The FBI counted $20 billion of internet crime. Look where it actually was.

Carl Heaton · Security Commentary

The FBI's Internet Crime Complaint Center, IC3, published its 2025 annual report a few weeks ago. Bruce Schneier flagged it as a useful data point. The summary, in numbers most readers can hold in their head:

  • Total reported losses: $20.877 billion across 1,008,597 complaints. A 26% increase on 2024.
  • Investment fraud: $8,648,617,756. The largest single category.
  • Business email compromise: $3,046,598,558 across 24,768 complaints. The largest enterprise-targeted category.
  • Ransomware: $32,320,000 across 3,611 reports. A 259% rise on 2024's $12.5 million, but still small by comparison.

The shape of those numbers is the bit worth dwelling on. Most UK SME boards budget against ransomware. Most UK SME losses, when they come, do not.

This filing covers what the IC3 data actually says, why ransomware looks small in it, and what an SME should rebalance against the real picture.

Why ransomware is small in this dataset

The first instinct on reading "ransomware was $32 million" is that the number must be wrong. We know from elsewhere that the global ransomware market is bigger than that.

The IC3 number is small for three structural reasons.

It is reported losses, not actual losses. Most ransomware victims pay the ransom, recover from backup, or absorb the cost without filing a complaint with the FBI. The number that lands in IC3 is the small fraction where a US victim wrote the cheque, then filed the report. The Recorded Future and ENISA estimates of the actual ransomware economy run into the tens of billions a year globally. The IC3 figure undercounts by orders of magnitude.

It is direct extortion, not consequential cost. The ransom payment is reported. The downtime, the legal costs, the customer churn, and the cyber-insurance excess are not in this number. The Splunk research we covered in the cloud bill shock filing puts global downtime cost in the hundreds of billions. Ransomware is one cause of that downtime, and the IC3 figure does not capture its share.

Investment fraud and BEC, by contrast, are well captured. Both are categories where the victim notices the loss almost immediately (their money has gone), has a high incentive to report (recovery sometimes depends on it), and where the loss is mostly the wire transfer itself. Those categories show up cleanly in IC3 data because the reporting mechanism is well-matched to the crime.

So the comparison is not "ransomware is 200 times smaller than investment fraud". It is "the bit of ransomware that ends up in IC3 is 200 times smaller, because the reporting mechanism captures different fractions of different crimes". The relative growth numbers are still useful (ransomware reports up 259%; investment fraud also up) but the absolute comparison across categories is not.

The IC3 report is most useful when read as a snapshot of where money is actually being lost to crimes that the victim noticed and reported. On that reading, investment fraud and business email compromise dominate. Ransomware is real but smaller than the conversation suggests.

Business email compromise: $3 billion the boring way

BEC is the category SMEs should treat with the seriousness they currently reserve for ransomware. Three billion dollars across 24,768 complaints is an average loss of around $123,000 per case. The median is much lower; the long tail is much higher.

The mechanism is well documented. An attacker takes control of, or successfully impersonates, an email account at a supplier, a customer, an employee, or a partner. They wait for an in-flight transaction (an invoice, a payroll change, a property deposit). They intervene with replacement bank details. The genuine party never sees the substitution. The money goes to the attacker. By the time anyone notices, the funds have moved through three accounts and are unrecoverable.

The defences against this are, almost without exception, process defences. We have written about the in-person version in "when the IT guy turns up and isn't the IT guy". The email version uses the same logic.

Verify bank-detail changes out of band. A supplier's email saying "our bank details have changed, please pay to this new account" should be confirmed by a phone call to a number you already had. Not the number on the email. The number on the contract.

Treat unexpected urgency as a warning. "We need to pay this today, the CEO is on a plane and asked me to handle it" is the script. Every legitimate version of that request can wait an hour for verification.

Have a documented authorisation rule. Payments over a threshold need two people; payments to a new beneficiary need a verification call; payments outside normal hours need an explicit sign-off. Most SMEs have an unwritten version of these. Writing them down doubles the rate at which they are followed.

Lock down the email accounts that initiate payments. Strong MFA, ideally phishing-resistant. We covered this in "MFA prompt bombing, or when the attacker just asks nicely". For an account that can authorise a wire transfer, push MFA is not adequate; passkeys or a hardware key are.
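The three written rules above (two people over a threshold, a verification call for a new beneficiary or changed bank details, sign-off out of hours), as an added example of how a finance system could check them before a payment is released. This is illustrative code, not the author's or any product's; the threshold, business hours, beneficiary records and phone numbers are assumed values. It also encodes the "not the number on the email" rule from the bank-detail paragraph, and the same checks serve the "BEC controls first" list later in the filing.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime

TWO_PERSON_THRESHOLD = 10_000.0    # assumed threshold, in the firm's currency
BUSINESS_HOURS = range(8, 18)      # assumed 08:00-17:59, Monday to Friday

@dataclass
class Beneficiary:                 # what the firm already holds on file
    account: str
    phone_on_record: str           # the number from the contract, not the email

@dataclass
class Payment:                     # one request as it reaches the finance team
    beneficiary: str
    account: str
    amount: float
    requested_at: datetime
    phone_in_request: str | None = None      # number the requesting email supplied
    approvers: set = field(default_factory=set)
    verification_call_to: str | None = None  # number finance actually rang
    out_of_hours_signoff: str | None = None

def required_controls(p: Payment, on_file: dict) -> set:
    """Apply the three written rules to decide which controls this payment needs."""
    need = set()
    if p.amount > TWO_PERSON_THRESHOLD:
        need.add("two_person")
    known = on_file.get(p.beneficiary)
    # Changed bank details count as a new beneficiary: the change is the BEC signal.
    if known is None or known.account != p.account:
        need.add("verification_call")
    if p.requested_at.weekday() >= 5 or p.requested_at.hour not in BUSINESS_HOURS:
        need.add("out_of_hours_signoff")
    return need

def missing_controls(p: Payment, on_file: dict) -> set:
    """Controls that are required but not evidenced; an empty set means release."""
    need, missing = required_controls(p, on_file), set()
    if "two_person" in need and len(p.approvers) < 2:
        missing.add("two_person")
    if "verification_call" in need:
        known = on_file.get(p.beneficiary)
        # Ring the number on file (for a brand-new payee, one obtained independently); never the one in the request.
        rang, trusted = p.verification_call_to, known.phone_on_record if known else None
        if rang is None or (rang != trusted if trusted else rang == p.phone_in_request):
            missing.add("verification_call")
    if "out_of_hours_signoff" in need and not p.out_of_hours_signoff:
        missing.add("out_of_hours_signoff")
    return missing
```

A payment is released only when `missing_controls` returns an empty set; the classic BEC case (supplier "changed bank details", call made to the number in the email) is caught even though the amount is small and the request arrives during working hours.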

Investment fraud is mostly a consumer story

The $8.6 billion of investment fraud in the IC3 data is overwhelmingly individual victims, mostly tricked into "crypto investment" schemes with the romance-scam variant ("pig butchering") accounting for a large fraction. SMEs are not the primary target.

The cross-over point for SMEs is two-fold.

Staff are individual targets. A senior member of staff being slowly drained of their personal savings by a long-running romance-investment scam is the kind of thing that does not stay personal. It manifests at work as distraction, requests for advances, and, in the worst cases, the staff member being recruited as a money mule against their will. The brief to keep in mind is not "lecture staff on personal finance" but "have a known way for staff to ask for help when they realise they have been scammed". Most do not, because shame is the second part of the attack.

The company as the target. A finance director, particularly in a smaller firm, can be persuaded that an unsolicited investment opportunity is genuine. The same script that works on individuals also lands occasionally on small-business cash piles. The defence is the same as for BEC: out-of-band verification, written authorisation rules, time delays on new beneficiaries.

What is fast-growing and worth tracking

The IC3 data flags some category trends that are useful for setting next year's priorities.

AI-related crime, broken out for the first time. 22,000 complaints. Small in absolute terms; large in growth rate. The Schneier post quoted an FBI analyst saying "the AI companies like to say that today's AI is the worst AI you will ever use; what's also true is that these are the lowest number of AI complaints we are ever going to see". The category includes deepfake-enabled fraud, AI-generated phishing, and AI-powered investment scams. The growth curve is steep.

Ransomware reports up 259%. The reported-loss number is small but the report count is rising fast. The implication is not that ransomware losses are exploding, since most of the cost is invisible to this dataset, but that more victims are filing reports. That partly reflects a higher absolute rate of attacks; it also reflects better awareness of the IC3 reporting channel.

Tech-support scams remain large. Older adults remain the dominant victim group. For an SME this is mostly an HR-by-proxy issue: staff who are caring for older parents are likely to be exposed to the family side of this. The brief is the same as the romance-investment case: have a way to ask for help.

The numbers for the UK

The IC3 is a US dataset. The UK equivalent, Action Fraud, is widely considered underpowered. Cifas, which we covered in the insider fraud filing, captures some of the picture. The Annual Fraud Indicator, published by the National Crime Agency, is the closest UK equivalent and puts the UK's fraud loss at over £200 billion a year, including all categories. The shape of the loss, by category, looks roughly similar to the US: investment and authorised-push-payment fraud at the top, BEC and invoice fraud as the major enterprise category, ransomware reportable losses small but rising.

The translation for a UK SME is: a $20 billion US number scales to a few billion in the UK on population, and the proportions across categories are similar enough that the priorities transfer.

What an SME should actually do

Rebalance the defence portfolio against where money is actually being lost.

BEC controls first. Phishing-resistant MFA on the accounts that authorise payments. Written verification rules for new beneficiaries and bank-detail changes. A pre-agreed out-of-band channel for confirming urgent requests. None of these cost much. All of them prevent the loss category that hits SMEs hardest.

Backup and recovery second. Ransomware losses are smaller than the conversation suggests, but the downtime cost is real. A backup tested in the last six months, with the recovery time written down, is the floor. We covered this in "the first five minutes of incident response".

Staff support third. A short brief, once a year, on investment fraud, romance scams, and tech-support scams. Crucially, a named person staff can go to when they have realised they were scammed, without judgement. The biggest loss multiplier in this category is the gap between "I realised something is wrong" and "I told someone", which is often weeks.

AI-related fraud, watching. The 22,000 IC3 complaints are the leading edge. Deepfake-enabled BEC, where a CFO is rung by an attacker using a clone of the CEO's voice, has already produced multi-million-dollar UK losses (Arup, in 2024). The right response is not to roll out an AI-detection tool. It is to extend the "verify out of band" rule from emails to voice calls. "I just spoke to the CEO" is no longer evidence; the call-back to the known number still is.

Why the shape matters

The deeper lesson is that the security industry, the trade press, and the procurement processes that flow from both are still calibrated to ransomware as the dominant threat. The IC3 data describes a world where BEC is bigger by dollar value and investment fraud, on individuals and increasingly on SMEs, is bigger still. The defences that work against ransomware (backup, endpoint detection, network segmentation) are largely useless against the categories that are growing fastest.

The defences that do work against BEC and investment fraud are mostly process and culture. They are cheap and unglamorous. They get cut first when budgets tighten. The IC3 data is the annual reminder that the cheap, unglamorous work is the work that catches the loss before it leaves the bank account.

How Steelwise can help

Writing the payment authorisation rules, drilling staff on out-of-band verification, and rebalancing the security spend toward BEC defence is the kind of practical work we do with clients. Get in touch.
