Technology

Tech Scams 2025: FBI $12.5B losses, AI deepfakes surge

Tech Scams 2025: FBI .5B losses, AI deepfakes surge

Cybercriminals are weaponizing AI to scale classic frauds—and the financial damage keeps climbing. The FBI’s Internet Crime Complaint Center (IC3) reported $12.5 billion in cybercrime losses in 2023, while the FTC confirmed a record $10 billion in consumer fraud losses the same year. Early 2025 threat reporting from industry and law enforcement indicates these trends are accelerating, especially in scams powered by deepfake audio and video, business email compromise (BEC), and crypto investment schemes. Below, we break down how today’s most costly scams work, who’s being targeted, and exactly how to stop them.

AI Deepfake Scams

Recent Cases and Financial Impact

AI-generated audio and video are being used to impersonate executives, family members, and celebrities to coerce urgent payments or sensitive data. In a widely reported 2024 case in Hong Kong, a finance worker was duped into sending more than $25 million after participating in a video conference populated by deepfaked “colleagues.” Security firms and regulators have warned of rapidly rising deepfake-enabled fraud attempts against both consumers and businesses. While precise 2025 figures are still emerging, law enforcement and cybersecurity research agree that deepfake-driven impersonation is one of the fastest-growing social engineering methods.

How This Scam Works

  • Reconnaissance: Scammers scrape social media and company sites to harvest voices, videos, and profiles.
  • Modeling: Freely available tools clone a target’s voice or face from short samples.
  • Bait: Targets receive a video call, voicemail, or social DM that appears to be a known person (boss, spouse, celebrity).
  • Pressure: The imposter demands urgent action—wire transfers, crypto payments, gift cards, or credentials.
  • Cover: Attackers often spoof phone numbers, emails, and meeting invites to look legitimate.

Warning Signs

  • Urgent, high-stakes requests that bypass normal approval channels.
  • Inconsistent eye movement, lighting, or lip-sync in video calls; unusual pauses or audio artifacts in calls.
  • Requests to move conversations to encrypted apps or to keep the request confidential.
  • Payment requests that deviate from standard vendor or payroll procedures.

Protection Strategies

  • Use a “challenge phrase” or second-factor identity check for sensitive requests (e.g., a shared codeword or callback to a verified number).
  • Enforce “trust but verify”: No funds, credentials, or gift cards without out-of-band verification via a contact method on file.
  • Disable auto-join and require waiting rooms so unknown callers can be vetted.
  • Train staff and families to expect realistic AI fakes and practice verification drills.
  • For executives, limit public release of high-quality voice/video when feasible; use watermarks where appropriate.

Business Email Compromise (BEC)

Recent Cases and Financial Impact

BEC remains one of the most expensive enterprise scams. The FBI IC3 reported approximately $2.9 billion in adjusted losses from BEC in 2023, contributing to the $12.5 billion total across all cybercrime. Attackers now blend AI to write flawless emails, mimic vendor invoices, and even deploy deepfaked voices to approve transactions.

How This Scam Works

  • Account takeover: Criminals phish or brute-force an executive’s or vendor’s email account.
  • Monitoring: Attackers quietly study payment cycles and tone, then insert fake invoices or banking “updates.”
  • Escalation: They pressure finance/AP teams with urgent, confidential payment requests.
  • Money mule networks: Funds are routed through multiple accounts and often converted to crypto.

Warning Signs

  • Banking detail “changes” sent by email without signed agreements or prior notice.
  • Subtle domain spoofing (e.g., company-name.co vs. company-name.com) or display-name tricks.
  • Unusual tone, timing, or urgency from executives or vendors; deviations from normal approval paths.

Protection Strategies

  • Mandate out-of-band verification for payment changes and large transfers (phone number on file; never call numbers in the email).
  • Deploy DMARC/DKIM/SPF, MFA on email, and conditional access; monitor for impossible travel and forwarding rules.
  • Implement dual approval and payment hold periods; use payee name verification where available.
  • Use vendor portals with strong authentication instead of email for invoice/banking updates.
  • Run quarterly BEC tabletop exercises; simulate vendor-compromise scenarios.

Tech Support Fraud

Recent Cases and Financial Impact

Tech support fraud disproportionately impacts older adults. The FBI and FTC have repeatedly warned about fake “Microsoft/Apple” pop-ups and phone calls that lead to remote access, bank-draining “refund” scams, or gift card purchases. In the FBI’s 2023 data, tech support fraud losses were substantial, with older Americans bearing a significant share of the harm.

How This Scam Works

  • Trigger: A pop-up claims your device is infected and lists a “support” number, or scammers cold-call as “Microsoft” or your bank.
  • Access: They convince you to install remote software.
  • Manipulation: They stage fake diagnostics, show “errors,” and claim urgent fees or refunds.
  • Extraction: Victims are directed to move funds, buy gift cards, or share banking credentials.

Warning Signs

  • Unsolicited calls or pop-ups claiming to be from Microsoft/Apple.
  • Requests to install remote-access tools or to keep the call “confidential.”
  • Pressure to pay with gift cards, crypto, or wire transfers.

Protection Strategies

  • Never call phone numbers in pop-ups; close the browser or reboot. Real tech companies don’t display support numbers in error messages.
  • Use a trusted local technician or the official manufacturer’s support site; bookmark it.
  • Enable bank alerts and set transaction limits; use call-blocking on mobiles and landlines.
  • For families: designate a “tech helper” and a shared callback plan for suspicious computer issues.

Cryptocurrency Schemes

Recent Cases and Financial Impact

Crypto investment fraud—particularly “pig butchering” romance-investment hybrids—has fueled multi-billion-dollar losses worldwide. Chainalysis reported that overall illicit crypto transaction volumes totaled tens of billions of dollars in 2023, with ransomware revenues rebounding and investment scams remaining a major driver of harm. The FBI has also highlighted large year-over-year losses in investment fraud categories, much of it crypto-related.

How This Scam Works

  • Grooming: Scammers build trust over weeks via dating apps, WhatsApp, or social media.
  • Hook: They introduce a “broker” app or website that shows fabricated profits.
  • Scaling: Victims are encouraged to invest more, then blocked when they try to withdraw.
  • Exit: Funds are laundered through mixers and cross-chain bridges.

Warning Signs

  • Guaranteed returns, limited-time “insider” opportunities, or screenshots of extraordinary gains.
  • Requests to move conversations to private messaging and to keep investments secret.
  • Complex steps to fund wallets and no clear, regulated entity behind the platform.

Protection Strategies

  • Use only regulated exchanges; verify company registration and executive identities.
  • Check domain age, company address, and independent reviews; avoid apps not listed in official app stores.
  • Refuse any investment that discourages withdrawals or requires recruiting.
  • Use hardware wallets for self-custody and enable allowlists for withdrawal addresses.
  • If scammed, quickly file with your exchange, bank, and law enforcement and preserve on-chain transaction IDs.

Romance/Social Engineering (including Pig Butchering)

Recent Cases and Financial Impact

Romance fraud continues to climb, with losses often measured in tens of thousands per victim. Law enforcement notes that pig-butchering operations are run by organized criminal groups that combine romance grooming with fake crypto trading platforms, leveraging AI chatbots and cloned voices to maintain control.

How This Scam Works

  • Contact: “Wrong number” texts, dating-app matches, or social media friend requests.
  • Bonding: Daily messages and calls, sometimes with AI-synthesized voice and images.
  • Con: Transition to investment advice or urgent financial help requests.
  • Control: Emotional manipulation, isolation from friends/family, and escalating deposits.

Warning Signs

  • Reluctance to video chat live or meet; inconsistencies in backstory.
  • Fast escalation to money, crypto, or gift-card requests.
  • Pressure to keep the “relationship” secret or private.

Protection Strategies

  • Reverse-image search profile photos; verify identities through live video and public records.
  • Refuse financial transactions with online-only acquaintances.
  • Set personal limits: no crypto transfers or account sharing in online relationships.
  • For families: agree on a “pause and verify” rule if anyone requests money due to a supposed emergency.

Phishing Evolution (Email, Smishing, Vishing)

Recent Cases and Financial Impact

Phishing remains the most reported cybercrime tactic. The FBI IC3 has consistently recorded phishing as the top complaint volume, and the Verizon 2024 Data Breach Investigations Report found that the majority of breaches involve the human element—social engineering, errors, or misuse. Attackers now use AI to generate near-perfect messages, spoof login portals, and create convincing voice calls at scale.

How This Scam Works

  • Email: Credential theft via lookalike domains and realistic MFA push fatigue.
  • Smishing: Malicious links sent by SMS (delivery, tax, bank alerts).
  • Vishing: Phone calls spoofing banks or IT, often paired with MFA interception.

Warning Signs

  • Unexpected password resets, invoice attachments, or DocuSign requests.
  • Login pages that lack HTTPS lock icons or have odd subdomains.
  • Calls urging you to read back one-time passcodes.

Protection Strategies

  • Use phishing-resistant MFA (FIDO2/security keys) where possible.
  • Deploy advanced email defenses (DMARC enforcement, anomaly detection, QR-code scanning).
  • Train with real-world simulations that include smishing and vishing.
  • Use password managers (auto-fill only on the correct domain) and enable account lockouts.

Audience-Specific Guidance

For General Consumers

  • Enable MFA on email, bank, and social accounts; prefer app or security key over SMS.
  • Set bank and card transaction alerts; use account recovery codes and store them offline.
  • Freeze your credit at all three bureaus; use a PIN with your mobile carrier to prevent SIM swaps.

For Business Owners

  • Implement payment-change verification and dual authorization; enforce least privilege for finance roles.
  • Adopt Zero Trust: device posture checks, conditional access, and identity threat protection.
  • Run quarterly BEC and deepfake drills; measure and remediate risky SaaS OAuth consents.
  • Log and monitor email rules, OAuth grants, and impossible travel; retain logs for at least 12 months.

For Elderly Users and Caregivers

  • Use call-screening and block unknown callers; let unknown numbers go to voicemail.
  • Never pay with gift cards or crypto on phone demand. Hang up and call back using a trusted number.
  • Pre-plan: designate a family “tech helper” and create a callback checklist for pop-ups or bank “alerts.”

For Tech-Savvy Users

  • Adopt passkeys/security keys; enable phishing-resistant MFA everywhere possible.
  • Use hardware-backed passwordless on admin accounts and enforce verified device posture.
  • Monitor for deepfake artifacts in real time; record-risk meetings should require out-of-band verification.
  • Use allowlists for crypto withdrawals; monitor on-chain exposure and revoke risky dApp approvals.

Industry Expert Insights

Patterns are converging across law enforcement and industry reports. The FBI IC3’s 2023 report underscores the cost concentration in BEC and investment scams, while the Verizon 2024 DBIR reiterates the dominant role of the human element in breaches. Chainalysis data shows crypto crime’s composition is shifting—ransomware revenues rebounded in 2023 while some scam revenues became more targeted and sophisticated. Together, these point to a 2025 threat landscape where AI amplifies social engineering scale and realism, not just technical exploits.

What changes in 2025? Expect: more deepfake video in BEC approvals, widespread AI-written vendor emails that perfectly match tone and formatting, and increased targeting of small finance teams and managed service providers (MSPs) as high-leverage entry points. Organizations that pair strong identity controls with rigorous payment-verification workflows will be best positioned to blunt these attacks.

Immediate Action Steps

  • Turn on phishing-resistant MFA (security keys/passkeys) for email, bank, payroll, and cloud admin accounts today.
  • Set a company-wide rule: no payment/banking changes without out-of-band verification via a phone number on file.
  • Establish a family/caregiver callback plan for pop-ups, bank “alerts,” and emergency money requests.
  • Freeze credit at Equifax, Experian, and TransUnion; add an account PIN to your mobile carrier.
  • Run a 30-minute BEC + deepfake drill this week; document the verification steps and escalation contacts.
  • Audit SaaS admin/OAuth grants; remove unused apps and enforce least privilege.
  • Back up critical data offline and test restores; segment finance systems from general IT.

Conclusion

Tech scams in 2025 aren’t science fiction—they’re scalable, AI-powered versions of familiar cons. The numbers from the latest official reports are clear: billions are being lost, and the most damaging attacks exploit human trust more than technical flaws. If you adopt verification-by-default, deploy phishing-resistant authentication, and rehearse your response to deepfake and BEC scenarios, you convert that reality into an advantage. Start with the immediate steps above, share them with your team and family, and revisit them each quarter—because the criminals certainly will.

Related Posts