FBI IC3 Cybercrime Report 2026: The Complete Breakdown of $21 Billion Losses

The FBI's Internet Crime Complaint Center now receives roughly 3,000 complaints every single day, and its latest annual report puts the bill at $20.877 billion in reported losses for 2025, a 26% jump over the previous record and the first year complaints crossed the one million mark. Read that average loss figure again: $20,699 per complaint. That's not pocket change skimmed off a debit card. That's a used car, a semester of college, a down payment. And for the first time in the report's quarter-century history, the FBI carved out a dedicated section for artificial intelligence fraud, which by itself accounted for nearly $893 million in losses across 22,364 complaints. If you've been treating identity protection and digital financial security as a someday project, the numbers below make a strong case for moving it to this weekend.

One Million Complaints, $20.9 Billion Gone: The Headline Numbers

The Internet Crime Complaint Center, or IC3, logged 1,008,597 complaints for 2025, up from 859,532 the year before, an increase of roughly 17%. Reported losses climbed faster than complaint volume, from $16.6 billion to $20.877 billion. That gap matters. Scams aren't just multiplying; each one is extracting more money.

Cyber-enabled fraud did the heavy lifting. The FBI counted 452,868 fraud complaints totaling $17.697 billion, which works out to about 85% of every dollar lost. Phishing and spoofing led the complaint count at 191,561 filings, followed by extortion at 89,129, investment schemes at 72,984, and personal data breaches at 67,456. Ranked by dollars instead of volume, the order flips hard toward investment fraud.

Metric20242025Change
Total complaints859,5321,008,597+17.3%
Reported losses$16.6 billion$20.877 billion+26%
Average loss per complaint~$19,300$20,699+7%
Losses, victims 60+~$5.6 billion$7.7 billion+37%

Why the Real Damage Is Bigger Than the FBI's Figure

The report counts reported losses only. It does not estimate what victims never disclose, and the FBI itself notes that a large share of victims never file at all. Embarrassment keeps romance scam victims quiet. Businesses bury incidents to protect their reputation. Ransomware figures exclude downtime, lost contracts, and third-party cleanup costs, which routinely dwarf the ransom itself.

There's a longer arc here too. Over the past six years, the IC3 has taken in more than 5.2 million complaints representing over $70 billion in reported losses. In 2001, annual losses were measured in millions. Treat the $21 billion figure as a floor, not a measurement of the whole problem.

Where the Money Actually Went

Three categories account for the bulk of the damage, and none of them require the attacker to write a line of malicious code. They require a phone, a convincing story, and patience.

Crime type2025 reported lossesTypical payment method
Investment fraud$8.65 billionCryptocurrency
Business email compromise (BEC)$3.05 billionWire transfer
Tech support scams$2.13 billionWire, crypto, gift cards
Phishing / spoofing$215.8 millionCredential theft
Extortion$122 millionGift cards, crypto, P2P apps

Investment Fraud: $8.6 Billion and Still the Heavyweight

Investment fraud produced $8,648,617,756 in reported losses, close to half of all scam-related losses in the report. The playbook rarely changes. A stranger, or an account impersonating a friend, starts a conversation on a dating app, a text sent to a "wrong number," or a social platform. Weeks of friendly chat follow. Then comes the tip about a trading platform showing steady, impossible returns. The victim's dashboard shows gains because the dashboard is fiction; the platform is a shell built to display whatever number keeps deposits coming.

The withdrawal stage is where the trap closes. Victims are told they owe taxes or fees before funds can be released, so they send more money to recover money that no longer exists. Investment schemes generated 72,984 complaints, which means the average complaint in this category involved losses north of $118,000. No other category comes close to that per-victim figure.

Business Email Compromise: $3 Billion Stolen One Wire at a Time

BEC doesn't need malware. It needs a spoofed or hijacked email account and a plausible request: the CFO asking accounts payable to update a vendor's banking details, a title company sending "revised" closing instructions to a homebuyer. Losses hit $3,046,598,558 in 2025. One case in the report involved a city government office in Oregon wiring more than $6 million to a fraudulent account before the FBI's recovery team intervened.

The defense is procedural, not technical. Any request to change payment details gets verified by phone, using a number you already have on file, never one supplied in the email. Companies that enforce that one rule remove most of the BEC threat for free.

Tech Support Scams: $2.1 Billion Built on Fake Pop-Ups

Tech support fraud pulled in $2,134,675,818. It usually starts with a browser pop-up warning of a virus, complete with a toll-free number, or a call from someone claiming to be Microsoft, Apple, or your bank's fraud department. The script escalates: your accounts are compromised, your money must be moved to a "safe" account, and federal agents are standing by. A newer variant directs victims to withdraw cash and deposit it into a cryptocurrency ATM. Real tech companies do not call you, and no bank moves your money to safety by having you buy Bitcoin at a gas station kiosk.

Cryptocurrency: The $11 Billion Pipeline

Complaints involving cryptocurrency numbered 181,565 with losses topping $11 billion, up about 22% year over year. The average crypto complaint involved roughly $62,000. Crypto shows up across nearly every scam type for the same reason: transfers are fast, borderless, and effectively irreversible. A wire can sometimes be recalled. A crypto transaction, once confirmed, is gone.

Pig Butchering and the $7.2 Billion Crypto Investment Problem

Crypto investment fraud alone accounted for over $7.2 billion, making it the single most lucrative scheme in the entire report. Much of it traces back to industrial-scale fraud compounds overseas, where trafficked workers run hundreds of scripted conversations at once. The intimacy is manufactured, but the losses are personal: retirement accounts liquidated, home equity lines drained, 401(k) loans taken out to fund one more deposit.

Crypto ATMs and Recovery Scams: The Second Bite

Two sub-trends deserve their own line items. Losses tied to crypto ATM and kiosk deposits reached $389 million, a 58% increase, driven by scripts that walk panicked victims through feeding cash into a machine. And recovery scams, where fraudsters pose as investigators or law firms offering to retrieve stolen funds for an upfront fee, cost previous victims another $1.4 billion. Anyone who contacts you promising to recover your crypto losses for a fee is running the second act of the same play.

AI Fraud Gets Its Own Chapter: $893 Million in Losses

For the first time in its history, the report breaks out artificial intelligence as a category: 22,364 complaints and $893,346,472 in losses. The FBI describes voice clones of family members, fabricated identification documents, fake social profiles, and convincing videos of public figures endorsing investment platforms they've never heard of. Cloned-voice "family emergency" calls, the modern grandparent scam, accounted for about $5 million on their own.

The honest read is that AI isn't inventing new crimes; it's scaling old ones. Phishing emails no longer contain the spelling errors your training taught you to spot. A video call with your "CEO" can be a deepfake. The tell is no longer in the message quality. It's in the request itself: urgency, secrecy, and an unusual payment method. Verify through a second channel you initiated, every time. The FBI's own advice is to pause before acting, because pressure is the one ingredient every scam needs.

Americans Over 60 Lost $7.7 Billion

Victims over 60 filed 201,266 complaints and reported $7.7 billion in losses, up 37% from the prior year, the worst figures of any age group. Within that group, 12,444 people each lost more than $100,000. Older Americans hold the wealth, they answer the phone, and scammers know both things.

Losses among victims 60+Amount
Investment scams$3.5 billion
Tech support fraud$1.0 billion
Romance / confidence scams$584 million
Business email compromise$568 million

The 50-to-59 bracket wasn't far behind, with 124,820 complaints and $3.7 billion lost. Government impersonation runs through many of these cases: a caller claiming to be from the Social Security Administration, the IRS, or a court, insisting that an arrest can only be avoided by moving money immediately. No federal agency demands payment by gift card, wire, or crypto kiosk. None. That single fact, repeated at enough dinner tables, would erase a measurable slice of the $7.7 billion.

Phishing: Fewer Complaints, Triple the Losses

Here's the strangest data point in the report. Phishing and spoofing complaints actually dipped slightly, from 193,407 to 191,561, yet losses tripled from about $70 million to $215.8 million. Attacks are getting fewer clicks but better ones. Phishing-as-a-service kits and AI-written lures now produce messages tailored to your bank, your employer, and your recent purchases, and the credentials they harvest feed the bigger crimes upstream: account takeovers (a separate $262 million in losses), BEC, and identity theft. Phishing is the front door; the $8.6 billion in investment fraud is what happens after someone walks through it.

Ransomware Hit Hospitals Harder Than Any Other Sector

Ransomware generated 3,611 complaints and just over $32 million in direct reported losses, a number the FBI openly flags as artificially low since it excludes downtime, lost business, and remediation, and since many organizations report nothing at all. The variants named most often were Akira, Qilin, INC, Lynx, Sinobi, BianLian, Play, RansomHub, LockBit, DragonForce, SafePay, and Medusa, with the top five variants accounting for 56.8% of reported incidents.

Healthcare took the hardest hit among the sixteen critical infrastructure sectors: 460 ransomware incidents against 182 data breaches, roughly two and a half ransomware attacks for every breach. When a hospital's systems lock up, ambulances divert and surgeries slip. The FBI's guidance is unglamorous and correct: patch internet-facing systems first, segment networks, log traffic, deploy endpoint detection, and test backups before you need them.

California, Florida, Texas: Where the Losses Concentrated

Complaint volume tracks population, so the leaders are no surprise, but the dollar figures still land hard.

StateComplaintsReported losses
California22,157$1.4 billion
Florida17,147$709 million
Texas14,410$678 million

Per-capita risk doesn't respect state lines, though. The scam call originating in a compound in Southeast Asia dials Boise as easily as Miami.

What the FBI Clawed Back: Kill Chain, Level Up, Winter Shield

The report isn't purely grim. The Financial Fraud Kill Chain, the FBI's rapid-response process for freezing fraudulent wires, ran roughly 3,900 interventions and froze more than $679 million, a 58% success rate. Speed is everything here, which is why reporting within hours instead of days changes outcomes.

Operation Level Up takes the opposite approach: instead of waiting for complaints, the FBI identifies people currently being drained by crypto investment scams and calls them. Of the 3,780 victims notified in the report year, 78% had no idea they were being scammed. The initiative has now notified more than 8,000 victims and prevented over $500 million in losses since it began. A newer effort, Operation Winter Shield, focuses on hardening organizations before attacks land. None of this recovers most of the $21 billion, but it proves early reporting isn't a formality.

Digital Financial Security Moves That Actually Hold Up

Most identity protection advice is a listicle of things you already know. What the IC3 data supports is narrower and cheaper: freeze your credit at all three bureaus (free, and it blocks most new-account identity theft cold), turn on app-based or hardware-key multi-factor authentication for email and financial accounts, verify any payment-change request by calling a known number, and treat every unsolicited investment opportunity as fraud until proven otherwise. Real trade-offs, though, are where security decisions get made, so here are three drawn from patterns all over this report.

Decision One: The "Guaranteed Return" Platform vs. the Boring CD

A 64-year-old retiree in Mesa has $40,000 in cash savings. An online acquaintance of three months shows her a platform earning "3% weekly, guaranteed." Her bank offers a 12-month CD around 4% annually. The platform's implied return is over 150% a year, which no legitimate instrument on earth pays; the report's average crypto-scam victim lost $62,000 chasing exactly this math. The CD earns her about $1,600, insured. The trade-off isn't $1,600 versus $60,000 in gains. It's $1,600 versus a coin flip on her entire principal, weighted heavily toward zero.

Decision Two: Paid Identity Protection vs. a Free Credit Freeze

A dual-income family in Columbus weighs a $300-per-year family identity monitoring plan against freezing everyone's credit for free. The freeze prevents new fraudulent accounts, which monitoring only detects after the fact. Monitoring adds value mainly through dark-web alerts, recovery assistance, and insurance for out-of-pocket costs. Reasonable answer: freeze first, always, then buy monitoring only if the household has elevated exposure, say, data already leaked in a breach, or an elderly parent managing their own accounts. Paying $300 a year while leaving credit unfrozen is buying a smoke detector and skipping the extinguisher.

Decision Three: A 12-Person Business Weighs $4,000 Against a Wire Transfer

An HVAC contractor in Toledo with twelve employees can spend roughly $4,000 a year on hardware security keys, email authentication, and a written dual-verification rule for payment changes, or accept the risk. BEC losses ran $3 billion nationally, and small firms are preferred targets precisely because they lack controls. One diverted vendor payment of $45,000, unrecovered, equals eleven years of that security budget. The spend isn't insurance against a rare event; per this report, it's insurance against the second-costliest crime category in America.

How to Report to IC3.gov and Why the First 72 Hours Matter

If you're hit, file at ic3.gov immediately and contact your bank the same day. Document the scammer's names, contact methods, dates, payment channels, and destination accounts. The Kill Chain's $679 million in frozen funds went overwhelmingly to victims who reported fast, while wires that sit for a week are usually gone through three banks and two countries. Reporting also feeds the dataset that lets the FBI warn the next victim before the money moves; remember that 78% of the people Operation Level Up called had no idea anything was wrong.

A Few Personal Thoughts

Reading through this report, what stayed with me wasn't the $21 billion. It was the average loss of $20,699, because that's the size of a real household setback, and the detail that most victims contacted by the FBI didn't know they were victims yet. I've come to think the biggest vulnerability in digital financial security isn't weak passwords; it's the belief that recognizing a scam is an intelligence test. The people losing six figures aren't careless. They're targeted by professionals running a script refined against thousands of others, now with AI smoothing every rough edge. The habits that hold up are almost insultingly simple: slow down, verify through a channel you opened yourself, and accept that "guaranteed returns" is a complete sentence of warning. Boring beats clever here, and I find something almost reassuring in that.

Legal Disclaimer: This article is for general informational and educational purposes only and does not constitute financial, investment, legal, or tax advice. Statistics referenced are drawn from the FBI Internet Crime Complaint Center's most recent annual Internet Crime Report and related FBI publications; figures reflect reported losses and may not represent total actual losses. Nothing here should be relied upon as a recommendation to buy, sell, or hold any security or digital asset. Consult a licensed financial advisor, attorney, or tax professional regarding your individual circumstances. If you believe you are the victim of a crime, contact your financial institution, local law enforcement, and file a complaint at ic3.gov.

Yorumlar