
FBI: Cyber Crimes Cost Americans $21 Billion in 2025

The FBI reports U.S. victims lost nearly $21 billion to cyber-enabled crimes in 2025, with investment scams and business email compromise leading the surge.

7 April 2026, 22:41

Last updated 8 April 2026, 00:05

Severity: High
Exploit: Unknown
Patch status: Unavailable
Vendor: Federal Bureau of Investigation
Affected: U.S. individuals and organizat...
Category: Cyber Attacks

FBI Documents Record $21 Billion in Cybercrime Losses for 2025

The Federal Bureau of Investigation released its annual Internet Crime Report on April 7, 2026, revealing that American victims lost nearly $21 billion to cyber-enabled crimes throughout 2025. This staggering figure represents one of the highest annual totals ever recorded by the FBI's Internet Crime Complaint Center (IC3), marking a troubling escalation in the financial impact of cybercriminal activities targeting U.S. individuals and organizations.

The report identifies four primary attack vectors responsible for the majority of these losses: investment scams, business email compromise (BEC) schemes, technical support fraud, and large-scale data breaches. Investment fraud alone accounted for billions in losses, with cybercriminals exploiting everything from cryptocurrency schemes to fake trading platforms that promised unrealistic returns to unsuspecting victims.

Business email compromise attacks continued their devastating impact on American enterprises, with the FBI documenting thousands of incidents where attackers infiltrated corporate email systems to redirect wire transfers and manipulate financial transactions. These sophisticated social engineering attacks often target finance departments and executives, using compromised email accounts to authorize fraudulent payments that can reach millions of dollars per incident.

Technical support fraud schemes also contributed significantly to the total, with scammers impersonating legitimate technology companies to gain remote access to victims' computers and financial accounts. The CISA Known Exploited Vulnerabilities catalog has documented numerous cases where attackers leveraged unpatched systems to facilitate these scams, emphasizing the critical importance of timely security updates.

The FBI's data collection methodology involves analyzing reports submitted to IC3 throughout 2025, cross-referencing financial institution reports, and coordinating with international law enforcement agencies to track cross-border cybercrime operations. The bureau noted that the actual losses may be even higher, as many victims never report cybercrimes due to embarrassment, lack of awareness about reporting mechanisms, or concerns about business reputation.

Widespread Impact Across All Demographics and Sectors

The $21 billion in losses affected victims across all age groups, geographic regions, and economic sectors, though certain demographics faced disproportionate targeting. Older Americans, particularly those aged 60 and above, continued to be prime targets for technical support fraud and investment scams, losing an average of $35,000 per incident according to the FBI's analysis. These victims often possess substantial retirement savings and may be less familiar with modern cybersecurity threats.

Small and medium-sized businesses bore the brunt of business email compromise attacks, with the FBI documenting over 15,000 BEC incidents targeting companies with fewer than 500 employees. These organizations often lack dedicated cybersecurity teams and sophisticated email filtering systems, making them vulnerable to well-crafted phishing campaigns that bypass basic security measures.

The healthcare sector experienced particularly severe impacts, with ransomware attacks and data breaches affecting hospitals, clinics, and medical practices nationwide. The FBI reported that healthcare organizations paid an estimated $2.3 billion in ransom demands and recovery costs during 2025, often choosing to pay attackers rather than risk patient safety during extended system outages.

Financial services companies, despite having robust security infrastructure, still faced significant losses from sophisticated attacks targeting customer accounts and internal systems. The report indicates that even institutions with advanced fraud detection systems struggled against evolving attack techniques that exploited zero-day vulnerabilities and social engineering tactics.

FBI Recommends Multi-Layered Defense Strategy

The FBI's report emphasizes that preventing these massive financial losses requires a comprehensive approach combining technical controls, user education, and incident response planning. Organizations should implement multi-factor authentication across all systems, particularly for email accounts and financial applications that handle wire transfers or sensitive customer data. The Microsoft Security Response Center provides detailed guidance on securing enterprise email systems against BEC attacks.

For investment fraud prevention, the FBI recommends that individuals verify any investment opportunity through official regulatory databases before committing funds. The Securities and Exchange Commission maintains public records of registered investment advisors, and the Commodity Futures Trading Commission tracks legitimate commodity trading platforms. Victims should be particularly wary of unsolicited investment offers received through social media, email, or cold calls.

Technical support fraud can be prevented by establishing clear protocols for legitimate technical assistance. Organizations should train employees never to provide remote access to unsolicited callers claiming to represent technology companies. Microsoft, Apple, and other major technology vendors do not initiate unsolicited support calls, and legitimate technical support always requires the customer to initiate contact through official channels.

The FBI also recommends implementing robust backup and recovery procedures to mitigate ransomware impacts. Organizations should maintain offline backups that cannot be accessed through network connections, test recovery procedures regularly, and develop incident response plans that include law enforcement notification protocols. The bureau's IC3 provides a streamlined reporting mechanism that helps track cybercrime trends and can assist in recovery efforts when reported promptly.

Financial institutions and businesses should implement real-time fraud monitoring systems that flag unusual transaction patterns, particularly international wire transfers or changes to payment routing information. The FBI notes that many BEC attacks succeed because organizations lack adequate verification procedures for financial transactions initiated through email communications.
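
The two signals named above (international wires and changed payment routing details), combined with a check for email-initiated requests that were never verified by callback, can be expressed as a small pre-release rule. This is an added example, not taken from the FBI report or from this site; the vendor records, field names, flag names and the hold/review/release policy are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed vendor master: bank details last verified for each payee.
VENDOR_MASTER = {
    "V-1001": {"routing": "000000001", "account": "11110000"},
    "V-1002": {"routing": "000000002", "account": "22220000"},
}

@dataclass
class PaymentRequest:
    vendor_id: str
    routing: str
    account: str
    beneficiary_country: str
    channel: str             # how the instruction arrived: "email", "portal", ...
    callback_verified: bool  # confirmed by phone using a number already on file

def review_flags(req, master=VENDOR_MASTER, home_country="US"):
    """Return the reasons a wire request needs attention before release."""
    flags = []
    known = master.get(req.vendor_id)
    if known is None:
        flags.append("unknown_vendor")
    elif (req.routing, req.account) != (known["routing"], known["account"]):
        flags.append("routing_changed")
    if req.beneficiary_country != home_country:
        flags.append("international_wire")
    if req.channel == "email" and not req.callback_verified:
        flags.append("email_unverified")
    return flags

def decide(req, master=VENDOR_MASTER, home_country="US"):
    """Map flags to an action: 'release', 'review' or 'hold'."""
    flags = review_flags(req, master, home_country)
    new_payee_details = {"routing_changed", "unknown_vendor"} & set(flags)
    # New bank details that arrived by email with no callback: stop the payment.
    if new_payee_details and "email_unverified" in flags:
        return "hold", flags
    return ("review" if flags else "release"), flags

if __name__ == "__main__":
    # Constructed requests, not taken from the FBI report.
    samples = [
        PaymentRequest("V-1001", "000000001", "11110000", "US", "portal", False),
        PaymentRequest("V-1001", "000000009", "99990000", "HK", "email", False),
        PaymentRequest("V-1002", "000000002", "22220000", "US", "email", False),
    ]
    for s in samples:
        print(s.vendor_id, *decide(s))
```
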

Frequently Asked Questions

What were the biggest cybercrime threats in 2025?

The FBI identified investment scams, business email compromise, technical support fraud, and data breaches as the primary threats causing $21 billion in losses. Investment fraud and BEC attacks accounted for the majority of financial damage to American victims.

How can businesses protect against email compromise attacks?

Organizations should implement multi-factor authentication, establish verification procedures for financial transactions, and train employees to recognize phishing attempts. Real-time fraud monitoring and offline backup systems also provide critical protection against BEC schemes.

Who should I contact if I'm a cybercrime victim?

Report cybercrime incidents to the FBI's Internet Crime Complaint Center (IC3) immediately. Prompt reporting helps law enforcement track trends and may assist in recovery efforts, especially for business email compromise and investment fraud cases.
