
Features 27.05.2025
Cybercrime Losses Are Soaring: Here Are Three Takeaways for Security Leaders
Threat actors have made over $50bn since 2020
The FBI is often thought of as a purely domestic US law enforcement agency. In fact, its remit is far broader: to safeguard national security by tackling terrorism, espionage and “major criminal threats”. When these threats are digital in nature, they rarely respect traditional jurisdictional boundaries. Over 100,000 cybercrime complaints recorded by the FBI last year came from the UK, more than from any other country.
That’s why the agency’s Internet Crime Report series is a useful tool for the data-hungry CISO. Its findings help inform the FBI’s own cybercrime-fighting efforts. So why shouldn’t it also be a source of threat intelligence for corporate security leaders? With global losses surging 33% annually to exceed $16bn (£12bn) last year, there’s plenty to dissect.
Although the report includes complaints to the FBI made by members of the public as well as businesses, we’ll stick to the crimes most relevant to the latter. That means steering largely clear of the runaway leader as the most costly cybercrime type of the past three years: investment fraud. It made scammers over $6.5bn last year off the back of 48,000 cases.
The most common crime type in 2024, however, was phishing (193,407). Although complaints were down 35% annually, it remains the undisputed favourite of threat actors as a means to deliver infostealers and other malware, harvest credentials and achieve initial access. Yet in terms of total losses, it’s way down the field, with just $70m. That may be because cybercrime revenue made from phishing tends to be indirect. A spear-phishing email that leads to business email compromise (BEC) or a data breach, for example, would probably have related losses marked down under these other categories.
On that note, BEC remains the second highest grosser for cybercriminals, who amassed nearly $2.8bn from what are almost exclusively corporate victims. The good news is that, while complaint count was virtually unchanged year-on-year (YoY), losses in the category slumped 6%. That may be down in part to the sterling work of the International Financial Fraud Kill Chain – a global network of law enforcement agencies and financial institutions that aims to freeze funds wired by fraud victims. It apparently stopped over $550m in stolen BEC funds from reaching threat actors last year.
Data breaches in 2024 can be divided into incidents involving highly regulated personal data, and those which didn’t. The volume of personal data breaches jumped 16% YoY to 64,882, and related losses leapt 95% to nearly $1.5bn. However, breaches of other data resulted in far fewer losses ($365m, down 32% YoY), and a 14% annual decline in the number of complaints, to just 3,204.
Ransomware is a tricky one to judge in terms of losses, as the FBI doesn’t include “lost business, time, wages, files, or equipment, or any third-party remediation services acquired by an entity”. Additionally, some victim organisations don’t report any loss amount, which drags the overall rate down. However, we do know that complaints were up 12% to 3,156 for the year. According to the FBI, it remains the “most pervasive” threat to critical national infrastructure (CNI), where complaints rose 9% YoY. In fact, the Bureau’s Internet Crime Complaint Center (IC3) received more than 4,800 complaints from CNI organisations in 2024 – most of which were ransomware and data breaches.
Employment fraud is worthy of special mention. It may not account for a particularly large slice of the estimated $16.6bn lost to cybercrime last year, but the $264m stolen by scammers in 2024 represents a massive 276% annual increase, while complaint count surged 30% YoY to just over 20,000.
This could come from either victims tricked into handing over personal information and fees to fake employers, or companies being scammed by fake employees. The latter threat has been highlighted in recent months by both Google and Microsoft, who have warned that AI is making it easier for North Korean IT workers to create fake profiles and evade HR filters.
There’s a triple threat here. Once employed, the remote staff are being paid a wage which ultimately goes to fund Pyongyang’s missile programme. But because they have privileged access rights, they can also steal sensitive IP and other data, and/or hold it to ransom. The threat is harder to deal with than it sounds: even security awareness training specialist KnowBe4 was caught out.
Assured Intelligence reached out to CISOs and security experts to understand what organisations can do to mitigate the above risks. Three themes stood out:
Cequence CISO, Randolph Barr, describes humans as “the most persistent challenge” of his career. He says most breaches stem from exploitation of human trust, something that’s increasingly easy to do thanks to AI-powered deepfakes and social engineering. CISOs must therefore ensure security awareness campaigns are fit for purpose.
“One of the most successful feedback points I’ve received during awareness campaigns in multiple organisations was when I reframed the message: I emphasised that security training isn’t just about protecting the company – it’s about protecting you, your family, and your home life,” he tells Assured Intelligence.
“I encouraged employees to think about how the security controls we teach apply personally: securing home networks, teaching children about phishing, safeguarding personal financial accounts. Especially in today’s hybrid work environment, where professional and personal lives increasingly blend, these lessons are critical. An action taken at home could easily impact corporate systems, and vice versa.”
Such programmes should be complemented by advanced technology capable of “detecting behavioural anomalies, verifying authenticity, and reducing the burden on users to be the last line of defence,” Barr adds.
Bojan Simic, CEO of security firm HYPR, says his company recently experienced attempted employment fraud first-hand when a prospective hire failed a series of checks at onboarding.
“CISOs should implement a rigorous identity verification process for all employees and contractors. They should use a multi-factor approach to ensure authenticity, including device authentication, location checks, document validation, and peer or manager attestations,” he tells Assured Intelligence.
“It’s also important to foster a culture where identity security goes beyond traditional identity management. Make it a fundamental part of the organisation’s security philosophy. And strengthen partnerships between HR and IT teams to enforce consistent and ongoing verification measures for employees and contractors.”
Security leaders could also consider setting up monthly, quarterly or even fortnightly identity checks, especially for contractors, Simic adds.
Former FBI agent and Arctic Wolf CISO Adam Marrè argues that there are several key steps to mitigating BEC. These start with better access controls, including MFA.
“This can help stop attackers from gaining access to systems in the first place. Ensuring your organisation’s identity and access structure is secure at every point can prevent unauthorised access to important assets or communications which could help a BEC attack succeed,” he tells Assured Intelligence.
“Next, deploy a monitoring platform which integrates with your email security. A major issue in modern cybersecurity is that organisations rely on too many siloed tools. Because BEC attacks often evade traditional security tools, organisations need monitoring software that can ingest and correlate data from different parts of the environment.”
The final piece of the puzzle is security awareness training, with BEC-specific simulation exercises, Marrè adds.
“This helps harden your human attack surface, reducing the risk of a successful attack given human risk accounts for the vast majority of root causes of BEC attacks,” he concludes.
If ever there was a common thread that united all the cybercrimes listed in the FBI report, it’s human-shaped risk.