336-886-3282[email protected]
Preferred Data Logo
Schedule

FBI IC3 2025 Report: $20.9B Cybercrime Losses Hit NC Businesses

FBI's 2025 Internet Crime Report shows $20.9B in losses, up 26%. Learn what NC businesses must do to defend against AI-fueled fraud. Call (336) 886-3282.

Cover Image for FBI IC3 2025 Report: $20.9B Cybercrime Losses Hit NC Businesses

TL;DR: The FBI's 2025 Internet Crime Report, released in April 2026, recorded $20.9 billion in losses across more than 1 million complaints, a 26% increase year-over-year. Business email compromise alone drove $3 billion in losses, and AI-facilitated fraud, tracked separately for the first time, accounted for nearly $893 million across 22,000+ complaints. North Carolina businesses, especially small and mid-sized firms in manufacturing, construction, and professional services, are squarely in the target zone.

Critical takeaway: Cybercrime is no longer a peripheral business risk; it is a core P&L item. With AI-driven scams growing faster than every other fraud category, your defenses must adapt at the same speed your attackers do. Preferred Data Corporation has been protecting NC businesses since 1987.

Worried about your business's cyber risk? Contact Preferred Data Corporation at (336) 886-3282 for a no-obligation cybersecurity assessment. Serving High Point, Greensboro, Charlotte, Raleigh, Winston-Salem, and the entire Piedmont Triad.

What Did the FBI's 2025 Internet Crime Report Reveal?

The FBI Internet Crime Complaint Center (IC3) reported $20.9 billion in losses for 2025, a 26% jump from the prior year. The report logged more than 1 million complaints, up from approximately 859,000 in 2024, and for the first time included a dedicated section on AI-facilitated fraud. The takeaway for North Carolina business owners is direct: every category of cybercrime that touches commercial operations is growing at double-digit rates.

Three categories drove the largest dollar losses:

  1. Investment fraud: the single largest category by reported losses
  2. Business email compromise (BEC): approximately $3 billion in losses
  3. Tech and customer support fraud: approximately $2.1 billion in losses

For NC small and mid-sized businesses, the BEC and tech support categories are the most operationally relevant. Both categories disproportionately target SMBs because attackers know smaller firms typically lack the dedicated security operations, layered email defenses, and out-of-band verification controls common in enterprise environments.

FBI IC3 Category2025 Reported LossesWhy It Matters to NC Businesses
Total cybercrime losses$20.9 billion26% YoY increase
Business email compromise$3.0 billionTargets accounts payable, payroll, vendor payments
Tech/customer support scams$2.1 billionOften impersonates Microsoft, banks, IT providers
Personal data breaches$1.3 billionDrives downstream identity and account takeover fraud
AI-facilitated fraud (new)~$893 million22,000+ complaints; growing fastest of any category

How Has AI Changed the Cybercrime Landscape?

AI-facilitated fraud was added as a dedicated reporting category in 2025 because it became too large to ignore. The IC3 logged 22,000+ AI-related complaints and almost $893 million in losses in a single year. Independent research tracking generative AI fraud reports a 1,210% surge in AI-driven scams compared to roughly 195% growth in traditional fraud over the same period.

For business owners in High Point, Charlotte, Greensboro, Raleigh, and across the Piedmont Triad, the practical impact is that the same AI tools that make legitimate marketing copy faster also make phishing emails faster, voice clones cheaper, and deepfake video calls easier. Three patterns dominate the casework:

  • Voice cloning of executives, used to authorize wire transfers in real time during phone calls
  • Deepfake video conferencing, where a "CFO" on a Zoom call is actually an AI-generated face and voice (the documented Arup case lost $25.6 million across 15 wire transfers from a single fake video call)
  • AI-written spear phishing that scrapes LinkedIn, public filings, and press releases to produce messages indistinguishable from a real vendor or partner

The defensive implication is that signature-based filters and "look for typos" training are no longer enough. Modern AI-generated phishing has perfect grammar, accurate context, and convincing pretexts.

Which Crimes Hit Small Businesses Hardest?

Business email compromise and tech support fraud cause the most damage for North Carolina SMBs because they exploit two universal SMB realities: limited segregation of duties on payments, and trust placed in inbound "tech help" calls. The $3 billion BEC total in the IC3 report consistently traces back to a few repeating playbooks:

  1. Vendor payment redirection. Attackers compromise an upstream vendor's mailbox, monitor for invoices, and email the buyer with "updated" ACH/wire instructions
  2. Executive impersonation. A spoofed or compromised CEO/CFO email asks a controller to wire funds for a "confidential acquisition"
  3. Payroll diversion. Attackers email HR pretending to be an employee changing direct deposit
  4. W-2 and tax data theft. Attackers request bulk W-2 data for "the auditor," then file fraudulent returns

Tech support scams add another vector: a pop-up or call claims your computer is infected, the "technician" gains remote access, and money is then drained from online banking. Because 88% of SMB breaches in 2025 involved ransomware or extortion according to the Verizon DBIR, and the average ransomware payment rose to $3.6 million in 2025, an unpaid invoice is rarely the last cost; the same compromise often ends in encryption and downtime.

Why Are NC Businesses Such Attractive Targets?

North Carolina hosts a dense concentration of manufacturing, construction, defense supply-chain, and professional services firms. Attackers prefer this profile because these companies move large dollar amounts via ACH and wire, depend on tightly scheduled production or project timelines, and often operate with lean IT staff. The IC3 data lines up with what we see on the ground in High Point, Greensboro, Charlotte, Raleigh, Winston-Salem, and across the Triad:

  • Tight production schedules mean ransomware downtime is more painful per hour than for larger enterprises
  • Long-tenured vendor relationships make spoofed-vendor BEC easier to execute
  • Distributed jobsites give attackers more endpoints, more public Wi-Fi, and more shared credentials to attack
  • Compliance pressure (CMMC, HIPAA, GLBA, NC G.S. 75-65 breach notification) compounds the financial cost of every incident

Across our managed IT and cybersecurity clients, the businesses that survive an attempted attack share a pattern: layered email security, verified payment changes, EDR on every endpoint, immutable backups, and an actual incident response plan rehearsed at least annually.

Want to see where your business stands? Take the free cybersecurity assessment or call (336) 886-3282.

What Concrete Defenses Should Every NC SMB Have in 2026?

After the 2025 IC3 numbers, "we use a spam filter and antivirus" is no longer a credible defense. Every NC business should be able to answer "yes" to all of the following:

  1. Out-of-band verification for payments. Any change to bank, ACH, or wire instructions requires a phone call to a known number, not a number from the email
  2. Multi-factor authentication on every account that matters. Microsoft research shows MFA blocks 99.9% of automated attacks
  3. Email authentication enforced. SPF, DKIM, and DMARC at policy reject, not none
  4. EDR or MDR on every endpoint. Behavior-based detection, not signature antivirus
  5. Immutable, offsite backups. Tested restore at least quarterly
  6. Written incident response plan with named owners, contact tree, and legal/insurance escalation
  7. Annual employee training that includes deepfake voice and video examples, not just typo phishing
  8. Vendor risk reviews for any third party that touches your finance or production data
  9. Cyber insurance that meets your contractual and regulatory obligations
  10. 24/7 monitoring through a SOC or managed security provider, because attackers do not work 9-to-5

For a deeper walkthrough, see our guides on business email compromise, EDR vs. antivirus, and cybersecurity essentials for SMBs.

How Should NC Businesses Report Cybercrime to the FBI?

If your business has been targeted, every minute matters because BEC and wire fraud have a narrow recovery window. The FBI's Financial Fraud Kill Chain can sometimes claw back funds if reported within 72 hours, but realistically the success rate climbs with hours, not days. The reporting workflow:

  1. File an IC3 complaint immediately at ic3.gov
  2. Call your bank's fraud line to begin a recall request on outgoing wires/ACH
  3. Notify your cyber insurance carrier before engaging external responders, as most policies require it
  4. Engage an incident response provider (or your managed IT partner) to preserve evidence and contain the breach
  5. Comply with NC G.S. 75-65 if any NC resident's personal information was exposed; notify the NC Attorney General's Consumer Protection Division without unreasonable delay

Preferred Data Corporation has been protecting North Carolina businesses since 1987, which means we have walked clients through every generation of cybercrime, from the first phishing emails to today's AI-driven deepfake fraud. Our managed cybersecurity services bundle the controls listed above into a single subscription so SMBs do not have to vendor-manage 8 different tools. Our managed IT services keep the underlying infrastructure patched and monitored 24/7. Our backup and disaster recovery practice ensures you can restore without paying a ransom.

For manufacturers and construction firms across the Piedmont Triad and I-85 corridor, we add OT-aware monitoring, jobsite connectivity hardening, and vendor risk programs tuned to your supply chain. With BBB A+ accreditation, an average client tenure of over 20 years, and on-site response within 200 miles of High Point, we are the partner NC business owners trust when the stakes are real.

Ready to act on the FBI's findings? Contact Preferred Data at (336) 886-3282 or visit our contact page to schedule a security review.

Frequently Asked Questions

How much did cybercrime cost U.S. businesses and consumers in 2025?

The FBI IC3 reported $20.9 billion in losses in 2025 across more than 1 million complaints, a 26% increase from 2024. Business email compromise alone accounted for $3 billion, and AI-facilitated fraud added nearly $893 million across 22,000+ complaints.

What is business email compromise (BEC)?

BEC is a fraud scheme in which an attacker, using a spoofed or compromised email account, impersonates an executive, vendor, or trusted party to trick an employee into sending money or sensitive data. BEC drove $3 billion in reported losses in the FBI's 2025 IC3 report.

Why are small businesses targeted more than large enterprises?

Attackers favor SMBs because they typically have weaker email authentication, fewer payment verification controls, less-mature endpoint detection, and limited 24/7 monitoring. According to the Verizon 2026 DBIR, 88% of SMB breaches involve ransomware or extortion, compared to 39% at large enterprises.

Where do I report a cybercrime against my business?

Report cybercrime to the FBI at ic3.gov. For wire fraud, also call your bank's fraud line immediately to start a recall. If NC residents' personal information was exposed, notify the NC Attorney General's Consumer Protection Division and follow NC G.S. 75-65.

How fast must I report a wire fraud to recover funds?

The FBI's Financial Fraud Kill Chain works best within 72 hours of the fraudulent wire, and recovery odds drop sharply each day after. Calling your bank within minutes of discovery materially improves the chance of a successful recall.

What is AI-facilitated fraud?

AI-facilitated fraud uses generative AI to create realistic phishing emails, deepfake voice calls, deepfake video conferences, and synthetic identities. The FBI tracked 22,000+ AI-related complaints and nearly $893 million in losses in 2025 alone, growing far faster than non-AI fraud categories.

How much does an NC business cybersecurity program typically cost?

Costs vary by size, industry, and compliance scope, but managed cybersecurity for an SMB usually runs from a few hundred to a few thousand dollars per month. That investment is small compared to the average breach impact reported by the FBI and DBIR. Call Preferred Data at (336) 886-3282 for a tailored estimate.

Does cyber insurance cover BEC and wire fraud losses?

Many cyber insurance policies cover BEC and social engineering fraud, but coverage limits, sub-limits, and verification requirements vary widely. Most carriers require MFA, EDR, and documented payment verification controls. Review your policy with your broker before assuming you are covered.

Support