The FBI released its 2025 Internet Crime Report in April. The headline number is one most of my readers do not yet know: $20.9 billion in reported losses, up 26% year over year. The more interesting structure is inside that number: $893 million attributed directly to AI-enabled fraud, $797 million in government impersonation losses (nearly double the prior year), and $30 million in business email compromise with confirmed AI components.
Small businesses are not equipped for the new attack surface. The 2010-era advice to watch for spelling errors and obvious grammar mistakes no longer works against AI-generated text that has been optimized, via Reinforcement Learning from Human Feedback, to be more engaging than the average human writer. Voice cloning has outrun the brain's ability to become skeptical in time: a familiar voice fires a trust signal in under 200ms, before conscious thought engages.
The reflexes that work against this attack pattern are mechanical, not vigilant. They run after the trust signal has fired but before money moves. The full set is covered in the AI fraud reflexes post on this site. The FBI Fraud Reflex Card at /tools/fbi-fraud-reflex-card/ generates a printable one-pager of those reflexes, customized with your business's internal contact details, for posting at every workstation.
What the card includes
The six reflexes:
- Callback rule. On any voice contact about money or urgency, hang up and call back on a number you saved before the call. Never use the number that just called or one the caller gives you.
- Dual-channel verify. A wire transfer or a change in payment instructions requested on one channel gets confirmed on a second, using saved contact details. An email request gets a phone confirmation to the saved number; a phone request gets an email confirmation to the saved address.
- Did I initiate this? Inbound urgency from a "government," "court," "bank," or vendor is the alarm signal. Legitimate agencies, courts and banks do not open a contact with an urgent payment demand. If you did not start the conversation, treat the demand as unverified until you have re-established contact yourself.
- Voice-print phrase. Everyone with money authority agrees in advance, in person or on an already-verified channel, on a phrase known only to that group. The caller produces it; if they cannot, treat the call as fraudulent. Never recite the phrase yourself because a caller asked for it; a caller who asks is trying to collect it.
- Defer-response on tailored asks. A message that fits your specific situation perfectly is no longer evidence that it is genuine, because that fit is now cheap to manufacture. Wait 24 hours before acting on it.
- Clean-channel review. Review suspicious mail in a known-good email client. Never click login links in the message; type the URL yourself or use a saved bookmark.
The customization fields:
- Business name (header)
- Internal finance contact (the actual number to call back when the callback rule fires)
- How vendors normally reach you (so a deviation surfaces faster)
- Verification phrase pattern (for the voice-print rule; the actual phrase obviously stays out of the printed card)
- Internal incident report line (where to send near-miss reports)
The card prints cleanly on a single sheet of letter-size paper. Print it, post it at every workstation, and train the team to read the rules out loud the first time they take a call about money.
Why mechanical reflexes work and "be careful" does not
The structural argument is in the broader AI fraud reflexes blog post. The short version: human threat detection is built around voice recognition that runs faster than conscious thought. Familiar-voice trust fires in under 200ms. By the time the conscious mind engages with whether the situation makes sense, the trust signal has already fired. "Be more skeptical" is not a strategy you can execute at sub-200ms timescales.
A mechanical rule is. Hanging up and calling back the saved number does not require the brain to second-guess the voice in real time. It only requires following a rule the team agreed to in advance. The reflex card is a memory aid for the team agreement.
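The point that a mechanical rule can be enforced where vigilance cannot is easy to show in code. As an added example (not code from the jwatte.com post or from the reflex card tool), the Python below encodes three of the six reflexes listed above, the callback rule, dual-channel verify and defer-response, as checks a finance workflow could run before a payment-instruction change is approved. It also shows why the card says "a number you saved before the call": only directory contacts saved before the request arrived count, so a contact that appeared alongside the request is rejected even if someone added it to the directory. The class and field names, the vendor directory, the phone numbers and the timestamps are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Added example, not the jwatte.com tool's code. Field names, the vendor
# directory and the timestamps below are constructed for illustration.


@dataclass(frozen=True)
class Contact:
    channel: str        # "phone" or "email"
    value: str
    saved_at: datetime  # when this contact entered our directory


@dataclass(frozen=True)
class ChangeRequest:
    vendor: str
    request_channel: str
    contact_in_request: str  # callback number or address the message itself supplies
    received_at: datetime
    urgent: bool = False
    tailored: bool = False


@dataclass(frozen=True)
class Confirmation:
    channel: str
    contact_used: str
    confirmed_at: datetime


HOLD = timedelta(hours=24)  # the card's defer-response window


def evaluate(request, confirmation, directory, now):
    """Return (approved, reasons). Approval requires every reflex to pass.

    Only contacts saved *before* the request arrived count as trusted, so a
    number slipped into the directory together with the request is useless.
    """
    reasons = []
    trusted = [c for c in directory.get(request.vendor, ())
               if c.saved_at < request.received_at]
    if confirmation is None:
        reasons.append("dual-channel: no confirmation on a second channel recorded")
    else:
        if confirmation.channel == request.request_channel:
            reasons.append("dual-channel: confirmation used the same channel as the request")
        if confirmation.contact_used == request.contact_in_request:
            reasons.append("callback: confirmation used the contact supplied inside the request")
        if not any(c.channel == confirmation.channel and c.value == confirmation.contact_used
                   for c in trusted):
            reasons.append("callback: confirmation contact was not saved before this request")
    if (request.urgent or request.tailored) and now - request.received_at < HOLD:
        reasons.append("defer: urgent or tailored ask is still inside the 24-hour hold")
    return (not reasons, reasons)


def run_scenarios():
    """Constructed scenarios: one vendor, one bank-change request, four confirmation attempts."""
    t0 = datetime(2026, 3, 2, 9, 0)
    directory = {
        "Acme Supply": [
            Contact("phone", "+1-555-0100", datetime(2024, 1, 15)),
            Contact("email", "ap@acme.example", datetime(2024, 1, 15)),
        ]
    }
    # Email "from the vendor": new bank details, please call +1-555-0199 to confirm today.
    req = ChangeRequest("Acme Supply", "email", "+1-555-0199", t0, urgent=True, tailored=True)
    results = {}
    # 1. Staff call the number given in the email, ten minutes later.
    soon = t0 + timedelta(minutes=10)
    results["called_number_in_request"] = evaluate(
        req, Confirmation("phone", "+1-555-0199", soon), directory, soon)
    # 2. Staff call the saved number, but still the same morning.
    same_morning = t0 + timedelta(minutes=30)
    results["saved_contact_too_soon"] = evaluate(
        req, Confirmation("phone", "+1-555-0100", same_morning), directory, same_morning)
    # 3. Same saved-number call, reviewed after the hold expires.
    later = t0 + timedelta(hours=25)
    results["saved_contact_after_hold"] = evaluate(
        req, Confirmation("phone", "+1-555-0100", later), directory, later)
    # 4. The attacker's number was added to the directory one minute after the request.
    poisoned = {"Acme Supply": directory["Acme Supply"]
                + [Contact("phone", "+1-555-0199", t0 + timedelta(minutes=1))]}
    results["contact_added_after_request"] = evaluate(
        req, Confirmation("phone", "+1-555-0199", later), poisoned, later)
    return results


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name}: {'APPROVED' if ok else 'HOLD'} {why}")
```

None of these checks asks anyone to judge whether the voice on the line sounded right. Each one compares a fact about the confirmation (which channel, which contact, how long ago) against a fact recorded before the request existed, which is exactly what a person can do after the trust signal has already fired.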
Why this fits the jwatte.com mission
This site is built for small business owners who do not have a CISO, a dedicated security team, or a budget for managed security services. The fraud-reflex card is the smallest possible unit of training. Print it. Read it. Post it. Total time investment: under five minutes.
The FBI's 2025 IC3 report makes the cost-benefit obvious. Individual BEC losses have typically run to tens or hundreds of thousands of dollars. Government-impersonation scams have run from $1,000 to $50,000+ per incident. Five minutes of training is orders of magnitude cheaper than any one of those outcomes.
What the tool does not do
It does not solve the broader operational hygiene layer. Two-factor authentication on accounts that touch money. Documented payment authorization workflows. Vendor-change reviews. Quarterly access audits. A no-blame internal culture for reporting near-misses. All of those are covered in the underlying blog post; none of them is addressed by a printable card.
It does not replace a real incident response plan. A team that needs incident response should consult a qualified specialist and develop one. The card is a daily-reflex tool that works whether or not such a plan exists.
It does not handle the legal-and-insurance side of fraud incidents. Reports go to ic3.gov and your local law enforcement. Your insurance carrier may have additional reporting requirements.
Related reading
- The AI Fraud Reflexes post for the full reasoning, the FBI numbers, and the broader operational hygiene checklist
- The Conversation Has Moved Past The Model for the broader infrastructure shift that scaled the attack surface
- DNS / Email Auth Audit for the technical layer that defends against business email compromise specifically
- Security Headers Audit for the related technical surface
Fact-check notes and sources
- FBI 2025 Internet Crime Report headline numbers: FBI press release, SecureWorld coverage, Nextgov on government impersonation doubling
- IC3 advisories on AI fraud reflexes: Senior US Officials Impersonated PSA, Generative AI financial fraud PSA
- Business cybersecurity baseline: CISA cybersecurity best practices
Informational only, not security or legal advice. The reflexes above are widely recommended industry practices but cannot eliminate fraud risk on their own. For incident response, contact local law enforcement and file a report at ic3.gov. Consult a qualified specialist for guidance specific to your operations.