The FBI recorded more than one million online crime complaints last year, with total losses reaching $20.9 billion, a figure that dwarfs the prior year’s tally of more than $16 billion. The jump of roughly 149,000 additional complaints, from 859,532 to 1,008,597, raises a pointed question: are Americans actually being victimized at a faster rate, or are more of them simply reporting what has long gone uncounted?
Why the $20.9 billion record matters right now
The sheer speed of the increase is what separates this year’s data from a slow upward trend. Losses climbed by nearly $5 billion in a single year while complaints rose by about 17 percent. Phishing, spoofing, extortion, and investment schemes drove the bulk of the damage, and Americans over 60 bore a disproportionate share of the financial harm, according to the FBI’s discussion of cryptocurrency and AI scams.
One explanation for the complaint surge is straightforward: more people now know where to file. The FBI’s Internet Crime Complaint Center, or IC3, has existed since 2000, but public awareness campaigns, state attorney general referrals, and media coverage have steadily widened its reach. The FTC runs a parallel intake system through its Consumer Sentinel Network, which publishes its own data books and accepts reports at reportfraud.ftc.gov. When two large federal portals actively solicit complaints, submission volumes can climb even if the underlying crime rate holds steady. That does not mean the threat is exaggerated. It means the $20.9 billion figure likely still understates reality, because many victims never file at all.
IC3 data and the DOJ forfeiture action behind the numbers
The FBI stated that “cyber-enabled crimes defrauded Americans of nearly $21 billion,” a figure drawn from the 1,008,597 complaints the IC3 processed. The prior year’s internet crime data set the baseline at 859,532 complaints and losses exceeding $16 billion. Cryptocurrency investment fraud and schemes amplified by artificial intelligence tools featured prominently in both years, but the FBI’s press materials do not break out how much of the loss total is attributable to AI-specific tactics versus traditional crypto cons.
Federal enforcement actions offer a window into how authorities are trying to claw back stolen funds. The Justice Department filed a civil forfeiture complaint targeting $225 million tied to cryptocurrency investment fraud money laundering. That single case, large as it is, represents barely one percent of the annual loss total, illustrating the gap between reported harm and recovered assets. Even in high-profile operations, the government typically seizes only a fraction of what victims report losing, and many smaller cases never result in any meaningful recovery at all.
The IC3’s methodology also shapes what the numbers can and cannot tell us. Complaints are self-reported and unverified at the time of submission. The FBI uses them for trend analysis and case referrals, not as a census of all cybercrime. The FTC’s Consumer Sentinel Network operates under similar constraints, noting in its own data book that reports are unverified and do not constitute a statistical survey. Both agencies caution against treating raw complaint counts as a precise measure of crime volume, and the dollar figures are best understood as minimums rather than exhaustive tallies.
What the FBI’s complaint data still cannot answer
Several crucial questions remain unresolved even as the totals hit new highs. The IC3 figures do not distinguish between first-time victims and people who have been targeted repeatedly, so the million-plus complaints could reflect a smaller base of individuals being hit over and over. Nor do the numbers reveal how many incidents were thwarted before money moved, leaving defensive successes invisible.
Attribution is another blind spot. The database tracks what happened to victims-phishing emails, romance scams, business email compromise-but not, in public reports, which threat actors were responsible. That makes it difficult for outside researchers to connect specific complaint spikes to particular criminal groups or geopolitical events. Similarly, the data does not fully capture how much of the loss burden falls on small businesses versus households, or how often institutions like banks absorb part of the damage through fraud refunds.
Geographic patterns are also hard to interpret. While IC3 reports include state-level breakdowns, they reflect where victims live, not where criminals operate. A state that appears to be a hotspot for cybercrime might instead be a hotspot for reporting, with better outreach from local law enforcement or consumer protection agencies. Without a matching dataset on offender locations, policymakers risk misreading where resources are most urgently needed.
These gaps matter because lawmakers and regulators routinely cite IC3 and FTC complaint figures when proposing new rules or funding levels. If the data skews toward populations that are more likely to report-older adults who respond to government warnings, for example-then emerging harms affecting less-connected communities may be underweighted in policy debates.
What victims and policymakers can do next
For individuals and businesses, the immediate takeaway is practical: treat the FBI’s loss totals as a floor, not a ceiling, and assume that sophisticated scams are more common than the numbers alone suggest. Reporting remains critical, both to improve the visibility of new fraud patterns and to give investigators starting points for cases like the $225 million forfeiture action.
Policymakers, meanwhile, face a dual task: expanding support for prevention and tightening the feedback loop from complaint to consequence. That could mean dedicating more resources to victim assistance, investing in analytic tools that can sift IC3 data for early warning signs, and pressing for more transparent public breakdowns of how much stolen money is ultimately recovered.
For anyone trying to keep up with evolving threats, the FBI encourages the public to stay informed through its email alerts, which highlight new scam patterns and enforcement actions. The record-setting $20.9 billion in reported losses underscores that awareness is no longer optional; it is a basic requirement of participating safely in the digital economy.



