FBI Now Tracks AI Scams Separately. $893M Lost in One Year.

For the first time in 26 years, the FBI's Internet Crime Complaint Center separated AI fraud into its own category. The numbers show why that matters now.

Key Takeaways

  • The FBI's IC3 report released April 2026 tracked AI-related fraud as a distinct category for the first time in the agency's 26-year reporting history, logging 22,364 complaints and $893 million in losses for 2025 alone.
  • Voice cloning scams now require only three seconds of audio from social media to generate a convincing fake emergency call, and scammers are successfully impersonating family members, executives, and government officials.
  • Deepfake video calls have moved from theory to documented million-dollar fraud, including the Arup case where an employee transferred $25 million after a video conference with AI-generated colleagues.

The FBI's Internet Crime Complaint Center has been publishing an annual fraud report since 2000. This year's edition, released in April 2026, includes something it has never tracked before: a standalone category for artificial intelligence.

For the first time in more than two decades, the FBI formally tracked AI-related fraud in its annual cybercrime report. Americans reported nearly $21 billion in cybercrime losses in 2025, the highest total ever recorded. Within that, more than 22,000 complaints were tied to artificial intelligence, totaling about $893 million in losses.

That decision to separate AI fraud into its own reporting bucket signals a watershed moment. The technology isn't just making existing scams slightly better. It's rewriting how fraud works at a fundamental level.

Why the FBI's New AI Fraud Category Matters Right Now

For the first time in the IC3's 26-year history, the FBI formally introduced 'AI-related' as a specific crime descriptor, acknowledging what the fraud industry has known for two years: that AI is no longer simply a tool enhancement for existing crimes but a category-defining force reshaping the entire fraud landscape.

The $893 million figure almost certainly undercounts the real damage. Most victims who receive a polished phishing email, a frantic voice call from a 'family member,' or a video message from their 'CEO' never realize AI was involved. They just know they lost money.

The FBI says Americans reported losing more than $20 billion to scams last year, the first time reported losses have reached that level. The agency also received more than 1 million complaints for the first time in the history of the report. Investigators say artificial intelligence is helping criminals scale their operations faster than ever, making scams harder to detect and more convincing.

Three attack types dominate the AI fraud category, and each one has produced documented cases in the past 90 days with named victims, real dollar amounts, and ongoing investigations.

Voice Cloning: Three Seconds of Audio, Thousands of Dollars Gone

Bay Area mom Deborah Del Mastro was hit with that exact tactic in early May, when a phone call quickly escalated into what felt like a hostage situation. The caller claimed Del Mastro's daughter had been kidnapped by a Mexican drug cartel. Del Mastro heard her daughter's voice over the phone, having a panic attack.

The frantic mom followed the caller's instructions to save her daughter, wiring money from various ATMs. Del Mastro told ABC7 News she only called her daughter after she sent $5,400 to scammers. Her daughter picked up right away, and Del Mastro quickly realized the scam.

The technology behind the attack is brutally simple. Three seconds of audio is all it takes. With a small sample of audio, scammers can clone the voice of nearly anyone and send bogus messages by voicemail or voice messaging texts.

Scammers pull that audio from voicemails, TikTok videos, Instagram Reels, YouTube clips, or any other public source where someone's voice appears. In one instance, just three seconds of audio was enough to produce a clone with an 85% voice match to the original. Train the model with a few more samples and the match rate climbs to 95%.

The old tells don't work anymore. Strange pauses or vocal fluctuations were previously considered red flags that a caller's voice might be AI-generated. But those signals may no longer be present now that AI has advanced.

That's why the standard advice has shifted. Don't try to detect whether the voice sounds real. Families or coworkers can also establish a precautionary 'code word' that can be used to verify each other's identity. It should be a word or phrase that only a small group of people know and isn't discoverable online.

If you get an urgent call from a family member asking for money, hang up and call them back on the number you already have saved. If they answer, the emergency call was fake. If they don't answer, they're probably fine and just unavailable. Either way, you didn't wire $5,000 to a stranger.

The $25 Million Deepfake Video Call That Fooled an Entire Finance Team

Voice cloning is one thing. Live video fraud is another level entirely.

On a single day in early 2024, an Arup finance employee in Hong Kong transferred HK$200 million (roughly US$25 million) across 15 wire transactions to five bank accounts after joining what appeared to be a routine video conference with the company's CFO and several colleagues. Every participant except the employee was AI-generated. The deepfakes were built from publicly available meeting footage. When the employee later contacted a real executive to confirm, the scam unraveled. By then, the money was gone.

The case remains under investigation by Hong Kong police as of early 2026, with no arrests and no recovered funds.

What makes deepfake video calls especially dangerous is that they bypass the intuition most people have developed around phone scams. You can see the person. The video quality is fine and the audio syncs. Everyone looks and sounds exactly right.

The deepfakes in the Arup attack weren't static videos. They were real-time interactive participants in a video conference. That capability was experimental two years ago. In 2026, it's commoditized.

On the dark web, real-time deepfake services for video conferences are already being advertised from around 30 US dollars, including custom face and voice profiles. At the same time, open-source projects give technically minded users everything they need at no cost.

Businesses have started implementing procedural defenses because technical detection alone doesn't cut it. The strongest defense is procedural, not technical: businesses should never allow voice or video alone to authorize sensitive actions. High-risk requests should require independent verification through a separate communication channel, especially for wire transfers, payroll changes, password resets, or requests involving confidential information.

That means if your CFO appears on a Zoom call and asks you to wire $200,000, you call the CFO's known office number and confirm before you move a dollar. The video call is not verification. It's the request.

AI-Generated Phishing That Looks Exactly Like Your Bank

The third major category is the one most people will actually encounter: phishing emails and fake websites that no longer look fake.

Hoxhunt analysts uncovered a 14x surge in AI-generated phishing attacks that bypassed email filters and landed in inboxes. Their share of all reported attacks across the Hoxhunt global threat detection network soared from 4% to 56% over the holiday season. That surge held into 2026.

LLM-powered phishing uses large language models to generate hyper-personalized emails that reference specific organizational details, recent transactions, and individual communication styles. These AI-powered phishing attacks lack the telltale signs that legacy email filters were trained to catch.

The grammar is perfect. The tone matches. The branding is pixel-accurate. AI has erased many of the giveaway signs that once protected consumers. Poor grammar. Robotic voices. Generic pleas for help. Those markers have vanished. What remains looks and sounds exactly like a trusted colleague, a bank representative or a family member in distress.

One documented campaign shows how targeted this has become. Brightside AI documented a campaign targeting 800 accounting firms with AI-generated emails referencing specific state registration details, achieving a 27% click rate. That's far above the baseline for traditional phishing, which typically lands in the single digits.

The fake websites are just as polished. Scammers use AI to generate entire storefronts, banking login pages, and customer support portals that mirror real brands down to the SSL certificate and footer links. Phishing websites have also become significantly more convincing. Many are designed to closely mirror real brands, making it difficult for users to spot the difference.

What Actually Stops These Scams When Detection Fails

The industry consensus is converging on an uncomfortable truth: you can't reliably detect AI fraud by looking at it or listening to it anymore. The quality gap has closed.

Gartner predicts 30% of enterprises will find standalone identity verification unreliable by 2026. Voice biometrics, video verification, and email sender reputation are all compromised to varying degrees.

What works instead is procedural friction and out-of-band verification. Slow the process down. Verify through a second channel. Require a code word. Never let a single phone call, video conference, or email authorize a financial transaction by itself.

For individuals, the single highest-impact step is the family safe word. The National Cybersecurity Alliance recommends establishing a family secret code word as the most critical protection method. If someone receives a suspicious call, they should demand the code word before proceeding. The code word should be shared with the entire extended family, including aunts, uncles and grandparents.

Pick a word that isn't guessable, isn't written down anywhere online, and wouldn't come up in normal conversation. Share it with every family member who might get an emergency call. If someone calls claiming to be your nephew and needs bail money, ask for the code word before you move. If they can't provide it, hang up and call your nephew directly.

For businesses, the equivalent is a mandatory callback policy for any request involving money, credentials, or sensitive data. Require that all large fund transfer requests be verified through an independent communication channel. Call the requesting executive at a known, verified phone number to confirm the request. This simple step would have immediately exposed the Arup fraud.

The Scale Problem: Why AI Fraud Is Growing Faster Than Defenses

The 2026 International AI Safety Report found that the AI tools powering these scams are free, require no technical expertise, and can be used anonymously. That combination (zero cost, zero skill, zero accountability) explains why AI fraud is growing faster than any other threat category.

Traditional scams had natural friction. A human scammer could only run so many calls, write so many emails, or manage so many fake identities at once. AI removes those limits.

According to Group-IB's 2026 research, AI-powered scam call centers now combine synthetic voices, LLM-driven coaching, and inbound AI responders to run fully automated fraud operations at scale. One operation can target thousands of people simultaneously, with each interaction personalized in real time.

The economic asymmetry is crushing. Generative AI-enabled fraud surged 1,210% in 2025 per Vectra AI's March 2026 analysis, and projected losses from AI-facilitated fraud in the United States alone are forecast to reach $40 billion by 2027.

Defenders have to protect against every attack. Attackers only need one success. When the attacker's cost approaches zero and the success rate climbs above even 1%, the math favors the scammer.

Where to Report AI Fraud and What Happens Next

If you've been targeted or lost money, report it even if you think nothing will come of it. The FBI uses those complaints to track patterns, build cases, and in some cases recover funds.

IC3 receives nearly 3,000 complaints per day. If you believe you or someone you know may have been a victim of a fraud or scam, contact your local FBI office or submit a complaint at ic3.gov as soon as possible. You should document the name of the scammer/company, methods of contact, dates of contact, methods of payment, where funds have been sent, and a thorough description of the interactions.

You can also file with the FTC at reportfraud.ftc.gov. The FTC doesn't typically recover individual losses, but it uses complaint data to investigate operations and pursue enforcement actions.

The FBI's Operation Level Up is something that we continue to do. In 2025 we estimated over $200 million in losses prevented just by contacting people in the midst of a scam. The agency actively calls and emails people who appear to be mid-scam based on complaint patterns and financial intelligence.

In some cases, reporting quickly enough can freeze transfers before they clear. In most cases, the money is gone. But the data still matters for prosecution, victim notification, and building the intelligence picture that lets law enforcement dismantle the operation.

What the Next Wave Looks Like

The FBI's decision to track AI fraud separately wasn't reactive. It was anticipatory. The agency knows the current $893 million figure understates the problem, and it knows the trajectory is steep.

Last year, 66% said it's hard to tell scams apart from the real thing. Now, 85% agree. That's from a Malwarebytes survey conducted in March 2026 across 1,500 adults in the U.S., UK, and Europe.

The technology is improving faster than awareness. Exposure is highest among Gen Z at 67% (vs. 51% Millennials, 46% Gen X, and 30% Boomers and older). Younger users encounter more AI scams because they spend more time online, but older victims lose more money per incident.

One in five have been impersonated. One in seven have had explicit AI-generated content created of them without consent, and just as many have had someone threaten to do so. AI fraud isn't just about money anymore. It's about reputation, identity, and psychological harm.

The defenses that worked in 2023 don't work in 2026. The defenses that work today might not work in 2027. What remains constant is the human vulnerability: urgency, fear, trust, and the instinct to help someone you believe is in trouble.

That's why the procedural defenses matter more than the technical ones. Slow down. Verify independently. Use a code word. Never let a single voice, video, or message authorize anything that matters.

The technology will keep improving. The scams will keep evolving. But the friction you build into your own response process is something the AI can't bypass.

Verified against FBI IC3 2025 Annual Report (released April 2026), ABC7 News reporting on the Del Mastro case (June 2026), and Malwarebytes 2026 AI Scams Survey. Last updated: June 10, 2026. Reviewed and published by the RecentScam Editorial Team on 2026-06-10.

Frequently Asked Questions

Why did the FBI start tracking AI scams separately in 2026?
The FBI's Internet Crime Complaint Center added AI-related fraud as a specific crime descriptor in its 2025 annual report (released April 2026) because AI tools have fundamentally changed how scams are executed and detected. This marks the first time in IC3's 26-year history that a technology has warranted its own tracking category, reflecting that AI is no longer simply enhancing existing fraud but reshaping the entire landscape.
How much did Americans lose to AI scams in 2025 according to the FBI?
Americans reported losing $893 million to AI-related scams in 2025 across 22,364 complaints filed with the FBI's IC3. However, the FBI and fraud researchers believe this significantly undercounts actual losses, as most victims never identify AI as part of the scam or don't report at all. Total U.S. cybercrime losses hit $21 billion in 2025, the highest ever recorded.
Can I really tell if a voice on the phone is AI-generated?
No. Experts including UC Berkeley professor Hany Farid say that as of 2026, most people cannot reliably distinguish AI voice clones from real human voices. The old red flags like strange pauses and robotic tone are largely gone. Instead of trying to detect AI audio, verify the caller's identity independently by hanging up and calling the person back on a known number, or use a pre-agreed family code word.
What is the Deborah Del Mastro voice cloning case from May 2026?
In early May 2026, Bay Area mother Deborah Del Mastro received a call featuring what sounded like her daughter's voice in distress, claiming she'd been kidnapped by a cartel. Del Mastro wired $5,400 from multiple ATMs before calling her daughter directly and discovering the scam. The case, widely reported in early June 2026, illustrates how AI voice cloning has supercharged the classic grandparent scam with near-perfect vocal impersonation.
How did scammers steal $25 million using deepfake video in the Arup case?
In early 2024, an Arup finance employee in Hong Kong joined a video conference call with what appeared to be the company's CFO and several colleagues. Every person on the call except the employee was an AI-generated deepfake built from publicly available meeting footage. The employee authorized 15 wire transfers totaling $25 million. The case, still under investigation as of 2026, is the largest documented deepfake video fraud to date.
