Security vendors rank threats by how scary they sound. A broker ranks them by the claims they generate. Built from the FBI's newest numbers, these are the six threats actually reaching businesses like yours, each with the training that cuts it and the coverage part that responds when training is not enough.
The answer
Americans reported $20.9 billion in internet crime losses in 2025, up about 26 percent in a single year, and nearly all of the business share moved through deception rather than code. That gives an owner exactly two levers. Training lowers how often it happens. The policy caps what it costs when it does. Neither lever replaces the other.
The fastest growing entry method is not an email at all. It is a phone call from someone posing as your own IT support, sometimes with falsified caller ID, walking an employee into a screen share and a remote access install. The FBI issued a formal advisory about the group running this playbook against professional firms, and Google's investigators clocked the full crime, first call to stolen files, inside a single business day.
Nothing in that sequence touches a firewall. The entire attack is a conversation.
Training. A written rule that real IT identifies itself a specific way and that nobody grants access from an inbound call. Coverage. Breach response, cyber extortion, and privacy liability carry the aftermath when a call succeeds. The June wave is covered at the fake IT call hitting America's law firms.
The most expensive email in America is not malicious code. It is new wire instructions that look exactly right. Business email compromise produced over $3 billion in reported losses in 2025, edging past the prior year, and it works because the employee sending the money believes they are doing their job.
For any business that moves funds, this is the single largest preventable loss on the list.
Training. Callback verification on every new or changed payment instruction, dual approval on large transfers, no changes accepted by email alone. Coverage. A social engineering fraud endorsement sized to your real wires, because standard forms can read a deceived transfer as an authorized one. The endorsement anatomy lives at social engineering fraud.
Phishing was the most reported internet crime in the country again in 2025, with 191,561 complaints, and its direct losses understate it badly, because phishing is rarely the crime itself. It is the front door for the wire fraud, the account takeover, and the data theft that follow.
Filters catch the sloppy ones. The current campaigns are built to pass filters and land on a busy human at a busy moment.
Training. Teach the seven checks, reward fast reporting, and never punish the employee who reports a click. Coverage. The policy funds the forensics and response when the front door opens, which is exactly the moment training hands off to insurance.
Ransomware complaints rose again in 2025, to 3,611 from 3,156 the year before, and the FBI's dollar figures dramatically understate the real cost because they exclude downtime, lost business, and rebuilding. The newer variant skips encryption entirely, quietly stealing files and extorting on the threat of publication, which means systems can run normally while the loss is already complete.
The FBI calls ransomware the most pervasive threat to critical infrastructure, and small businesses face the same tools with smaller reserves.
Training. Tested backups, multifactor authentication everywhere, and restricted software installs, which are the three controls carriers ask about first. Coverage. Cyber extortion, business interruption, and breach response, with sublimits read against what a week of downtime actually costs you.
Complaints about tech and customer support fraud jumped to 47,794 in 2025, from about 36,000 the year before. The script is a pop-up, a call, or an email claiming a problem only they can fix, ending with a remote access tool on your machine and a stranger inside your accounts.
It is the consumer cousin of the fake IT call, and it reaches business machines through the same busy humans.
Training. Remote support software gets installed only by your own IT provider, never from an inbound contact, and pop-ups never get called. Coverage. The crime and cyber seams decide who pays when a remote session turns into a theft, and those seams are readable in advance.
The last threat on the list is the one you fully control. Reused passwords, missing multifactor authentication, unpatched systems, and no written procedures. None of it is an attack, and all of it decides whether the five attacks above succeed. This is also the threat your insurance carrier can see, because underwriting applications now ask about these controls directly.
Weak basics raise your premium before they ever cause a claim. Strong basics get priced.
Training. One afternoon a year on the basics, documented, moves both your risk and your quote. Coverage. Answer the application accurately, because a control claimed but not practiced can complicate a claim exactly when you need it clean.
Training lowers how often it happens. The policy decides what it costs when it does.
Dallas Downey, CLCS, Commercial Lines and Workers Compensation Specialist
This article uses public source material from the FBI Internet Crime Complaint Center's 2025 annual report and the FBI's advisory on IT impersonation attacks and Google Cloud's Mandiant threat intelligence report.
The purpose is to rank the threats by the money they actually move, not the headlines they generate. The FBI's numbers describe the frequency and the direction. What any of it would cost your business is set by your controls and your policy's sublimits, which is exactly what the review reads.
Size it to your real numbers, not a default. The inputs are the records you hold, the funds that move through your accounts, what a week of downtime costs in lost revenue, and the security requirements in your client and vendor contracts. Each coverage part carries its own sublimit, and the sublimits matter more than the headline number on the policy.
Increasingly, yes. Carriers ask about multifactor authentication, backups, verification procedures, and training on the application, and documented controls move pricing and terms in your favor. Training is the rare expense that cuts both the chance of a claim and the cost of the coverage at the same time.
The uncomfortable answer is that nobody has to target you. Phishing and support scams run at industrial scale against every inbox and phone number they can reach, and the FBI logged over a million complaints in 2025 alone. Small businesses absorb these attacks with smaller reserves and thinner staffing, which is exactly why the two levers matter more, not less, below a certain size.
Prevention is training and controls, and it reduces frequency. Nothing reduces frequency to zero, which is where the policy takes over, converting an unbounded loss into a bounded one, your retention plus anything above your limits. A business that trains but does not insure is betting its reserves on a perfect record. About 40 percent of the time we tell clients to stay with their current carrier because that is the right answer, but every business should know exactly where its cap sits.
Send us the cyber policy you carry today, or tell us you do not have one yet. We will read the coverage against these six threats, show you which controls your carrier rewards, and put the whole answer in plain English before any of the six tests it for you.
Commercial reviews route to our commercial desk and follow your calendar, not ours. Local broker. National infrastructure.