheduling, AI-summarized email, AI in your finance or HR tools. The exposure isn’t theoretical — it’s already there. Naming it is step one.

If you’d rather not run that inventory alone, the OrbitalFire AI Readiness Assessment is built for it.

Small Doesn’t Mean Safe, and It Doesn’t Mean Panic Either

The IC3 report is alarming if you read only the totals. It’s useful if you read it the way the FBI actually intends — as evidence of where cybercriminals are spending their effort. The playbook for a smaller business hasn’t fundamentally changed since last year: verify before you pay, train before you click, audit your AI exposure, and plan for the threats that target your business model, not the headlines.

What changed is the urgency. AI made the convincing-fake easier to produce at scale. The Q2 timing of this report is a gift:  there’s time to review your policies and procedures before Q3.

How We Can Help

Not sure if your cybersecurity holds up against the 2025 IC3 numbers? Most smaller businesses aren’t.  Schedule a Cyber Reality Check and find out, or Download the Small Business Cybersecurity Readiness Checklist to get a quick overview of where your business stands.

Frequently Asked Questions

What did the 2025 FBI IC3 Report find?

The 2025 FBI Internet Crime Complaint Center (IC3) Annual Report logged 1,008,597 complaints and $20.877 billion in reported losses — a 26% jump over 2024. Investment fraud was the largest single category at $8.65 billion, followed by Business Email Compromise at $3.05 billion. The 2025 report added a dedicated section on AI-enabled cybercrime for the first time.

How much money did smaller businesses lose to BEC in 2025?

According to the 2025 IC3 Annual Report, Business Email Compromise (BEC) scams accounted for $3.05 billion in losses across roughly 24,768 complaints. BEC remains one of the biggest cybercrime threats to smaller businesses because the scams target payment workflows — wire transfers, vendor invoices, and payroll changes — that are often handled by one or two people.

What does the FBI say about AI in cybercrime?

The 2025 IC3 Annual Report introduced a new section dedicated to artificial intelligence in cybercrime, reporting 22,364 complaints and $893 million in losses with an AI nexus. The top AI-enabled categories by loss were investment fraud, BEC, tech support scams, and confidence/romance scams. Voice cloning was specifically called out in distress and “CEO voice” scams.

Why did cybercrime losses jump so much in 2025?

Two reasons stand out in the 2025 IC3 data: each individual scam cost more on average ($20,699 per complaint), and AI-enabled fraud added a new attack layer that scales personalization at low cost. Investment fraud was the largest loss category at $8.65 billion. Smaller businesses are most exposed through BEC, which targets payment workflows.

What should a smaller business do after reading the IC3 report?

Three steps before Q3: (1) revisit BEC controls — require two-channel verification for any payment change request, (2) train staff on AI-enabled scams, especially voice cloning and “CEO voice” tactics, and (3) inventory where AI already touches your business and what it’s allowed to decide. The playbook is the same as last year — the urgency is higher.