
The FBI’s Internet Crime Complaint Center (IC3) released its 2025 Annual Report this week, and the numbers are impossible to ignore. For the first time in the agency’s 25-year history of tracking cybercrime, the IC3 received more than one million complaints in a single year, 1,008,597 to be exact. Total losses hit a record $20.87 billion, a 26% jump from 2024’s $16.6 billion. To put that in perspective, cybercrime losses have grown nearly 400% since 2020.

Internet crime isn’t abstract national news. These losses are happening to organizations just like yours: city offices, county agencies, small businesses, and nonprofits. Here’s what the report tells us and, more importantly, what it means for you.
Business Email Compromise: The Top Internet Crime Threat to Organizations Like Yours
Business Email Compromise (BEC) remains the most financially destructive cybercrime targeting organizations, accounting for $3.046 billion in losses in 2025. BEC losses over just the past three years combined come to nearly $8.5 billion. BEC scams work by tricking employees into wiring money, changing vendor payment information, or handing over credentials, all based on a convincing email that appears to come from a trusted source like a boss, vendor, or government agency.
What makes BEC especially dangerous right now is the use of artificial intelligence. The 2025 report marks the first year the IC3 formally tracked AI-enabled fraud, which generated $893 million in losses from more than 22,000 complaints. Attackers are now using deepfaked audio and video, voice cloning, and fake identification documents to make their impersonation attempts far more convincing. A fraudulent wire authorization that used to require a decent forgery now requires just a short audio sample of a director’s or city manager’s voice.
For local governments and small businesses, this means your staff needs to know that even a phone call or a video message confirming a financial request isn’t automatically trustworthy. Verification should occur through a known, independent channel, not by calling back the number provided in the suspicious message.
Ransomware Losses Jumped 259% in a Single Year
While ransomware complaints grew modestly (from 3,156 to 3,611), the financial damage exploded, up 259% to $32.32 million in reported losses. The IC3 identified 63 new ransomware variants in 2025, which works out to more than five new strains per month. Every single one of the 16 critical infrastructure sectors identified by the federal government was targeted, including healthcare, manufacturing, financial services, and government.
Local governments are a particularly attractive target. Attackers know that municipalities often run on lean IT budgets, rely on older systems, and face public pressure to restore services quickly, making them more likely to pay ransom. Small businesses face similar pressure: when your systems go down, so does your revenue.
The best protection against ransomware remains the same as it has always been: keep systems patched and updated, maintain offline backups and test them regularly, limit access so employees only reach the systems they actually need, and have an incident response plan documented before you need it.
Internet Crime: Investment Fraud and Cryptocurrency Scams: Watch Out for Your People
Investment fraud was the single largest loss category in 2025, at $8.65 billion, driven by cryptocurrency scams and so-called “pig butchering” schemes, in which victims are cultivated over weeks or months before being defrauded. Cryptocurrency fraud overall totaled more than $11 billion.
Your employees and elected officials are targets too. Scammers don’t just go after businesses in their official capacity; they target individuals. A council member who loses their personal savings to a crypto investment scam may become a much weaker link in your organization’s security posture. Financial wellness education and awareness are part of your cybersecurity strategy, whether you think of it that way or not.
Small Businesses Are in the Crosshairs and Falling Behind
One of the most sobering statistics in this year’s report isn’t from the Internet Crime Report itself, but from the broader landscape it describes: 81% of small businesses reported a security breach or data breach in the past year. Even more alarming, only 38.4% of small business leaders felt “very prepared” for a cyberattack in 2025, down sharply from 56.5% in 2024.
That is a gap that attackers will continue to exploit. If your business doesn’t have basic controls in place, such as multi-factor authentication, employee training, endpoint protection, and a backup and recovery plan, you are statistically likely to experience an incident. The question is whether you’ll be able to recover from it.
What to Do Right Now
The 2025 IC3 report is a clear signal that the threat environment is intensifying. Here are the most actionable steps for local governments and small businesses:
Train your people. Most successful attacks begin with a human being making a mistake. Regular, realistic training on phishing, BEC, and social engineering is your highest-return security investment.
Enable multi-factor authentication everywhere. On email, remote access, financial systems, and anywhere else credentials are used. This single control stops a large percentage of attacks in their tracks.
Verify financial requests independently. Establish a policy that any change to payment information or any wire transfer above a set threshold requires voice confirmation via a known, verified number, not one supplied in the request.
Test your backups. Having a backup is only half the job. Knowing it works and knowing how to restore from it is the other half.
Report incidents. If your organization is victimized, file a complaint at ic3.gov. Reporting helps law enforcement identify patterns, disrupt criminal networks, and protect other organizations from the same attacks.
The internet crime ecosystem is sophisticated, well-funded, and growing, but you don’t have to face it alone. Commonwealth Sentinel was built specifically to stand alongside local governments, small businesses, and nonprofits in Kentucky as they navigate this threat landscape.
We understand your budget constraints, your operational realities, and the unique risks that come with serving your community. Whether you’re taking your first steps toward a stronger security posture or looking to shore up gaps you already know exist, we’re here to help you build defenses that work in the real world. The numbers in this report are alarming, but they’re also a roadmap for where attention is needed most. Let’s put that roadmap to work together.
To learn more about how we can help protect your organization, call Commonwealth Sentinel today. Contact us at (502) 234-5554.
