TL;DR: The FBI Internet Crime Complaint Center (IC3) 2025 annual report - the headline data set behind every "AI scam is going up" story this year - logged a record $20.9 billion in reported losses, up 26% in a single year, per Malwarebytes coverage of the IC3 release. For the first time in roughly 25 years, the FBI broke AI out as its own crime category - 22,364 complaints and approximately $893 million in losses - and added the caveat that the number is "almost certainly higher" because victims rarely know AI was used against them. Government impersonation complaints nearly doubled year-over-year to 32,500, with $797 million in losses, per Nextgov. For NC small businesses, the report is the formal answer to a CFO question many have been asking: "How worried should we actually be about AI fraud?"
Key takeaway: $893 million in admitted AI losses + "almost certainly higher" + a doubling of government-impersonation scams = the threat model your AP clerk needs to be trained against is no longer "an email from the CEO asking for a wire" but "a phone call in the CEO's voice asking for a wire."
Need help building wire-fraud controls and AI-aware staff training? Preferred Data Corporation has run managed cybersecurity and managed IT for NC small businesses since 1987. Call (336) 886-3282 or request an AI fraud defense review.
What does the FBI IC3 2025 report actually say about AI fraud?
The FBI IC3 2025 annual report logs over one million complaints and $20.9 billion in reported losses - a 26% year-over-year increase - and for the first time in the program's ~25-year history, breaks "artificial intelligence" out as its own crime classification, per Malwarebytes. The AI category alone is 22,364 complaints and approximately $893 million in losses; the FBI notes the figure is undercounted because most victims do not know AI was involved.
| Metric | FBI IC3 2025 figure |
|---|---|
| Total complaints | Over 1 million |
| Total reported losses | $20.9 billion (up 26% YoY) |
| AI-category complaints | 22,364 (first-ever standalone category) |
| AI-category losses | ~$893 million |
| FBI caveat | "Almost certainly higher" - victims rarely know AI was used |
| Government impersonation complaints | ~32,500 (up from ~17,300 in 2024) |
| Government impersonation losses | $797 million (up from ~$405 million) |
| AI-powered BEC losses (2024 baseline) | $2.77 billion across 21,442 incidents |
For an NC small business, three numbers in this report do the heavy lifting:
- $893 million is the floor, not the ceiling. The FBI's own caveat is that victims rarely know AI was used - the AI voice on the phone sounded like the CEO, but the victim attributes the fraud to "I got a call from the CEO." The actual AI-fraud total is meaningfully higher.
- Government impersonation doubled in one year. Per Nextgov, reported complaints rose from ~17,300 in 2024 to ~32,500 in 2025, with losses up from ~$405 million to ~$797 million. The "IRS / Social Security / state revenue agency calling about your business" lure is the highest-growth vector.
- AI-powered BEC is the biggest single-dollar loss line. Per the FBI's 2024 baseline (the most recent broken-out figure), $2.77 billion across 21,442 incidents - over $129,000 average per incident. SMBs land in the middle of that distribution.
Quotable definition: AI-powered Business Email Compromise (BEC) is fraud in which a generative model writes the lure email, a voice-cloning model places the follow-up phone call, and a deepfake video model joins the Zoom or Teams call that closes the wire. The financial controls - callback verification, dual approval, vendor master-file lock - are unchanged. The rate at which those controls stop the fraud has dropped sharply.
Why does this matter for North Carolina small businesses specifically?
Because the FBI IC3 data is the most credible baseline an NC SMB CFO can cite when asking for a fraud-control budget. The NC SMB victim profile maps cleanly:
- A High Point manufacturer with a 4-person finance team receives a Teams call from "the CEO" - real voice, real cadence, real Zoom background - asking for an emergency $180,000 wire to a "new supplier" before the close-of-business deadline. The CEO is on a flight; the CFO is in a board meeting; the AP clerk decides to be helpful. No written callback policy = no defense.
- A Greensboro construction firm is targeted with an IRS impersonation call. "Your federal contractor status is at risk if outstanding 941 deposits are not reconciled today." The voice references real company details scraped from public 8-K filings and a recent press release. Per the FBI, this is the doubling category.
- A Charlotte regional law firm gets a partner's voice on a call requesting that an escrow disbursement be wired to a "client's new escrow agent" because of a hurricane-related title issue. The trust account is the highest-value target in an NC SMB.
- A Piedmont Triad medical practice has its practice manager phished by an "HHS OIG audit" call - voice-cloned and referencing real Medicare provider IDs - demanding electronic medical record extracts uploaded to a "secure portal." HIPAA breach + AI fraud + government impersonation in one incident.
Per the FBI IC3 PSA on generative AI fraud, criminals are using generative AI to write more convincing phishing messages, clone voices for vishing, and produce synthetic identity documents for "know your business" account takeovers. None of these techniques requires a sophisticated attacker - the tools are commodity SaaS.
Key takeaway: The fraud playbook has not changed. The hit rate of the fraud playbook has changed dramatically because the lures are now individually tailored, the voices are real, and the supporting documents are AI-generated.
How does an NC SMB defend against AI-enabled fraud in 60 days?
Run an eight-step sequence inside 60 days. The sequence is designed for an NC SMB CFO with no dedicated fraud officer and a 4-10 person finance team.
- Write a callback verification policy (Day 0-7). Any wire, ACH change, vendor banking change, or release of payroll data over a defined threshold requires a callback to the requester at a number in the directory - not the number on the email or in the caller ID. Document the policy, sign it, distribute it, train against it.
- Set dual approval on all wires over a threshold (Day 0-14). Bank-side dual approval on outgoing wires above $25,000 (or a number that fits your SMB). The threshold is irrelevant if both approvers can be phished, but dual approval forces a second voice into the loop.
- Lock the vendor master file (Day 7-21). Vendor banking changes require a paper form, a notarized signature, and a callback to a known number for the vendor. Most BEC wire fraud routes through a banking-change request - close that vector.
- Train all finance, exec assistants, and AP staff on AI vishing (Day 0-30). Scripted training that includes a live demonstration of a voice clone (with consent) using a 30-second sample of an executive's voice. Once staff hear how good the clone is, the policy enforcement becomes self-sustaining.
- Roll out phishing-resistant MFA (Day 14-45). AI-enabled phishing still requires the attacker to capture credentials or sessions. Phishing-resistant MFA (FIDO2 / passkey) closes the most common entry vector.
- Tabletop the AI fraud scenario quarterly (Day 30-60). Walk the leadership team through a deepfake-CEO scenario - voice on a Teams call, urgency, dollar figure - and run the policy. Most policies break the first time they are exercised.
- Verify cyber insurance covers AI-enabled fraud (Day 14-45). Many SMB cyber policies exclude "social engineering" or "voluntary funds transfer" by default. AI-enabled fraud is exactly the carve-out. Read the policy with your broker; pay for the endorsement if needed.
- Report every attempt to IC3 (Day 0-ongoing). The FBI baseline is undercounted because most attempts go unreported. Reporting at ic3.gov takes 10 minutes and improves the next year's baseline that every CFO will cite.
| Control | Day-60 target | Why it matters |
|---|---|---|
| Written callback verification policy | 100% of wire / ACH / vendor banking change | Forces a second known voice into the loop |
| Bank-side dual approval on wires above threshold | All outgoing wires | Second human in the loop on the highest-value action |
| Vendor master-file lock | All vendor banking changes | Closes the BEC delivery vector |
| AI vishing training for finance + exec assistants + AP | 100% of finance-adjacent staff | Disrupts the highest-conversion delivery |
| Phishing-resistant MFA on finance + exec accounts | 100% of high-value identities | Closes the credential / session theft entry |
| Quarterly AI fraud tabletop | Drafted + executed | Surfaces broken policy before the real call |
| Cyber insurance endorsement for AI fraud | Reviewed + executed | Ensures the policy pays out when the controls fail |
| IC3 reporting on attempts | Every attempt | Improves the national baseline |
Key takeaway: Two controls together - callback verification policy + dual approval on wires - prevent the vast majority of AI-enabled fraud regardless of how good the voice clone is. The hard part is enforcing the policy when the voice on the phone sounds exactly like the CEO and says "this once, please."
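The callback, dual-approval and vendor-lock rules above, expressed as a pre-release check. This is an added example, not code from PDC or the FBI; the directory entries, field names, violation messages and the rule that the requester cannot count as one of the two approvers are assumptions.

```python
from dataclasses import dataclass, field

DUAL_APPROVAL_THRESHOLD = 25_000  # the article's example figure; set your own

# Constructed directory: numbers on file before any request arrived.
DIRECTORY = {"ceo": "+13365550100", "acme-supply": "+13365550142"}

@dataclass
class PaymentRequest:  # hypothetical record of one wire / ACH request
    requester: str                    # directory key of the claimed requester
    amount: float
    callback_number: str = ""         # number staff actually dialed
    callback_confirmed: bool = False  # requester confirmed on that call
    approvers: set = field(default_factory=set)
    changes_vendor_bank: bool = False
    vendor: str = ""
    vendor_callback_number: str = ""
    notarized_form_on_file: bool = False  # paper form with notarized signature

def _digits(number):
    """Compare numbers by digits only so formatting differences don't matter."""
    return "".join(c for c in number if c.isdigit())

def _called_known_number(dialed, key, directory):
    known = directory.get(key)
    return known is not None and _digits(dialed) == _digits(known)

def review(req, directory=DIRECTORY):
    """Return policy violations; an empty list means the payment may be released."""
    problems = []
    if not (req.callback_confirmed and
            _called_known_number(req.callback_number, req.requester, directory)):
        problems.append("callback not made to directory number")
    # Assumption: the requester cannot count as one of the two approvers.
    if req.amount > DUAL_APPROVAL_THRESHOLD and len(req.approvers - {req.requester}) < 2:
        problems.append("dual approval missing")
    if req.changes_vendor_bank:
        if not req.notarized_form_on_file:
            problems.append("vendor change lacks notarized form")
        if not _called_known_number(req.vendor_callback_number, req.vendor, directory):
            problems.append("vendor callback not made to known number")
    return problems

if __name__ == "__main__":
    # Constructed case: "CEO" on a call asks for $180,000; clerk rings back the
    # number the caller supplied and approves alone.
    spoofed = PaymentRequest("ceo", 180_000, "+1 919 555 0199", True, {"ap_clerk"})
    print(review(spoofed))
```

The check keys on where the callback number came from, not on how convincing the caller sounded, which is why it holds up against a good voice clone.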
How does Preferred Data Corporation help NC SMBs defend against AI-enabled fraud?
PDC has run managed cybersecurity, managed IT, and AI transformation for NC SMBs since 1987. For the FBI IC3 2025 wake-up call, PDC brings three things to the table:
- Written fraud-control policies + training: Callback verification, dual approval, vendor master-file lock, and a 60-minute live training that demonstrates a voice clone in a controlled setting so staff understand the threat is not theoretical.
- Identity hardening + Microsoft 365 BEC defense: Phishing-resistant MFA rollout, Conditional Access policies, Microsoft Defender for Office 365 anti-phishing tuning, and detection rules for the "auto-forwarding rule + new mailbox rule" pattern that follows a successful BEC.
- Tabletop + incident response retainer: Quarterly tabletop exercises, a documented incident response runbook for AI-fraud scenarios, and a 24/7 retainer for the first call when the wire has already been sent.
For NC manufacturers in High Point and Greensboro, construction firms across the Piedmont Triad, law firms with escrow accounts, and healthcare practices managing PHI - this is the 60-day cycle that turns the FBI's "almost certainly higher" admission into a near-zero loss rate.
Frequently Asked Questions
What does the FBI IC3 2025 report say about AI scams?
Per Malwarebytes coverage of the FBI release, the IC3 2025 annual report logged over $20.9 billion in total reported losses (up 26% year-over-year), broke out AI as its own crime category for the first time with 22,364 complaints and ~$893 million in losses, and added the caveat that the AI number is "almost certainly higher" because victims rarely know AI was involved.
How much did government impersonation scams grow in 2025?
Per Nextgov, recorded government impersonation complaints rose from ~17,300 in 2024 to ~32,500 in 2025 - nearly doubled. Reported losses rose from ~$405 million to ~$797 million. NC SMBs should treat IRS, SSA, and state-revenue impersonation calls as high-probability AI-enabled fraud attempts.
What is the single most effective control for AI-enabled fraud?
A written callback verification policy: any wire, ACH change, vendor banking change, or release of sensitive data above a defined threshold requires a callback to the requester at a number in the directory - not the number on the email or in the caller ID. Combined with bank-side dual approval on wires above a threshold, this control set defeats most AI-enabled fraud regardless of voice-clone quality.
Does my cyber insurance cover AI-enabled fraud losses?
Often not by default. Most SMB cyber policies carry exclusions or sub-limits for "social engineering" and "voluntary funds transfer." AI-enabled BEC and voice-clone CFO fraud fall squarely inside those carve-outs. Read your policy with your broker and pay for the social-engineering endorsement if you have not already.
How should an NC SMB report an attempted AI-enabled fraud?
Report to the FBI Internet Crime Complaint Center at ic3.gov - the report takes 10-15 minutes. If money was actually moved, also call your bank to attempt a recall, your local FBI field office (Charlotte for most NC SMBs), and the state attorney general's consumer protection division. Document every detail: caller phone number, exact words used, time stamps, voices you recognized.
What is voice cloning and how good is it now?
Voice cloning models can produce a convincing imitation of a target voice from as little as 3-30 seconds of audio - readily available from podcasts, earnings calls, conference talks, and LinkedIn videos. The output is good enough to fool a colleague over a phone call. Per the FBI IC3 voice-cloning PSA, the technology is now commodity SaaS available to any attacker.
Does PDC train our finance team on this specifically?
Yes - a 60-minute live training that includes a demonstrated voice clone (with consent) of an executive at the engaged company, a tabletop exercise walking through a deepfake-CEO call scenario, and a 90-day refresh cycle. Training is built into the 60-day fraud-control engagement.