Financial losses related to cybercrimes of all types increased 33% last year, even as the number of complaints fielded by the Internet Crime Complaint Center declined.

Losses totaled $16.6 billion in 2024, with the average loss per incident jumping to $19,372 from $14,197 in 2023.

The No. 1 complaint to IC3, a part of the Federal Bureau of Investigation, was for phishing/spoofing, at 193,407 reports. Business email compromise, one of the leading causes of losses when it comes to real estate transactions according to CertifID, ranked seventh at 21,442. Real estate cybercrime had 9,359 complaints in 2024.

In 2023, 21,489 instances of BEC were reported, and 21,832 in the year before that. For real estate, this compared with 9,521 in 2023 and 11,727 in 2022.

But by dollars lost, BEC was second at $2.8 billion; real estate losses were $173.6 million. These figures cover only the cases that were reported to IC3, noted CertifID’s annual analysis of the data, written by Matt O’Neill along with the company’s Will Looney. O’Neill is the former managing director of the Secret Service’s Global Investigative Operations Center.

BEC losses were down from $2.9 billion in 2023 but higher than $2.7 billion in 2022. In 2022, real estate losses totaled $397 million, but slipped to $145.2 million the following year.

In a separate report released on April 16, FundingShield found that, after four straight quarters of decline, a higher percentage of mortgage loans had at least one issue that could contribute to wire and/or title fraud in the three months ended March 31.

On average, every problematic loan — whether residential, commercial or business purpose — had 2.5 issues, which is a new record, according to FundingShield. This indicates the lack of appropriate controls by closing agents and lenders to identify and fix issues, according to CEO Ike Suri.

In the first quarter, 46.8% of mortgages in an almost $80 billion portfolio FundingShield examined were cited for potential wire or title fraud issues. This was up from 45.5% in the fourth quarter but down from 48% one year ago.

During 2024, cyber-enabled fraud added up to $13.7 billion of losses, or 83% of the total, but just 38% of the complaints, IC3 said.

“While deepfakes, audio spoofing, and other forms of AI-enabled fraud indeed empower fraudsters, the truth is more frustrating,” the CertifID report said. “The attacks that are winning aren’t new or sophisticated; they’re just effective,” hitting on a similar theme to the FundingShield report.

BEC works because it relies on trust, routine and some distraction, including a spoofed email and a rushed wire transfer. The fraudsters keep using this tactic precisely because it is working. “For the teams that want to combat this threat, that means refocusing on the basics,” Looney and O’Neill said.

For the sixth consecutive quarter, FundingShield found wire-related errors in more than 8% of transactions, at 8.4% for the period. More importantly, closing protection letter validation errors reached a record level in the first quarter, at 10.8% of transactions; these involved data points such as borrower information, vesting/vested parties, non-borrowing parties on title, property addresses and more.

The government-sponsored enterprises, likely prodded by Federal Housing Finance Agency Director Bill Pulte, are placing additional focus on closing agent risk management for loan sellers, the commentary to the report from Suri said.

“FundingShield received requests for data from many of its lender clients that sell to Fannie Mae who recently underwent Mortgage Origination Risk Assessment Audits during Q1 2025,” Suri said. “Fannie Mae had reached out to our clients, asking them to confirm the risk framework, measurement, and tracking the lender used to conduct transaction-level risk reviews of the closing agent, the title insurance firm, and transaction-specific details at the time of closing on each loan sold to them.”

The FHFA was looking at whether the lenders did the check at the time the loan closed and whether it was transaction-specific, rather than just using a list of approved agents which was updated “‘X’ days, months or years ago,” Suri said.

The CertifID report compared fraud prevention to mastering the basics, using a play designed by Vince Lombardi called the Packer Sweep as the example. Much like the Tush Push run by the Super Bowl Champion Philadelphia Eagles, even though the defense knows it is coming, it is hard to stop.

Lombardi would drill the Packer Sweep over and over. “We will run it, and we will run it again and again, until everybody in the stadium knows we’re going to run it — and we’ll still gain four yards,” the CertifID report quoted Lombardi as saying.

“Business email compromise isn’t new or clever,” O’Neill and Looney said. “Yet many organizations still haven’t mastered their basic plays to get yards on the fraudsters.”