
May 06, 2026 · 10 min read

A New Report Says Email Fraud Cost the U.S. Economy $22 Billion Last Year—7x the FBI's Number, and Most of It Never Got Reported

A research arm of the email security firm Remergify just released the first comprehensive accounting of email fraud's economic footprint. The official FBI figure captures less than 15 percent of the actual incidents.

On May 4, 2026, TrustNFT, the research arm of email security firm Remergify, released a policy white paper titled The $22 Billion Problem: Email Fraud's True Economic Cost to the American Economy. The paper makes a single argument that should be familiar to anyone who has ever quietly absorbed a wire fraud loss without filing a police report: the official numbers are nowhere near the real numbers, and the gap is growing.

The headline figure is 22 billion dollars in annual U.S. economic damage from email based fraud. That number is more than seven times the 2.9 billion dollars in business email compromise losses the FBI's Internet Crime Complaint Center reported for 2023, and almost double the 12.5 billion dollar total IC3 figure for all reported internet crime that year. TrustNFT's CEO Stuart Fine summarized the gap bluntly: "We are treating a 22 billion dollar annual problem as if it were a 3 billion dollar problem."

The paper's core methodological move is to stop counting only the dollars that ended up in a police report. Most email fraud never makes it into IC3's database. Companies eat the loss internally, victims feel embarrassed, the case sits below the threshold a federal agent will pick up, or the fraud succeeded in a way the victim has not yet noticed. Once you start counting the categories that the FBI does not track, the economic damage looks completely different.


Where the $22 Billion Comes From

TrustNFT breaks the total into six categories, only the first two of which appear in standard FBI reporting:

  • Direct BEC losses ($2.9 billion). The FBI IC3 figure for reported business email compromise. Wire fraud, fake invoices, fake CEO requests, fake vendor banking change notices.
  • Elder fraud losses ($3.4 billion). Reported losses by victims aged 60 and over, the vast majority of which arrived through email or email derived channels.
  • Unreported consumer email fraud ($4.2 billion). Calculated by applying a conservative 3 to 1 multiplier on the reported consumer figures, a ratio that survey data has consistently shown to be on the low end of actual underreporting.
  • Corporate fraud management costs ($5.8 billion). Internal incident response, legal review, public relations, security operations time, and third party forensics. The expenses companies absorb every time someone in finance forwards a fake invoice up the chain.
  • Lost productivity ($3.1 billion). The hours employees spend triaging suspicious messages, sitting through phishing training, calling colleagues to verify wire requests, and pausing legitimate transactions because the team is now nervous.
  • Trust erosion in digital commerce ($2.6 billion). The sales that do not happen because customers no longer trust unsolicited email from their banks, their utilities, or their insurers.

The first two lines come straight from IC3 reporting and the third is extrapolated from it, so all three should look familiar to anyone reading IC3 reports. The last three are the part that the FBI has no mechanism to capture, and that the paper argues makes up the majority of the actual economic damage. They are also the categories where blocking fraud at the perimeter would produce the largest savings.

Why FBI Numbers Are So Small

The Internet Crime Complaint Center is the FBI's public intake for cybercrime complaints and, in practice, the main federal collection point for email fraud reporting. Filing a complaint takes time, requires going through a federal portal, and produces a federal case number that may or may not lead anywhere. The structural incentives are wrong for capturing the full picture of what is happening in inboxes.

Several reasons consistently push fraud out of the IC3 database:

  • Small dollar losses. Anything below a few hundred dollars is rarely worth a victim's time to file. Aggregate small losses are still real money.
  • Corporate embarrassment. A company that just wired 400,000 dollars to a fake vendor account does not want a police report on file with the FBI, especially if it has not yet decided how to communicate the loss internally.
  • Insurance pathway. Victims who have cyber insurance often go through the carrier first. The carrier's claims process is the de facto reporting mechanism, and IC3 never sees the file.
  • Recovery efforts. Some victims recover funds through their bank's fraud department within hours. They never escalate to law enforcement.
  • Cross border perpetrators. Victims who can identify that the fraud originated outside the U.S. often correctly assume that there will be no federal investigation, and skip the report.

The result is that IC3's annual number is a floor, not an estimate. TrustNFT's 5 to 1 ratio of actual incidents to reported incidents sits at the conservative end of survey ranges. Some industry estimates put the ratio at 8 to 1 or higher.

The 2026 Email Threat Landscape Backs the Numbers Up

If the TrustNFT paper had landed in isolation, it would be easy to dismiss as marketing. It did not. Microsoft's own Q1 2026 email threat landscape report said the company blocked 8.3 billion phishing emails in the first quarter alone, a number that comes out to roughly 92 million blocked attempts every day. QR code phishing more than doubled over the period. None of those blocked attempts shows up anywhere in IC3 statistics, because they never produced a successful theft, but every one of them carried real cost in the form of inbox processing, security tooling, and end user attention.

The FBI's own 2025 IC3 annual report tallied 17.6 billion dollars in cyber fraud losses, with business email scams as the second biggest driver. That figure is itself the FBI's record high. TrustNFT's argument is that it is still an undercount.

The threat landscape is also getting more sophisticated. Phishing kits like Bluekit and Tycoon now ship with AI generated lure templates and voice cloning. ATHR is selling AI vishing as a 4,000 dollar a month subscription that auto generates callback phishing emails. And a UK Cifas survey added the insider angle: 13% of workers admitted they would sell their company login, or know somebody who has. The marginal cost to attackers of sending another billion fraudulent emails is already approaching zero. The marginal cost to defenders, in the form of the categories TrustNFT counts, is going up.

The Policy Asks

The paper concludes with three concrete federal policy recommendations:

  • Extend the 2018 DHS DMARC mandate to federal contractors. The Department of Homeland Security's Binding Operational Directive 18-01 requires federal civilian executive branch domains to publish DMARC with a reject policy; its one year deadline for p=reject fell in October 2018. Extending it to the federal contractor base would push roughly 100,000 additional U.S. companies into a stronger sender authentication baseline, the single highest leverage technical control against exact domain spoofing in business email compromise.
  • Create regulatory safe harbor for documented authentication programs. A formal safe harbor from FTC or state attorney general action for companies that can document an enforcement level DMARC, SPF, and DKIM rollout. The proposal mirrors how the SEC has historically treated documented compliance programs.
  • Mandate public DMARC enforcement disclosure. Public companies and large consumer facing private companies would be required to disclose their domain authentication enforcement status, similar to how cybersecurity incident disclosure rules now require them to disclose material breaches. The mechanism is meant to create a market for accountability that does not currently exist.

None of these are likely to pass in 2026. The federal privacy and cybersecurity legislative pipeline is heavily backed up. But the proposals matter because they map exactly to the gap between TrustNFT's number and the FBI's. Every dollar prevented at the sender authentication layer is a dollar not later distributed across IC3, internal incident response, and lost productivity.

What This Means for Compliance and Risk Teams

For a compliance officer or risk lead inside a U.S. company, the practical takeaway from the paper is that the budget conversation about email security has been operating on the wrong baseline. If the actual annualized cost of email fraud to the U.S. economy is closer to 22 billion dollars than to 3 billion, the per company allocation that follows is several times higher than what most boards have approved. The implication is that anti fraud investment is currently underfunded relative to the underlying loss exposure.

Concrete steps that match the paper's framing:

  • Move DMARC to enforcement. Most companies have a DMARC record in monitor only mode (p=none). Moving to quarantine and then reject is the single most consequential step against exact domain spoofing. Read the aggregate (rua) reports first so that legitimate third party senders are authenticated before the policy tightens, and remember that DMARC does nothing against lookalike domains or a compromised mailbox, which is where much of the remaining BEC lives.
  • Audit your vendor change procedures. The biggest line in the BEC category is fake banking change requests. Mandate out of band confirmation by phone, using a number already on file rather than one supplied in the request, for any vendor banking change above a low dollar threshold.
  • Track unreported losses internally. Even if your incidents do not go to IC3, capturing them in your own GRC tooling lets you make the budget case the paper is trying to make at the federal level.
  • Watch for AI generated lures. The 2025 to 2026 phishing wave includes much higher quality copy, including voice cloning and persona impersonation. Phishing training built on the older "look for typos" advice no longer works.
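A worked check for the first of those steps, added here as an example and not code from the TrustNFT paper, Remergify, or Gblock: it parses DMARC and SPF TXT records and lists what still separates a domain from enforcement (monitor only policy, partial pct, weaker subdomain policy, missing reports, soft or open SPF). The records and domain names are constructed for illustration; in practice you would feed it the TXT values returned by a lookup of _dmarc.<yourdomain> and <yourdomain>.

```python
"""Grade DMARC and SPF records by how much enforcement they actually give.

Added example for this article, not code from the TrustNFT paper or Gblock.
The records below are constructed TXT values of the kind returned by looking
up _dmarc.<domain> and <domain>; the domains are hypothetical and nothing is
resolved over the network.
"""

# Constructed sample records for four hypothetical domains.
SAMPLE_RECORDS = {
    "monitor-only.example": {
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
        "spf": "v=spf1 include:_spf.example.net ~all",
    },
    "half-way.example": {
        "dmarc": "v=DMARC1; p=quarantine; pct=50; sp=none; rua=mailto:reports@half-way.example",
        "spf": "v=spf1 ip4:192.0.2.0/24 -all",
    },
    "enforced.example": {
        "dmarc": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@enforced.example",
        "spf": "v=spf1 ip4:198.51.100.10 -all",
    },
    "no-record.example": {"dmarc": None, "spf": "v=spf1 +all"},
}

# Findings that mean the domain is not at full reject enforcement.
BLOCKING = ("p=", "pct=", "sp=", "no valid")


def parse_dmarc(record):
    """Split a DMARC TXT record into tag=value pairs; None if absent or not
    starting with the mandatory v=DMARC1 tag (receivers treat both as no policy)."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def dmarc_findings(record):
    """List every gap between a DMARC record and full reject enforcement."""
    tags = parse_dmarc(record)
    if tags is None:
        return ["no valid DMARC record: spoofed mail is delivered as if authenticated"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none: monitor only, receivers take no action on failures")
    elif policy == "quarantine":
        findings.append("p=quarantine: failures go to spam instead of being rejected")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    sub_policy = tags.get("sp", policy).lower()   # sp defaults to p
    if sub_policy not in ("reject", policy):
        findings.append(f"sp={sub_policy}: subdomains weaker than the organizational domain")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports, so failures stay invisible")
    return findings


def spf_finding(record):
    """Describe the SPF 'all' mechanism, which decides the fate of unlisted senders."""
    if not record or not record.lower().startswith("v=spf1"):
        return "no SPF record"
    all_terms = [t for t in record.split()[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        return "no all mechanism: unlisted senders get a neutral result"
    qualifier = all_terms[0][0] if all_terms[0][0] in "+-~?" else "+"  # bare all means +all
    return {
        "-": "-all: hard fail for unlisted senders",
        "~": "~all: soft fail, most receivers only score it",
        "?": "?all: neutral, effectively no policy",
        "+": "+all: every sender passes, the record is worthless",
    }[qualifier]


def audit(records):
    """Return {domain: {"enforced": bool, "dmarc": [findings], "spf": text}}."""
    result = {}
    for domain, r in records.items():
        findings = dmarc_findings(r["dmarc"])
        result[domain] = {
            "enforced": not any(f.startswith(BLOCKING) for f in findings),
            "dmarc": findings,
            "spf": spf_finding(r["spf"]),
        }
    return result


if __name__ == "__main__":
    for domain, r in audit(SAMPLE_RECORDS).items():
        print(f"{domain}: {'ENFORCED' if r['enforced'] else 'NOT ENFORCED'}")
        for line in r["dmarc"] + [r["spf"]]:
            print(f"  - {line}")
```

Run against real records, the output for most organizations is the p=none line: a record exists, nothing is enforced, and the rua mailbox is the only thing telling you which legitimate senders would break once the policy moves to quarantine.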

What It Means for Individual Users

For consumers, the most immediate signal in the paper is the elder fraud number. The 3.4 billion dollar elder fraud line is the largest single category that almost entirely arrives through email. Phishing messages targeting people 60 and older have higher success rates, larger per incident losses, and a near zero rate of recovery. Anyone who has elderly relatives connected to email should treat the inbox as the highest risk surface area in their household.

Practical defenses that map to the underlying threat:

  • Treat any urgent financial request from email as suspicious. Bank, IRS, Social Security, Medicare, utility company, anything that says "act now to avoid a problem" is statistically more likely to be fraud than a real notice.
  • Verify by phone using a number you already have. Never call a number printed in the email itself. Look the number up independently.
  • Block tracking pixels in the inbox. Phishing campaigns frequently use tracking pixels to confirm a live recipient before escalating to a higher quality lure. Stripping the pixel before it loads removes the attacker's most basic feedback signal.
  • Report attempts even when nothing was lost. The IC3 portal accepts attempted fraud reports, and the only way the FBI's number eventually moves toward TrustNFT's number is if more victims and near victims file.
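What the tracking pixel advice means in practice, as an added example and not code from the paper or from Gblock: the script below scans an HTML message for image tags that fetch from a remote host while being invisible (1x1 or 0x0 dimensions, or hidden by inline CSS) and strips them before the message is rendered. The sample message, hosts and token are constructed for illustration.

```python
"""Find and strip tracking pixels in an HTML email before it is rendered.

Added example for this article, not code from the TrustNFT paper or Gblock.
The message, hosts and token below are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: one 1x1 pixel, one CSS-hidden pixel, a real logo,
# and an inline (cid:) image that cannot phone home.
SAMPLE_EMAIL = """<html><body>
<p>Your account will be suspended unless you confirm your details today.</p>
<img src="https://track.example.net/o.gif?u=7f3a9c1e" width="1" height="1" alt="">
<img src="https://cdn.example.org/logo.png" width="120" height="40" alt="Bank logo">
<img src="https://track.example.net/p.png?u=7f3a9c1e" style="display:none;width:0;height:0">
<img src="cid:inline-logo" width="1" height="1">
<a href="https://example.com/confirm">Confirm now</a>
</body></html>"""


def _px(value):
    """Parse '1', '1px' or ' 0 ' into an int; None for anything else."""
    m = re.match(r"\s*(\d+)\s*(?:px)?\s*$", value or "")
    return int(m.group(1)) if m else None


def classify(attrs):
    """Return why an <img> looks like a tracking pixel, or None if it looks real."""
    style = (attrs.get("style") or "").lower().replace(" ", "")
    if "display:none" in style or "visibility:hidden" in style:
        return "hidden via CSS"
    dims = {}
    for prop in ("width", "height"):
        val = _px(attrs.get(prop))
        m = re.search(rf"(?:^|;){prop}:(\d+)(?:px)?(?:;|$)", style)
        if m:                                   # inline CSS overrides the attribute
            val = int(m.group(1))
        if val is not None:
            dims[prop] = val
    if len(dims) == 2 and all(v <= 1 for v in dims.values()):
        return f"{dims['width']}x{dims['height']} image"
    return None


class PixelFinder(HTMLParser):
    """Collect (raw tag text, src, reason) for every remote, invisible <img>."""

    def __init__(self):
        super().__init__()
        self.pixels = []

    def handle_starttag(self, tag, attrs):       # also invoked for <img ... />
        if tag != "img":
            return
        a = {name.lower(): value for name, value in attrs}
        src = a.get("src") or ""
        if urlparse(src).scheme not in ("http", "https"):
            return                               # cid:/data: images never leak an open
        reason = classify(a)
        if reason:
            self.pixels.append((self.get_starttag_text(), src, reason))


def find_pixels(html_doc):
    """Return the list of suspected tracking pixels in document order."""
    finder = PixelFinder()
    finder.feed(html_doc)
    finder.close()
    return finder.pixels


def strip_pixels(html_doc):
    """Return the message with every suspected pixel tag removed."""
    cleaned = html_doc
    for tag_text, _, _ in find_pixels(html_doc):
        cleaned = cleaned.replace(tag_text, "")
    return cleaned


if __name__ == "__main__":
    for tag_text, src, reason in find_pixels(SAMPLE_EMAIL):
        print(f"{reason}: {src}")
    print(strip_pixels(SAMPLE_EMAIL))
```

The size and visibility heuristics catch the dedicated pixel, which is the sender's cheapest liveness signal. Any remote image load leaks the open, so a client that wants to remove the signal entirely blocks or proxies all remote images, not only the ones that match these rules.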

The Larger Argument

The TrustNFT paper is not the first attempt to argue that the FBI's number is incomplete. What is new is the breakdown of where the missing dollars actually live, and the fact that a sizeable share of them are not direct fraud losses at all but secondary costs that show up on completely different parts of a company's balance sheet. Fraud management is real labor. Lost productivity is real labor. Trust erosion shows up in declining customer engagement that nobody traces back to the fraudulent emails that started the decline.

What the paper does well is force the question of where the real cost of an unfiltered inbox actually falls. Some of it falls on the wire fraud victim. Most of it falls on everyone else. That is the argument anyone making a budget case for stronger email defenses, at the federal level or inside a single company, should be ready to make.
