
The Post-Breach Autopsy: How DMARC Could Have Prevented the Costliest Email Attacks of 2024-2025

Brad Slavin, General Manager | Updated for 2026

Quick Answer

The FBI’s 2025 Internet Crime Complaint Center Annual Report (PDF) recorded a milestone that should stop every executive in their tracks: for the first time in the center’s 25-year history, IC3 received over one million cybercrime complaints in a single year, 1,008,597, with reported losses of $20.877 billion, a 26% increase over 2024.


$20.877 Billion. One Million Complaints. One Year.

The FBI’s 2025 Internet Crime Complaint Center Annual Report (PDF) recorded a milestone that should stop every executive in their tracks: for the first time in the center’s 25-year history, IC3 received over one million cybercrime complaints in a single year, 1,008,597, with reported losses of $20.877 billion, a 26% increase over 2024. Business email compromise accounted for $3.05 billion of that total. Phishing/spoofing was the single most-reported complaint category.

The 2024 IC3 Report (PDF) had already set records: 859,532 complaints, $16.6 billion in losses (a 33% increase from 2023), with BEC accounting for $2.77 billion across 21,442 incidents. The Congressional Research Service analysis (PDF, August 2025) noted that almost 83% of financial losses reported to IC3 in 2024 were cyber-enabled and often initiated through technological means, such as email.

Behind every one of these statistics is an organization that was attacked through email. Many of those attacks could have been prevented by a single DNS record: DMARC at enforcement. This report reverse-engineers the most significant email attacks documented in government and institutional PDF sources to show exactly what happened, why it worked, and what DMARC enforcement would have changed.

The BEC Trajectory: Six Years of FBI PDF Data

The FBI’s IC3 Annual Reports provide the most authoritative longitudinal dataset on business email compromise. Here is the trajectory, sourced exclusively from the official government PDFs:

| Year | BEC Complaints | BEC Losses | Total IC3 Losses | Source PDF |
|------|----------------|------------|------------------|------------|
| 2020 | 19,369 | $1.87B | $4.1B | 2020 IC3 Report |
| 2021 | 19,954 | $2.4B | $6.9B | 2021 IC3 Report |
| 2022 | 21,832 | $2.7B | $10.2B | 2022 IC3 Report |
| 2023 | 21,489 | $2.9B | $12.5B | 2023 IC3 Report |
| 2024 | 21,442 | $2.77B | $16.6B | 2024 IC3 Report |
| 2025 | N/A | $3.05B | $20.877B | 2025 IC3 Report |

The trajectory is unmistakable. BEC losses have grown from $1.87 billion to $3.05 billion in five years, a 63% increase. Total cybercrime losses have surged from $4.1 billion to $20.877 billion, a 409% increase. And as the 2025 IC3 PDF notes, these figures represent only reported incidents. The actual losses are estimated to be three to five times higher due to chronic underreporting.

The 2020 IC3 PDF documents how BEC has evolved since 2013: from simple CEO email spoofing to compromised vendor accounts, spoofed lawyer emails, W-2 information theft, real estate targeting, gift card fraud, and cryptocurrency conversion. Each evolution relies on the same foundational technique: making an email appear to come from a trusted source. DMARC at enforcement eliminates exact-domain spoofing, cutting off the primary impersonation vector.

Case Study 1: North Korea’s Kimsuky Group Exploiting p=none

The FBI/NSA/State Department Joint Cybersecurity Advisory (PDF, May 2024) provides the most detailed government documentation of DMARC exploitation in a real-world attack campaign.

What Happened

North Korean cyber actors from the Kimsuky group (also tracked as APT43, Emerald Sleet, Velvet Chollima, and Black Banshee) conducted spearphishing campaigns posing as legitimate journalists, academics, and policy experts. They spoofed both the sender name and the actual email domain of real people at think tanks and universities. Because the targeted sending domains had DMARC set to p=none or had no DMARC record at all, the spoofed emails passed through to inboxes indistinguishable from authentic communications.

What the Advisory Says

The PDF states directly: “Without properly configured DMARC policies, malicious cyber actors are able to send spoofed emails as if they came from a legitimate domain’s email exchange.” The advisory explicitly recommends updating DMARC policies to p=quarantine or p=reject to prevent this exploitation.

[Figure: DMARC Spearphishing Prevention Flowchart]

The Ongoing Threat

The FBI FLASH on Kimsuky QR Code Phishing (PDF, January 2026) confirms that as of 2025, Kimsuky actors continue targeting think tanks, academic institutions, and government entities. The ESET APT Activity Report Q4 2024-Q1 2025 (PDF) documents that Kimsuky returned to usual activity levels in early 2025, using cloud services for command and control and distributing malicious payloads through spearphishing. The NSA/DOD 2023 Kimsuky advisory (PDF) provides additional background on the group’s decade-long social engineering operations.

What DMARC Would Have Changed: If the targeted organizations had published DMARC records at p=reject, Kimsuky actors could not have spoofed their domains. The spoofed emails would have been blocked by receiving mail servers before reaching any inbox. The entire spearphishing campaign would have failed at the protocol level, regardless of how convincing the email content was.
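To make the advisory's point concrete, here is an added example (not code from the advisory or from this site) of the disposition a DMARC-evaluating receiver computes for one message under p=none versus p=reject, following the RFC 7489 alignment rules; every domain, record and authentication result in it is constructed, and the organizational-domain lookup is a simplified stand-in for the Public Suffix List.

```python
# Added example: the disposition a DMARC-evaluating receiver assigns to one message
# (RFC 7489 logic). All domains, records and authentication results are constructed.

def parse_dmarc_record(txt: str) -> dict:
    """Split a _dmarc TXT record into tags, filling in RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain: str) -> str:
    """Organizational domain. Constructed shortcut (last two labels) standing in
    for the Public Suffix List lookup a real receiver performs."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match with the RFC5322.From domain;
    relaxed ('r') accepts any domain with the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(record: str, from_domain: str, spf: tuple, dkim: tuple) -> str:
    """spf = (result, MAIL FROM domain); dkim = (result, d= domain of the signature).
    Returns the policy-driven disposition: 'none' (deliver), 'quarantine' or 'reject'.
    pct sampling is not modelled, i.e. pct=100 is assumed."""
    tags = parse_dmarc_record(record)
    spf_aligned = spf[0] == "pass" and aligned(from_domain, spf[1], tags["aspf"])
    dkim_aligned = dkim[0] == "pass" and aligned(from_domain, dkim[1], tags["adkim"])
    if spf_aligned or dkim_aligned:
        return "none"  # DMARC pass: one aligned identifier is enough
    return tags["p"]  # DMARC fail: apply the domain owner's requested policy

# Constructed scenario: the attacker sends from its own server, so raw SPF passes
# for the attacker's domain, but nothing aligns with the spoofed From domain.
TITLE_CO_NONE = "v=DMARC1; p=none; rua=mailto:dmarc@titleco.example"
TITLE_CO_REJECT = "v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:dmarc@titleco.example"
SPOOFED_SPF = ("pass", "attacker-mailer.example")
NO_DKIM = ("none", "")

def spoofed_wire_email_dispositions() -> tuple:
    """Disposition of the same spoofed message under p=none and under p=reject,
    plus a legitimate message relayed through a provider (DKIM aligned, SPF not)."""
    under_none = dmarc_disposition(TITLE_CO_NONE, "titleco.example", SPOOFED_SPF, NO_DKIM)
    under_reject = dmarc_disposition(TITLE_CO_REJECT, "titleco.example", SPOOFED_SPF, NO_DKIM)
    legit = dmarc_disposition(TITLE_CO_REJECT, "titleco.example",
                              ("pass", "bounce.mailprovider.example"), ("pass", "titleco.example"))
    return under_none, under_reject, legit

if __name__ == "__main__":
    print(spoofed_wire_email_dispositions())  # ('none', 'reject', 'none')
```

Note that the p=reject outcome only applies at receivers that actually evaluate DMARC; a receiver that ignores the record delivers the message regardless of policy.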

Case Study 2: The $2.1 Million Spoofed Wire Transfer

The Coalition 2025 Cyber Claims Report (PDF) documents a case study that illustrates the mechanics of BEC fraud and the specific role domain spoofing plays.

What Happened

A distributor of household and personal goods attempted to wire a $2.1 million payment to its landlord for a new lease. The company received what appeared to be a legitimate email from the title company containing wire instructions. The funds were sent to a fraudulent bank account controlled by threat actors. The company only realized the fraud after the wire had been sent.

The Forensic Finding

Coalition’s Incident Response team conducted a forensic investigation and determined that no unauthorized access to the business’s email account occurred. The fraudulent transfer was triggered entirely by a spoofed email, an email that appeared to come from the title company’s domain but was actually sent by an attacker. This is the precise attack vector that DMARC at enforcement prevents.

The Recovery

Coalition contacted the business within one hour of notification and engaged government contacts to freeze the assets. Less than 24 hours later, all but approximately $100 of the $2.1 million was frozen and held for return. The FBI’s Recovery Asset Team initiated the Financial Fraud Kill Chain, which the 2024 IC3 PDF notes has a 73% success rate for freezing funds in BEC cases reported quickly enough.

What DMARC Would Have Changed: If the title company’s domain had DMARC at p=reject, the spoofed email would have been blocked by the distributor’s mail server. The wire instructions would never have reached the finance team. The $2.1 million would never have been at risk. No forensic investigation. No FBI involvement. No anxious 24-hour wait for funds to be frozen.

Case Study 3: The $6 Million City Government BEC

The 2025 IC3 Annual Report (PDF) documents a BEC incident involving a city government office in Oregon that reported a loss of over $6 million. The FBI Portland Office notified the IC3’s Recovery Asset Team in April 2025.

[Figure: DMARC BEC Prevention Comparison]

The Pattern

This case follows the BEC pattern documented across six years of IC3 PDFs: a government entity received a compromised or spoofed email containing fraudulent payment instructions, leading to a wire transfer to an attacker-controlled account. The scale, $6 million from a single city government, demonstrates that BEC is not just a corporate problem. Government entities, which often have less sophisticated email security than large enterprises, are increasingly targeted.

The 2022 IC3 PDF documented how BEC has specifically evolved to target real estate transactions, vendor relationships, and government payment processes, all high-value, high-trust contexts where email-initiated wire transfers are standard practice.

What DMARC Would Have Changed: If the sending domain had been spoofed (exact-domain impersonation), DMARC at p=reject would have blocked the email. If the email came from a look-alike domain, DMARC would not have prevented it directly, but DMARC enforcement on the legitimate domain provides a baseline that makes look-alike detection easier through DMARC reporting, which flags unauthorized sending activity. A DMARC analyzer monitoring both inbound and outbound authentication provides the visibility to catch these attacks earlier.

The Cost of Email Attacks: What the IBM and Verizon PDFs Reveal

IBM: The Financial Impact Per Breach

The IBM Cost of a Data Breach Report 2024 (PDF) found that the global average cost of a data breach reached $4.88 million, a 10% increase over the previous year and the biggest jump since the pandemic. Business disruption and post-breach customer support drove the cost spike. More than half of breached organizations passed costs on to customers through higher prices.

The IBM Cost of a Data Breach Report 2025 (PDF) shows ransomware breach costs reaching $5.08 million. The report marks 20 years of data breach research by Ponemon Institute, covering 6,485+ breaches and 34,652+ interviews. Phishing and social engineering remain among the most expensive initial attack vectors, consistently ranking above the average breach cost because they typically involve larger data sets and longer detection times.

[Figure: Top Breach Vectors Infographic]

Verizon: Phishing as the Top Initial Access Vector

The Verizon 2025 DBIR (PDF) analyzed 12,195 confirmed breaches and found that exploitation of vulnerabilities as an initial access step grew 34%, ransomware prevalence rose 37% (accounting for 44% of all breaches), and 30% of breaches involved third-party compromise (nearly doubling from 2023). 60% of all breaches still involved a human element, particularly credentials stolen via social engineering.

The Verizon 2025 DBIR Retail Snapshot (PDF) and Healthcare Snapshot (PDF) confirm that phishing remains the most common initial access vector across sectors, and that pretexting (BEC’s social engineering technique) is one of the most frequently observed attack patterns. The AHLA/Verizon DBIR Retail Analysis (PDF) found phishing was the most common initial access vector at 23% of retail incidents.

Coalition: The Cyber Insurance Perspective

The Coalition 2025 Cyber Claims Report (PDF) provides the insurance industry’s view: BEC events that result in funds transfer fraud are classified as FTF events, with severity calculated separately. The report documents that a single spoofed email, not an account compromise, not a malware infection, just a spoofed email, can trigger a multi-million dollar wire transfer to a fraudulent account. The KnowBe4 Cyber Insurance and Security Report (PDF) notes that phishing-resistant authentication and DMARC are increasingly cited as minimum controls in insurance applications and underwriting criteria.

The Pattern: What Every Email Attack Has in Common

Across six years of FBI IC3 PDFs, the IBM Cost of Data Breach reports, the Verizon DBIR analyses, and Coalition’s claims data, every email-initiated attack follows the same pattern:

Step 1: An attacker sends an email that appears to come from a trusted domain: a CEO, a vendor, a title company, a government colleague. The email looks legitimate because the sender address matches a real organization.

Step 2: The recipient, trusting the apparent sender, takes action: clicks a link, opens an attachment, provides credentials, or initiates a wire transfer.

Step 3: Funds are transferred, credentials are harvested, ransomware is deployed, or data is exfiltrated. By the time the deception is discovered, the damage is done.

DMARC at enforcement breaks this chain at Step 1. If the attacker cannot spoof the sender’s domain, the email is blocked before it reaches the recipient. Steps 2 and 3 never happen. The wire is never sent. The credentials are never entered. The ransomware is never deployed.

This is why the CISA Healthcare DMARC guidance (PDF) says that DMARC provides an automated approach to reducing fraudulent email before it ever reaches an employee’s inbox. And why the CISA Enhance Email and Web Security guidance (PDF) recommends setting DMARC to p=reject. The government has told you, on the record, in official PDFs, that DMARC enforcement is the solution.

The Prevention Roadmap: How to Avoid Becoming the Next Case Study

Step 1: Publish DMARC at p=none on Every Domain

Every domain your organization owns needs a DMARC record, including domains you do not actively use for sending. The EasyDMARC 2025 PDF shows that valid DMARC records grew from 523,921 to 937,931 among the top 1.8 million domains, but 525,996 remain at p=none, the policy that the Kimsuky advisory (PDF) explicitly identifies as exploitable.

Step 2: Deploy a DMARC Report Analyzer

The CISA email security PDF states that reading and understanding DMARC reports is extremely difficult without a tool. The analyzer transforms raw XML reports into operational intelligence: which services send email on your behalf, which are properly authenticated, and which represent unauthorized activity.

Step 3: Authenticate Every Legitimate Sender

For each identified sender, configure SPF and DKIM alignment. The PowerDMARC 2026 PDF notes that DMARC, when properly implemented and enforced, remains one of the most effective controls for reducing phishing risk. Proper implementation means every legitimate sender passes authentication with alignment.

Step 4: Move to p=reject

Advance through p=quarantine to p=reject using phased enforcement. The CISA Healthcare DMARC PDF recommends this staged approach with feedback loops. Once at p=reject, all exact-domain spoofed email from your domain is rejected by DMARC-evaluating receivers before it reaches any recipient.

Step 5: Monitor Continuously

The 2025 IC3 PDF documents that cybercrime threats continue to evolve, with AI accelerating attack sophistication. Ongoing DMARC monitoring through an analyzer catches new unauthorized senders, configuration drift, and spoofing attempts, ensuring your enforcement remains effective as the threat landscape evolves.
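Steps 2 and 5 both rely on reading DMARC aggregate (RUA) reports. The following added example (not code from this site or from any analyzer product) shows the core of that analysis: it parses one aggregate report, groups rows by source IP, separates aligned passes from failures, and counts how many failing messages were still delivered because the published policy is p=none. The report XML is constructed in the RFC 7489 Appendix C format; the IPs and domains are not real.

```python
# Added example of what a DMARC report analyzer does with one aggregate (RUA) report:
# group rows by source IP, separate aligned passes from failures, and show how many
# failing messages were still delivered because the published policy is p=none.
# The report below is constructed in the RFC 7489 Appendix C format, not a real report.
import xml.etree.ElementTree as ET

SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>constructed-1</report_id></report_metadata>
  <policy_published><domain>titleco.example</domain><adkim>r</adkim><aspf>r</aspf><p>none</p></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>420</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>titleco.example</header_from></identifiers>
    <auth_results><dkim><domain>titleco.example</domain><result>pass</result></dkim>
      <spf><domain>titleco.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>titleco.example</header_from></identifiers>
    <auth_results><spf><domain>attacker-mailer.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>"""

def summarize_rua(xml_text: str) -> dict:
    """Per-source summary of an aggregate report. policy_evaluated holds the
    *aligned* SPF/DKIM verdicts, so a raw SPF pass for a foreign domain still
    counts as a DMARC failure (the 198.51.100.7 record above)."""
    root = ET.fromstring(xml_text)
    sources: dict = {}
    delivered_unauthenticated = 0
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        evaluated = rec.find("row/policy_evaluated")
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        src = sources.setdefault(ip, {"messages": 0, "dmarc_pass": 0, "dmarc_fail": 0})
        src["messages"] += count
        src["dmarc_pass" if passed else "dmarc_fail"] += count
        if not passed and evaluated.findtext("disposition") == "none":
            delivered_unauthenticated += count  # reached inboxes: the cost of p=none
    return {
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "sources": sources,
        # Sources that never produced an aligned pass are either spoofing attempts or a
        # legitimate sender nobody has authenticated yet: resolve each one before p=reject.
        "unauthorized": sorted(ip for ip, s in sources.items() if s["dmarc_pass"] == 0),
        "delivered_unauthenticated": delivered_unauthenticated,
    }

if __name__ == "__main__":
    print(summarize_rua(SAMPLE_RUA))
```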

[Figure: Roadmap to DMARC Enforcement Guide]

The Bottom Line: Every Breach Is a Case Study Someone Else Could Learn From

The PDF evidence is overwhelming. Six years of FBI IC3 reports documenting $15.69 billion in BEC losses alone. IBM’s research showing $4.88-$5.08 million per breach. Verizon’s data confirming phishing as the top initial access vector across industries. Coalition’s claims data proving that a single spoofed email, not malware, not an exploit, just a spoofed email, can trigger a $2.1 million wire transfer. And three separate FBI/NSA advisories documenting how North Korean state actors specifically exploit weak DMARC policies.

In every case, the attack followed the same pattern: an email that appeared to come from a trusted domain, a recipient who trusted it, and an action that could not be reversed. In every case, DMARC at enforcement would have blocked the spoofed email before it reached any inbox.

The organizations in these case studies did not plan to become case studies. They were caught by a vulnerability they either did not know about or did not prioritize. The cost was measured in millions of dollars, months of forensic investigation, regulatory scrutiny, and irreparable damage to trust.

A DMARC report analyzer is how you ensure your organization does not become the next case study. It provides the visibility to discover every sender on your domain, the diagnostics to fix authentication failures, the phased enforcement to reach p=reject safely, and the continuous monitoring to stay protected as threats evolve.

The FBI has given you the data. CISA has given you the guidance. The DMARC standard gives you the technology. A DMARC analyzer gives you the operational path. The only remaining variable is whether your organization acts before or after becoming a statistic in next year’s IC3 report.

References and Sources (PDFs Only)

Every source in this report is a PDF document from a government, institutional, or authoritative industry source:

1. FBI IC3 2025 Annual Report (PDF)

https://www.ic3.gov/AnnualReport/Reports/2025_IC3Report.pdf

2. FBI IC3 2024 Annual Report (PDF)

https://www.ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf

3. FBI IC3 2023 Annual Report (PDF)

https://www.ic3.gov/AnnualReport/Reports/2023_IC3Report.pdf

4. FBI IC3 2022 Annual Report (PDF)

https://www.ic3.gov/AnnualReport/Reports/2022_ic3report.pdf

5. FBI IC3 2021 Annual Report (PDF)

https://www.ic3.gov/AnnualReport/Reports/2021_ic3report.pdf

6. FBI IC3 2020 Annual Report (PDF)

https://www.ic3.gov/AnnualReport/Reports/2020_ic3report.pdf

7. FBI IC3 Brochure: Top Crime Types (PDF)

https://www.ic3.gov/Outreach/Brochures/ic3-brochure.pdf

8. FBI/NSA/State: Kimsuky DMARC Exploitation Advisory (PDF, May 2024)

https://www.ic3.gov/CSA/2024/240502.pdf

9. FBI FLASH: Kimsuky QR Code Phishing (PDF, January 2026)

https://www.ic3.gov/CSA/2026/260108.pdf

10. NSA/DOD: DPRK Social Engineering Advisory (PDF, June 2023)

https://media.defense.gov/2023/Jun/01/2003234055/-1/-1/0/JOINT_CSA_DPRK_SOCIAL_ENGINEERING.PDF

11. Congressional Research Service: Cybercrime Report (PDF, Aug 2025)

https://www.congress.gov/crs_external_products/IF/PDF/IF13094/IF13094.2.pdf

12. IBM Cost of a Data Breach Report 2024 (PDF)

https://cdn.table.media/assets/wp-content/uploads/2024/07/30132828/Cost-of-a-Data-Breach-Report-2024.pdf

13. IBM Cost of a Data Breach Report 2025 (PDF)

https://www.bakerdonelson.com/webfiles/Publications/20250822_Cost-of-a-Data-Breach-Report-2025.pdf

14. Verizon 2025 DBIR (PDF)

https://its.ny.gov/system/files/documents/2025/06/maguire-verizon.pdf

15. Verizon 2025 DBIR Healthcare Snapshot (PDF)

https://www.verizon.com/business/resources/infographics/2025-dbir-healthcare-snapshot.pdf

16. Verizon 2025 DBIR Retail Snapshot (PDF)

https://www.verizon.com/business/resources/infographics/2025-dbir-retail-snapshot.pdf

17. Verizon 2025 DBIR SMB Snapshot (PDF)

https://www.verizon.com/business/resources/infographics/2025-dbir-smb-snapshot.pdf

18. Verizon 2025 DBIR Finance Snapshot (PDF)

https://www.verizon.com/business/resources/infographics/2025-dbir-finance-snapshot.pdf

19. AHLA/Verizon DBIR Retail Analysis (PDF)

https://www.ahla.com/sites/default/files/2025-Verizon-Data-Breach-Investigation-Report-Analysis.pdf

20. Coalition 2025 Cyber Claims Report (PDF)

https://www.actuarialpost.co.uk/downloads/cat_1/Coalition_2025-Cyber-Claims-Report.pdf

21. KnowBe4: Cyber Insurance and Security Report (PDF)

https://www.knowbe4.com/hubfs/Insurance-Report-WhitePaper-2025-EN-US_F.pdf

22. ESET APT Activity Report Q4 2024-Q1 2025 (PDF)

https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-apt-activity-report-q4-2024-q1-2025.pdf

23. CISA: DMARC for Healthcare Organizations (PDF)

https://www.cisa.gov/sites/default/files/publications/CISA%20DMARC%20HDO_040721_508.pdf

24. CISA: Enhance Email & Web Security (PDF)

https://www.cisa.gov/sites/default/files/publications/CISAInsights-Cyber-EnhanceEmailandWebSecurity_S508C-a.pdf

25. EasyDMARC 2025 DMARC Adoption Report (PDF)

https://pub-mediabox-storage.rxweb-prd.com/exhibitor/document/exh-5d328a84-b7a5-4a27-b748-b429fb1e1cdf/aebd6e81-ff23-4fab-9cf0-b7f4be42a02c.pdf

26. PowerDMARC: Phishing & DMARC Statistics 2026 (PDF)

https://powerdmarc.com/wp-content/uploads/2026/01/Email-Phishing-and-DMARC-Statistics-2025-Security-Trends.pdf

27. FBI Releases 2024 IC3 Report Summary (PDF)

https://mstis.com/wp-content/uploads/2025/05/FBI-Releases-2024-Internet-Crime-Report.pdf

About the author: Brad Slavin, General Manager. Founder and General Manager of DuoCircle. Product strategy and commercial lead for DMARC Report's 2,000+ customer base.
