Cybercrime statistics show a clear shift in enterprise risk. Reported losses continue to rise, email remains central to financially damaging attacks, and AI is making social engineering more convincing at scale. For security leaders evaluating detection strategy, these numbers help explain why traditional inspection methods often struggle with modern email threats.

This article reviews current findings from the FBI and government threat intelligence sources, with a focus on the email-based threats that continue to drive major enterprise losses.

• Reported cybercrime losses hit $20.877 billion in 2025, and BEC remained one of the costliest reported crime types.

• AI-supported phishing accounted for more than 80% of observed social engineering activity in ENISA reporting.

• Legacy email security tools often struggle with socially engineered attacks that carry no malicious payloads, while SOC teams still lose time to false positives and manual triage.

• Abnormal's behavioral AI can help identify email threats based on identity and communication patterns rather than signatures or known indicators.

Cyber crime statistics from the FBI show that reported financial impact is still rising. According to the IC3 report, total reported cybercrime losses reached $20.877 billion in 2025. That marked a new threshold in reported annual losses and reinforced the broader pattern of rising impact.

These figures are still conservative. The IC3 report also notes that reported totals do not fully capture downstream business disruption, remediation effort, or broader organizational cost. For leaders building board-level business cases, the larger point is straightforward: reported loss is still rising, and the gap between visible incidents and full business impact remains significant.

That matters because budget conversations rarely happen in the abstract. Security programs need stronger ways to explain where exposure is growing and which control gaps now carry the most financial weight.

Email remains a primary entry point for cyberattacks and a major source of financial exposure, with threat actors consistently exploiting the inbox as both an initial access vector and a staging ground for fraud. The sections below examine two of the most consequential email-driven risks facing enterprises today: business email compromise and credential abuse.

The IC3 report mentioned earlier shows that BEC remained one of the costliest crime types reported to the FBI, and the FBI's BEC PSA documents cumulative BEC losses reported since IC3 inception.

The pattern matters because BEC does not depend on malware delivery. It relies on trust, timing, and message credibility. That makes it financially dangerous even when attackers avoid the indicators that many legacy controls are designed to inspect.

This section also helps frame why email risk extends beyond a single phishing message. When attackers gain access to trusted accounts or impersonate familiar business relationships, the resulting fraud can move quickly through normal approval paths.

The Verizon DBIR identifies credential abuse as the top initial access vector and notes that cloud email services are a major target in web application compromise. Those signals show why email matters beyond message delivery.

It is often where phishing starts, where attackers pursue account access, and where compromised trust turns into impersonation or financial fraud. For security leaders, that makes email security a broader identity and workflow problem, not just a content-filtering challenge.

Cybercrime statistics now reflect how AI is changing the scale and quality of social engineering. The ENISA report found that AI-supported phishing campaigns represented more than 80% of observed social engineering activity worldwide during the reporting period. The UK's National Cyber Security Centre, in its NCSC review, similarly notes that nation-state actors are using commercial LLMs for reconnaissance, social engineering, and post-breach data exfiltration.

The practical implication is clear. Attackers can produce more convincing language, personalize pretexts faster, and scale campaigns without relying on the grammatical mistakes or rigid templates that older content filters were built to catch.

As noted earlier in the FBI IC3 report, AI chat generators mimicking executives and voice cloning are active BEC enablers. While these campaigns may blend email with voice calls or video, the inbox remains a primary control point, and organizations need voice controls for non-email channels.

Cyber crime statistics continue to show that human behavior shapes breach outcomes. The DBIR report found that breaches involved a non-malicious human element, including social engineering and unintentional errors.

That finding helps explain why socially engineered threats continue to perform even in mature security environments. Attackers do not need to defeat infrastructure alone. They need to exploit routine business behavior such as trust in familiar senders, urgency around requests, and normal approval workflows.

For defenders, the challenge is speed and context.

• Trust in familiar senders can lower scrutiny.

• Urgent requests can trigger action before review.

• Normal approval workflows can mask malicious intent.

Detection has to keep pace with attacks that look legitimate enough to trigger action before a manual review process can catch up.

Legacy email gateway (SEG) controls often struggle when attacks look normal at the technical layer. Traditional controls were designed to identify known threats such as malicious attachments, suspicious URLs, and blocklisted domains. Modern BEC and vendor email compromise (VEC) attacks often evade those checks because they exploit trust rather than malware delivery.

Several structural factors contribute to the detection gap:

• No Payload to Scan: BEC and VEC messages often contain no links and no attachments, which leaves little for sandboxing or attachment analysis to inspect.

• Legitimate Account Use: As noted earlier in the FBI PSA, BEC is frequently executed through compromised legitimate accounts, not spoofed domains. That means authentication controls may still pass because the sending infrastructure is genuine.

• More Convincing Language: AI-generated text can reduce the obvious writing flaws and templated patterns that older content-analysis filters often rely on.

Message inspection still matters, but it often needs to be paired with analysis of sender identity, communication patterns, timing, and recipient behavior.

SOC alert fatigue makes email risk harder to contain because analysts lose time to noise and manual triage. As highlighted in the IC3 report mentioned earlier, SOC pressure is a core part of the detection problem: teams lose time to false positives, manual triage, and growing incident volume. That burden matters because email-related investigations compete directly with other urgent work inside the security queue.

When analysts spend too much time reviewing low-value alerts, they have less capacity to investigate the socially engineered message that creates financial impact. That is one reason detection quality matters as much as detection coverage.

The staffing gap noted earlier reinforces the same point. Security teams are being asked to evaluate a larger volume of more convincing threats without a matching increase in analyst capacity.

Abnormal is designed to strengthen email threat detection by adding behavioral context to existing controls. Traditional email security tools analyze messages at the point of delivery, checking against known indicators like sender reputation, URL blocklists, and attachment signatures. When attacks authenticate through legitimate infrastructure and use language that resembles normal business communication, those rule-based approaches often struggle to flag the threat.

Abnormal takes a different approach. Instead of matching against known bad indicators alone, Abnormal's behavioral AI is designed to model known good communication patterns across an organization's email environment. It analyzes identity signals, communication cadences, vendor interaction patterns, and recipient behavior to detect deviations that may indicate compromise or social engineering.

This means that when an email arrives requesting a change to wiring instructions outside typical business hours, from a vendor contact whose tone and formatting deviate from established patterns, Abnormal can help surface the threat based on behavioral context rather than a signature match. The platform is designed to detect the email and account-based components of BEC, VEC, credential phishing, and account takeover attacks while integrating with existing security infrastructure rather than replacing it.

These cyber crime statistics point to a clear shift in how organizations should evaluate email risk. Reported losses are rising, email remains central to financially damaging attacks, and AI is making social engineering easier to scale. At the same time, many costly attacks do not depend on malware or obvious technical indicators.

Security leaders evaluating email security posture can focus on three practical priorities:

• Quantify The Risk: Use FBI IC3 and Verizon DBIR findings to explain BEC, credential abuse, and account takeover exposure in business terms.

• Assess Detection Gaps: Evaluate whether current tools can identify threats that contain no malicious indicators and originate from trusted or compromised accounts.

• Add Behavioral Context: Layer behavioral detection alongside existing controls to help surface threats that signature-based systems may miss.

Recognized as a Leader in the Gartner® Magic Quadrant™ for Email Security Platforms, Abnormal deploys via API integration alongside Microsoft 365 and Google Workspace with no changes to mail flow or MX records required.

Book a demo to see how Abnormal's behavioral AI is designed to detect the email threats that traditional tools often overlook.