Last week, the FBI’s Internet Crime Complaint Center (IC3) released its 25th annual report, and it paints a sobering picture of the cyber threat landscape in the United States. With record-breaking losses, increasingly sophisticated scams, and a growing number of victims, the report is a wake-up call for businesses of all sizes.

Below, we share the most important insights from the FBI’s Internet Crime Report 2024, highlight what’s changed since 2023, and explain the practical steps businesses should take now to stay protected from these threats. 

An historic year: $16.6 billion in reported losses

In 2024, the IC3 received over 859,000 complaints of internet-related crimes, marking a slight increase from 2023. But the bigger story lies in the financial damage. Reported losses reached an unprecedented $16.6 billion, a 33% increase over the $12.5 billion reported in 2023.

This jump in losses is particularly concerning because the total number of complaints didn’t increase at the same rate. That indicates scams are becoming both more effective and more expensive. For businesses, this highlights a need to not only increase security awareness and training for personnel, but also improve incident detection and response capabilities before attackers strike. Organizations with faster incident response times see 23% lower data breach costs compared to those that take more than 200 days to detect and contain a breach.   

This starts with implementing tools like endpoint detection and response (EDR) across your environment to identify suspicious activity as it happens. Automated alerts and monitoring across systems can help detect subtle indicators of compromise. Behavioral analytics adds an additional layer of protection by flagging unusual login behavior, file access, or privilege escalations that could indicate an attack in progress. 

These technical investments should be paired with regular training and tabletop exercises for your internal incident response team to ensure they can act swiftly and effectively when alerts are triggered.

Most common types of cybercrime: Phishing, extortion, and data breaches

Phishing and spoofing remained the top-reported cybercrime type in 2024, with over 193,000 complaints. Extortion came in second, with a staggering 86,000 complaints, marking an 80% increase over last year’s 48,000. Personal data breaches also remained high on the list, with nearly 65,000 complaints and over $1.45 billion in reported losses.

Social engineering tactics are often used as precursors to larger ransomware attacks. Businesses should implement email filtering technologies that go beyond basic spam rules, using machine learning and sandboxing to analyze message contents and behavior. Multifactor authentication (MFA) should also be enabled for all accounts, particularly those tied to sensitive systems. 

Equally important is employee readiness. Conducting simulated phishing campaigns is one of the most effective ways to reduce click rates and improve response times. Companies should also enforce strong password policies and offer password managers to reduce credential risk and simplify secure access.

Critical infrastructure is under attack

Ransomware continues to be one of the most dangerous threats to critical infrastructure. In 2024, IC3 received over 4,800 complaints from organizations across energy, healthcare, manufacturing, and finance sectors.

While the FBI took important steps to disrupt some of these groups, including offering decryption keys to victims, businesses supporting critical infrastructure or operating essential services must adopt a layered defense strategy: 

• Segment networks so that core systems are isolated from user workstations 
• Maintain regular, offline backups to ensure business continuity
• Quickly patch known vulnerabilities on VPNs and firewalls
• Deploy endpoint protection platforms with ransomware-specific defenses, including rollback capabilities
• Develop and test an incident response playbook specifically for ransomware that covers containment, recovery, communication, and legal notification requirements.

Cryptocurrency-related crime hit record highs

Cryptocurrency was used in 149,686 complaints in 2024, accounting for $9.3 billion in losses. This marks a 66% increase compared to 2023. Nearly one-third of these losses came from individuals over the age of 60, with “pig butchering” scams (relationship-based investment fraud) the most prevalent.

While most cryptocurrency fraud is consumer-facing, it has direct implications for businesses as well. Companies accepting crypto payments should implement cold and multisignature wallets as safer options for holding large balances. Security awareness programs should include examples of crypto-specific threats, including fake QR codes, fraudulent wallet apps, and impersonation attempts. Proactively monitoring mentions of your company across public crypto forums and dark web marketplaces can also help detect impersonation campaigns early.

Older adults are most vulnerable to fraud, but businesses still carry the risk

Individuals over 60 remain the most heavily targeted demographic, with over 147,000 complaints and $4.88 billion in losses. This is a 46% increase in complaints and a 43% increase in losses compared to 2023. 

While these scams often focus on personal accounts, businesses can’t afford to overlook them. Many of these tactics involve impersonation, tech support fraud, and investment schemes, all of which can be used as entry points into corporate environments when employee personal devices or credentials are compromised. 

Enforcing personal and professional boundaries is a key part of reducing organizational risk, and companies need to include personal digital hygiene in their security awareness training. Encouraging employees to apply best practices to their home devices, email accounts, and social media platforms helps limit crossover risk, especially for businesses that allow personal device use or work-from-home access. A strong mobile device management (MDM) program further reduces risk by enforcing encryption, antivirus, and patching requirements to keep company systems secure.

It’s also important to create a culture where employees feel comfortable reporting if they’ve fallen victim to a scam, even if it’s not work related. Early notification gives IT and compliance teams the best chance to contain potential fallout. The FBI’s Recovery Asset Team has proven that fast reporting works, successfully freezing over $560 million in stolen funds last year. 

Businesses must take note: when fraud is reported quickly, the chances of recovering funds significantly improve. Every organization should document and communicate its internal fraud reporting process, including who to contact and how to coordinate with law enforcement or financial institutions.

Practical steps for a stronger cybersecurity posture

This year’s IC3 data makes one thing clear: cybercriminals are evolving faster than many organizations can keep up. Attackers are targeting businesses with increasingly convincing social engineering tactics, leveraging new technologies, and taking advantage of personal vulnerabilities to gain corporate access.

To respond effectively, businesses need to think beyond basic security controls. A strong cybersecurity program should prioritize:

• Continuous monitoring for real-time visibility into control performance and proactive remediation for vulnerabilities, misconfigurations, and failing controls.
• Compliance automation to manage and scale compliance operations and reduce manual overhead
• Proactive risk management with periodic risk assessments, threat awareness, and clear remediation plans.
• Data security and social engineering awareness training, especially among high-risk groups like finance teams and executives.
• Strong access controls across all systems, especially for email, financial systems, and cloud applications.
• Incident response planning and regular tabletop exercises to prepare for real-world attack scenarios.
• Vendor and third-party risk management, particularly as supply chain attacks continue to rise.
• Secure data handling, encryption, and regular internal cybersecurity audits to protect sensitive information.

Building a resilient security posture for 2025 and beyond

As we move further into 2025, the data from the FBI’s report underscores the need for businesses to take a proactive approach to cybersecurity. The cost of inaction is steep, not just in dollars but in reputation, trust, and operational continuity.

Building a strong security posture means understanding where your vulnerabilities lie, putting the right controls in place, and preparing your teams to act quickly when something goes wrong. Whether you’re a startup, a mid-sized company, or a mature enterprise, now is the time to invest in the tools, training, and practices that can protect your organization from the threats outlined in the FBI’s latest report.

Our Cybersecurity Checklist for 2025 is designed to help you assess your current security posture, identify gaps, and protect your systems against the emerging threats outlined in this year’s FBI report. Download the checklist to strengthen your defenses, prioritize key improvements, and keep your business safe.