4 min read By Excello Mail Team

The FBI's 2025 Crime Report: Phishing Volume Barely Moved. Losses Grew 208% Anyway.

The FBI's Internet Crime Complaint Center logged nearly the same number of phishing and spoofing complaints in 2025 as in 2024, but losses jumped from $70 million to $215.8 million. Combined with BEC and government impersonation, email-based fraud crossed $4 billion. Here is what the data says about why volume-based defenses are no longer the measure that matters.

The FBI’s Internet Crime Complaint Center (IC3) released its 2025 Internet Crime Report in April, marking 25 years of tracking reported cybercrime in the United States. The topline number is stark on its own: 1,008,597 complaints and $20.877 billion in reported losses, a 26% increase over 2024 and the first year the complaint count has crossed one million. But the number that should matter most to anyone responsible for a domain’s email security is buried a few pages in, in the phishing and spoofing category.

Phishing and spoofing complaints moved from roughly 193,000 in 2024 to 191,561 in 2025. That is a decrease. Meanwhile, reported losses from those same complaints rose from $70 million to $215.8 million, a 208% increase in a single year and an eleven-fold increase from two years earlier. The number of attacks did not grow. The damage each attack does, did.

Three Categories, One Underlying Vector, Over $4 Billion

IC3 breaks financially motivated email fraud into several reporting categories, and three of them share the same underlying mechanism: convincing someone that a message is legitimate when it is not.

Business Email Compromise recorded 24,768 complaints and $3.046 billion in losses, making it the second-costliest crime category in the entire report, trailing only investment fraud. BEC has now cost reported victims roughly $8.5 billion over the last three years alone.

Phishing and spoofing, as noted, produced $215.8 million in losses on essentially flat complaint volume.

Government impersonation, a category IC3 tracks separately from phishing, saw complaints nearly double, from 17,367 to 32,424, while losses climbed from $405.6 million to $797.9 million.

Add the three together and email-based trust exploitation accounted for more than $4 billion in reported losses in 2025, up 46% from the year before. For the first time in the report’s history, IC3 also broke out artificial intelligence as its own category: 22,364 complaints and nearly $893 million in losses, with generative tools increasingly used to write the messages and clone the voices that make all three of the categories above more convincing.

Why Losses Outpaced Volume

A flat complaint count paired with a tripling of losses tells a specific story: attackers are not casting a wider net, they are getting better at converting the attempts they already make. That shift lines up with what threat intelligence teams have been reporting all year. Business email compromise increasingly starts with a compromised vendor account rather than a spoofed domain. Government impersonation campaigns borrow the credibility of real agency names and, in some documented cases, real compromised .gov infrastructure. AI-generated text and voice cloning remove the grammatical tells that used to make phishing easy to spot.

None of this makes domain authentication obsolete. It makes it necessary but no longer sufficient on its own, which is a different problem than the one most DMARC deployments were built to solve.

Where DMARC Enforcement Still Draws the Line

DMARC at a policy of p=reject closes exactly one of the doors these numbers describe: a message claiming to be from your domain that did not actually originate from your authorized infrastructure. For direct domain spoofing, that is a complete fix, and it is why every dollar figure in the IC3 report includes some fraction of victims who would not have been reachable if the impersonated organization enforced DMARC.

It does not close the other doors. A genuinely compromised vendor account passes SPF, DKIM, and DMARC because the sending domain is authenticating correctly; the fraud is in the account, not the DNS record. A government impersonation email sent from a look-alike domain that nobody has enforced against is a separate, related problem. An AI-written BEC message sent from a real, hijacked mailbox will sail through every authentication check ever designed, because there is nothing to authenticate against.

That is precisely why the IC3 numbers are worth reading as a system, not three isolated line items. Enforce DMARC to eliminate direct spoofing. Monitor DMARC aggregate and forensic reports continuously to catch anomalies in your authorized senders before they turn into six-figure incidents. And treat account compromise, not just domain spoofing, as the threat model that email authentication alone cannot fully close.

The Takeaway for Anyone Who Owns a Domain

A record that sits at p=none contributes nothing to next year’s version of this report. If your domain has never enforced a policy, or if you have not looked at your aggregate reports in months, you are one of the organizations whose exposure this data is measuring. The volume of attacks did not need to grow for the losses to. It only needed enough undefended domains and enough compromised accounts already in circulation, and both of those conditions are already met.


Reported losses from phishing, BEC, and impersonation fraud only go up when nobody is watching the authentication data. Sign up for free to Excello Mail and get continuous visibility into who is sending mail on your domain’s behalf, before it becomes next year’s IC3 statistic.