Cybercrime losses are rising, but not everyone is affected equally. Some groups consistently lose more, and the reasons have less to do with technical weakness than with how decisions are made.
According to the Federal Bureau of Investigation’s Internet Crime Complaint Center, Americans reported $20.9 billion in cybercrime losses in 2025, with more than 1 million complaints filed. Investment scams alone accounted for over $11 billion, much of it linked to cryptocurrency. Cyber-enabled fraud made up roughly $17.7 billion of the total.
Most losses do not come from breaking systems. They come from convincing people to use them as intended.
Losses cluster around specific groups
- Older individuals remain one of the highest-loss groups, particularly in long-running investment and impersonation scams. These cases often involve weeks or months of contact, building trust before large transfers are made.
- Working professionals, especially those in finance or operations, are frequent targets of business email compromise. A supplier updates bank details, an urgent payment is requested, and the transaction is approved through normal workflow.
- Small business owners face similar risks with fewer safeguards. A single person may receive, verify, and approve a payment, making invoice redirection or supplier impersonation far easier to execute.
- Institutions such as schools, local governments, and healthcare administration teams are also affected. Invoice fraud, grant payment redirection, and supplier changes often move through email-based processes with limited verification.
- Financially active consumers, particularly those engaging with cryptocurrency or alternative investments, are at risk of long-term scams. Victims may see fabricated returns on fake platforms before being persuaded to invest larger sums.
- High-trust roles, including HR, payroll, and executive assistants, are prime targets for impersonation. Requests that appear to come from senior staff or internal systems can trigger urgent actions without sufficient verification.
- New or transitional users, such as new hires or recently onboarded clients, are more vulnerable due to a lack of context. For example, a new employee may receive what appears to be a routine IT setup or payroll request and follow instructions without realizing the process has been spoofed.
These are not random victims. They are predictable targets based on role, responsibility, and context.
Awareness helps, but it does not solve the problem
There is no shortage of guidance on avoiding scams. Banks, regulators, and employers increasingly provide training and warnings. Some organizations even require staff to complete awareness courses.
That helps raise the baseline. It does not reliably prevent high-loss cases. Many of the largest losses occur when:
- The request appears legitimate
- The timing feels urgent
- The context matches normal activity
People are not ignoring advice. They are making decisions in situations that look real enough to override it. The point of failure is not a lack of knowledge. It is the moment a decision is made under pressure. Education raises the floor. It does not remove the risk.
Why systems alone are not enough
Technical controls are not designed to catch this type of activity. In many cases:
- The email appears valid or convincingly spoofed
- The user has legitimate access
- The transaction is authorized
From a network or endpoint perspective, nothing is obviously wrong. The system sees a valid user completing a valid action.
This creates a gap. The attack does not defeat your controls. It goes around them.
What actually reduces losses
There is no single fix. Losses fall when systems and people work together to interrupt high-risk decisions. On the system side:
- Delays or review periods for new or unusual payments
- Independent verification for changes to bank details or payment instructions
- Stronger warnings tied to specific risk patterns, not generic alerts
- Limits on irreversible payment methods, where possible
On the human side:
- Treating unexpected requests as high-risk, even when they appear familiar
- Verifying changes through a separate channel
- Recognizing pressure as a warning sign, not a reason to act faster
None of these measures is foolproof. Together, they reduce the likelihood of a single mistake leading to a large loss.
The role of organizations and security teams
For organizations, the challenge is not simply improving security at the network level. It is extending control into the decision-making layer. That means:
- Designing workflows that do not rely on a single point of approval
- Treating change events as inherently risky
- Supporting verification processes that are independent of the original request
Security teams are not positioned to stop these scams at the packet level. Their role is to support systems that make risky decisions harder to execute without scrutiny.
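The system-side controls and workflow rules listed above can be expressed as a release gate that runs before money moves. This is an added example, not code from the article or any real payment product; the class names, channel labels, three-day review period and 10,000 threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

REVIEW_PERIOD = timedelta(days=3)   # assumed hold after new or changed bank details
DUAL_APPROVAL_AMOUNT = 10_000       # assumed threshold for a second approver

@dataclass
class Payee:
    name: str
    details_changed_at: datetime        # creating a payee counts as a change event
    change_requested_via: str           # channel the new details arrived on
    change_verified_via: Optional[str]  # channel used to confirm them, if any

@dataclass
class Payment:
    payee: Payee
    amount: float
    requested_by: str
    approvers: set = field(default_factory=set)
    irreversible: bool = False          # e.g. a wire or cryptocurrency transfer

def release_blockers(p: Payment, now: datetime) -> list:
    """Return the reasons to hold a payment; an empty list means release."""
    reasons = []
    if p.payee.change_verified_via is None:
        reasons.append("bank details not independently verified")
    elif p.payee.change_verified_via == p.payee.change_requested_via:
        reasons.append("verification reused the request channel")
    if now - p.payee.details_changed_at < REVIEW_PERIOD:
        reasons.append("bank details changed inside the review period")
    # No single point of approval: the requester never counts as an approver.
    independent = p.approvers - {p.requested_by}
    needed = 2 if (p.amount >= DUAL_APPROVAL_AMOUNT or p.irreversible) else 1
    if len(independent) < needed:
        reasons.append(f"needs {needed} independent approver(s), has {len(independent)}")
    return reasons

def demo_cases():
    """Constructed sample data: a redirected supplier invoice and a routine payment."""
    now = datetime(2025, 6, 10, 9, 0)
    changed = Payee("Acme Supplies", now - timedelta(hours=4), "email", "email")
    redirected = Payment(changed, 48_000, "ap.clerk", {"ap.clerk"}, irreversible=True)
    stable = Payee("Acme Supplies", now - timedelta(days=30), "email", "phone-on-file")
    routine = Payment(stable, 48_000, "ap.clerk", {"controller", "cfo"})
    return release_blockers(redirected, now), release_blockers(routine, now)

if __name__ == "__main__":
    for blockers in demo_cases():
        print(blockers or "release")
```

The redirected invoice is held for three separate reasons even though every login and approval in it is valid, which is the gap the article describes.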
No simple fix
Cybercrime losses on this scale are not the result of a single failure, and they will not be solved by a single control. Technology cannot eliminate the risk. Process alone cannot eliminate the risk. Education alone cannot eliminate the risk. Meaningful reduction comes from applying all three together, particularly at the moment money moves or critical information changes.
Sources
Federal Bureau of Investigation (IC3); Federal Trade Commission; UK Finance; National Cyber Security Centre
