Introduction: A Record Year, and Email Owns the Front Door
The FBI's Internet Crime Complaint Center (IC3) released its 2025 Internet Crime Report, and the headline number is staggering: $20.8 billion in reported losses, a 26% jump over 2024, built on more than one million complaints--the first time IC3 has crossed that threshold in a single year.
But the most important finding for anyone who manages an inbox isn't the total. It's the conclusion the report draws about how the money is lost. In the FBI's framing, social engineering, not technical exploitation, is now the primary driver of financial impact. Attackers didn't break in. They logged in, or they asked--by email.
The line that should change how you think about email
Investment fraud led losses at $8.6 billion. Business email compromise (BEC) came second at roughly $3 billion. Tech support scams added $2 billion. The common thread across the most damaging categories isn't a zero-day exploit--it's a convincing message to a human being.
The 2025 Numbers That Matter
FBI IC3 2025 Internet Crime Report
Reported losses and complaint data from the FBI's Internet Crime Complaint Center.
Business Email Compromise: The $3 Billion Email Problem
BEC is the purest example of why email is still the most dangerous surface in any organization. There's no malware, no exploit, no breached firewall. There's an email--often from a spoofed or compromised account--asking someone to wire money, change banking details, or approve an invoice. As we explained in the BDR spam problem and SpamGPT, the same AI tooling that mass-produces cold sales pitches also produces flawless, context-aware fraud.
The $3 billion in 2025 BEC losses didn't come from sloppy "Nigerian prince" emails. They came from messages that read like a real CFO, a real vendor, a real follow-up on a real thread--because attackers now scrape breach data and generate tailored language at scale. That's the data-breach-to-inbox pipeline in action, and the IC3 numbers are its receipts.
The New Line Item: AI-Enabled Crime
For the first time, the FBI broke out AI-enabled attacks as a distinct category--roughly $900 million in losses. That's notable not because the number is the largest (it isn't yet), but because it's now large enough and distinct enough to track separately. It confirms what we've been documenting all year: AI didn't just speed up content creation, it changed the economics of social engineering.
Why this category will only grow
When attackers can generate thousands of fluent, personalized variants of a single lure for pennies, the limiting factor stops being effort and becomes inbox access. The defense, accordingly, has to move from spotting bad grammar to assessing intent and trust. This is the over-half-of-spam-is-now-AI tipping point showing up in federal loss data.
"They Didn't Break In, They Logged In"
The most quoted observation from the 2025 cycle is that almost every major incident began with a person, not a flaw: a help desk agent talked out of a credential, an employee who surrendered a single sign-on token to a convincing email, a vendor whose inherited access was simply reused. The reporting on the April 2026 broadband provider breach and the Microsoft-tracked phishing campaign that hit 35,000 users across 26 countries tells the same story.
Email authentication--SPF, DKIM, DMARC--verifies who sent a message, not whether its intent is legitimate. As we covered in the 2026 email authentication crisis, a compromised-but-authenticated mailbox sails through every check. That's why the front door stays open.
What This Means for Your Inbox
The IC3 report is a macro confirmation of a micro reality: the message that costs you isn't the obvious scam--it's the well-written one that looks like it belongs. The defenses that work are the ones that evaluate intent and trust, not surface features:
- Detect unsolicited outreach by behavior, not keywords. This is the heuristic, intent-based approach Email Ferret is built on.
- Treat polish as a non-signal. Perfect grammar is now the norm for both real mail and AI-generated fraud, as we showed in 5 Signs an Email Was Written by AI.
- Verify high-risk requests out of band. Payment changes and credential resets should never be approved on the strength of an email alone.
- Reduce inbox surface area. Every unsolicited message routed away is one fewer chance for a human--or, increasingly, an AI assistant--to act on it.
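The gap between authentication and trust, as an added example that is not Email Ferret's code or anything from the IC3 report: a triage function that reads the SPF/DKIM/DMARC verdicts and then applies two behavioral checks before deciding. The sample message, the `known_senders` set, the signal names and the action labels are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a known vendor mailbox that passes every authentication
# check, but whose replies are redirected to a different domain.
SAMPLE = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=vendor.example;
 dkim=pass header.d=vendor.example; dmarc=pass header.from=vendor.example
From: Accounts <ar@vendor.example>
Reply-To: Accounts <ar@vendor-billing.example>
To: ap@customer.example
Subject: Re: Invoice 1042

Please use the updated bank details for this payment.
"""

def domain(header_value):
    """Lower-cased domain of the address in a header ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def auth_verdicts(msg):
    """Extract spf/dkim/dmarc results from Authentication-Results."""
    header = msg.get("Authentication-Results", "")
    found = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, flags=re.I)
    return {method.lower(): result.lower() for method, result in found}

def triage(raw, known_senders):
    """Return (authenticated, trust_signals, action) for one raw message."""
    msg = message_from_string(raw)
    verdicts = auth_verdicts(msg)
    authenticated = all(verdicts.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    signals = []
    # Behavioral check 1: has this exact address ever corresponded with us?
    if parseaddr(msg.get("From", ""))[1].lower() not in known_senders:
        signals.append("no prior correspondence with sender")
    # Behavioral check 2: are replies steered away from the sending domain?
    reply_to = domain(msg.get("Reply-To"))
    if reply_to and reply_to != domain(msg.get("From")):
        signals.append("Reply-To domain differs from From domain")
    if not authenticated:
        action = "quarantine"
    elif signals:  # authenticated, yet still not trusted
        action = "hold for out-of-band verification"
    else:
        action = "deliver"
    return authenticated, signals, action
```

Note that the message body is never inspected: the hold decision comes from sender behavior, so polished wording does not change the outcome.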
Key Takeaways
- 1. The FBI's 2025 Internet Crime Report logged $20.8 billion in losses across more than 1 million complaints, up 26% year over year.
- 2. Business email compromise was the second-largest category at roughly $3 billion, and phishing or spoofing appeared in about one in five complaints.
- 3. AI-enabled attacks were tracked as their own category for the first time, accounting for about $900 million.
- 4. The report's core finding: social engineering, not technical exploitation, now drives the most financial damage--and email is the primary delivery channel.
- 5. Authentication verifies who sent a message, not its intent; defending the inbox requires intent-based detection of unsolicited and untrusted mail.
Frequently Asked Questions
How much did cybercrime cost in 2025 according to the FBI?
The FBI's Internet Crime Complaint Center (IC3) reported $20.8 billion in losses for 2025, a 26% increase over 2024, based on more than one million complaints--the first time IC3 surpassed a million complaints in a single year.
How much did business email compromise (BEC) cost in 2025?
BEC accounted for roughly $3 billion in reported losses in 2025, making it the second-largest category after investment fraud ($8.6 billion). Across 2022-2024, IC3 reported nearly $8.5 billion in cumulative BEC losses.
Did the FBI track AI-enabled cybercrime separately?
Yes. For the first time, the 2025 report broke out AI-enabled attacks as a distinct category, accounting for approximately $900 million in losses. This reflects how AI has changed the economics of phishing and social engineering.
Why doesn't email authentication stop these attacks?
SPF, DKIM, and DMARC verify who sent a message, not whether its intent is legitimate. A compromised but properly authenticated mailbox passes every check. Stopping these attacks requires intent-based detection that evaluates whether a message is unsolicited or untrustworthy regardless of how polished it looks.
Close the Front Door on AI Email Attacks
Email Ferret evaluates email by intent and trust, not surface features--so unsolicited and untrusted outreach never reaches your primary inbox. Explore our detection features or see pricing.