
    The FBI’s $20 billion warning

    The human layer is where cybercrime wins, at machine speed

    by Alexander Decarne

    Key Points

    • The FBI's IC3 2025 Internet Crime Report recorded $20.9 billion in losses—up 26% year-over-year—with nearly 85 cents of every dollar lost to cyber-enabled fraud where someone received something convincing and acted on it, not to malware or zero-day exploits.
    • Business email compromise becomes a $3 billion problem that bypasses every technical filter: no malicious links, no payloads, no domains to block—just clean emails exploiting trust and urgency at the moment of human decision.
    • The FBI formally tracked AI as a distinct threat vector for the first time last year. Nearly $900 million in confirmed AI-linked losses. And even the FBI will tell you that number understates the reality—not because the attacks aren't there, but because victims don't recognize AI involvement. AI is already embedded in far more schemes than anyone can currently measure. 

    The FBI's Internet Crime Complaint Center (IC3) 2025 Internet Crime Report is consistent across every major loss category: money and data are lost because a person made a decision they should not have. AI is making those decisions harder to get right. 

    $20.877 billion

    Reported losses to cyber-enabled crime in 2025 are up 26% year-over-year and are nearly 3x the 2021 figure.

    Nearly 85 cents of every dollar lost was the result of cyber-enabled fraud. Not malware. Not zero-days. These are successful attacks where someone received something convincing and acted on it.

    $3 billion that cleared every technical filter and human

    Business email compromise (BEC) attacks often carry no payloads—no links to scan, no malicious domains to block. They exploit trust and urgency to convince a person to authorize a transfer. The loss happens in the moment of that decision.

    Since the FBI began tracking BEC in 2015, the IC3 has recorded over $20 billion in reported losses. In 2025 alone, BEC accounted for $3.047 billion across 24,768 incidents—an average of $123,000 per case. A full 86% of those fraudulent payments moved via wire or ACH, passing every upstream control without triggering a single alert.

    Signature-based detection assumes there is something to match against. BEC gives you nothing. The email is clean. The sender is plausible. The instruction looks like dozens that came before it.

    Catching these attacks means understanding what normal communication looks like for a specific person, in a specific organization, and flagging when something deviates. That is a behavioral problem, not a pattern-matching one.
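An added example (not Mimecast's code or from the IC3 report) of the per-person baseline idea described above: it summarises past mail for each sender/recipient pair and lists how a new message deviates. The keyword list, the two-hour slack and the example.com addresses are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed keyword list; a real deployment would tune or replace this.
PAYMENT_TERMS = ("wire", "ach transfer", "bank details", "new account")

@dataclass
class Msg:
    sender: str     # From address
    reply_to: str   # Reply-To address (equal to sender when the header is absent)
    recipient: str
    hour: int       # send hour, 0-23, in the recipient's time zone
    body: str

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def mentions_payment(body):
    text = body.lower()
    return any(term in text for term in PAYMENT_TERMS)

def build_baseline(history):
    """Summarise past mail per (sender, recipient) pair."""
    base = defaultdict(lambda: {"reply_domains": set(), "hours": set(), "payment": False})
    for m in history:
        b = base[(m.sender.lower(), m.recipient.lower())]
        b["reply_domains"].add(domain(m.reply_to))
        b["hours"].add(m.hour)
        b["payment"] = b["payment"] or mentions_payment(m.body)
    return base

def deviations(msg, base, hour_slack=2):
    """Return the ways msg departs from this pair's history (empty list = normal)."""
    b = base.get((msg.sender.lower(), msg.recipient.lower()))
    if b is None:
        return ["first_contact"]
    found = []
    if domain(msg.reply_to) not in b["reply_domains"]:
        found.append("new_reply_to_domain")
    # Circular distance so 23:00 and 01:00 count as two hours apart.
    if all(min(abs(h - msg.hour), 24 - abs(h - msg.hour)) > hour_slack for h in b["hours"]):
        found.append("unusual_hour")
    if mentions_payment(msg.body) and not b["payment"]:
        found.append("first_payment_request")
    return found

# Constructed sample data (example.com addresses are placeholders).
HISTORY = [Msg("cfo@example.com", "cfo@example.com", "ap@example.com", h, t)
           for h, t in [(9, "Q3 forecast review"), (10, "Agenda for Thursday"), (14, "Board deck edits")]]
BASE = build_baseline(HISTORY)
SUSPECT = Msg("cfo@example.com", "cfo@example-mail.net", "ap@example.com", 23,
              "Please wire payment to the new account today, I am in meetings.")
print(deviations(SUSPECT, BASE))
```

None of the three signals is a known-bad indicator on its own; the message is flagged only because it differs from what this sender normally sends to this recipient.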

    AI enters the IC3 Report for the first time

    25 years of IC3 reporting and this year’s report is the first with a dedicated AI section. 22,364 complaints. $893 million in confirmed losses. Both explicitly flagged as undercounts.

    Total investment fraud hit $8.6 billion. Only $632 million was flagged as AI-related. AI is not a standalone category. It is an accelerant already embedded across BEC, phishing, investment fraud, and romance scams. Voice cloning. Chat-generated impersonation emails. Deepfake verification calls. The $893 million is what victims self-identified. The real figure is distributed across the entire report.

    What the IC3 data demands in 2026

    The pattern is clear. Let’s say it again. Money and data are lost because someone received something convincing and acted on it. AI makes those attacks harder to spot and enables the criminals to operate at machine speed. Volume is not dropping. The gap between what legacy controls catch and what attackers send has never been wider.

    Closing that gap requires behavioral detection that models communication norms, not just known-bad patterns. Layered controls that share intelligence across the email pipeline. Domain authentication that covers what happens outside your perimeter. Visibility into credential compromise and data movement before ransomware becomes ransomware. Human risk controls that intervene at the decision point, not after it. And coverage across collaboration tools, not just email.

    That is the architecture Mimecast is built around. Behavioral AI for “clean” attacks. DMARC Analyzer and Brand Exploit Protect for the external perimeter. Account Takeover Protection and Incydr for credential and data movement risks. And the Human Risk Command Center to surface who is at risk right now and intervene before they reach the wrong decision. 

    The FBI can count what was lost. It cannot count how many incidents played out inside a security program watching the wrong thing. The question for 2026 is whether you can see human and AI risk before it costs you.

    Find out what your current controls are missing. Experience Mimecast’s free Proof of Value. Let us connect your environment and show you what is getting through. 
