The $3 billion email problem: What the FBI's 2025 IC3 report means for the DACH mid-market
The FBI’s Internet Crime Complaint Center released its 2025 annual report a few weeks ago. One number stands out for anyone who runs a mid-sized business: business email compromise generated $3.046 billion in reported losses in the United States last year — across just 24,768 complaints. That works out to an average reported loss of roughly $123,000 per incident.
BEC is now the second-most financially destructive cybercrime tracked by the FBI, behind only investment fraud. And while the IC3 numbers are American, the mechanics travel: the same impersonation tactics, the same wire-transfer payloads, the same gap between “we have email security” and “our domain is actually protected.”
For the DACH mid-market, this matters more in 2026 than in any previous year. Three things have changed: NIS2 is now operational and creates personal liability for managing directors. The Bitkom Wirtschaftsschutz study reports record damages of €289 billion to the German economy. And AI-assisted phishing has, in the FBI’s own words, made detection methods built around spotting poor grammar “increasingly obsolete.”
This post breaks down what the IC3 numbers actually show, what they imply for DACH businesses, and which technical control closes the largest part of the gap — without requiring an enterprise security budget.
What the FBI numbers actually say about BEC
A few details from the 2025 IC3 report are worth pulling out, because the headline number alone doesn’t tell the full story.
Volume vs. impact. The 24,768 BEC complaints are a small slice of the total 1,008,597 complaints filed with IC3 in 2025. But the financial damage per complaint is disproportionate: BEC accounts for less than 3% of complaint volume but 14.6% of total reported losses. This is not a high-frequency, low-impact crime — it’s the opposite.
The wire-transfer reality. According to the report, 86% of BEC-related financial losses occurred through wire transfer or ACH transactions. Once funds are wired, recovery windows are measured in hours, not days. The FBI’s own Recovery Asset Team works through a “Financial Fraud Kill Chain” process that can intercept funds — but only when complaints are filed within roughly 72 hours of the transfer.
AI is scaling, not transforming, the threat. The 2025 report includes a dedicated section on AI-assisted fraud. BEC scams with a confirmed AI nexus accounted for over $30 million in losses, a small but rapidly growing slice. The more important point from the report: AI is not creating new attack categories. It’s making existing ones cheaper to scale and harder to detect by language quality alone.
Year-over-year trajectory. BEC complaints rose from 21,442 in 2024 to 24,768 in 2025, with losses climbing from $2.77 billion to $3.04 billion. The category has held its position as a top-two loss type for multiple consecutive years. This is not a spike — it’s a stable, expanding threat.
Why DACH mid-market firms are the textbook target
The FBI dataset is U.S.-centric, but the structural reasons BEC works generalize.
A typical BEC attack does not require breaking into a company’s mail server. The attacker registers a similar-looking domain, or — even simpler — sends from any domain and forges the visible “From” address. The receiving server has to decide whether to trust the message. If the impersonated domain has no DMARC record, or has DMARC set to p=none (monitoring only), the receiving server has no policy to enforce. The forged email lands in the inbox.
This is exactly the configuration that dominates the DACH mid-market. In a study I conducted earlier this year across 503 DACH domains spanning 16 industries, 97% had an SPF record and 87% had a DMARC record — but only 56% actually enforce DMARC with p=quarantine or p=reject. Roughly one in three DACH domains with DMARC is in monitoring mode: visibility without protection.
The Bitkom Wirtschaftsschutz 2025 study, surveying over 1,000 German companies, reports that 87% of companies were affected by data theft, espionage, or sabotage in the past twelve months — up from 81% the previous year. Total damages reached €289.2 billion, roughly 70% of which trace to cyberattacks. Phishing and social engineering remain the most common attack vectors.
The combination is uncomfortable: DACH mid-market firms are being targeted at near-universal rates, the financial mechanics that make BEC profitable in the U.S. apply equally in Europe, and the technical control that breaks the attack — strict DMARC enforcement — is implemented by barely half of the relevant domains.
The NIS2 dimension: from best practice to legal duty
Until 2025, DMARC enforcement was a recommendation. With NIS2 operational and the Cybersicherheitsstärkungsgesetz (BSIG) implementing it in German law, the picture has shifted.
NIS2 covers an estimated 29,500 German organizations classified as “essential” or “important” entities. The scope extends well beyond classical critical infrastructure to include healthcare, food production, logistics, manufacturing, and digital service providers. §30 BSIG requires “appropriate technical and organizational measures” to manage cybersecurity risk — and §38 establishes personal liability for executives in cases of gross negligence. Fines can reach €10 million or 2% of annual global turnover.
Email authentication is not named in the law. But under generally accepted interpretation, it falls squarely within “appropriate technical measures.” The reasoning is straightforward: BEC is a recognized, well-documented attack pattern. SPF, DKIM, and DMARC are recognized, documented countermeasures. A breach traceable to domain spoofing on a domain with p=none is hard to defend as anything other than negligence.
This is not legal advice — that conversation belongs with your counsel. But the trajectory is clear. Where DMARC enforcement was a “should” two years ago, it is now part of the documented baseline that auditors, insurers, and regulators expect to see.
Why p=none is the worst place to be
Of the 87% of DACH domains with a DMARC record, the largest single group sits at p=none. This is, paradoxically, the worst configuration to remain in long-term — worse than having no DMARC at all.
A domain with no DMARC record signals to receiving servers: “no policy declared, apply your default.” Many large mailbox providers now apply increasingly strict defaults of their own.
A domain with p=none actively tells receiving servers: “deliver everything, including failures, but send me a report.” The forged emails go through. The legitimate domain owner receives reports about spoofing attempts — but takes no action to block them. The recipient remains unprotected.
Organizations get stuck at p=none for understandable reasons. Three are dominant:
Fear of breaking legitimate email. Marketing automation, payroll providers, ticketing systems, CRM platforms, transactional email vendors — each one is a sender that needs to be authenticated. Moving to p=quarantine or p=reject without first identifying every legitimate sender means breaking real business email.
Lack of sender visibility. DMARC aggregate reports (RUA) are the mechanism that surfaces every IP and domain sending email on your behalf. They are also notoriously hard to read — XML files, sent daily by every receiving mail provider, often hundreds per week.
No translation from report to action. Even when DMARC reports are parsed, generic warnings like “SPF check failed” don’t tell the operator which DNS record to change. The gap between “we have a problem” and “here is the fix” is where most projects stall.
The combination produces a stable equilibrium: DMARC is configured (because compliance requires it), but stays at p=none (because moving forward feels risky). The result is documentation theater — a record exists, no protection is delivered.
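To make the report-to-action gap concrete, here is an added example (not from the original post, and not DMARCPulse code) that parses a constructed aggregate report in the RFC 7489 XML layout and turns each sending source's aligned DKIM/SPF verdicts into a specific next step; the firma.example domain, the IPs and the counts are made up.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample aggregate (RUA) report in the RFC 7489 XML layout.
# Org name, domain and IPs are documentation values, not real report data.
SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>mailbox-provider.example</org_name><report_id>42</report_id></report_metadata>
  <policy_published><domain>firma.example</domain><p>none</p></policy_published>
  <record><row><source_ip>203.0.113.10</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>firma.example</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>12</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>firma.example</header_from></identifiers></record>
  <record><row><source_ip>192.0.2.55</source_ip><count>300</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>firma.example</header_from></identifiers></record>
</feedback>"""

def classify(dkim, spf):
    """Map the aligned DKIM/SPF verdicts of one source to an operator action."""
    if dkim == "pass" and spf == "pass":
        return "ok"
    if dkim == "pass":        # signs with our key but is missing from SPF: add it to the SPF record
        return "add_to_spf"
    if spf == "pass":         # in SPF but no aligned DKIM signature: set up DKIM for this sender
        return "configure_dkim"
    return "unauthenticated"  # neither aligned: spoofing or a forgotten sender; blocked at p=reject

def summarize_rua(xml_text):
    """Reduce one aggregate report to per-source actions and message totals per action."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.iter("record"):
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        rows.append({"ip": rec.findtext("row/source_ip"),
                     "count": int(rec.findtext("row/count")),
                     "action": classify(dkim, spf)})
    totals = Counter()
    for r in rows:
        totals[r["action"]] += r["count"]
    return {"policy": root.findtext("policy_published/p"), "rows": rows, "totals": dict(totals)}

if __name__ == "__main__":
    s = summarize_rua(SAMPLE_RUA)
    print(f"published policy: p={s['policy']}")
    for r in s["rows"]:
        print(f"{r['ip']:>15} {r['count']:>5} {r['action']}")
```

In the sample, 300 of 352 messages came from a source that passed neither check and was still delivered because the published policy is p=none.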
What actually closes the gap
Three concrete moves, in order of priority:
1. Move beyond p=none on a defined timeline. Aggregate reports need to be analyzed, every legitimate sender identified, SPF and DKIM fixed for each one, and policy progressed through p=quarantine to p=reject. This is not a weekend project, but for most DACH mid-market domains it’s a matter of weeks, not months — once the reporting pipeline is in place.
2. Deploy MTA-STS. At 8.2% adoption across DACH, MTA-STS is the most under-deployed email security control in the region. It enforces TLS encryption for inbound mail and protects against SMTP downgrade attacks. The setup requires a DNS record and a policy file hosted over HTTPS. The healthcare sector — handling patient data — sits at 15% adoption, better than the regional average but still leaving 85% of healthcare domains exposed.
3. Enable DNSSEC. At 15.7% DACH adoption, DNSSEC remains a minority practice. It protects against DNS hijacking and cache poisoning attacks. Most DNS providers can enable it with a few clicks; the technical lift is small relative to the attack surface it closes.
None of these steps requires an enterprise security budget. All of them are visible to auditors and insurers. All of them break specific BEC attack patterns that the FBI’s $3 billion number reflects.
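As an added example (not part of the original post, and not DMARCPulse code), the checks an auditor would apply to the published configuration for steps 1 and 2: a DMARC record parser that flags monitoring mode and other weak settings, beside an MTA-STS policy-file check, each run on a constructed monitoring-only record and its enforcing counterpart. The firma.example domain and the mailto address are assumed.

```python
# Constructed sample records for a documentation domain (not a real configuration): the
# monitoring-only DMARC record beside the enforcing target, and MTA-STS in testing vs. enforce.
DMARC_MONITORING = "v=DMARC1; p=none; rua=mailto:dmarc@firma.example"
DMARC_ENFORCING = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@firma.example"
MTA_STS_TESTING = "version: STSv1\nmode: testing\nmx: mail.firma.example\nmax_age: 86400\n"
MTA_STS_ENFORCE = "version: STSv1\nmode: enforce\nmx: mail.firma.example\nmax_age: 604800\n"

def parse_dmarc(record):
    """Split a 'tag=value; tag=value' DMARC TXT record into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def assess_dmarc(record):
    """Return (policy, weaknesses); policy is 'missing', 'none', 'quarantine' or 'reject'."""
    t = parse_dmarc(record)
    if t.get("v") != "DMARC1" or "p" not in t:
        return "missing", ["no DMARC record: receivers fall back to their own defaults"]
    p, weak = t["p"].lower(), []
    if p == "none":
        weak.append("p=none: failing mail is delivered and only reported")
    elif int(t.get("pct", "100")) < 100:
        weak.append("pct below 100: policy is applied to a sample of failing mail only")
    if t.get("sp", p).lower() == "none":
        weak.append("sp=none: subdomains of the organizational domain stay spoofable")
    if "rua" not in t:
        weak.append("no rua= address: no aggregate reports, so no sender visibility")
    return p, weak

def assess_mta_sts(policy_text):
    """Check an MTA-STS policy file (RFC 8461 'key: value' lines); returns (mode, weaknesses)."""
    fields, mx, weak = {}, [], []
    for line in policy_text.splitlines():
        if ":" not in line:
            continue
        k, v = (s.strip() for s in line.split(":", 1))
        if k == "mx":
            mx.append(v)          # a policy may list several MX patterns
        else:
            fields[k] = v
    mode = fields.get("mode")
    if mode != "enforce":
        weak.append(f"mode={mode}: receivers only report, they still deliver without TLS")
    if not mx:
        weak.append("no mx lines: the policy names no MX hosts to validate")
    return mode, weak
```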
The honest summary
The FBI IC3 numbers are American, but the underlying pattern is universal. BEC works because impersonation is cheap, wire transfers are fast, and recovery is slow. The single technical control that breaks the impersonation step — strict DMARC enforcement — is implemented correctly by only 56% of DACH domains. NIS2 has shifted the implementation question from “should we” to “when will we be asked why we didn’t.”
For mid-market firms in DACH, the next twelve months are the window where doing this work is still preventive rather than reactive. The cost of getting to p=reject with continuous monitoring is a fraction of one prevented incident. The cost of explaining a successful BEC attack on an unprotected domain — to the board, to the BSI, to insurers, to the affected counterparties — is a different category of expense altogether.
DMARCPulse helps DACH organizations close the enforcement gap. Instead of generic warnings, it delivers actionable recommendations with specific DNS values you can copy and paste, parses aggregate reports continuously, and tracks progress toward enforcement over time. Fixed price per domain, no volume limits, 14-day free trial without credit card. Start at dmarcpulse.io.
Sources: FBI Internet Crime Complaint Center, 2025 Annual Report (ic3.gov). Bitkom Wirtschaftsschutz 2025. DACH Email Security Adoption Report 2026 (DMARCPulse, 503 domains analyzed). NIS2 / §30 BSIG.