Executive summary: The FBI’s IC3 logged over one million complaints and $20.8 billion in losses in 2025. Across three crime categories that exploit trust in email (BEC, phishing, and government impersonation) losses exceeded $4 billion, up 46% from 2024. AI is making each attack harder to detect, and Red Sift’s own regional research shows most US organizations still aren’t protected.
Key takeaways:
- BEC losses hit $3.04 billion, phishing losses grew 208% year over year, and government impersonation doubled to $797.9 million
- Combined, email-origin fraud accounts for roughly 19% of all reported cybercrime losses
- AI-related complaints crossed 22,000, with $893 million in associated losses
- Red Sift’s DMARC compliance research found that only 35-44% of top organizations across the US Northeast, Mid-Atlantic, and Southwest have reached full enforcement
The FBI’s Internet Crime Complaint Center released its 2025 annual report last week, marking 25 years of cybercrime data collection. The headline: over one million complaints, $20.8 billion in losses, and a 26% year-over-year increase.
Most coverage will focus on investment fraud ($8.6 billion) or cryptocurrency ($11.3 billion). Those numbers are real. But they can distract from a pattern that maps directly to email infrastructure.
$4 billion in email-origin fraud
Add up BEC ($3.04 billion), phishing and spoofing ($215.8 million), and government impersonation ($797.9 million) and you get over $4 billion in losses tied to crimes that exploit trust in email. That’s roughly 19% of all IC3-reported losses, from attack types that email authentication protocols like DMARC (Domain-based Message Authentication, Reporting and Conformance) are built to prevent.
BEC crossed $3 billion again. The three-year trend tells the story: $2.94B (2023), $2.77B (2024), $3.04B (2025). The 2024 dip was short-lived. Per-complaint losses average over $122,000, and 86% of BEC funds move via wire transfer or ACH, meaning these attacks are landing inside real financial workflows.
Phishing losses grew 208% while volume stayed flat. Complaint count barely moved (193K to 191K), but losses jumped from $70 million to $215.8 million. Zoom out two years and it’s an 11x increase from $18.7 million. Each phishing attack is doing more damage. The assumption that phishing is high-volume, low-value no longer holds.
Government impersonation nearly doubled. Complaints grew from 17,367 to 32,424 and losses jumped from $405.6 million to $797.9 million. These scams spoof government agency domains and sender identities. When a domain lacks DMARC enforcement at p=reject, attackers can send emails that look legitimate to the recipient.
AI is making each attack more effective
The IC3 tracked AI as a complaint descriptor for the first time in a meaningful way. The result: 22,364 complaints and $893 million in losses. Across email-specific categories, the AI overlay is growing:
- BEC with AI involvement: $30.2 million
- Confidence and romance scams: $19 million
- Phishing: $10.2 million
- Government impersonation: $7 million
The report describes specific techniques: AI chat generators drafting emails that match a CEO’s writing style, and voice cloning providing phone confirmation that matches a spoofed sender. When the email looks right and the voice on the phone matches, human detection fails.
That’s the point. Training employees to spot awkward phrasing was never a complete defense. When AI eliminates those tells, technical controls become the last reliable line. DMARC, SPF (Sender Policy Framework), and DKIM (DomainKeys Identified Mail) verify whether a sender is authorized to use a domain. They don’t care how convincing the email sounds.
Red Sift research reveals most US organizations still aren’t protected
The IC3 data shows the scale of the problem. Red Sift’s own research shows the gap in defenses.
Over the past two months, Red Sift analyzed nearly 2,000 domains belonging to top organizations across three US regions. The findings:
- Only 35% of Northeast organizations, across seven states, have reached full DMARC enforcement
- Only 44% of Mid-Atlantic organizations block spoofed email at the domain level
- Only 40% of Southwest organizations have implemented p=reject
That means the majority of large US organizations are still exposed to the exact attack types driving $4 billion in IC3-reported losses.
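One way to read a published DMARC record against the enforcement levels counted above, as an added example rather than Red Sift's methodology or code. It assumes "full enforcement" means p=reject with pct at its default of 100 and no weaker sp subdomain policy; the records and .example domains are constructed.

```python
# Added example. All records below are constructed; the domains are placeholders.

def parse_dmarc(txt):
    """Parse one TXT string into a DMARC tag dict, or None if it is not DMARC."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # RFC 7489: the record must begin with the version tag v=DMARC1.
    if not parts or "".join(parts[0].split()) != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            tags.setdefault(name.strip().lower(), value.strip())
    return tags

def enforcement(txt_records):
    """Classify the TXT answers for _dmarc.<domain> as
    'none', 'monitoring', 'partial' or 'enforced'."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if len(records) != 1:
        return "none"            # no record, or several: no policy is applied
    tags = records[0]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "none"            # missing or unrecognised p blocks nothing
    if policy == "none":
        return "monitoring"      # reports only, spoofed mail still delivered
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = -1                 # conservative assumption: not full coverage
    sp = tags.get("sp", policy).lower()   # sp defaults to the value of p
    if policy == "reject" and pct == 100 and sp == "reject":
        return "enforced"
    return "partial"             # quarantine, pct below 100, or weaker sp

SAMPLE = {  # constructed records
    "a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@a.example"],
    "b.example": ["v=DMARC1; p=reject; pct=50"],
    "c.example": ["v=DMARC1; p=reject; sp=none"],
    "d.example": ["v=DMARC1; p=quarantine"],
    "e.example": ["v=DMARC1; p=none; rua=mailto:dmarc@e.example"],
    "f.example": [],
}

def enforced_share(sample):
    """Fraction of domains in the sample classified as 'enforced'."""
    levels = [enforcement(txts) for txts in sample.values()]
    return levels.count("enforced") / len(levels)
```

Only a.example counts as enforced here: a p=reject record with pct=50 or sp=none still leaves part of the domain's mail or its subdomains open to spoofing.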
What to do about it
The IC3’s Recovery Asset Team froze $679 million across 3,900 incidents in 2025 with a 58% success rate. That’s meaningful, but it’s recovery after the fact. The cheaper intervention happens before the fraudulent email lands.
Check your domain’s email authentication status for free with Red Sift Investigate to see where you stand. If you’re not at DMARC enforcement, Red Sift OnDMARC gets organizations to p=reject in 6-8 weeks with automated SPF and DKIM configuration, dynamic sender discovery, and ongoing monitoring.
A $4 billion problem growing 46% a year and accelerated by AI is not a problem that gets smaller by waiting.
Jack leads content, PR, GEO, and email security research at Red Sift.




