The FBI’s 2025 Cybercrime Report Just Gave Small Businesses Another Reason to Get Serious About Cyber Risk

The FBI’s latest Internet Crime Complaint Center report shows a cybercrime landscape that is growing more costly, more fraud-driven, and increasingly shaped by AI. Small businesses should pay close attention.

The FBI’s 2025 Internet Crime Complaint Center (IC3) Annual Report offers one of the clearest yearly snapshots of cyber-enabled crime in the United States. The topline numbers alone are hard to ignore: IC3 received 1,008,597 complaints in 2025, with reported losses reaching $20.877 billion, up 26% from 2024. The average reported loss was $20,699.

That does not mean every complaint came from a small business. The report covers a broad population of victims. But the attack patterns highlighted in the report map directly to the same operational risks that hurt small and midsize businesses every day: phishing, business email compromise, tech support fraud, data breaches, ransomware, and increasingly believable AI-enabled scams. That is why SMB leaders should read this report not as distant national data, but as a practical warning.

Cyber-enabled fraud is where the money is being lost

One of the biggest takeaways from the report is that cyber-enabled fraud is driving most of the financial damage. IC3 says cyber-enabled fraud accounted for 452,868 complaints, $17.697 billion in losses, 45% of all complaints, and almost 85% of all reported losses in 2025.

For small businesses, that matters because many of the most damaging incidents do not start with a dramatic “hack.” They start with trust manipulation: a fake invoice, a spoofed executive message, a phony payment change, a compromised vendor email thread, or a support scam that convinces someone to hand over access or money. The FBI’s own crime-loss ranking reinforces that point. Investment fraud led reported losses at $8.649 billion, but business email compromise was next at $3.047 billion, followed by tech/customer support at $2.135 billion, personal data breach at $1.315 billion, and confidence/romance scams at $929 million.

Business email compromise is still one of the most expensive business threats

Small businesses sometimes underestimate business email compromise, or BEC, because it does not always look like malware or a traditional intrusion. It often looks like normal business activity. But the IC3 report shows BEC remained one of the most financially damaging crime types in 2025, with reported losses of more than $3 billion.

That is a major lesson for SMBs. Attackers do not need to break everything to cause serious damage. They often just need to impersonate the right person, enter the right payment conversation, or create enough urgency to get one employee to act before verifying. For smaller organizations with lean finance teams and fast-moving approvals, that kind of attack can be especially dangerous.

Phishing still matters because it feeds larger business losses

Phishing/spoofing produced the highest complaint count in the report at 191,561 complaints. Its direct reported dollar loss, $215.8 million, was lower than some other categories, but that should not lead businesses to dismiss it. Phishing often functions as the front door to bigger losses, including credential theft, account compromise, vendor fraud, and internal impersonation.

For SMBs, phishing remains one of the most practical threat categories to focus on because it crosses email, cloud accounts, payroll workflows, shared files, and third-party tools. One careless click does not always create the loss by itself. It often creates the access that makes the real loss possible later.

Ransomware is still painful, even when the loss figures understate the damage

IC3 received more than 3,600 ransomware complaints in 2025, with reported losses exceeding $32 million. But the report makes an important point: those adjusted losses often do not include lost business, downtime, wages, damaged files or equipment, or third-party remediation costs. Some organizations also do not report losses at all. In other words, the FBI explicitly warns that ransomware loss totals are artificially low.

That is especially important for small businesses. A smaller company may survive a modest wire fraud event or absorb a contained software issue. But operational downtime can hit much harder. If a business cannot access core systems, process orders, invoice customers, or serve clients for days, the damage quickly moves beyond the ransom itself. The IC3 report is a reminder that ransomware should be measured not only by extortion dollars, but by business interruption.

AI is making familiar scams more believable

One of the most relevant sections of the 2025 report for SMB leaders is the FBI’s discussion of AI used in cybercrime. IC3 logged 22,364 complaints with AI-related information in 2025, with adjusted losses exceeding $893 million. The report explains that AI enables the creation of convincing synthetic content, personalized conversations, and high-quality fake media that are becoming harder to detect and easier to produce.

The examples are directly relevant to business risk. The FBI notes that chat generators can quickly create official-sounding emails mimicking a company’s CEO or other officials, and that voice cloning can be used to request wire payments or employee information. The report says businesses reported losses over $30 million in 2025 to BEC scams involving AI.

For SMBs, this matters because AI does not need to invent a brand-new crime category to raise risk. It only needs to make familiar attacks faster, cheaper, and more convincing. Better phishing. Better impersonation. Better fraud scripts. Better fake urgency. That is enough to move the needle.

The real takeaway for small businesses is not complexity. It is exposure.

The FBI report covers many categories, age groups, and transaction types, but the practical lesson for SMBs is straightforward: the most damaging cyber risk often comes from ordinary business workflows that are easier to manipulate than leaders realize. Payments, approvals, customer communications, employee records, vendor relationships, shared files, and exposed accounts all sit inside the blast radius of the threats highlighted in the report.

Small businesses do not need to defend first against the most exotic attack imaginable. They need to get control of the attack paths that are already generating the most complaints and the most losses: phishing, spoofing, BEC, data exposure, tech-support manipulation, and ransomware-enabled disruption. That means stronger verification around payments and account changes, tighter identity and access controls, MFA on critical accounts, better external visibility, faster patching, employee training, and clearer response processes.

What SMBs should do next

  • Require out-of-band verification for wire transfers, vendor payment changes, payroll changes, and sensitive account requests.
  • Turn on MFA across email, admin accounts, cloud apps, finance tools, and remote access.
  • Review what internet-facing systems, portals, and cloud assets are exposed.
  • Train employees to slow down when requests involve urgency, secrecy, credentials, payments, or sensitive files.
  • Patch internet-facing systems quickly and reduce stale accounts and over-permissioned access.
  • Prepare for disruption, not just intrusion, with backups, recovery planning, and incident response basics.

The bottom line

The FBI’s 2025 IC3 report shows a cybercrime environment that is more expensive, more fraud-centric, and more influenced by AI-enabled deception than many businesses realize. For small businesses, the lesson is not to panic. It is to stop treating visibility, verification, and basic cyber hygiene as optional. The losses are real, the attack paths are familiar, and the cost of waiting keeps rising.


How Veriti Spottr Helps

Veriti Spottr helps small businesses identify cyber risk before attackers exploit it. By combining external visibility, security findings, business context, and prioritized guidance, Veriti Spottr helps organizations understand what attackers can see and what to fix first.
