What the FBI's 2025 cybercrime report means for Sacramento small businesses

A record year for cybercrime

In 2025 the FBI received 1,008,597 complaints, the first time the total has passed one million, with $20.877 billion in reported losses. That is a 26% jump in losses over 2024, and the average reported loss was $20,699. Cyber-enabled fraud, where criminals use technology to trick people out of money or data, accounted for about 85% of all losses.

The largest loss categories were investment fraud ($8.6 billion), business email compromise ($3.0 billion), and tech-support scams ($2.1 billion). The most common complaint of all was phishing and spoofing, with more than 191,000 reports. Phishing matters out of proportion to its direct losses because it is the entry point for so many of the costlier scams.

California was the hardest-hit state

For businesses in our area, the geography is not comforting. California led the nation in both the number of complaints (116,414) and total losses (about $3.675 billion), well ahead of any other state. A large, prosperous state is simply a larger target, and Sacramento-area businesses are part of that picture.

The lesson is not that California businesses are doing something wrong. It is that the volume of attempts is high enough that every small business should assume it will be targeted, and prepare accordingly.

The threats that matter most to small businesses

Not every category in the report is equally relevant to a small business. These four are the ones worth your attention, and we have written a deeper guide on each.

Business email compromise

The second-largest source of losses in the entire report, at $3.0 billion. A criminal impersonates an executive, vendor, or partner and tricks an employee into wiring money or changing payment details. It is highly preventable with a simple verification habit. See our full guide: what is business email compromise.

Tech-support and government-impersonation scams

Run largely out of illegal call centers, these two scams together caused more than $2.9 billion in losses and over 80,000 complaints. Tech-support fraud losses alone jumped from $1.46 billion to $2.1 billion in a single year. They prey on fear and urgency. See our guide: tech-support and government-impersonation scams.

Ransomware

Ransomware reports are badly undercounted, yet the FBI still identified 63 new variants in 2025, and small professional-services firms (legal, contracting, engineering, consulting) were among the hardest hit outside critical infrastructure. See our guide: why ransomware is hitting small professional-services firms.

AI-powered fraud

Tracked for the first time as its own category, AI-related fraud drove more than $893 million in losses across 22,000-plus complaints, including AI-written impersonation emails, voice cloning, and deepfake video. See our guide: how AI is powering a new wave of scams.

What Sacramento-area businesses should do

The encouraging news is that the defenses that address the report's biggest threats overlap almost entirely. A small business that does the following is protected against the large majority of what the FBI describes:

• Verify money and banking-change requests on a second channel, every time, by calling a known number.
• Turn on multi-factor authentication for email, banking, and all critical accounts.
• Layer email security that detects impersonation and phishing that standard filtering misses.
• Keep offline, immutable, tested backups so ransomware cannot hold you hostage.
• Train your team to recognize phishing, urgency, and the payment red flags (gift cards, wire, crypto).
• Act fast if money is sent. Call your bank immediately and report to the FBI at ic3.gov; the FBI's Recovery Asset Team froze funds in 58% of the cases it worked when victims reported quickly.