The FBI’s Internet Crime Complaint Center (IC3) has released its 2024 Internet Crime Report. And it has revealed a record-breaking surge in cybercrime losses across the United States. Last year, total losses reached $16.6 billion, which is a 33% increase from the previous year. Email continues to be the most exploited attack vector, with cybercriminals using it for phishing scams, business email compromise (BEC) attacks and data exfiltration at scale.
Proofpoint looked at this year’s report through the lens of email security. Our review underscores the growing need for organizations to adopt layered, human-centric defenses that mitigate human-activated threats across email, cloud and collaboration platforms. Here are the top takeaways.
FBI IC3 report complaint and loss trends for the past five years.
Email-based threats dominate the landscape
Email continues to be the single largest conduit for cybercrime, both in terms of frequency and financial impact.
- Phishing and spoofing led all complaint types with 193,407 incidents. These attacks are increasingly subtle, using QR codes, fake login pages and compromised brand assets to trick users.
- Business email compromise (BEC) was the second costliest cybercrime, generating $2.77 billion in losses across 21,442 incidents.
- Personal data breaches, many of which happen because of email compromise, caused $1.45 billion in losses. There were 64,882 reports.
When these categories are combined, they represent more than $4 billion in losses. That just shows how deeply email threats are tied to data loss, fraud and brand damage. Today’s cybercriminals aren’t simply bypassing technology—they’re exploiting human behavior.
BEC: email’s most expensive threat
BEC attacks are highly targeted and driven by social engineering. Threat actors pretend to be executives, suppliers or legal representatives to trick employees into wiring funds or sharing sensitive documents.
Last year, the IC3 report found:
- $2.77 billion in losses caused by BEC, making it the second costliest cybercrime category overall
- 21,442 incidents, which was largely consistent year over year
A significant portion of these losses were from real estate and payroll fraud, where bad actors impersonated people in order to change wire transfer details or banking account information for paychecks. Victims over the age of 60 lost $385 million to these scams in 2024 alone.
The FBI’s IC3 Recovery Asset Team reported a 66% success rate in freezing fraudulent BEC transfers. In one case, it was able to intercept and return nearly $1 million in stolen funds to a victim of real estate fraud.
Proofpoint helps mitigate BEC. We use behavioral AI to evaluate message intent, linguistic cues and anomalous sender-recipient relationships to detect threats that evade traditional email gateways.
Phishing: most common, increasingly costly
Phishing continues to be the most popular type of attack with nearly 200,000 reports in 2024. But what's more alarming is the surge in losses, which jumped from $18.7 million in 2023 to $70 million this year. That’s a 274% increase.
Attackers have evolved their tactics:
- Using QR codes to bypass email link detection tools
- Embedding malicious payloads into PDF attachments
- Using compromised or look-alike domains to impersonate brands
Notably, the total number of phishing complaints was down from 298,878 in 2023. This drop may be due to attackers preferring higher-conversion, lower-volume campaigns—particularly those that use BEC or account takeover strategies.
To protect against phishing, Proofpoint recommends a multilayered approach. That means using adaptive warning banners, enforcing click isolation and prioritizing awareness training programs that help users become resistant to phishing threats.
Seniors: cybercrime’s most targeted demographic
The IC3 report details a sharp rise in attacks that target people 60 and older:
- 147,127 complaints, up 46% year over year
- $4.8 billion in losses, a 43% increase from 2023
Older adults were the hardest hit by phishing, tech support fraud and BEC schemes. They also bore the brunt of cryptocurrency investment scams, losing more than $2.8 billion via schemes that often begin with phishing lures or spoofed emails.
As these users may lack digital literacy or familiarity with modern threat vectors, Proofpoint encourages organizations to extend awareness training beyond employees—reaching family members, retirees and older customers.
FBI IC3 report’s complaints by age group in 2024.
The bottom line
The IC3’s 2024 report reinforces what defenders already know: email is still the leading source of cyber risk. While phishing and BEC are not new threats, they are growing more targeted, more costly and more damaging when they’re successful.
To stay ahead, organizations must shift from reactive defense to proactive prevention. This starts with detecting human-centric threats early, automating threat response and prioritizing protection for the people who are most likely to be targeted.
Proofpoint is here to help. Our AI-driven platform stops advanced threats before users can engage, dramatically reducing risk and time to resolution.
Explore how Proofpoint can help secure your people against today’s top email threats with Core Email Protection.
