The FBI Just Released Their 2025 Cybercrime Report — The Numbers Are Worse Than You Think
The Federal Bureau of Investigation released their annual cybercrime report this week, and the numbers are staggering. Total reported losses exceeded $12.5 billion in 2024. That is not a typo. Twelve and a half billion dollars lost to cybercrime in a single year.
The Headline Numbers
The FBI received over 880,000 complaints through their Internet Crime Complaint Center. This represents a significant increase from previous years, driven partly by increased awareness and reporting, but primarily by the sheer volume of attacks.
The largest category of loss was investment fraud at $4.5 billion. Cryptocurrency scams, Ponzi schemes disguised as trading platforms, and fraudulent investment opportunities drained billions from victims. The rise of cryptocurrency has made these scams easier to execute and harder to trace.
Business email compromise came in second at $2.9 billion. These attacks target organizations by compromising or spoofing executive email accounts to request fraudulent wire transfers. The sophistication of these attacks has increased dramatically. Attackers now research targets extensively, mimic writing styles, and time requests to coincide with legitimate business activities.
Ransomware losses were reported at $59 million, but this number is almost certainly underreported. Many organizations do not report ransomware attacks to the FBI. Some pay quietly and move on. The true cost of ransomware is likely in the hundreds of millions or higher.
Why This Matters for Small Teams
You might think these numbers only matter for large corporations with millions to lose. You would be wrong. Business email compromise hits companies of all sizes. The median loss is $50,000, enough to seriously damage a small business or bootstrapped startup.
Small businesses are actually more vulnerable than large ones. They lack dedicated security teams. They lack sophisticated email filtering. They lack the training programs that teach employees to spot phishing. Attackers know this and target accordingly.
The Patterns
Email remains the primary attack vector. Despite years of security awareness training, phishing works. Social engineering beats technical security. The biggest losses come from tricking people, not hacking systems.
Cryptocurrency has become the preferred payment method for criminals. It is pseudonymous, irreversible, and difficult to trace. Once cryptocurrency leaves your wallet, it is gone.
The attacks are getting more sophisticated. Generic phishing emails are being replaced by highly targeted spear phishing. Attackers research their targets. They craft convincing messages. They time their attacks carefully.
What You Should Do
Verify large transfers. Any wire transfer over $10,000 should require voice verification. Do not rely on email alone. Call the recipient using a known phone number, not one from the email.
Train your team. Security awareness is not a one-time event. New attack patterns emerge constantly. Regular training keeps security top of mind.
Use MFA everywhere. Multi-factor authentication stops most credential-based attacks. Enable it on email, banking, cloud services, and anywhere else it is available.
Have a response plan. Know who to call before you need them. Have contact information for your bank, cyber insurance provider, and law enforcement. The first hours after an attack are critical.
Consider cyber insurance. The FBI report shows the costs are real. Cyber insurance can help cover losses, forensic investigation, legal fees, and recovery costs.
The Bottom Line
The $12.5 billion figure is a wake-up call. Cybercrime is not a theoretical threat. It is a real business risk with real financial consequences. The question is not whether you will be targeted. It is whether you will be ready when you are.