The FBI Counted AI Fraud for the First Time. It Found $893 Million. The Real Number Is Closer to $9 Billion.

Twenty-two thousand complaints. That is what the FBI's Internet Crime Complaint Center logged in its first dedicated count of AI-enabled fraud, published in the 2025 Internet Crime Report released April 7, 2026, with an attached dollar figure of $893 million that amounts to 4.3% of the report's $21 billion total from over one million complaints.

Not a rounding error, and not the real number, but the first reading from a broken thermometer.

What the FBI Actually Counted

IC3's new AI section tracks complaints where the victim or reporting agent identified artificial intelligence as a component of the scheme, a category covering voice cloning used to impersonate family members, deepfake video deployed in business email compromise, synthetic identity documents generated to open fraudulent accounts, and AI-written phishing sophisticated enough to defeat standard email filters.

That $893 million breaks down across categories the FBI already tracks. Crypto investment fraud, the report's largest bucket at $8.6 billion in total losses, increasingly relies on AI-generated personas and deepfake "proof-of-life" videos to sustain pig-butchering operations over weeks or months of manufactured trust, while business email compromise, still worth $3 billion annually, now deploys AI voice cloning to bypass the "call them back and verify" defense that security teams spent a decade drilling into employees. Tech support scams added $2.1 billion in 2025, with AI chatbots maintaining longer and more convincing interactions than human operators could sustain at equivalent scale.

Government impersonation scams alone generated 32,000 complaints. IC3 does not say how many involved AI voice synthesis, but the consumer data below, drawn from 12,000 people surveyed at Mobile World Congress in March 2026, suggests the answer is substantial and growing at a pace that outstrips the Bureau's ability to categorize it.

The Consumer Side: 1 in 4 Americans

Hiya's State of the Call 2026 report, released at Mobile World Congress on March 2, surveyed 12,000 consumers across six countries and delivered a headline finding that crystallizes the gap between official statistics and lived experience: one in four Americans received a deepfake voice call in the past twelve months. Another 24% said they could not confidently distinguish a cloned voice from a real one, meaning nearly half of American adults are either exposed to or vulnerable to AI voice fraud right now.

Volume tells the rest of the story: Americans receive 9.9 unwanted calls per week, over 500 per year, growing 16% annually since 2023. When Hiya asked who is winning, carriers or scammers, Americans chose scammers by two to one. Thirty-eight percent would switch providers over inadequate protection, sixty-seven percent want carriers to share financial liability, and fifty-five percent want zero-liability fraud coverage comparable to credit cards.

Seniors pay the steepest price: adults 55 and older lose an average of $1,298 per scam incident, triple the amount younger adults report, a disparity compounding across those 500-plus annual unwanted calls. Forty-eight percent of all respondents said spam is getting worse, outnumbering optimists three to one.

The Global Supply Chain of Fraud

While the FBI counts complaints filed by American victims, the United Nations Office on Drugs and Crime has been documenting the industrial infrastructure that generates those complaints: scam compounds across Myanmar, Cambodia, and Laos that have evolved into vertically integrated fraud operations deploying AI for deepfakes, voice cloning, malware generation, and algorithmic victim targeting.

UNODC estimates the United States alone lost $10 billion to Southeast Asian scam operations in 2024. Raids by Philippine and Cambodian authorities have uncovered torture, trafficking, and forced labor inside these compounds, with workers held against their will and beaten when they miss fraud quotas. A Global Partnership Against Online Scams launched in December 2025 with 60 countries and platforms including Meta and TikTok, but the operations continue scaling despite international pressure.

These compounds now sell cybercrime-as-a-service to buyers worldwide, meaning any scam group anywhere can purchase AI-generated voice models, pre-trained phishing scripts, and victim lead lists from Southeast Asian suppliers with nothing more than a cryptocurrency wallet and a phone number database, an industrial supply chain stretching from server farms in Myanmar to call centers in Cambodia to victim bank accounts across all fifty American states.

The Undercount Math

Nobody has published this calculation. It cross-references three independent federal and international data sources to derive a plausible multiplier for what the FBI's voluntary complaint system missed, and three compounding gaps separate the official $893 million from reality.

Gap 1, reporting: The FTC's 2017 Mass-Market Consumer Fraud Survey, the most rigorous study of fraud underreporting in the United States, found that only 4.8% of consumer fraud victims filed a complaint with any government agency. IC3 is one of several such agencies, so its capture rate is lower still, yielding a conservative reporting multiplier of 20 to 33x that pushes the raw figure to between $17.9 billion and $29.5 billion.

That range is too high because not all unreported fraud involves AI, so a correction is needed.

Gap 2, attribution: when a victim falls for a phishing email written by a language model, they report "phishing," not "AI fraud," and when a synthetic identity built from AI-generated documents opens a credit line, the lender reports "identity theft," meaning the FBI's AI category captures only cases where AI involvement was explicitly identified. Given that human deepfake detection rates hover around 24.5%, correct identification is the exception. If half of AI-involved fraud is correctly attributed, the effective capture rate drops to 1.5 to 2.5%.

Gap 3, geography: FBI counts domestic complaints only, but UNODC says Americans lost $10 billion to Southeast Asian operations in 2024, with most of those losses flowing through cryptocurrency wallets, international wire transfers, and gift card purchases that never intersect with IC3 reporting.

Our estimate: Start with $893 million and apply a conservative 10x multiplier for combined reporting and attribution gaps, lower than the raw FTC data implies but accounting for overlap between Gaps 1 and 2, yielding approximately $9 billion. Cross-check: UNODC's $10 billion figure for Southeast Asian operations targeting the US, which includes both AI and non-AI fraud, makes $9 billion in AI-enabled losses plausible without being aggressive.

Nine billion dollars. Not 4.3% of total internet crime but closer to 43%.

Why Measurement Matters More Than the Number

The dollar figure matters less than what it reveals about institutional capacity. That $893 million is not wrong; it is the best count available from a system designed before AI-enabled fraud existed at scale, one that requires victims to recognize they were defrauded, identify the mechanism as AI-related, navigate to the IC3 website, and complete a form, with each step filtering out the majority of actual incidents.

Compare this to how the Bureau of Labor Statistics measures unemployment, a domain where passive self-reporting was abandoned decades ago in favor of the Current Population Survey: a monthly sample of 60,000 households with trained interviewers, statistical weighting, and methodology rigorous enough that policy decisions hinge on its output, because BLS does not wait for unemployed people to file complaints but goes and counts them directly.

AI fraud has no BLS. Just an IC3 that tallies whoever walks through the door.

The Phone Is Becoming Unusable

Set the dollar figures aside and consider what is happening to the telephone as infrastructure. Alexander Graham Bell's invention was designed to connect people, but in 2026 the average American receives 500 unwanted calls per year, growing 16% annually, and at current rates that number exceeds 900 by 2030, which is why people have stopped answering and why Hiya's data shows acceleration rather than stabilization.

This is not an annoyance metric but the functional degradation of a communications network that every hospital, school, emergency service, and family depends on, a slow-motion collapse of trust in a system built on the premise that the person calling is who they say they are, compounded by a regulatory vacuum in which no entity bears the cost of the negative externalities the telephone network now generates for its own users. Credit card companies solved their version of this problem decades ago with zero-liability policies that shifted incentives toward fraud prevention; no telephone industry equivalent exists, and with sixty-seven percent of consumers demanding shared carrier liability, the question is not whether zero-liability arrives but when.

STIR/SHAKEN, the FCC-mandated caller ID authentication framework, has reduced some forms of spoofing. But AI voice cloning operates within authenticated calls. Caller ID is real, but the person on the other end is not.

What We Did Not Prove

The 10x multiplier is a reasoned estimate, not an audited figure. FTC's 4.8% reporting rate comes from a 2017 survey conducted before AI fraud reached its current scale, and if AI fraud victims report at meaningfully different rates than traditional fraud victims, the multiplier shifts in either direction.

UNODC's $10 billion figure has not been independently verified through financial audit, deriving instead from law enforcement seizure data, victim interviews, and financial flow analysis.

Attribution is the weakest link in the entire chain. No study has measured what fraction of fraud involving AI tools is correctly identified as AI-related by the people it targets, which means the 50% assumption is a placeholder and true figures could range from 20% to 80%, carrying the final multiplier through a zone of considerable uncertainty in both directions. No responsible reading should treat $9 billion as precision rather than a plausible order of magnitude.

Recovery also complicates the picture: IC3's Recovery Asset Team froze $561 million in 2025, representing less than 3% of total reported losses, and this analysis counts gross losses rather than net harm.

The Strongest Case Against This Analysis

The most compelling objection is structural: the 10x multiplier assumes AI fraud behaves like traditional fraud in terms of reporting rates, but AI-enabled scams targeting high-value victims, like the Arup deepfake video call that netted $25 million, are far more likely to generate a police report than a $200 voice-cloning scam against a retiree who feels too embarrassed to file. If large-dollar AI fraud carries a higher reporting rate than the FTC's 4.8% baseline, the dollar-loss multiplier shrinks even as the complaint-volume multiplier stays high.

This objection cuts both ways, because the $9 billion figure could overstate dollar losses while understating victim count, but both versions of that error arrive at the same conclusion: measurement infrastructure is inadequate for the threat it faces.

What You Can Do

If someone you know calls asking for money: Hang up and call them back at a number you already have saved, because AI voice clones that are convincing in real time cannot survive a callback to a verified number, and this single habit blocks the majority of voice-cloning scams.

If your organization processes payments: Implement dual-authorization for any transaction above your risk threshold, with the second authorization occurring on a different channel than the original request, such as confirming a Slack request by phone or a phone request in person. Arup lost $25 million because a single video call was treated as sufficient authorization.

If you are a policymaker: Push for a national fraud survey equivalent to BLS employment methodology, because waiting for victims to self-report to IC3 was designed for an era when fraud was slower, simpler, and more visible, and AI fraud at scale requires active measurement rather than passive collection.

If you are a carrier: Sixty-seven percent of consumers want shared financial liability for scam calls, and thirty-eight percent are actively considering switching providers, which means zero-liability fraud protection modeled on credit card networks would both realign incentives and capture the segment of customers most willing to pay for security.

The Bottom Line

The FBI counted AI fraud for the first time, and the number it found, $893 million, does not capture what three independent data sources converge on: AI-enabled fraud losses in the United States likely approach $9 billion annually, the telephone network degrades at 16% per year, and the measurement infrastructure is a full generation behind the threat. First count is a beginning. Treating it as the answer is the most dangerous possible response.