FBI's 2024 Report: $16.6 Billion in Cybercrime Losses

The FBI's 2024 Internet Crime Report released this week showed total cybercrime losses of $16.6 billion last year — a 33% increase from 2023, according to PYMNTS citing the report directly.

Phishing and spoofing alone accounted for 193,407 incidents, the most common crime category logged. Cyber-enabled fraud represented 83% of total losses: roughly $13.7 billion across 333,981 complaints.

How the Attack Strategy Has Evolved

Previous reporting detailed how AI chatbots were being weaponized through conversational manipulation—jailbreaks, persona hijacking, prompt injection. That continues. The shift now is how criminals deploy AI tools outside platforms, directed at ordinary people at scale.

Agentic AI Changes the Game

Ozan Ucar, founder and CEO of Keepnet Labs, identifies agentic AI as a critical development receiving minimal mainstream attention. Unlike a standard chatbot, agentic AI autonomously gathers intelligence on targets, writes hyper-personalized lures, and executes attacks at scale with minimal human involvement.

Cybercriminals send 3.4 billion phishing emails daily, according to Keepnet—over a trillion per year. AI doesn't just increase volume; it makes each message harder to distinguish from legitimate correspondence.

A Harvard Kennedy School and Avant Research Group study tested this directly across 101 real participants:

• Generic scam emails: 12% clicked
• Human expert-written phishing: 54% clicked
• AI-generated phishing: 54% clicked
• AI-generated with light human edits: 56% clicked

AI matched human experts in effectiveness. With minor revisions, it surpassed them.

Voice Cloning Crosses a New Threshold

As of October 2025, AI-generated voices are now indistinguishable from genuine ones in controlled listening tests, according to a Consumer Reports investigation. Commercial voice cloning tools can produce convincing replicas with minimal safeguards.

The resulting attack is called vishing—voice phishing. Fraudsters now impersonate bank representatives, tech support agents, and government officials over the phone to extract login credentials and credit card numbers, according to a Kaufman Rossin analysis published in October.

Fake IVR systems—those "press 1 for account information" menus—can now be built with generative AI, adjusting tone and prompts in real time based on victim responses. The caller hears a convincing facsimile of their bank's system, one that adapts to what they say.

New Employees Are Specific Targets

CrowdStrike's May 2025 analysis details how attackers use social media data to establish credibility before IT systems flag the interaction. "Boss scams"—where criminals impersonate managers and pressure new staff into buying gift cards—specifically target employees in their first weeks, when they're least likely to question authority.

The psychology mirrors traditional con artistry. Now it's automated, personalized, and scalable.

What's Happening Now

The externalization of AI-powered fraud represents the actual crisis. The threat isn't a chatbot producing unfiltered output. It's a complete, automated social engineering operation that costs criminals almost nothing to run and produces returns in the billions.

CrowdStrike's 2026 Global Threat Report states that "AI threats have reached a critical turning point." Media coverage has largely focused on AI safety debate, guardrails, and model releases instead.

Practical Defense

If you receive a call from your bank, your boss, or a government agency asking for credentials, card numbers, or gift cards, hang up and call back using a number you find independently—not one provided by the caller.

If an email passes every grammar check and reads professionally, that no longer indicates legitimacy. AI produces such content in seconds.

If your company recently hired someone, make sure they recognize what a boss scam looks like before a fake version of their manager makes contact.

The FBI has the data. $16.6 billion in losses. Defense starts with knowing what's happening.