The FBI Just Told You Exactly How Your Business Will Be Attacked. Did You Read It?


Threat Intelligence · Financial Impact
May 2026 · 8 min read

Every April the FBI releases its Internet Crime Complaint Center annual report — the most comprehensive government analysis of real cybercrime in the US. The 2024 report landed April 23, 2025. $16.6 billion in losses. 859,532 complaints. Five findings that apply directly to your business right now.


Every year in April, the FBI publishes the most authoritative cybercrime document available to any business owner in the United States. It's called the Internet Crime Complaint Center Annual Report — IC3 for short — and it contains 25 years of data on how Americans and American businesses are being attacked, how much they're losing, and which attack types are accelerating.

The 2024 report, released April 23, 2025, documented a record-breaking year. $16.6 billion in losses. 859,532 complaints. A 33% increase in losses from 2023. The average loss per incident jumped from $14,197 in 2023 to $19,372 in 2024 — meaning attacks aren't just more frequent, they're more financially devastating per event.

Most small business owners have never read it. Most have never heard of it. And the five findings most relevant to an SMB in 2026 are not the ones that made headlines.

$16.6B: total reported cybercrime losses in 2024 — a record high, up 33% from 2023's $12.5 billion (FBI IC3 Annual Report 2024)

$19,372: average loss per complaint in 2024 — up from $14,197 in 2023. Attacks are more financially damaging per event. (FBI IC3 Annual Report 2024)

2,300+: cybercrime complaints received every single day in 2024 — not per week. Every day. (FBI IC3 Annual Report 2024)

These numbers represent only what was reported to the FBI. The IC3 acknowledges that many victims never file complaints — because they don't know how, don't think it will help, or are too embarrassed. The real figures are significantly higher. $16.6 billion is the floor, not the ceiling.

The five findings that matter most for your business

1. Phishing is still the #1 attack — and it's getting more effective, not less

193,407 complaints

Phishing and spoofing were the most reported cybercrime type in 2024 by a significant margin — 193,407 complaints, more than double the second-place category. The reason phishing leads every year isn't because defenders aren't trying. It's because phishing is getting harder to detect. 82.6% of phishing emails in 2026 now contain AI-generated content — polished prose, accurate context, no grammatical errors, and personalization that previously required hours of manual research.

The 193,000 complaints represent only the cases where someone knew they'd been phished and reported it. Phishing that successfully harvests credentials or initiates a wire transfer without the victim's awareness — the most damaging kind — doesn't generate a complaint. It generates a breach investigation 292 days later.

What this means for your business: Email filtering that catches yesterday's phishing templates doesn't catch AI-generated phishing designed for your specific business. The defense that actually reduces click rates — behavioral simulation training, continuous monitoring, and credential monitoring that alerts you before a phished password is used — is what the data supports.

2. BEC cost $2.77 billion — second highest dollar loss of any crime type

21,442 complaints · $2.77B lost

Business email compromise was the 7th most complained-about crime type in 2024 — but the second most financially damaging, with $2.77 billion in reported losses. That gap between complaint volume and dollar loss is the most important signal in the entire report. The math is stark: 21,442 complaints averaging $129,000 each.

Over three years — 2022 through 2024 — BEC caused nearly $8.5 billion in reported losses to IC3 alone. 83% of all cybercrime losses in 2024 came from cyber-enabled fraud — BEC, phishing, spoofing, social engineering — not from malware or ransomware. The attacks winning in 2024 are not sophisticated technical exploits. They're emails that look legitimate and requests that seem urgent.

What this means for your business: BEC targets the intersection of email access, financial authority, and time pressure — three things every SMB has. DMARC enforcement at p=reject blocks domain spoofing. MFA with number matching blocks account compromise. Both are free to implement and require no security team.
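
An added example, not from the original post or from Veriti Spottr: a small Python audit of DMARC TXT records (the value published at `_dmarc.<domain>`) for the gaps that stop short of p=reject enforcement. The domains and records are constructed samples, and the function names are illustrative.

```python
from typing import Dict, List, Optional

# Constructed sample records: the TXT value a lookup of _dmarc.<domain> would return.
SAMPLES: Dict[str, Optional[str]] = {
    "enforced.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=reject; sp=none; pct=25",
    "missing.example": None,  # no record published at all
}

def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split a DMARC record into lowercase tag -> value pairs."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_dmarc(txt: Optional[str]) -> List[str]:
    """Return enforcement gaps; an empty list means spoofed mail is rejected."""
    if not txt:
        return ["no DMARC record published"]
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["record lacks v=DMARC1, so receivers ignore it"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"p={policy or 'missing'}: failing mail is not rejected")
    # sp overrides p for subdomains; when absent, subdomains inherit p.
    sp = tags.get("sp")
    if sp is not None and sp.lower() != "reject":
        findings.append(f"sp={sp}: subdomains can still be spoofed")
    # pct defaults to 100; anything lower exempts a share of failing mail.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy covers only part of failing mail")
    return findings

if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        gaps = audit_dmarc(record)
        print(domain, "->", "enforced" if not gaps else "; ".join(gaps))
```

A record that says p=reject can still leave subdomains or a share of mail unprotected, which is why the audit checks sp and pct as well as p.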

3. Ransomware complaints rose 9% — but the dollar figure dramatically understates the real cost

3,156 complaints · true cost uncounted

IC3 received 3,156 ransomware complaints in 2024 — an 11.7% increase from 2023. The top five ransomware variants were Akira, LockBit, RansomHub, FOG, and LYNX. The FBI explicitly flags that ransomware loss figures do not capture lost business, downtime, wages, equipment damage, or recovery costs — which represent the majority of actual financial impact.

IBM's 2025 data puts the average ransomware breach cost at over $5 million when all downstream costs are included — a figure the IC3 ransomware line item doesn't come close to capturing. Many organizations also report ransomware directly to local FBI field offices rather than IC3, meaning the complaint count significantly underrepresents actual incidents.

What this means for your business: All five top ransomware variants in 2024 primarily gain access through compromised credentials or unpatched VPN vulnerabilities. Both are addressable with credential monitoring, MFA enforcement, and rapid patching. The most common ransomware entry point is not a zero-day — it's an open door you already know about.

4. The FBI recovered $561 million — but only 3.4% of total losses

$561M frozen · $16.6B lost

The FBI's Recovery Asset Team froze $561.6 million through the Financial Fraud Kill Chain in 2024, with a 66% success rate on escalated cases. That's meaningful progress — and 3.4% of the $16.6 billion lost. The gap between what the FBI can recover and what cybercriminals extract is the most honest statement in the report about what prevention is worth compared to recovery.

The Financial Fraud Kill Chain primarily handles BEC and works best when victims report immediately — within hours, not days. Funds moved to international accounts become nearly impossible to recover regardless of how quickly they're reported thereafter.

What this means for your business: If you experience a BEC wire transfer, report to IC3 at ic3.gov immediately and call your bank the same hour. The Financial Fraud Kill Chain only works in the first window after a transfer. Your incident response plan should have the IC3 URL and your bank's fraud line as the first two items on the page.

5. The most targeted victim group includes your staff, your clients, and your business owners

Ages 30–59 filed most complaints

The 2024 IC3 report breaks down victims by age. The largest number of complaints came from people aged 30–59 — described by the FBI as "working professionals, business owners, and staff with financial access or approval authority." These are the people with the most access to business systems, financial workflows, and client data — and the most time pressure that makes them susceptible to social engineering.

People aged 60 and older suffered the highest total losses at nearly $4.8 billion — partly through personal scams, and partly through targeting of senior executives who have the highest financial authority. The FBI's findings align with Unit 42's 2026 research: the human with financial authority is the primary target, not the technical system.

What this means for your business: Your finance team, CFO, and any employee who can authorize payments are the highest-value targets in your organization. BEC attacks are specifically designed to reach them under time pressure. Email authentication, MFA, and behavioral awareness training should be prioritized for these roles above all others.

The number that puts everything in context: only 256,256 of the 859,532 complaints involved actual reported financial loss — about 30%. The other 70% represent attempted attacks that didn't complete. The businesses in that 70% didn't get lucky. They had something in place that stopped the attack. The FBI report is, at its core, a document about which defenses worked and which didn't. The businesses that read it as such will be in a different category next April.

The one stat the FBI buried that every SMB owner needs to see

On page 9 of the 2024 IC3 report, almost as a footnote, the FBI notes that cyber-enabled fraud — phishing, BEC, spoofing, social engineering — was responsible for 83% of all reported losses in 2024. $13.7 billion of the $16.6 billion total came from attacks that didn't require malware, didn't require a technical exploit, and didn't require a sophisticated attacker. They required a convincing email and an employee who clicked it, approved it, or wired money because of it.

The vast majority of what the FBI documented in 2024 is stoppable with the same five controls this series has covered: credential monitoring, DMARC enforcement, MFA with number matching, behavioral awareness training, and an incident response plan with the FBI's reporting URL already written in it.

The report is public. The URL is ic3.gov. The 2024 annual report is downloadable for free. Reading it takes about 20 minutes. The businesses that read it — that understand which attack types are accelerating, which victim profiles are being targeted, and what the FBI is and isn't able to recover — are the businesses that make better decisions about the five controls that determine whether they appear in next year's report.

Platforms like Veriti Spottr give SMBs a continuous view of the specific attack surface signals the IC3 report documents — exposed credentials that enable phishing follow-through, DMARC gaps that enable BEC spoofing, and open ports that enable ransomware deployment. The FBI report tells you what's happening across the country. Spottr tells you what's happening on your domain. Both pieces of information belong in the same security conversation.

See what the FBI report means for your specific domain — not the country. Veriti Spottr's beta is free.

Veriti Spottr Team AI-powered cyber risk clarity for SMBs  ·  veritispottr.com
