THE FOWLER GROUP | CYBER BRIEF | LEGAL EDITION
This brief distills the FBI’s 2025 Internet Crime Report for managing partners, general counsel, CISOs, and IT directors at law firms. Legal services led all non-critical-infrastructure sectors in ransomware reporting in 2025, and the figures below cover the threats most relevant to legal practice.
| 1,008,597 Total Complaints | $20.9B Total Losses | +26% YoY Loss Increase | $20,699 Average Loss |
National Threat Overview
The FBI’s Internet Crime Complaint Center (IC3) received 1,008,597 complaints in 2025—the first time the million-complaint threshold has been crossed—with reported losses totaling $20.877 billion, a 26% increase over 2024. The average reported loss was $20,699 per complaint.
Investment fraud dominated at $8.6 billion, followed by business email compromise ($3.0B), tech/customer support scams ($2.1B), personal data breaches ($1.3B), and confidence/romance fraud ($929M). Cryptocurrency was involved in $11.4 billion in total losses, up 22% year over year. Phishing/spoofing was the highest-volume crime type by count (191,561 complaints).
Ransomware Landscape
IC3 received 3,611 ransomware complaints with $32 million in directly reported losses—a figure the FBI acknowledges significantly understates true costs because many entities do not report lost business, time, wages, files, equipment, or third-party remediation. The top 10 reported variants (Akira, Qilin, INC/Lynx/Sinobi, BianLian, Play, Ransomhub, Lockbit, Dragonforce, SAFEPAY, Medusa) accounted for 56.8% of all incidents. IC3 identified 63 new variants in 2025, averaging over five new strains per month.
Legal Services: #1 Ransomware Target Outside Critical Infrastructure
Legal services accounted for 18% of all non-critical-sector ransomware complaints filed with IC3—the single largest industry category outside the 16 designated critical infrastructure sectors. Contracting services (17%), engineering/architectural services (10%), consulting services (7%), and non-critical manufacturing (5%) followed. IC3 received more than 1,400 ransomware complaints from non-CI businesses and organizations, meaning legal services accounted for roughly 250+ of those incidents.
The top 10 ransomware variants—Akira, Qilin, INC/Lynx/Sinobi, BianLian, Play, Ransomhub, Lockbit, Dragonforce, SAFEPAY, and Medusa—accounted for 56.8% of all incidents and approximately half of all reported losses. IC3 identified 63 new variants in 2025 (5.25 per month), requiring continuous updates to detection capabilities.
The Silent Ransom Group was specifically called out in a May 23, 2025 IC3 Industry Alert for targeting law firms via callback phishing and data exfiltration without encryption—a double-extortion variant that steals data without deploying ransomware, making detection more difficult. The Scattered Spider advisory (July 29, 2025) and the BlackSuit (Royal) disruption announcement (August 11, 2025) further highlight the FBI’s focus on threat actors targeting professional services.
The $32 million in directly reported ransomware losses nationally understates true costs significantly. The FBI notes that figures typically exclude lost business, time, wages, files, equipment, and third-party remediation—all of which hit law firms particularly hard given billable hour economics, client notification obligations, and reputational damage.
Business Email Compromise & Real Estate Fraud
BEC generated $3.046 billion in losses from 24,768 complaints—a 10% increase in losses over 2024. For law firms, BEC manifests most acutely in real estate closings, M&A escrow, trust account disbursements, and client settlement payments. Wire transfer/ACH was the transaction method in 86% of BEC complaints.
Real estate fraud specifically generated $275 million in losses from 12,368 complaints. The IC3 documented multiple cases where compromised emails impersonating attorneys led to six- and seven-figure wire diversions. In one case, a Missouri senior citizen closing on a property received a compromised email from the “title company” with fraudulent wire instructions for over $1.3 million. In another, a $6 million BEC against an Oregon government office was traced to the same fraudulent recipient account used in the earlier real estate closing scam—demonstrating how attackers reuse infrastructure across multiple victims.
In a third case, individuals closing on a home received an email impersonating their attorneys directing a wire of over $449,000 to a fraudulent account. After their bank and actual attorneys failed to reach the recipient bank, the IC3 Financial Fraud Kill Chain (FFKC) successfully froze the full amount.
Investment club scams generated approximately 1,600 complaints and $160 million in losses, targeting investors through social media and messaging platforms. Law firms advising clients on investment matters should be aware of these schemes and their increasingly sophisticated use of AI-generated endorsements.
Account Takeover & Credential Compromise
Account Takeover (ATO) fraud generated approximately 4,700 complaints and $359.7 million in losses. For law firms, ATO of partner and associate email accounts is frequently the entry point for BEC—attackers monitor email threads for pending transactions, learn communication patterns, and inject fraudulent wire instructions at the precise moment of maximum credibility.
The FFKC saw a notable rise in Tech Support and ATO-related initiations in 2025. ATO incidents can involve 50 or more simultaneous ACH transactions to different recipient accounts at multiple banks, making rapid detection and response critical. The IC3 emphasized that knowing your financial institution’s recall policies in advance is essential.
SIM swap attacks (971 complaints, $17.4 million in losses) provide another credential compromise vector. Attackers use social engineering against mobile carriers to redirect a victim’s phone service to an attacker-controlled device, intercepting MFA codes and password resets. Partners and firm administrators with access to banking and trust account systems are high-value SIM swap targets.
AI-Enabled Threats to Legal Practice
Over 22,364 complaints referenced AI, with $893 million in associated losses. The AI vectors most relevant to law firms:
- AI-enhanced BEC ($30+ million in reported AI-linked BEC losses): Chat generators produce emails that closely mimic the tone and style of specific partners or executives. Voice cloning enables phone calls that sound like a managing partner authorizing an urgent wire transfer. These attacks bypass the “does this email sound right?” intuition that has traditionally been a last line of defense.
- AI in investment fraud ($632 million): AI-generated videos featuring deepfaked celebrities and CEOs create convincing fraudulent investment opportunities. High-net-worth attorneys are targeted through social media, messaging apps, and dating platforms.
- Distress scams using voice cloning ($5+ million): Voice cloning technology mimics a loved one in distress to extract emergency payments. This vector is evolving to impersonate various family members in different emergency scenarios, and can target anyone—including firm partners during business hours.
- Employment fraud with AI ($13 million): Deepfake video during online interviews allows applicants to misrepresent their identity. The primary goal appears to be gaining network access rather than financial theft, making this relevant to firms hiring remote paralegals, IT staff, or contract developers.
DPRK IT Worker Threat
IC3 identified dozens of victim companies of the DPRK IT worker scheme. North Korean operatives obtained remote positions, then exfiltrated proprietary and sensitive data and facilitated cyber-criminal activities. The FBI published two advisories in 2025 (January and July) on this threat, noting that DPRK IT workers have escalated to conducting data extortion against former employers.
For law firms using contract developers, remote IT support, or outsourced document review platforms, this threat demands rigorous identity verification: live on-camera interviews with identity document validation, monitoring for anomalous remote access patterns, and awareness that AI-generated interview performances are an active tactic.
Phishing, Extortion & Data Breach
Phishing/spoofing remained the highest-volume crime type by complaint count (191,561 complaints, $216 million in losses)—a threefold increase in losses over 2024 despite slightly fewer complaints. For law firms, phishing is typically the initial access vector for both BEC and ransomware campaigns.
Extortion generated 89,129 complaints and $122 million in losses. While much of this volume relates to sextortion, law firms also face extortion via data theft (exfiltration of client-privileged material followed by ransom demands) and DDoS threats.
Data breaches generated 3,963 complaints and $435 million in losses. For firms holding client-privileged material, a data breach carries cascading obligations: client notification, bar disciplinary exposure, malpractice claims, and potential disqualification from pending matters.
FBI Response & Asset Recovery
The FFKC processed 3,900 incidents in 2025, freezing $679 million of $1.16 billion in attempted theft (58% success rate). The three FFKC case studies highlighted in the report all involved BEC scenarios directly relevant to legal practice: a fraudulent real estate closing ($1.3M), a government office BEC ($6M), and a BEC impersonating attorneys ($449K). In all three cases, IC3 reporting enabled successful fund freezes.
Operation Level Up notified 3,780 crypto investment fraud victims, saving $226 million. The DOJ Scam Center Strike Force is targeting Southeast Asian organized crime compounds. Joint operations in India by the FBI and India’s Central Bureau of Investigation (CBI) produced approximately 175 arrests through 13 operations focused on call center fraud, including Operation Chakra, which dismantled a Noida-based network responsible for $48.7 million in losses.
Regulatory & Compliance Implications
ABA Model Rule 1.6 (duty of confidentiality) and state bar ethics opinions increasingly interpret cybersecurity failures as potential competence violations under Rule 1.1. The IC3 data—particularly the 18% legal-services ransomware concentration, Silent Ransom Group targeting, and BEC/real estate fraud patterns—provides concrete, quantifiable justification for security investments that firm leadership may otherwise view as overhead.
Firms with IOLTA and fiduciary trust accounts face additional regulatory exposure from state bar client protection fund rules and banking regulators’ expectations for controls over wire transfer processes.
The FBI’s mitigation recommendations—offline, encrypted, immutable backups; elimination of default credentials; network segmentation; MFA on all services; EDR deployment; and timely patching—map directly to the reasonable safeguards standard used in malpractice and ethics proceedings. Documenting adoption of these controls creates a defensible record.
Cyber insurance carriers are increasingly scrutinizing law firm security postures. The IC3 loss data—particularly the ransomware, BEC, and ATO figures—provides actuarial context for coverage discussions and reinforces the value of pre-breach investments over post-breach premiums.
Recommended Actions
- Address the Silent Ransom Group threat: review the May 2025 IC3 Industry Alert and validate defenses against callback phishing and data exfiltration without encryption.
- Implement mandatory out-of-band wire verification for all real estate closings, trust account disbursements, and settlement payments; BEC and real estate fraud totaled $3.3B in combined losses.
- Brief firm leadership that legal services is the #1 ransomware target outside critical infrastructure (18% of non-CI complaints), and use that figure to justify EDR, network segmentation, and immutable backup investments.
- Deploy AI-aware training: deepfake voice calls impersonating partners, AI-generated phishing mimicking client communications, and fraudulent investment club endorsements are all active vectors.
- File IC3 complaints immediately upon discovering fraudulent transfers—the three FFKC case studies in the report are all BEC scenarios directly relevant to legal practice, with successful recoveries.
- Vet remote hires rigorously: require live on-camera interviews with identity validation for IT staff, contract developers, and document review personnel given the DPRK IT worker threat.
- Review SIM swap exposure: ensure partners and administrators with trust account access use phishing-resistant MFA (hardware keys) rather than SMS-based authentication.
- Audit ATO defenses: monitor for anomalous email forwarding rules, mailbox delegation changes, and impossible-travel logins that indicate compromised accounts.
- Document security controls adoption aligned to FBI mitigation guidance to strengthen the defensible record for ethics, malpractice, and insurance purposes.
- Evaluate cyber insurance adequacy against the IC3 loss data—$32M in reported ransomware losses excludes remediation, notification, business interruption, and reputational costs.
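One way to run the ATO audit item in the list above, as an added example that is not from the IC3 report or The Fowler Group: it scans sign-in and mailbox-rule events for impossible-travel logins and for forwarding rules that send mail outside the firm. The event schema, the `firm.example` domain, the speed threshold and every sample event are constructed assumptions; map them to your mail platform's audit export.

```python
import math
from datetime import datetime

# Constructed sample audit events (not real logs); field names are assumptions.
FIRM_DOMAIN = "firm.example"
MAX_KMH = 900  # roughly airliner cruise speed; tune for your environment
EVENTS = [
    {"type": "login", "user": "partner@firm.example", "time": "2025-03-04T14:02:00", "lat": 39.10, "lon": -94.58},
    {"type": "login", "user": "partner@firm.example", "time": "2025-03-04T15:10:00", "lat": 1.35, "lon": 103.82},
    {"type": "forward_rule", "user": "partner@firm.example", "time": "2025-03-04T15:14:00", "target": "archive@mail.example.net"},
    {"type": "login", "user": "associate@firm.example", "time": "2025-03-04T09:00:00", "lat": 39.10, "lon": -94.58},
    {"type": "login", "user": "associate@firm.example", "time": "2025-03-04T13:30:00", "lat": 38.63, "lon": -90.20},
    {"type": "forward_rule", "user": "associate@firm.example", "time": "2025-03-04T13:40:00", "target": "paralegal@firm.example"},
]

def km_between(a, b):
    """Great-circle (haversine) distance in km between two events with lat/lon."""
    p1, p2 = math.radians(a["lat"]), math.radians(b["lat"])
    dlat, dlon = p2 - p1, math.radians(b["lon"] - a["lon"])
    h = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 6371 * 2 * math.asin(math.sqrt(h))

def find_ato_signals(events):
    """Return (signal, user, time) tuples for the two ATO indicators checked here."""
    alerts, last_login = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO timestamps sort as text
        when = datetime.fromisoformat(ev["time"])
        if ev["type"] == "login":
            prev = last_login.get(ev["user"])
            if prev:
                hours = (when - prev[0]).total_seconds() / 3600
                dist = km_between(prev[1], ev)
                # Ignore short hops (geo-IP jitter); floor the interval at one minute.
                if dist > 100 and dist / max(hours, 1 / 60) > MAX_KMH:
                    alerts.append(("impossible_travel", ev["user"], ev["time"]))
            last_login[ev["user"]] = (when, ev)
        elif ev["type"] == "forward_rule":
            domain = ev["target"].rsplit("@", 1)[-1].lower()
            if domain != FIRM_DOMAIN:  # exact match: firm subdomains are flagged too
                alerts.append(("external_forward", ev["user"], ev["time"]))
    return alerts

if __name__ == "__main__":
    for alert in find_ato_signals(EVENTS):
        print(alert)
```

An impossible-travel alert followed minutes later by a new external forwarding rule on the same mailbox is a stronger signal than either alone; VPN egress points and geo-IP errors produce travel alerts on their own.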
Source: FBI Internet Crime Complaint Center (IC3) 2025 Annual Report. Analysis and sector framing by The Fowler Group, LLC.