2024 FBI IC3 Report: Business Email Compromise Remains a Multi-Billion Dollar Threat

Today, the FBI Internet Crime Complaint Center (IC3) released its 2024 Internet Crime Report, a comprehensive look at cybercrime trends over the past year. With total reported losses surpassing $16.6 billion—the highest total ever recorded and a 33% increase over 2023—the data paints a clear picture: cybercriminals are more aggressive, more sophisticated, and more successful than ever.

However, while the threat landscape continues to evolve, some of the most damaging attacks are stubbornly familiar. Here are the most notable insights for security teams and defenders navigating another record-breaking year of cybercrime.

Of the $16.6 billion in financial damages reported to the FBI IC3 last year, more than 17% were directly attributable to business email compromise (BEC). In 2024 alone, BEC losses totaled $2.77 billion across 21,442 reported incidents.

The consistency of BEC highlights just how effective these socially-engineered attacks are. Threat actors don’t need malware or exploits; they rely on impersonation, urgency, and trust to trick employees into wiring money or disclosing sensitive information. It’s a low-tech con with high-reward results, and it’s still working.

Since its initial inclusion in the 2015 IC3 report, losses due to BEC have skyrocketed by more than 1025%, totaling $17.1 billion over the last decade. Though the report did show a modest 6% dip in losses year over year, the IC3 data reveals no signs that attackers are moving on from BEC anytime soon.

For the second year in a row, investment fraud was the costliest crime category tracked by the IC3, with reported losses totaling $6.57 billion. Complaint volume also rose sharply, increasing 21% year-over-year.

Investment fraud is nothing new. Indeed, Ponzi schemes have been around for over a century. But the increasing pervasiveness of cryptocurrencies throughout the past few years has caused the financial impact of investment scams to skyrocket. Cryptocurrency investment fraud, also known as “pig butchering”, accounted for $5.8 billion in damages across 41,557 complaints.

A sophisticated social engineering scam, pig butchering involves tricking targets into making large investments over several weeks or months through fraudulent crypto platforms that simulate real returns. Once the bad actor has “fattened up the pig” (i.e., convinced the target to deposit all of their money into the account), they move forward with “butchering”—withdrawing the funds, closing the account, and blocking the target.

Given how frequently cryptocurrency is used to facilitate investment fraud, it’s no surprise that crypto has become one of the most common threads across nearly every major cybercrime category.

The IC3 doesn’t classify cryptocurrency-related activity as a specific crime type. Instead, it’s tracked as a descriptor, a medium or tool used to facilitate other cybercrimes. Still, crypto persists as a central element in the modern fraud ecosystem, and the volume and value of complaints involving this technology are staggering.

In 2024, IC3 logged 149,686 cryptocurrency-related complaints, with total reported costs exceeding $9.3 billion—a 66% increase over 2023. Criminals exploited crypto in nearly every major crime category tracked, making the takeaway clear: if a fraud involves a financial transfer, there’s a good chance cryptocurrency is part of the picture.

Phishing remains the most reported cybercrime, with 193,407 complaints logged in 2024. And while this represents a decrease in volume from previous years, the reported financial impact jumped to $70 million, nearly quadrupling from the previous year.

And while phishing doesn’t top the charts in losses, it serves as a gateway for more serious threats. An email account acts as the hub for just about everything the average professional needs to do their job. Employees use their email to log into applications, link business accounts, and reset passwords. This means if a threat actor steals login credentials via a successful phishing attack, they can use those to compromise the employee’s email account and gain access to nearly every other account that he or she has within the entire application ecosystem.

Traditional filters can catch basic phishing attempts, but more advanced campaigns—those that rely on urgency, legitimacy, and emotional manipulation—bypass legacy defenses with ease, landing in inboxes and deceiving employees.

The FBI IC3’s latest report makes one thing apparent: the most effective cyberattacks aren’t always the flashiest. Attackers continue to rely on proven social engineering tactics that exploit human behavior and evade legacy defenses.

What has changed is the scale. With more than $16.6 billion in reported losses, cybercrime has never been more profitable. The growing use of cryptocurrency has accelerated the speed and complexity of financial fraud, while increasingly convincing phishing messages are giving attackers easy access to accounts, credentials, and corporate systems. These aren’t edge cases; they’re everyday realities for organizations of all sizes.

Organizations must recognize that the most effective defense is one that adapts as fast as attackers do. Responding to these threats requires an approach rooted in behavior-based detection, continuous learning, and intelligent automation.

Finally, although the IC3 report once again makes limited mention of “artificial intelligence” or “AI,” beyond articles referenced in the appendix, I doubt this trend will endure much longer, as the impact of AI on cybercrime will become progressively undeniable.

If the IC3 report proves anything, it’s that cybercriminals don’t need to reinvent the wheel. They just need to refine what already works. BEC and phishing continue to succeed because they exploit human nature. Investment fraud thrives because people trust what looks legitimate. And cryptocurrency makes it easier than ever to move—and lose—money in the blink of an eye.

Security awareness is important, but the real difference-maker is technology. Organizations relying on legacy defenses are simply outmatched. Stopping modern attacks requires a modern approach, one that uses behavioral AI to detect intent, flag abnormal activity, and adapt to changing attacker tactics in real time. This is what ultimately stops these socially-engineered threats before they can reach end users

Until more organizations replace outdated SEG-based solutions with AI-native detection systems, we can expect cybercrime losses to keep climbing.

See for yourself how Abnormal AI provides comprehensive email protection against attacks that exploit human behavior. Schedule a demo today.