FBI IC3: $20.9B Cybercrime Losses Hit Small Businesses Hard


The FBI's 2025 Internet Crime Report, released in April 2026, reveals that Americans reported $20.9 billion in cybercrime losses last year, a 26% year-over-year increase that broke through the $20 billion threshold for the first time in history. Small and mid-sized businesses absorbed a disproportionate share of those losses, with business email compromise (BEC) alone responsible for $3 billion in stolen funds.

The Internet Crime Complaint Center (IC3) received more than 1 million complaints in 2025, averaging over 3,000 each day, a 17.3% increase over the prior year. For North Carolina business owners, the message from federal investigators is unambiguous: the volume, sophistication, and financial impact of cybercrime now make basic defenses inadequate.

Key takeaway: According to the FBI's 2025 IC3 Annual Report, cybercrime losses rose 26% year-over-year to $20.9 billion in 2025. Business email compromise drove $3 billion in losses, tech support fraud added $2.1 billion, and ransomware continues to evolve. Small businesses face the same threat actors as Fortune 500s with a fraction of the security budget.

Worried your business is exposed? Preferred Data Corporation provides managed cybersecurity services for North Carolina small businesses. BBB A+ rated, founded in 1987. Call (336) 886-3282 or request a no-cost security assessment.

What does the FBI's 2025 IC3 report say?

The 2025 Internet Crime Report documents the highest losses in the IC3's 26-year history. Total reported losses reached $20.9 billion, a 26% increase over the $16.6 billion reported in 2024. The IC3 received approximately 1 million complaints, with phishing/spoofing, extortion, and personal data breaches leading by complaint count.

| Cybercrime Category | 2025 Reported Losses | Trend |
| --- | --- | --- |
| Investment fraud | $8.6 billion | Largest single category |
| Business email compromise (BEC) | $3.0 billion | Persistent SMB threat |
| Tech support fraud | $2.1 billion | Up sharply YoY |
| Personal data breaches | $1.3 billion | Tied to BEC and account takeover |
| Ransomware | Hundreds of millions tracked | Underreported per FBI |

Three patterns matter most for small businesses:

  • BEC remains the most expensive direct attack on businesses. Between 2022 and 2024, IC3 recorded nearly $8.5 billion in cumulative BEC losses according to Nacha's reporting on the IC3 data.
  • Older Americans and small business operators report the highest per-victim losses. The same wire fraud techniques that drain consumer retirement accounts also drain business operating accounts.
  • Ransomware reporting is a fraction of actual incidents. The FBI publicly states that ransomware is "underreported" because many victims pay quietly.

Why are small businesses the FBI's top concern?

Small businesses are the FBI's top concern because they combine valuable data, weak defenses, and limited recovery resources. According to StationX's small business cybersecurity statistics, 88% of SMB breaches involved ransomware in 2025, compared to just 39% for large organizations.

Three structural realities create the gap:

Smaller security budgets, identical threats

The same ransomware affiliates targeting Fortune 500s also use automated scanners that test every internet-facing device. A 12-person law firm in High Point and a 12,000-person enterprise in Charlotte face the same initial-access brokers, the same phishing kits, and the same credential-stuffing botnets.

Limited internal expertise

Most small businesses do not employ a full-time information security officer. According to VikingCloud's 2026 SMB threat research, three in four SMBs say cyber incidents are the most likely event to negatively impact their business this year, yet only a minority have a documented incident response plan.

Recovery resources are thin

A single successful BEC wire fraud can cost a small business its operating capital. According to StrongDM's research, 60% of small businesses close within six months of a major cyber incident. The math is not abstract: average breach cost for businesses with under 500 employees runs $3.31 million, with downtime costs of $53,000 per hour.

Learn how PDC's managed cybersecurity services close these gaps.

What is business email compromise (BEC) and why is it so expensive?

Business email compromise is a fraud scheme in which attackers impersonate trusted contacts (executives, vendors, attorneys, or accountants) to trick employees into sending wire transfers, sharing sensitive data, or paying fraudulent invoices. According to the FBI's BEC resource center, BEC has become the costliest single category of business fraud reported to law enforcement.

The 2026 BEC playbook now blends three vectors:

  • Credential theft from info-stealer logs to access real mailboxes
  • AI-generated phishing emails that mimic writing style and reference real projects
  • Voice cloning and deepfake video to confirm "urgent" wire transfers, as documented by Fortune's coverage of deepfake CEO fraud

For NC manufacturers, construction firms, and professional services companies that routinely move five- and six-figure wires, BEC has become the most direct path to material financial loss. Read our deeper analysis of deepfake fraud defense.

How can a small business defend against IC3-listed threats?

A small business defends against IC3-listed threats by layering identity controls, email security, endpoint detection, and tested response procedures. No single product stops every category. The FBI's 2025 report makes clear that the businesses absorbing the worst losses share preventable gaps.

Below is a prioritized defense roadmap mapped to the IC3's top loss categories.

1. Lock down identity and email

  • Phishing-resistant multi-factor authentication (MFA) on every email, VPN, and admin account. According to Microsoft research, MFA blocks 99.9% of automated account compromise attempts.
  • Conditional access policies that block sign-ins from impossible locations and risky devices.
  • Email authentication standards (SPF, DKIM, DMARC) to stop spoofed sender domains.
  • Mailbox audit logging retained for at least 180 days to detect post-compromise activity.

2. Build a wire transfer verification protocol

A documented two-channel verification process is the single most effective control against BEC. Require an out-of-band callback (not reply-all email) to a known number on file before any wire change request, vendor banking update, or transfer over a defined threshold. Train accounting staff that "urgent" is not a reason to skip the protocol; it is a reason to slow down.

3. Deploy modern endpoint detection and response (EDR)

Traditional antivirus does not stop fileless malware, living-off-the-land attacks, or AI-generated polymorphic payloads. EDR provides behavioral detection, automated containment, and forensic visibility. For NC businesses without 24/7 internal staff, managed detection and response (MDR) layered on top of EDR delivers continuous monitoring without hiring a full SOC team. Learn about PDC's endpoint protection services.

4. Tested, immutable backups

The 3-2-1-1-0 backup standard (three copies, two media, one off-site, one immutable, zero verified errors) determines whether a ransomware incident is a one-day inconvenience or a six-month closure. Restore tests every quarter are mandatory; a backup that has never been restored is not a backup.

Review PDC's backup and disaster recovery services.

5. Documented incident response plan with annual tabletop

A plan in a binder is not a plan. The businesses that survive BEC and ransomware rehearse the call tree, the legal notification timeline, the cyber insurance contact, and the IT containment steps. According to BDEmerson's small business research, most small businesses still lack a documented response plan.

6. Cyber insurance with control alignment

Cyber insurance carriers now require MFA, EDR, tested backups, and security awareness training as conditions of coverage. The same controls that satisfy underwriters dramatically reduce the chance of needing to file a claim. Read our guide to reducing cyber insurance premiums.

What should NC businesses do this week?

NC businesses should treat the IC3 report as a 30-day action trigger, not a news headline. The same threat actors documented by the FBI are scanning Piedmont Triad, Research Triangle, and Charlotte IP ranges right now.

Week 1: Baseline assessment

  • Inventory every internet-facing device (firewalls, VPN appliances, RMM tools, web servers)
  • Confirm MFA is enforced on all email, VPN, and admin accounts
  • Verify last successful backup restore test (if older than 90 days, schedule one)

Week 2: Identity hardening

  • Enable conditional access policies for risky sign-ins
  • Roll out phishing-resistant MFA (FIDO2 keys or app-based) for executives and finance staff
  • Review delegated mailbox permissions and inbox forwarding rules (a common BEC persistence trick)
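The mailbox review in the last item can be scripted once rules and permissions are exported. The following is an added example, not PDC's tooling: it assumes the export is a list of records using the Exchange property names ForwardTo, ForwardAsAttachmentTo, RedirectTo and AccessRights, and the "Mailbox" key, domains and sample records are constructed for illustration.

```python
import re

INTERNAL_DOMAINS = {"corp.example"}   # assumption: the organization's own mail domains
FORWARD_FIELDS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
ADDRESS = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

def external_targets(rule):
    """Addresses in a rule's forward/redirect actions that leave the organization."""
    hits = []
    for field in FORWARD_FIELDS:
        for entry in rule.get(field) or []:
            for match in ADDRESS.finditer(entry):
                if match.group(1).lower() not in INTERNAL_DOMAINS:
                    hits.append(match.group(0).lower())
    return hits

def audit_rules(rules):
    """Flag enabled inbox rules that send mail to an external address."""
    return [(r["Mailbox"], r["Name"], external_targets(r))
            for r in rules if r.get("Enabled", True) and external_targets(r)]

def audit_delegates(perms, approved):
    """Flag FullAccess grants missing from the approved (mailbox, user) set."""
    return [(p["Mailbox"], p["User"]) for p in perms
            if "FullAccess" in p["AccessRights"]
            and (p["Mailbox"], p["User"]) not in approved]

# Constructed sample export; "Mailbox" is a hypothetical key added by the export step
RULES = [
    {"Mailbox": "ap@corp.example", "Name": "sync", "Enabled": True,
     "RedirectTo": ['"AP" [SMTP:ap-archive@mailbox-sync.example]']},
    {"Mailbox": "ceo@corp.example", "Name": "To assistant", "Enabled": True,
     "ForwardTo": ['"EA" [SMTP:ea@corp.example]']},
    {"Mailbox": "cfo@corp.example", "Name": "old", "Enabled": False,
     "ForwardAsAttachmentTo": ["x@other.example"]},
]
PERMS = [
    {"Mailbox": "cfo@corp.example", "User": "ea@corp.example", "AccessRights": ["FullAccess"]},
    {"Mailbox": "ap@corp.example", "User": "temp1@corp.example", "AccessRights": ["FullAccess"]},
    {"Mailbox": "ap@corp.example", "User": "auditor@corp.example", "AccessRights": ["ReadPermission"]},
]
APPROVED = {("cfo@corp.example", "ea@corp.example")}

if __name__ == "__main__":
    print("external forwarding:", audit_rules(RULES))
    print("unapproved FullAccess:", audit_delegates(PERMS, APPROVED))
```

Anything flagged on a finance or executive mailbox should be confirmed with the mailbox owner before it is removed, and the mailbox audit log checked for when the rule or grant was created.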

Week 3: Endpoint and email

  • Audit EDR coverage; replace traditional AV on any unprotected endpoints
  • Configure email banner warnings for external messages and impersonation attempts
  • Test SPF, DKIM, DMARC records and move DMARC to quarantine or reject

Week 4: Response readiness

  • Update or create an incident response plan (FBI/CISA templates are a starting point)
  • Conduct a 60-minute tabletop exercise with leadership and IT
  • Schedule a third-party security assessment with a qualified MSP or MSSP

Worried about gaps? Preferred Data Corporation conducts cybersecurity assessments aligned to the IC3 threat landscape. We map your current controls to the attack categories driving 2025 losses and deliver a prioritized remediation plan. Call (336) 886-3282 or contact us.

Why partner with Preferred Data Corporation?

Preferred Data Corporation has protected North Carolina businesses since 1987. Our managed cybersecurity practice focuses on the threats the FBI documents, not generic checklists. PDC delivers:

  • 24/7 managed detection and response with EDR coverage
  • BEC and wire fraud monitoring with mailbox forensics
  • Tested, immutable backup and disaster recovery
  • Cyber insurance control alignment and policy review support
  • Documented incident response plans with quarterly tabletop exercises
  • On-site response within a 200-mile radius of High Point

We are not a national help desk reading from scripts. We are a North Carolina partner that understands manufacturing, construction, professional services, and the regulatory environments NC businesses operate in.

How much does it cost to defend a small business?

Comprehensive managed security for a typical 25-100 person NC business runs $75-$175 per user per month, depending on coverage tier. The math against the FBI numbers is simple:

  • A 50-person business spends $45,000-$105,000 per year on layered defense
  • Average small business breach cost: $3.31 million (per StrongDM)
  • Average BEC loss per incident reported to IC3: six figures
  • Cost of doing nothing: 60% of breached SMBs close within six months

The IC3 numbers are not abstract. They are the price tag attached to skipped MFA rollouts, untested backups, and "we'll get to it next quarter" plans.

Key takeaway: The FBI tracked $20.9 billion in cybercrime losses in 2025 because the controls that stop these attacks (MFA, EDR, tested backups, written response plans) are not yet standard at most small businesses. The cost to add them is a fraction of the cost of one incident.

About Preferred Data Corporation

Preferred Data Corporation (PDC) is a managed IT and cybersecurity provider headquartered at 1208 Eastchester Drive, Suite 131, High Point, NC 27265. Founded in 1987, PDC serves businesses across the Piedmont Triad, Research Triangle, and Charlotte regions with comprehensive cybersecurity, managed IT, cloud, and M&A advisory services.

Get a no-cost cybersecurity assessment:

  • Call (336) 886-3282
  • Visit preferreddata.com/contact
  • Email [email protected]

Frequently Asked Questions

What is the FBI IC3 and what does it track?

The Internet Crime Complaint Center (IC3) is the FBI's central reporting hub for internet-enabled crime. The annual report aggregates complaints from victims and partner agencies, then categorizes losses by crime type. The 2025 report (ic3.gov) tracked $20.9 billion in losses across 1 million complaints.

How can a small business report cybercrime to the FBI?

Any U.S. business can file a report at ic3.gov within minutes. For wire fraud and BEC specifically, the FBI's Recovery Asset Team (RAT) can sometimes recover funds if the loss is reported within 72 hours. Time matters; report first, investigate second.

What is the most common cyber attack on small businesses?

Phishing and credential theft are the most common entry points, while ransomware and BEC drive the largest dollar losses. According to Spacelift's 2026 SMB cybersecurity statistics, small and mid-sized businesses accounted for 70.5% of data breaches in 2025.

Does cyber insurance cover BEC and ransomware?

Most cyber insurance policies cover BEC and ransomware, but carriers increasingly require specific controls (MFA, EDR, tested backups, awareness training) as conditions of coverage. Failing to maintain those controls can void a claim. Review policy requirements with your broker and managed IT partner annually.

How quickly can a managed security provider get a small business protected?

A focused MSP can deliver foundational protections (MFA enforcement, EDR deployment, backup hardening, baseline policies) in 30 to 60 days for most NC small businesses. A full incident response plan, tabletop exercise, and 24/7 monitoring typically reach steady state within 90 days. The first 30 days deliver the largest risk reduction.

