The sobering truth of the FBI's 2025 Internet Crime Complaint Center Report
The FBI’s Internet Crime Complaint Center (IC3) released its 2025 Annual Report, and the figures are sobering. Total reported losses from cyber-enabled crime reached $20.877 billion in 2025, a 26% increase over the previous year. For organizations assessing their cyber risk posture, two threat categories deserve particular attention: business email compromise (BEC) and ransomware. Together they represent a persistent, well-resourced, and increasingly sophisticated assault on U.S. businesses, critical infrastructure, and financial systems.
Business Email Compromise: A costly scheme
BEC remains one of the most financially devastating threats to organizations of any size. In 2025, BEC generated $3.046 billion in reported losses, making it the most financially destructive enterprise-targeted cyber threat in the United States and the second-highest loss category overall, behind only investment fraud.
The mechanics of a BEC are deceptively simple and highly effective. Threat actors compromise or impersonate a business email account (or another trusted channel) through social engineering or technical intrusion, then use that trust to redirect a legitimate payment, most often by supplying "updated" bank details for a wire or ACH transfer, or to harvest credentials for further exploitation. The email is only the delivery mechanism; the loss occurs when a payment is released to an account the attacker controls.
AI is also sharpening the threat by lowering the skill threshold for threat actors trying to orchestrate BEC attacks. Threat actors can now leverage generative AI tools to aid in everything from creating emails at scale to impersonating leadership and vendors more effectively. In 2025, businesses reported over $30 million in losses from BEC scams with a confirmed AI nexus.
Counting BEC scams with and without an AI nexus, IC3 received 24,768 BEC complaints in 2025. That is a climb from the previous two years, which held roughly steady at 21,489 in 2023 and 21,442 in 2024. The trajectory matters because BEC is a threat organizations have had years to study and still have not contained. The techniques are well documented, the warning signs (a changed reply-to address, a lookalike domain, a sudden request to change bank details, pressure to act before a deadline) are understood, and, for wire or ACH transfers, the financial controls that defeat them are not technically complex: out-of-band verification of any change to payment instructions using a phone number already on file, and dual approval for new payees. Yet the losses continue to grow, which suggests the gap is not informational but operational. Organizations remain susceptible to an adversary that is patient, adaptive, and able to leverage available tools to become materially more capable each year.
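To make the point about controls concrete, here is an added example (not code from the IC3 report or from the author) of the two checks described above in Python: a triage function that flags the common BEC header and body indicators on an incoming message, and a payment-release control that holds any transfer to an account that differs from the vendor master record until a call-back has been done. The organization domain, vendor domain, executive list, and both sample emails are constructed for illustration.

```python
"""Added example (not from the IC3 report): a minimal BEC triage check and a
payment-release control. All domains, names and sample emails are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                         # assumption: the defending organization
TRUSTED_VENDOR_DOMAINS = {"acme-supply.com"}        # assumption: vendors with bank details on file
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # assumption: display name -> real mailbox
# Phrases that typically accompany a payment-redirection request.
BANK_CHANGE = re.compile(
    r"\b(new|updated|changed?)\b.{0,40}\b(bank|account|wire|routing|ach)\b", re.I | re.S)


def edit_distance(a, b):
    """Levenshtein distance, used to catch typo-squatted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain):
    """Fold common homoglyph substitutions so 'examp1e.com' compares equal to 'example.com'."""
    return (domain.lower().replace("rn", "m").replace("vv", "w")
            .replace("0", "o").replace("1", "l"))


def lookalike(domain):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    trusted = TRUSTED_VENDOR_DOMAINS | {ORG_DOMAIN}
    if domain in trusted:
        return None
    for t in sorted(trusted):
        if normalize(domain) == normalize(t) or edit_distance(domain, t) <= 2:
            return t
    return None


def bec_indicators(raw_email):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = message_from_string(raw_email)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply.rpartition("@")[2].lower()
    findings = []
    if reply and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from sender domain {from_domain}")
    imitated = lookalike(from_domain)
    if imitated:
        findings.append(f"sender domain {from_domain} resembles trusted domain {imitated}")
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:
        findings.append(f"display name '{name}' belongs to {real} but message came from {addr}")
    body = msg.get_payload() if not msg.is_multipart() else ""
    if BANK_CHANGE.search(body):
        findings.append("requests a change to payment instructions; verify out of band before releasing funds")
    return findings


def release_payment(vendor_domain, requested_account, vendor_master, verified_by_callback):
    """The control that actually stops the loss: a payment to an account that differs from
    the vendor master record is held until confirmed by phone on the number of record.
    Returns (allowed, reason)."""
    on_file = vendor_master.get(vendor_domain)
    if on_file is None:
        return False, "unknown vendor; onboard through normal vetting first"
    if requested_account != on_file and not verified_by_callback:
        return False, "account differs from vendor master; hold pending call-back verification"
    return True, "released"


# Constructed sample messages (not real traffic).
SUSPICIOUS_EMAIL = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: j.doe@mail-relay.example
To: ap@example.com
Subject: Urgent: vendor payment

Acme has changed their bank account. Please use the new routing number below for today's wire.
"""

LEGIT_EMAIL = """From: Jane Doe <jane.doe@example.com>
To: ap@example.com
Subject: Lunch

See you at noon.
"""

if __name__ == "__main__":
    for finding in bec_indicators(SUSPICIOUS_EMAIL):
        print("-", finding)
    print(release_payment("acme-supply.com", "US99-0000", {"acme-supply.com": "US12-3456"}, False))
```

The email check is a triage aid, not a gate: a well-crafted BEC from a genuinely compromised mailbox produces no header findings at all. The payment control is what defeats that case, because it keys on the bank account, not on the message, and the call-back must go to a number already on file rather than one supplied in the email.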
Ransomware: The increasing nightmare
In the past few years, ransomware attacks have become increasingly newsworthy. At its core, ransomware is malicious software that encrypts files or otherwise blocks access to a computer system until a payment is made. The now-common double-extortion scheme copies and exfiltrates an organization’s data before encrypting what remains, which pressures the victim on two fronts: restoring its systems and data to a usable state, and preventing the stolen data from being published. Within the IC3 Annual Report, the ransomware picture is more nuanced and arguably more alarming.
In 2025, IC3 received 3,611 ransomware reports, continuing the upward trend from 3,156 in 2024 and 2,825 in 2023. The rising volume demonstrates the breadth and velocity of the threat. The top ten reported variants accounted for 56% of reported ransomware incidents and 49.8% of total reported ransomware losses, yet IC3 identified sixty-three new ransomware variants in 2025, an average of 5.25 new variants per month. The top reported ransomware variants were:
- Akira
- Qilin
- Lynx/Sinobi
- BianLian
- Play
- RansomHub
- LockBit
- DragonForce
- SafePay
- Medusa
These top-reported variants had the greatest impact on critical infrastructure sectors such as healthcare and public health, critical manufacturing, financial services, and government facilities. This sectoral targeting is not coincidental; rather, it illustrates how threat actors prey on organizations with a low tolerance for operational downtime in the hope of a quick payout. Hospitals that cannot easily divert patients, manufacturers operating within just-in-time supply chains, and utilities running continuous infrastructure are designated critical precisely because their incapacitation would have debilitating effects on the country.
Alarmingly, this year’s IC3 annual report registered 2025 ransomware losses at $32.320 million, roughly 2.6 times the previous year’s $12.473 million (a 159% increase). Even so, that figure is almost certainly a significant undercount. On its face, the $32 million reflects only what complainants reported and does not account for the costliest elements of a ransomware attack: days or weeks of operational downtime, the required forensics, the legal exposure, and the reputational damage to the organization. Moreover, many entities do not report to the FBI at all, or report an incident without a loss amount, which further understates the true total.
The compounding nature of ransomware costs is what makes the reported loss figures so misleading as a risk management benchmark. A $32 million aggregate loss figure invites executives to size ransomware as a bounded, manageable financial risk. It is neither. Even when a ransom is paid, it is followed by weeks of degraded operations, forensic investigations, the regulatory notification process, litigation from affected customers or partners, and reputational damage that cannot be captured on a balance sheet.
Mitigation strategies to reduce impact
The data within the IC3 report reflects a consistent and uncomfortable truth: incident frequency and loss amounts are growing.
A ransomware attack that causes ten days of operational shutdown generates losses orders of magnitude larger than the ransom demand once regulatory notification obligations, litigation exposure, and the reputational cost of public disclosure are counted. A BEC wire transfer that is released before internal controls catch it is unrecoverable in most circumstances unless the originating bank and IC3 are notified within hours. Neither outcome can be undone after the fact, but both can be made materially better by preparation.
Pre-incident preparation means having tested, documented incident response plans that assign clear roles before a crisis requires someone to invent them under pressure. It means network segmentation, multi-factor authentication deployed consistently, not selectively, and it means updated software and firmware.
When an incident does occur, an established response plan sets the tone for containment, restoration, and regulatory or public scrutiny. It means offline, encrypted, and regularly validated backups, where "validated" means a restore has actually been tested rather than a backup job merely reporting success, so that an encryption event is survivable without a ransom payment. It means a defined reporting chain that escalates issues according to severity. And it means knowing in advance who to call, because the right contacts reduce response time, limit financial exposure, and bring the necessary experts in immediately.
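The backup point above is easy to state and easy to skip. As an added example (not code from the page’s author), the following Python routine shows what "regularly validated" looks like in practice: a SHA-256 manifest is recorded at backup time and kept offline, and a later restore is checked file by file against it. The demo function constructs a small backup set, verifies it clean, then simulates a ransomware event touching the copy (one file overwritten with random bytes, one deleted, a ransom note dropped) and returns what the check reports. All paths and file contents are constructed for illustration.

```python
"""Added example: validating a restored backup against a manifest taken at backup time.
Hypothetical helper, not from the IC3 report; the demo's files are constructed."""
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file (path relative to root, '/'-separated) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_backup(root, manifest):
    """Compare a restored copy against the stored manifest.
    Returns {relpath: 'missing' | 'modified' | 'unexpected'}; an empty dict means clean."""
    problems = {}
    current = build_manifest(root)
    for rel, digest in manifest.items():
        if rel not in current:
            problems[rel] = "missing"
        elif current[rel] != digest:
            problems[rel] = "modified"      # encrypted in place, corrupted, or tampered
    for rel in current:
        if rel not in manifest:
            problems[rel] = "unexpected"    # e.g. a ransom note dropped into the backup set
    return problems


def demo():
    """Constructed scenario: take a backup, verify it, then simulate ransomware touching the copy."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "finance"))
        with open(os.path.join(root, "finance", "ledger.csv"), "w") as f:
            f.write("date,amount\n2025-01-01,100\n")
        with open(os.path.join(root, "readme.txt"), "w") as f:
            f.write("quarterly close\n")
        # The manifest must live somewhere the attacker cannot reach (offline media, a
        # separate account); serialising it is the point at which it would be exported.
        manifest_json = json.dumps(build_manifest(root), sort_keys=True)
        clean = verify_backup(root, json.loads(manifest_json))
        # Simulate the encryption event against the copy.
        with open(os.path.join(root, "finance", "ledger.csv"), "wb") as f:
            f.write(os.urandom(64))
        os.remove(os.path.join(root, "readme.txt"))
        with open(os.path.join(root, "README_TO_RESTORE.txt"), "w") as f:
            f.write("pay us\n")
        tampered = verify_backup(root, json.loads(manifest_json))
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean check:", before)
    print("after simulated attack:", after)
```

The check is only meaningful if the manifest is stored separately from the data it describes and the verification runs against an actual restore, not the live backup target; a manifest that sits beside the backups gets encrypted with them.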
When in doubt, businesses should consult with trusted external legal counsel for guidance on ensuring proper steps are taken in preparation for or when responding to a cyberattack. If you have any questions regarding your company’s position and potential for improvement or for assistance responding to an incident, reach out to McDonald Hopkins’ national Data Privacy and Cybersecurity practice group.