The FBI's 2025 Cybercrime Report Is Out — And Every Canadian Business Should Read It
$21 billion lost. Over one million complaints. Business email compromise up to $3 billion. And for the first time ever, AI-enabled fraud gets its own category. Here's what the FBI's 2025 Internet Crime Report means for small businesses in Ontario.
Every year the FBI's Internet Crime Complaint Center publishes its annual report on the state of cybercrime. It's one of the most authoritative documents in cybersecurity — built from over a million real complaints filed by real victims across the United States. The 2025 edition was released this week. The numbers are the worst on record.
Americans lost nearly $21 billion to cyber-enabled crime in 2025 — a 26% jump from 2024. The IC3 received more than one million complaints for the first time in its 25-year history, averaging close to 3,000 every single day. And for the first time ever, the report added a dedicated section for AI-enabled fraud, which racked up $893 million in losses in its first year of being formally tracked.
While these are U.S. figures, the attack methods, tools, and criminal networks behind them are global. Canadian businesses — particularly small and medium businesses in Ontario — face the exact same threat landscape. Here's what the report tells us and what it means for your business right now.
The 5 biggest findings from the FBI's 2025 report
BEC — where attackers impersonate a trusted person or organisation to trick someone into transferring money or sharing credentials — was the second largest source of cybercrime losses in 2025. These attacks don't require malware or technical sophistication. They require a convincing email and a moment of trust. A supplier sends an "updated bank account" for future payments. Your CEO sends an "urgent wire transfer request" while travelling. A vendor emails a revised invoice. One click. Funds gone.
For the first time in its 25-year history, the FBI's report included a dedicated section on AI-enabled fraud — and the numbers are already alarming. These schemes involved voice cloning to impersonate executives and family members, deepfake videos used in investment scams, fake profiles built with AI-generated images, and forged documents that pass visual inspection. Businesses lost more than $30 million to AI-generated BEC scams alone. This is year one of formal tracking. It will not get smaller.
The FBI received over 3,600 ransomware complaints in 2025, representing more than $32 million in reported losses — a significant jump from 2024. Every one of the 16 critical infrastructure sectors reported ransomware attacks. The most heavily targeted? Healthcare, manufacturing, financial services, government, and IT. Sixty-three new ransomware variants emerged last year, meaning the threat continues to evolve faster than most organisations can keep up.
Nearly 48,000 complaints involved criminals posing as IT support representatives — from Microsoft, from Apple, from banks, or from IT companies the victim already uses. These scams often start with a pop-up warning or a cold call claiming there's a problem with the victim's computer or account. They end with remote access granted and accounts or funds drained. Small businesses are a prime target because the "IT support call" carries authority employees don't typically question.
In 2020, total reported cybercrime losses were $4.2 billion. In 2025, they hit $20.9 billion. That's a 400% increase in five years — and cumulative losses over that period surpassed $71 billion. The trajectory is not flattening. Every indicator in the report points toward continued escalation, accelerated by AI tools making attacks faster, cheaper, and more convincing.
"AI-enabled synthetic content is becoming increasingly difficult to detect and easier to make, which allows criminal actors to potentially conduct successful fraud schemes against individuals, businesses, and financial institutions." — FBI IC3 2025 Annual Report
What this means for Ontario businesses specifically
The FBI report covers U.S. victims, but the criminal networks running these operations are international. Business email compromise attacks don't check borders. Ransomware variants don't distinguish between American and Canadian targets. The phishing infrastructure behind tech support fraud runs globally. Every attack method detailed in this report is actively being used against Canadian small and medium businesses right now.
What makes this report particularly relevant for smaller Ontario businesses is the BEC figure. $3 billion stolen through email impersonation — the most low-tech, high-impact form of cybercrime there is. No malware required. No hacking. Just a convincing email at the right moment, to the right person, when nobody stops to verify.
✦ A supplier emails new banking details for upcoming payments
✦ Your "CEO" sends an urgent wire transfer request while travelling
✦ A vendor sends a revised invoice with a new account number
✦ "Microsoft Support" calls about a problem with your account
✦ A lawyer emails about a confidential acquisition requiring immediate payment
✦ HR receives a payroll redirect request from an "employee"
5 things your business can do to reduce exposure right now
Any email requesting a change to payment details, bank account numbers, or wire transfer instructions should be verified via a phone call to a number you already have on file — never a number provided in the email itself. This single habit stops the majority of BEC attacks cold.
These three email security protocols make it dramatically harder for attackers to spoof your domain — sending emails that appear to come from your business to trick clients, suppliers, or staff. Many small businesses have never configured these. Your IT provider can do it in under an hour.
Modern BEC emails are well-written, contextually appropriate, and often arrive from compromised legitimate accounts rather than obvious fakes. Generic phishing training isn't enough. Your team needs to understand the specific scenarios attackers use — especially payment redirects and CEO fraud — and have a clear protocol for what to do when they're unsure.
Tech support fraud starts with a pop-up warning or an unexpected call. Legitimate IT providers — including 247Techify — will never call you unsolicited and ask for remote access. If any employee receives this kind of contact, they should hang up immediately and call their IT provider directly. Make this a standing rule.
The FBI's IC3 Recovery Asset Team froze $679 million in 2025 — but only when businesses reported quickly enough. In Canada, report cyber fraud to the Canadian Anti-Fraud Centre (CAFC) at antifraudcentre.ca. The faster you report, the better the chance of stopping the money before it moves beyond reach.
"Cybercrime losses have jumped almost 400% from $4.2 billion in 2020. Cumulative losses in that five-year period surpassed $71 billion." — FBI IC3 2025 Annual Report
The bottom line
The FBI's 2025 Internet Crime Report is not a story about nation-states or billion-dollar corporations. It's a record of what happened to real businesses and real people — one fraudulent email, one phishing link, one fake phone call at a time. The $21 billion figure is built from millions of individual incidents, most of them preventable.
What makes these attacks succeed isn't sophisticated technology. It's the absence of basic defences — email authentication that was never configured, staff who were never trained, verification steps that were never put in place. The businesses that got hit in 2025 mostly had all the right intentions. They just hadn't done the maintenance.
At 247Techify we help Ontario businesses put those defences in place — from email security and employee training to 24/7 monitoring and incident response planning. If you'd like an honest look at where your business stands, a free IT security review is the fastest place to start.