
May 23, 2025

Here’s What the FBI’s 2024 IC3 Report Means for Businesses Like Yours—And What You Need To Do About It

Written By Jillian O.

Every year, the FBI’s Internet Crime Complaint Center (IC3) releases its annual report, and this year’s edition is a wake-up call.

Cybercrime losses hit $16.6 billion in 2024. That’s not just a big number. That’s payroll diverted, contracts sabotaged, and retirement savings wiped out. 

Last year, more than 859,000 incidents were reported. That’s over 2,000 cybercrime victims per day. These aren't just Fortune 500 companies. Most are individuals and small to mid-sized businesses that never saw it coming.

Cybercrime has become the biggest invisible tax on doing business today. It drains your time, your trust, and your budget, and it’s mostly preventable.

We read the full 80+ page report so you don’t have to. Below, we break it down in plain language: what’s changed, what’s rising, and what you should be doing right now to protect your business.


What the FBI IC3 Report 2024 Tells Us About Cybercrime Today

The FBI IC3 Report 2024 confirms what many small and midsize businesses are already seeing firsthand: cybercrime is now part of the cost of doing business. And the costs are climbing fast.

Here’s what stood out in the data:

Key Figures from 2024

  • $16.6 billion in reported losses, up 33% from 2023

  • 859,532 total complaints filed

  • Over 256,000 of those complaints resulted in direct financial loss

  • The average reported loss per incident was $19,372

  • Business Email Compromise (BEC) scams alone accounted for $2.77 billion

The FBI also noted a significant rise in cyber-enabled fraud: scams that involve social engineering, impersonation, or deceptive digital communication. In other words, most incidents weren’t caused by sophisticated hacking. They were caused by simple mistakes, misplaced trust, or lack of awareness.

Most Common Attack Types

The most frequently reported scams by volume:

  1. Phishing and Spoofing (193,407 complaints) – fake emails, fake websites, and fake texts

  2. Extortion (86,415) – threats to leak data or expose information unless paid

  3. Personal Data Breaches (64,882) – stolen names, emails, and credentials

  4. Non-Delivery/Non-Payment (49,572) – fake transactions and failed shipments

  5. Investment Fraud (47,919) – scams tied to cryptocurrency, fake advisors, or manipulated apps

Each of these hits different parts of a business: sales, payroll, client relations, reputation. No single tool or software fixes that. Prevention starts with awareness and layered protection.

Who’s Being Targeted

The report breaks down complaints by age, and the takeaway is clear: every demographic is getting hit, but in different ways.

  • People aged 30–59 filed the most complaints

  • Victims aged 60+ suffered the highest financial losses ($4.8 billion total)

  • The elderly are often targeted with fake tech support, government impersonation, and investment scams

  • Business owners, real estate agents, law firms, and healthcare providers show up frequently in BEC and fraud cases

You don’t have to run a bank to be a target. If you send invoices, manage client data, or receive payments online, you’re in the crosshairs.

What This Means for You

You don’t need to memorize cybercrime categories. But you should know what’s trending and how it affects your day-to-day operations.

  • If your email is exposed, BEC is a risk

  • If your team uses weak passwords, phishing can compromise your accounts

  • If your finance team isn’t trained, a fake invoice can go through

  • If your customers are older, they may fall for scams that use your company’s name

The FBI IC3 Report 2024 isn’t theoretical. These are real cases, real victims, and real businesses losing money, trust, and time.

 

The Threats That Are Costing Businesses the Most

The FBI IC3 Report 2024 doesn’t just track how many scams were reported. It shows which threats are bleeding businesses dry.

Here’s where the biggest losses came from last year:

| Threat Type | Reported Losses |
|---|---|
| Investment Fraud | $6.57 billion |
| Business Email Compromise | $2.77 billion |
| Tech Support Scams | $1.46 billion |
| Personal Data Breaches | $1.45 billion |
| Non-Payment/Delivery | $785 million |
| Romance/Confidence Scams | $672 million |
| Government Impersonation | $405 million |
| Data Breaches | $364 million |
 
These aren’t niche attacks. These are common schemes that slip through because SMBs don’t have layered defenses or defined protocols.
 

What These Attacks Look Like in Practice

  • Investment scams don’t just hit crypto bros. They show up in inboxes, fake websites, and social media. Many involve long cons where victims are coached into transferring money “voluntarily.”

  • Business Email Compromise (BEC) often happens after an employee’s email is compromised or faked. Attackers pose as vendors or internal staff and request invoice changes, wire transfers, or payroll updates.

  • Tech support fraud is typically phone-based and targets the elderly or less tech-savvy staff. Scammers pretend to be from Microsoft or your MSP, asking for remote access or payments.

  • Data breaches and personal data theft aren’t always caused by malware. Many come from weak credentials, exposed cloud drives, or unvetted apps.

Why It Matters to SMBs

Large enterprises can absorb losses. You probably can’t.

A single BEC incident could mean:

  • A six-figure wire transfer to the wrong account

  • A vendor relationship permanently damaged

  • A lawsuit or regulatory hit if client data is exposed

These aren’t IT issues. They’re business risks that hit operations, finances, and reputation.

This is why Securafy focuses on protecting how your business actually works (email, finance, operations, client data), not just the tech stack.

 

Who’s Getting Hit the Hardest, and Why That Should Worry You

The FBI IC3 Report 2024 breaks down who’s filing complaints and who’s losing the most money. It’s not who most businesses expect.

This isn’t just a problem for high-profile companies or tech newbies. It’s a threat hitting across industries, age groups, and job roles. And the impact goes deeper than dollars lost—it’s client trust, business continuity, and reputation on the line.

The Victims by Age Group

Here’s what the data shows:

| Age Group | # of Complaints | Reported Losses |
|---|---|---|
| Under 20 | 17,993 | $22.5 million |
| 20–29 | 71,399 | $540.1 million |
| 30–39 | 108,899 | $1.4 billion |
| 40–49 | 112,755 | $2.2 billion |
| 50–59 | 84,540 | $2.5 billion |
| 60+ | 147,127 | $4.8 billion |
 
Victims aged 30 to 59 filed the most complaints. This group includes working professionals, business owners, and staff with financial access or approval authority.

Victims aged 60 and older suffered the highest financial losses, nearly $5 billion last year alone. That’s not just personal. Many were targeted through their roles or relationships with companies.

How This Plays Out in Real Life

If your business handles:

  • Real estate transactions

  • Retirement accounts

  • Healthcare billing

  • Client data

  • Vendor payments

...you’re likely dealing with people in the 40–70+ range, either internally or externally. That makes your company part of the attack surface.

Scams don’t always start with you. But they can end with your company’s name being used to exploit someone.

These Risks Aren’t Evenly Distributed

Older adults are the most financially exposed, but your employees, especially anyone who handles email, wire transfers, or customer data, are the most frequent targets.

Common risk points:

  • Admins or executives working remotely

  • Finance staff using personal devices

  • Team members using the same password everywhere

  • Untrained employees clicking unknown links or sharing too much info

You don’t need 500 employees to be at risk. You just need one person with access and no training.

Why this matters

This section of the FBI IC3 Report 2024 highlights the human factor. Technology can only do so much if your people aren't prepared.

Cybersecurity isn’t about locking the door. It’s about training the people who hold the keys.

 

Who This Hits the Hardest: By Industry and Location

The FBI IC3 Report 2024 doesn’t break things down by industry—but when you cross-reference the attack types and complaint patterns, the risks align clearly with the industries we serve.

High-Risk Industries for Cybercrime

Based on the data and attack methods reported, here’s how the threat landscape maps to your business:

  • Legal and Law Firms
    Regular targets of Business Email Compromise (BEC), real estate fraud, and client impersonation scams. If your firm handles wire transfers, escrow, or confidential communications, you're exposed.

  • Healthcare and Medical Services
    Patient data, outdated systems, and underfunded IT make this a prime target for ransomware and data breaches. The report notes a continued rise in complaints from critical infrastructure sectors—including healthcare.

  • Manufacturing and Industrial Sectors
    Ransomware and phishing attacks often disrupt production schedules and vendor payments. If you rely on digital supply chains, you’re on the radar.

  • Accounting and Auditing Firms
    High volumes of personal and financial data = high-value targets. The FTC Safeguards Rule and GLBA also make these firms attractive for data theft, phishing, and credential compromise.

  • Country Clubs and Recreational Facilities
    Often overlooked, these facilities are rich in customer data and payment systems—and weak in cybersecurity posture. We’ve seen increased attacks targeting online booking, POS systems, and staff email accounts.

These aren’t speculative risks. They're patterns pulled directly from real case data in the IC3 report.

Geographic Hotspots—Including Ohio

Ohio ranks #7 in the U.S. for number of complaints and #15 for total reported losses. The problem isn’t just national—it’s local.

We regularly work with small and medium-sized businesses (SMBs) across:

  • Cleveland, Medina, Akron, and Painesville

  • Columbus metropolitan area

  • And neighboring cities across the Midwest

You don’t need a cybersecurity division to be at risk. You just need one weak link—one email, one missed update, one distracted employee.

That’s why we take a hyper-local approach to security. It’s not just about protection. It’s about understanding how your team, your clients, and your location shape the risk.

 

How the FBI Is Responding, And Where You Fit In

The FBI IC3 Report 2024 isn’t just a warning. It’s a record of what the government is doing to disrupt cybercrime, and what they need from businesses to make that work.

Here’s the summary of their response efforts last year:

FBI Actions in 2024

  • $561.6 million recovered through rapid-response coordination (aka the Financial Fraud Kill Chain)

  • 3,020 complaints escalated for fund freezing; 66% resulted in successfully blocked or reversed transactions

  • Operation Level Up identified 4,323 crypto scam victims before they even knew they were being scammed

  • 215 arrests tied to call center fraud rings, in partnership with Indian law enforcement

  • 67 new ransomware variants identified, tracked, and reported to law enforcement and victims

  • Warzone RAT malware operation shut down, a major remote access trojan used for spying, data theft, and ransomware staging

These aren’t minor efforts. They show the FBI is not only responding to crimes but actively working to stop them before the damage is done.

But Here’s the Catch

The FBI can’t act if businesses don’t report.

And most companies don’t.

Why?

  • Fear of reputational damage

  • Uncertainty about what counts as a “cybercrime”

  • No internal policy for documenting or escalating incidents

  • Lack of clarity on what to do once something goes wrong

Here’s what the FBI wants you to do:

  1. Report cyber-enabled crime immediately via ic3.gov

  2. Work with your IT or MSP to secure email, backup systems, and account credentials

  3. Help protect others by submitting info that may be used to flag patterns, locate actors, or recover funds

Securafy supports this model. We’re not just here to react; we help our clients recognize incidents, preserve evidence, and respond fast.

Cybercrime moves quickly. If you wait too long, there may be nothing left to recover.

 

Why SMBs Can’t Afford To Ignore This Anymore

Here’s the part the FBI IC3 Report 2024 doesn’t say outright, but it’s written between every line:

Small and midsize businesses are easy targets.

Not because you’re careless. But because most of you:

  • Don’t have full-time IT security teams

  • Rely on one vendor or employee to handle everything tech-related

  • Think you’re too small to be worth the effort

Attackers know that. They’re not going after hard targets; they’re going after fast money.

And that makes you a top target.

Here’s What That Looks Like

  • A fake email gets through and someone wires $30,000 to a criminal account

  • An old vendor password is reused and leads to a ransomware lockout

  • An employee installs a browser extension that turns into spyware

  • A client is targeted using your name in a spoofed email, and they blame you for it

You don’t need to be hit with a headline-making breach to suffer damage. Most incidents are quiet, private, and expensive.

What Securafy Sees Every Day

We talk to businesses who:

  • Had no clue their email credentials were circulating on the dark web

  • Missed the warning signs because no one knew what to look for

  • Thought cyber insurance would cover everything (it rarely does)

  • Waited until after an attack to ask about backups

You don’t have to operate like that.

Cybersecurity isn’t a nice-to-have anymore. It’s part of running a business in 2025. If you send money online, manage customer data, or access your systems remotely, then you're already on the field. Whether you like it or not.

 

What Securafy Recommends Based on This Year’s Data

The FBI IC3 Report 2024 confirms that most cybercrime starts with simple, preventable gaps.

You don’t need a million-dollar security stack. But you do need a clear, working defense strategy that fits how your business actually runs.

Here’s what we recommend if you're running a small or midsize business in Ohio—or anywhere else cybercrime doesn’t care about your zip code.

1. Conduct a Cyber Risk Review (Not Just a Vulnerability Scan)

Most businesses aren’t hacked; they’re exploited. That means someone got in because of a reused password, unsecured email, or a spoofed message.

You need a risk-based assessment, not a checklist.

  • Review how your staff communicates (email, apps, messaging tools)

  • Map out who can move money or access sensitive data

  • Look at how remote access is handled, especially for admins, vendors, and executives

  • Review third-party tools you’ve connected to your systems

Securafy offers a free, fast-read assessment designed for real business workflows—not IT fantasy worlds.

2. Lock Down Email, It’s Still the #1 Target

According to the FBI IC3 Report 2024, Business Email Compromise (BEC) scams caused $2.77 billion in losses last year. That’s more than ransomware and phishing combined.

Here’s what to check:

  • Is multi-factor authentication (MFA) turned on for every email account?

  • Can employees recognize a spoofed address?

  • Who’s allowed to approve invoice changes or wire transfers?

  • Are auto-forwarding rules being abused?

We set up and audit Microsoft 365 and Google Workspace for this reason. If you're not reviewing email rules quarterly, you're exposed.
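
One way to carry out the email-rule review described above, as an added example rather than Securafy's or Microsoft's own tooling: it scans exported inbox rules for forwarding to outside domains, a common sign of a compromised mailbox in BEC cases. The field names are modelled on Exchange Online's Get-InboxRule output and, like the domains and sample records, are assumptions to adapt to your own export.

```python
import re

# Assumption: the domains your organisation owns; replace with your own.
INTERNAL_DOMAINS = {"example-corp.test"}
FORWARD_FIELDS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
FINANCE_WORDS = {"invoice", "payment", "wire", "payroll", "remittance"}
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+)")

# Constructed sample data, not real mailboxes: inbox rules after export to JSON.
SAMPLE_RULES = [
    {"Mailbox": "ap@example-corp.test", "Name": "Team digest", "Enabled": True,
     "ForwardTo": ['"Ops" [SMTP:ops@example-corp.test]']},
    {"Mailbox": "cfo@example-corp.test", "Name": ".", "Enabled": True,
     "ForwardTo": ['"a" [SMTP:archive@mail-backup.invalid]'],
     "DeleteMessage": True, "SubjectContainsWords": ["Invoice", "wire"]},
    {"Mailbox": "hr@example-corp.test", "Name": "Old vendor", "Enabled": False,
     "RedirectTo": ["billing@partner.invalid"]},
    {"Mailbox": "it@example-corp.test", "Name": "Alerts", "Enabled": True,
     "ForwardTo": ['"Help" [EX:/o=ExchangeLabs/cn=Recipients/cn=helpdesk]']},
]


def is_internal(domain):
    """True when the domain is one of ours or a subdomain of one of ours."""
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def external_recipients(rule):
    """Return SMTP addresses in any forwarding action that leave the organisation."""
    found = []
    for field in FORWARD_FIELDS:
        for entry in rule.get(field) or []:
            # Directory (EX:) recipients carry no '@' and are skipped as internal.
            for match in ADDRESS_RE.finditer(entry):
                if not is_internal(match.group(1)):
                    found.append(match.group(0).lower())
    return found


def audit_rule(rule):
    """Return a finding dict for a rule that forwards externally, else None."""
    recipients = external_recipients(rule)
    if not recipients:
        return None
    reasons = ["forwards mail outside the organisation"]
    if rule.get("DeleteMessage") or rule.get("MarkAsRead"):
        reasons.append("hides the original message from the mailbox owner")
    words = {w.lower() for w in rule.get("SubjectContainsWords") or []}
    if words & FINANCE_WORDS:
        reasons.append("selects finance-related subjects")
    if not rule.get("Enabled", True):
        severity = "review"  # disabled, but worth asking who created it and when
    else:
        severity = "high" if len(reasons) > 1 else "medium"
    return {"mailbox": rule["Mailbox"], "rule": rule["Name"],
            "severity": severity, "recipients": recipients, "reasons": reasons}


def audit(rules):
    """Audit every rule and keep only the ones that produced a finding."""
    return [f for f in map(audit_rule, rules) if f is not None]
```

Calling `audit(SAMPLE_RULES)` returns two findings: the CFO rule as `high` and the disabled HR rule as `review`.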

3. Train People, Even Just the Basics

Tech support scams, fake invoices, ransomware... nearly all of them start with a person getting tricked.

We’re not talking about full-day trainings. We’re talking about practical, plain-language examples:

  • How to spot fake links

  • What to do when someone “from IT” calls

  • How scams actually unfold (with examples pulled from FBI case data)

  • Who to notify when something seems off

We run short, high-impact sessions for busy teams. No jargon, no scare tactics, just real talk.

4. Have an Incident Plan, Before You Need It

Once something happens, the clock starts ticking.

  • Do you know who to call if funds go missing?

  • Who’s in charge of reporting to the FBI or the bank?

  • Can you recover your data from backups, or are those backups locked too?

  • Can you prove you had reasonable protections in place if regulators ask?

We help clients build simple playbooks for this. Nothing bloated. Just what you need to act fast and reduce damage.

5. Stay Informed Without Getting Overwhelmed

You don’t need to read every breach headline or security bulletin. But you should know:

  • What new scam types are trending

  • What tactics are hitting businesses like yours

  • What your IT provider is doing, and not doing

We translate FBI updates, threat alerts, and legal shifts into business-focused briefings. If it affects your business, we’ll let you know in plain English.

Cybercrime isn’t going away. But there’s a huge difference between being an easy target and being ready.

Let us help you move to the right side of that line.

Schedule a Free Cybersecurity Readiness Call with Securafy.

 

What to Do Next

The FBI IC3 Report 2024 lays out the facts. Cybercrime is rising. Losses are growing. And small businesses like yours are in the line of fire.

Here’s the reality:

  • Over 2,000 cybercrime complaints are filed every day

  • Most attacks start with an email, a phone call, or a weak password

  • Older clients, employees, or partners are increasingly exploited

  • Business Email Compromise and crypto fraud are doing the most damage

  • Ohio ranks among the top states for reported losses

And yet, most businesses still think “it won’t happen to us.”

We don’t say this to scare you. We say it because we see it play out every day. And we know how to stop it.

If you’re reading this, you’ve already done more than most businesses do. You’re paying attention. Now it’s time to act.

Three things you can do right now:

  1. Get a free cyber risk assessment tailored to how your business operates

  2. Train your team with a short session that actually sticks

  3. Talk to us about what protection looks like for your size, industry, and budget

You don’t need to know every cyber term. You just need someone who can explain what matters, what’s exposed, and what comes next.

We’re here for that.

About The Author
Jillian O., CMO at Securafy, is passionate about Cybersecurity Awareness and strategic risk management for SMBs. With over a decade in digital marketing, she focuses on strengthening business security, preventing PR crises from cyber breaches, and making cybersecurity more accessible for small and mid-sized businesses. A strong advocate for bridging the gap between cybersecurity solutions and the businesses that need them most, Jillian translates complex security concepts into practical insights on brand protection, online security, and risk mitigation.
