Cyber Crime Statistics for 2026: The Data IT and Security Teams Need to Know

US cybercrime crossed a once-unthinkable threshold in 2025. According to the FBI Internet Crime Complaint Center's 2025 Annual Report, reported losses reached $20.9 billion, a 26 percent jump from the $16.6 billion recorded the year prior, while annual complaint volume exceeded one million for the first time in IC3's 25-year history. Globally, Cybersecurity Ventures projects that cybercrime cost the world $10.5 trillion in 2025, on track to reach $12.2 trillion annually by 2031. The numbers below come straight from the underlying federal data, industry threat reports, and breach economics studies that journalists, regulators, and security teams rely on, refreshed with the latest 2025 and 2026 figures.

Key cyber crime statistics at a glance

• US losses reported to IC3 reached $20.9 billion in 2025, up 26 percent year over year, with more than 1,008,597 complaints filed.
• Investment fraud was the single largest loss category at $8.6 billion, followed by business email compromise at $3 billion, per the FBI IC3 2025 report.
• Americans aged 60 and older lost $7.7 billion to cyber crime in 2025, a 37 percent increase from the previous year.
• Globally, the average cost of a data breach was $4.44 million in 2025; in the United States it reached $10.22 million, according to IBM.
• Ransomware was present in 44 percent of breaches studied in Verizon's 2025 DBIR, and the human element factored into roughly 60 percent of breaches.
• APWG observed 3.8 million phishing attacks across 2025, with quarterly volumes peaking above 1.13 million in Q2.
• Chainalysis tracked at least $154 billion in illicit cryptocurrency received in 2025, including $3.4 billion in hacks and roughly $820 million in ransomware payments.

The Identity Theft Resource Center counted 3,322 US data compromises in 2025, a new record, with financial services as the most-breached industry.

‍

US losses and complaint volume in 2025

The headline number from the FBI Internet Crime Complaint Center's 2025 Annual Report is $20.9 billion in reported losses, but the operating numbers underneath that figure tell a richer story. IC3 logged 1,008,597 complaints in 2025, the first year ever above the one-million threshold. That works out to more than 2,760 complaints per day, every day, in the United States alone. Loss totals climbed 26 percent year over year, even though complaint volume rose only modestly, meaning the per-incident loss is getting larger.

Investment fraud remained the single biggest loss category at $8.6 billion in 2025, with cryptocurrency the dominant vehicle. Business email compromise produced $3 billion in additional losses across 24,768 complaints, and tech support scams accounted for another $2.1 billion. By contrast, the most common complaint type was phishing and spoofing, with 191,561 reports filed, according to the IC3. Phishing rarely tops the loss tables because individual incidents are smaller, but it remains the highest-volume crime by a wide margin.

Americans aged 60 and older bore the largest share of those losses, reporting roughly $7.7 billion across 201,266 complaints, a 37 percent increase from 2024. That single age group accounts for more than a third of all reported losses in 2025 and underscores how cybercrime risk is unevenly distributed across the population.

The cost of a data breach in 2026

The IBM Cost of a Data Breach Report 2025 offers the most widely cited per-incident economics in the industry. The global average cost of a breach fell to $4.44 million in 2025, the first decline in five years, down 9 percent from $4.88 million in 2024. IBM attributes most of that reduction to faster detection and containment, driven by security AI and automation. Organizations deploying AI extensively in their security operations shaved an average of 80 days off the breach lifecycle and saved nearly $1.9 million per incident.

US averages tell a different story. The average breach cost in the United States rose to $10.22 million in 2025, more than double the global figure and a record high for the country. Healthcare remained the most expensive industry at $7.42 million per breach, even after a meaningful drop from the prior year's $9.77 million peak. For US security leaders building budgets and risk models, the gap between global and domestic figures matters. Most boards still benchmark on the global number, but US organizations are absorbing roughly 2.3 times that cost when an incident occurs.

How attackers actually get in

Verizon's annual Data Breach Investigations Report is the largest open dataset on real-world incident root causes. The 2025 DBIR analyzed more than 22,000 security incidents and 12,000 confirmed breaches across 139 countries. Two findings stand out for IT and security teams planning 2026 controls.

First, the human element factored into roughly 60 percent of breaches, with a heavy overlap between social engineering and credential abuse. Credential misuse remains the single most common initial-access vector across phishing, web application attacks, and ransomware. Second, ransomware was present in 44 percent of all analyzed breaches, a 37 percent year-over-year increase. The disproportionate impact on smaller organizations is striking: in the SMB segment, ransomware was present in 88 percent of breaches studied, a sign that less-mature security programs are absorbing the worst of the current ransomware wave.

One bright spot from the same Verizon dataset: 64 percent of victim organizations did not pay a ransom in 2025, compared with 50 percent two years earlier. The trend suggests that better backups, faster recovery playbooks, and law-enforcement engagement are slowly eroding the attacker business model, even as attack volume rises.

Phishing, BEC, and the social engineering layer

The Anti-Phishing Working Group's quarterly Phishing Activity Trends Reports tracked 3.8 million phishing attacks across 2025, up slightly from 3.76 million in 2024. The annual total masks important quarterly motion: APWG observed 1,003,924 attacks in Q1, 1,130,393 in Q2, 892,494 in Q3, and 853,244 in Q4. Q2 2025 was the busiest quarter for phishing in two full years.

Channel mix is shifting faster than the totals suggest. APWG flagged a sharp rise in attacks delivered through SMS, QR codes, and free email accounts, with social media and SaaS or webmail again the most-attacked sectors. Business email compromise scaled alongside phishing volume; in IC3 reporting, BEC alone generated $3 billion in 2025 losses across the 24,768 complaints noted earlier. The FBI also reported that BEC incidents with a confirmed AI nexus produced over $30 million in losses, a category that did not meaningfully exist two years ago.

Identity theft and consumer fraud

Beyond IC3, the FTC's Consumer Sentinel Network 2024 Data Book (released in March 2025) catalogs the consumer side of cybercrime. US consumers reported losing more than $12.5 billion to fraud in 2024, a 25 percent jump over 2023, even as the total number of fraud reports stayed roughly flat. Investment scams topped the loss leaderboard at $5.7 billion, followed by imposter scams at $2.95 billion. The FTC also noted that consumers reported losing more money via bank transfer and cryptocurrency combined than through every other payment method put together.

Identity theft volumes remained substantial: the FTC received more than 1.1 million identity theft reports in 2024, with credit card identity theft (449,032 reports) the most common type. The agency has signaled that early-2025 identity theft volume is already outpacing the full-year 2024 total, an indicator that consumer-facing fraud is still trending up even as enterprise breach costs moderate.

The data breach landscape

The Identity Theft Resource Center's 2025 Annual Data Breach Report set a new record with 3,322 publicly disclosed US data compromises, a 5 percent increase over 2024 and four percent above the previous 2023 peak. Interestingly, the number of victim notices fell sharply, to 278.8 million, a 79 percent drop versus 2024, because 2025 lacked the mega-breaches that inflated prior-year totals. The implication for IT leaders is that breaches are growing in count but shrinking in median victim impact, a pattern consistent with attackers shifting toward smaller, faster, more targeted compromises.

Industry concentration also matters for planning. ITRC's 2025 dataset ranks financial services as the most-breached industry (739 compromises), followed by healthcare (534), professional services (478), manufacturing (299), and education (188). On the consumer side, ITRC found that 80 percent of surveyed Americans had received a data breach notice in the last 12 months, and 88 percent of those notice recipients experienced at least one negative consequence, ranging from spam and phishing surges to attempted account takeovers.

Cryptocurrency, AI scams, and what's new in 2026

Several categories that barely existed in earlier statistics packs now drive a large share of the cyber crime economy.

Cryptocurrency-linked crime. The Chainalysis 2026 Crypto Crime Report found that illicit cryptocurrency addresses received at least $154 billion in 2025, a 162 percent year-over-year increase, though that figure still represents less than 1 percent of all attributable crypto transaction volume. Within that total, stolen funds reached $3.4 billion across documented hacks, ransomware payments came to roughly $820 million, and the February 2025 Bybit exploit, at nearly $1.5 billion, was the largest single digital heist in cryptocurrency history. DPRK-linked threat actors alone accounted for $2 billion of the 2025 stolen-funds total.

AI-enabled scams. For the first time in IC3's 25-year history, the 2025 Annual Report carved out a dedicated section on artificial intelligence. The FBI logged 22,364 AI-related complaints in 2025, with reported losses approaching $893 million. Deepfake voice cloning, AI-generated phishing lures, and synthetic identity fraud all sit inside that bucket. Expect AI-specific reporting categories to expand in the 2026 report.

Third-party and supply chain exposure. Verizon's 2025 DBIR documented a doubling of third-party involvement in confirmed breaches, with system-intrusion patterns now driving more than half of breaches in EMEA. For US enterprises, the practical implication is that vendor-risk programs and software supply chain monitoring need to be treated as primary controls in 2026, not afterthoughts.

For broader context on the trends above, see our worldwide cyber crime statistics and identity theft statistics roundups.

How swif.ai helps

swif.ai gives IT and security teams a single console to enforce device, identity, and compliance controls across the macOS, Windows, and Linux endpoints behind the numbers above. Explore mobile device management to see how it works.