
FBI: Reported Cybercrime Losses Surpass $20 Billion in 2025: What It Means for Every Business


By Ryan Windt | Head of Growth Marketing | Updated April 2026

Every April, the FBI’s Internet Crime Complaint Center publishes its annual report on cybercrime losses across the United States. Every year, the numbers get worse. The 2025 IC3 Annual Report is no exception, and this year the numbers crossed a threshold that nobody in the industry wanted to see.

Total reported losses reached $20.877 billion in 2025, a 26% increase over the $16.6 billion reported for 2024. For the first time in the IC3’s 25-year history, complaints surpassed one million in a single year. The FBI now averages nearly 3,000 complaints per day.

Those are not abstract statistics. They represent businesses that lost payroll to a fraudulent wire transfer. Hospitals that paid ransom to restore patient records. Small business owners who had their email accounts compromised and spent months in litigation with vendors over redirected payments. And for the first time, they represent losses tied directly to artificial intelligence, a category the IC3 added to its reporting framework this year because the volume of AI-enabled crime is no longer anecdotal.

This post breaks down what the 2025 IC3 report actually says, what it means for businesses buying or carrying cyber insurance, and what the data tells us about where the real financial risk sits.


The Numbers at a Glance

Category | 2025 Figure
Total reported losses | $20.877 billion
Year-over-year increase | 26%
Total complaints received | 1,008,597
Complaints per day (average) | ~3,000
Investment fraud losses | $8.65 billion
Business email compromise losses | $3.05 billion
Tech support scam losses | $2.1 billion
Losses tied to AI-enabled crime | $893 million
Ransomware complaints | 3,611
Ransomware reported losses | $32 million (direct only)
Losses reported by adults 60+ | $7.748 billion
5-year cumulative losses (2021 to 2025) | $71.3 billion

One important caveat on the ransomware figure: the $32 million captures only what victims reported directly to IC3. It does not include business interruption losses, third-party remediation costs, or ransom payments that were never reported. Actual ransomware-related losses to businesses are orders of magnitude higher when you account for downtime, recovery, and reputational damage. For a deeper look at why downtime now drives more financial damage than the ransom payment itself, see our post on business interruption as the largest driver of cyber losses.


What Is Actually Driving the Losses

The 2025 report makes the composition of losses clearer than ever. The biggest losses are not coming from sophisticated zero-day exploits or nation-state intrusions. They are coming from fraud, specifically fraud that uses technology to scale and personalize attacks that have been around for decades.

Investment fraud: $8.65 billion. Cryptocurrency-linked investment scams accounted for over $7.2 billion of that total. The playbook is consistent: victims are contacted through social media or messaging apps, drawn into a relationship with a fraudulent “investment advisor,” and gradually convinced to move funds into platforms the attacker controls. AI is now accelerating this by generating convincing fake profiles, synthetic conversations, and deepfake video content at scale.

Business email compromise: $3.05 billion. BEC held the number two spot in total losses. The mechanism is straightforward: an attacker gains access to a business email account, or creates a convincing impersonation, and uses it to redirect wire transfers, authorize fraudulent invoices, or manipulate payroll. Wire transfers remain the primary payment method in BEC cases, which is why financial institutions are increasingly requiring cyber insurance as a condition of commercial banking relationships. For a detailed breakdown of how this coverage works and what sublimits to watch for, see our post on business email compromise and cyber insurance.

Tech support scams: $2.1 billion. Tech support fraud grew significantly in 2025. Victims receive unsolicited contact (a pop-up warning, an email, or a phone call) claiming their device or account has been compromised. They are then walked through steps that give the attacker remote access, or are directed to transfer funds to “secure” them. Small businesses are frequently targeted because their employees may not have the same level of security awareness training as enterprise staff.

AI-enabled crime: $893 million (first year tracked). This is the category that changes the calculus going forward. The IC3 added an AI section to its annual report for the first time in 2025 because 22,364 complaints specifically cited AI as a component of the crime. The reported losses were $893 million, but that figure almost certainly understates the real number since many victims do not know that AI was involved in the scam targeting them. AI investment fraud alone accounted for $632 million of the total, with AI-enabled BEC contributing more than $30 million.


Why the AI Angle Matters for Cyber Insurance

The emergence of AI as a documented loss driver has direct implications for how cyber insurance policies are written and how claims are evaluated.

Social engineering at industrial scale. AI allows attackers to generate highly personalized phishing emails, deepfake audio impersonating executives, and synthetic video content at volumes and quality levels that were not possible two years ago. The result is that the “human element” attack surface, meaning the employee who gets a call from someone who sounds exactly like their CFO asking for an urgent wire, is now exponentially harder to defend against through awareness training alone. For a full breakdown of how phishing-initiated losses translate to insurance claims, see our post on how cyber insurance protects against phishing attacks.

Coverage questions are still evolving. Most cyber policies cover social engineering and funds transfer fraud through specific endorsements or sublimits. As AI-enabled attacks blur the line between technical intrusion and social manipulation, the coverage question becomes: was this a cyber event or a fraud event? The answer determines which policy responds and at what limit. Businesses that have not explicitly reviewed their social engineering coverage sublimits are carrying more uninsured exposure than they realize. Our post on social engineering and funds transfer fraud coverage explains what to look for and what questions to ask before you bind or renew.

The documentation standard is rising. As AI makes attacks more convincing, underwriters are tightening the controls they require before binding coverage. MFA, EDR, email security controls, and incident response planning are not optional for businesses that want to avoid sublimits, exclusions, or declinations at renewal. Our MFA implementation guide and EDR and cyber insurance post cover what carriers are specifically verifying today.


What the Data Says About Small Business Exposure

The IC3 report does not break out losses specifically by business size, but the aggregate data makes the small business exposure clear. The most common and highest-loss attack types, BEC, phishing, social engineering, and tech support fraud, are disproportionately effective against organizations without dedicated security staff, mature security controls, and in-house incident response capability.

Small businesses are not incidental targets. They are preferred targets precisely because the combination of real assets, sensitive data, and limited defenses produces reliable returns for attackers running industrialized operations.

The average loss per complaint across all IC3 reporters in 2025 was roughly $20,700. That figure includes large enterprise losses that skew the average upward. For small businesses specifically, the cost of a single BEC incident, covering forensics, legal review, notification, and potential regulatory exposure, typically runs between $120,000 and $1.24 million when fully accounted. For a business without cyber insurance, that is an existential event.

For a full breakdown of how these risks translate to small business coverage decisions, including what a policy costs and what underwriters want to see, see our post on cyber insurance for small businesses.


What the Ransomware Numbers Are and Are Not Telling You

The IC3 reported 3,611 ransomware complaints with $32 million in direct losses in 2025. That number is almost always cited out of context, so it is worth being precise about what it means.

The $32 million reflects only losses that victims chose to report directly to the FBI and attributed specifically to ransomware. It does not capture business interruption losses from downtime, third-party forensic and remediation costs, ransom payments made outside formal reporting channels, revenue lost during recovery periods, or increased insurance premiums following an incident.

Industry loss studies consistently put the fully-loaded cost of a ransomware event at multiples of the direct payment. The top ransomware variants by complaint volume in 2025 were Akira, Qilin, INC Ransom/Lynx/Sinobi, BianLian, and Play. Healthcare and public health remained the most-targeted critical infrastructure sector, with 182 data breaches and 460 ransomware attacks reported.

For businesses evaluating whether their cyber policy would actually perform in a ransomware scenario, the most important questions are whether business interruption is included, what the waiting period is, and whether ransomware extortion coverage sits at the full policy limit or a sublimit. Our post on cyber insurance exclusions covers the most common gaps that surface at claim time.


The Five-Year Trend Is the Real Story

Annual figures get the headlines, but the trajectory is what should inform business risk decisions.

Year | Reported Losses
2021 | ~$6.9 billion
2022 | ~$10.3 billion
2023 | ~$12.5 billion
2024 | $16.6 billion
2025 | $20.877 billion

Cumulative losses over this five-year period surpassed $71.3 billion. The compound growth rate is not slowing. Complaint volume crossed one million for the first time. AI is entering the loss data as a discrete category. None of those trends reverse on their own.

Businesses that treat cyber risk as a compliance checkbox rather than a financial exposure are consistently surprised by the outcomes. The businesses that use this data to inform coverage decisions, what limits they carry, what sublimits they negotiate, what controls they document before renewal, are in a fundamentally different position when an incident happens.


What This Means If You Are Buying or Renewing Cyber Insurance in 2026

Review your BEC and social engineering sublimits. BEC at $3 billion in reported losses is not a niche risk. If your policy caps social engineering or funds transfer fraud coverage at $250,000 on a $2 million policy, you are underinsured for the most likely high-dollar claim you will ever face. Ask your underwriter explicitly what sublimit applies and what it would take to raise it.

Treat the AI angle as a coverage question, not just a threat briefing. As AI-enabled social engineering grows, the line between a “cyber event” and a “fraud event” will be contested more often at claim time. Understand how your policy defines covered causes of loss and whether deepfake-assisted BEC would be covered under your current form.

Document your controls before renewal. Underwriters are using the IC3 data to justify tighter underwriting requirements. Businesses that can demonstrate MFA on all accounts, EDR deployed on all endpoints, tested backups, and a written incident response plan are qualifying for materially better terms than those that cannot. Our cyber insurance renewal checklist walks through exactly what to prepare and how to present it.

Use the data in your own business case. If you are an MSP making the case to a client that they need cyber insurance, or a CFO presenting the risk to a board, the 2025 IC3 report is the most current authoritative source available. For MSPs specifically, our post on how to talk to clients about cyber insurance covers how to frame this data in a client conversation without it reading as fear-based selling.


How SeedPod Cyber Approaches This

SeedPod Cyber is a direct cyber insurance underwriter. We see the claims data behind reports like this one, the BEC losses, the ransomware recoveries, the business interruption calculations, and we build coverage around what actually happens, not just what the application checklist covers.

If the 2025 IC3 report raises questions about whether your current coverage is adequate for the risk environment you are actually operating in, contact SeedPod Cyber for a policy review. We can typically turn a quote around in under 24 hours, and 8 out of 10 businesses that get a quote from us bind the policy.

You can also learn more about coverage options for your business or explore our coverages page for a full breakdown of what a well-structured policy includes.

