2025 Internet Crime Report: Nearly $21 Billion Lost | Phishing and AI Scams
The Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) has released the 2025 Internet Crime Report, documenting internet crimes reported to the IC3 last year.
While it’s good to see that phishing and spoofing reports declined marginally, they continue to be the most reported cybercrime, comprising 19% of the 1,008,597 total complaints—the highest number IC3 has ever logged.
In line with the highest number of reports came record-breaking losses totalling almost $21 billion, shattering the previous record in 2024 by 26%.
The increase in financial losses was fueled by investment fraud losses at $8,648,617,756 and business email compromise (BEC) losses at $3,046,598,558; combined,they comprise over half (56%) of the total internet crime losses in 2025.
Compound Threat: Phishing and BEC
Business Email Compromise is a type of socially-engineered spear phishing exploit that typically doesn’t depend on fraudulent links or malware for execution. Unlike high-volume phishing campaigns, BEC uses a highly targeted and personalized email, often from an executive, to trick employees into transferring funds or exposing credentials.
These emails usually originate with compromised email accounts, unprotected email domains, or domain spoofing. Phishing serves as the primary gateway, while BEC acts as the lethal, targeted execution.
Here’s an example of how phishing and BEC can work together for criminal gain:
- Luring the Victim: Cybercriminals send phishing emails to gain access to an account or network.
- Observation Stage: When bad actors gain access, they take time to watch email patterns and content, then prepare their BEC attack.
- The Attack: The intruders impersonate an executive, vendor, or internal department to trick a staff member into redirecting funds to a criminal bank account.
BEC, phishing, and spoofing combine to account for 21% of the overall reported crime types for a total of 216,329 complaints and an aggregated loss of over $3 billion.
IT security terms can be terribly technical. Our DMARC Dictionary helps you cut through the alphabet soup. Let us know if you have anything to add!
In 2025, losses reported to IC3 continued to climb, surpassing the $20 billion mark. Investment-related fraud was once again the largest component of these losses, followed by business email compromises and tech support scams. The FBI continues to disrupt and deter malicious cyber actors—and shift the cost from victims to our adversaries. One example was Operation Level Up, which countered crypto investment scams. This FBI-led initiative has reduced potential losses by more than $500 million since 2024.
—Jose A. Perez, Operations Director for Cyber and Criminal Branch, FBI
The Rise of Artificial Intelligence (AI)
With 22,364 complaints and $893,346,472 in losses, AI makes a raucous inaugural appearance in the Internet Crime Report this year. In BEC scams, chat generators can easily create a realistic, error-free, socially engineered email that impersonates a C-level employee or other staff members. As AI continues to be adopted at an increasing pace, often without guardrails, we can expect that this year’s report won’t be the last time we see a section dedicated to AI-enabled internet crime.
ICS’s 25th Anniversary
Now in its 25th year, the IC3 was established in 2000 to collect, analyze, and act upon internet-related crime complaints. It provides the public with a reporting mechanism to submit information to the FBI concerning cybercrime and to develop effective alliances with law enforcement and industry partners to help those who report. Information is analyzed and disseminated for investigative and intelligence purposes for law enforcement and for public awareness.
To help address increasing rate internet crime, the Cybersecurity and Infrastructure Security Agency (CISA) released an updated Cross-Sector Cybersecurity Performance Goals, “a baseline set of cybersecurity practices broadly applicable across critical infrastructure with known risk-reduction value.” In the performance goals, CISA recommends enabling SPF and DKIM and deploying DMARC with a p=reject policy, the culminating DMARC policy to secure domains from phishing exploits.
Likewise, in the #StopRansomware Guide published by CISA and the FBI, DMARC is a foundational defense against phishing, BEC, and domain spoofing. Because phishing and malicious emails are a primary attack vector for ransomware, they recommend DMARC to prevent threat actors from sending emails disguised as your organization.
Check out our list of evolving DMARC mandates and guidance across the globe.
The FBI reminds us to report suspected criminal internet activity to IC3. By reporting internet crime, victims are not only alerting law enforcement to the activity, but aiding in the fight against cybercrime.
How dmarcian can help
With a team of email security experts and a mission of making email and the internet more trustworthy through domain security, dmarcian is here to help fight phishing and spoofing. We can help assess your domains and provide the tools and expertise needed to implement and manage DMARC for the long haul.
Want to continue the conversation? Head over to the dmarcian Forum.
