As artificial intelligence democratizes both defense and attack in the cyber realm, the global cost of cybercrime is racing toward $15.63 trillion by 2029—a staggering 70% increase from today’s already crushing $9.22 trillion burden that’s forcing businesses into bankruptcy and leaving everyday users increasingly vulnerable to sophisticated, AI-powered scams they can barely distinguish from reality.
It stands to reason that if the advancement of artificial intelligence can help cybersecurity companies find and patch vulnerabilities more quickly, then it can also help cybercriminals develop malware at equal speed. This isn’t new, as it was laid out plainly in a 2023 press briefing by Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technologies on the National Security Council for the U.S. Department of State.
Naturally, the cost of cybercrime is increasing—and it’s affecting everyone, from governments to businesses to individuals. Battling cybercrime isn’t just the responsibility of cybersecurity experts; it’s also up to small business owners to protect themselves. As a result, users must be more savvy than ever.
The cost of cybercrime
You have to consider several factors when calculating the cost of cybercrime. There’s the financial cost, of course. Significant data breaches have cost businesses millions of dollars and led to a decline in stock prices. There’s great value in a positive reputation, and it took years for some to recover trust. Others never did.
Senior security engineer of Exeter Finance, Ankit Gupta, runs a Microsoft Security blog and acknowledges that any security breach is likely to have a financial impact. These can cost businesses from a few thousand dollars to millions, he said. It’s particularly painful for small businesses because an average cyber incident lands around the six-figure range. The total impact is incalculable, however, as—like we said above—it includes reputational damage.
“When you add up fraud, downtime, recovery costs, and the revenue loss … that is huge,” he said. “It can also shut down the whole company.”
The estimated cost of cybercrime continues to climb. In 2024, the cost worldwide was $9.22 trillion, and by 2029, it’s expected to hit $15.63 trillion—a nearly 70% increase in cost. What’s difficult to understand are the seemingly contradictory statistics. Some independent agencies report cybersecurity costs are down in 2025, while others show the price continuing to increase.
Statistics can swing wildly one way or the other. The Hiscox Cyber Readiness Report of 2023 showed the median cost per SMB for cyber attacks dropped to $8,300 in 2023 from $10,000 in 2022. It also reported the average ransom payment by an SMB was more than $16,000. This data directly conflicts with Verizon’s oft-cited data breach report, which claims an average of $25,000 for an SMB cyberattack (the range varies from $826 to $653,587).
The reason for the differences comes down to scope, median versus average, and whether a report is counting direct and/or indirect costs. Another good example is IBM’s Cost of a Data Breach report for 2025, which shows direct and indirect costs for businesses. It alleges a $4.4M average cost for a data breach globally, and a whopping $10.22M average cost for the U.S. due to higher escalation and detection costs.
You will find more infographics at StatistaHow both sides use AI today
From phishing emails and keyloggers to ransomware and massive data breaches, cybercrime has been an issue for individuals, businesses, and governments for decades. With the prevalence and ease of access to AI tools, cybercriminals are now able to create more believable fake emails, voicemails, and better malware.
“Criminals are still using the same techniques they have always used, but they are able to personalize what they’re doing in a way that is more effective than what would have historically been the case,” said Betsy Cooper, Founding Director of the Aspen Policy Academy. She’s a cybersecurity expert who worked as the Executive Director of the Berkeley Center for Long-Term Cybersecurity.
“And with AI tools now, even someone in a foreign country who speaks very poor English and doesn’t have a lot of experience with U.S. companies can use AI to basically change the way material is being perceived so that it looks more legitimate and it’s harder to check out,” Cooper said.
Anecdotally, the consensus is that cybercriminals have an advantage in using AI over cybersecurity officials. However, the tools are helping IT teams mitigate risks and patch vulnerabilities faster than ever, making it much easier to deploy these actions at scale.
Using AI may also offset the cost of cybercrime: “I would say it’s not just about faster, it’s also about cheaper,” says Jeff Le. “It’s just way cheaper to throw things in the box.” Essentially, investing in AI tools to help combat cybercrime reduces the potential costs without that defense.
Le has extensive experience in cybersecurity, AI, privacy, technology, blockchain, and more, having served as the former Deputy Cabinet Secretary for California Governor Jerry Brown. Currently, he’s the Managing Principal at 100 Mile Strategies, a company that helps guide businesses and organizations in public and political spaces. He noted that one of the significant challenges of AI aiding cybercriminals is that it can be difficult to stop it at the government level.
What governments can do to help
Le observed that one option for governments, which the current U.S. administration is encouraging, is utilizing more offensive capabilities as a response to malicious activity. He also raised the issue of state-sponsored cyberattacks.
“If you’re talking about [the effectiveness of] companies versus entities backed by state sponsors like North Korea, Iran, Russia, or China, that’s a very difficult discussion,” Le said. “State-sponsored actors are probably winning most of the time.”
Le noted that North Koreans have been using AI-powered tools to hack various crypto exchanges. In March 2025, for example, a North Korean-sponsored group hacked $1.5 billion from ByBit.
“I would say the U.S. government has been encouraging offense, but at the same time they have seen some decreases [in cybersecurity investments] for the defender side,” Le said.
To combat this, Cooper is working to help train leaders on how to change policy at local, state, and federal government levels. Civic engagement is a big part of the equation, she said, to get governments to consider what sort of regulation may be needed to prevent AI companies from allowing bad actors to use their products to do harm.
“Oftentimes that’s not the first thing on a government’s agenda until people start speaking up,” she said.
How citizens can inspire change in policies
In September 2025, the Aspen Policy Academy hosted a program specifically designed to teach citizens how they can advocate for stronger cybersecurity infrastructure and be heard by their local officials. Programs include “Rising Civic AI Leaders,” a course that runs from Sept. 18, 2025 until November 20, 2025 and “Cyber Civil Defense Policy Training Series,” a program that’s slated for November 12 to December 10, 2025.
Cooper used an example of a common scam that targets consumers, such as a fake utility bill with a payment link that directs the user to a scamming website. Perhaps the person uses an AI chatbot instead of a search engine to search for the utility site, and the result looks legitimate, so the user clicks and enters payment information. If it’s a scam, the person who trusted the AI chatbot search results would have inadvertently handed over their information to a bad actor.
“Policy could help prevent an organization from publishing fake results… [or] create new avenues for you to be compensated if negative things happen,” Cooper said
New policies could potentially include penalties for AI organizations that allow scams to occur, which would hopefully encourage those organizations to prevent incorrect search results, for example. Cooper suggested that incentive structures help to make scamming less lucrative.
What small businesses can do to protect themselves
Beyond creating policy to prevent scams, protect businesses and individuals, and punish bad actors, there are several steps small businesses can take to protect themselves.
Vulnerabilities exist in business operating systems, software, and online tools. For this reason, it’s vital that small businesses maintain up-to-date systems, apply patches, and use the latest versions of software to ensure there are no back doors for hackers to exploit. Additionally, it’s essential to maintain backups of data on secure servers or hard drives in the event of data loss. The responsibility isn’t solely on business owners and managers; employees and vendors can be liabilities, as well.
“You can include cybersecurity contract language for your vendors because vendors are often huge, vulnerable places,” Cooper said. She also suggested creating a cybersecurity plan by using a template, such as the one she makes available here.
Certain industries are particularly vulnerable to cyberattacks. “I would say areas that are clearly and consistently being attacked at all sides are healthcare, energy, transportation, schools, water, and government,” Le shared. Of course, these aren’t the only departments that need to be vigilant; he reminded us that cybercrime affects everyone.
He added that there’s an intersection between IT and operations that could be tempting to cybercriminals. “No AI-powered tool is going to change the fact that using Windows 98 for your operating system [is] probably not a good idea,” Le said. “… [It makes it] easy to do bad things: pre-positioning, pretty obvious they can do that.”
The good news is that the majority of breaches are preventable through technology training and basic security practices, such as regularly updating software and being more vigilant. In 2024, the Aspen Institute launched the Take9 campaign, encouraging everyone to pause for nine seconds before interacting with an email, downloading an attachment, or clicking a link. Taking a few moments to process what you’re looking at can make all the difference between throwing it safely in the trash bin, or falling victim to a predatory scam.
Why individuals need to be more tech-savvy
Common scams are getting harder to spot for all users because AI is helping bad actors create more believable phishing and malware scams. This means that all individuals, tech-savvy or not, need to know how to identify false information and communications.
“At the end of the day, no AI-powered tools are going to help you always allow for humans to do the right thing,” Le said. “The biggest vulnerability in these systems is the humans, because humans click on stupid things.”
When it comes to everyday circumstances, Le pointed out that many of the attacks involve spam texts, emails, phone calls, and voicemails. He believes there are three primary target groups: everyday consumers, senior citizens, and smaller businesses with limited to no IT security.
Ankit Gupta suggests that everyone carefully examine URLs to ensure they’re going to official websites and not click unless they’re certain it’s from someone they know. Common sense is also required here because if you know the person, you should consider whether it’s a link they would likely send.
Next steps: Tips to protect yourself
- Don’t respond to messages asking for urgency in emails or texts
- Avoid answering spam calls
- Be wary of any communication that asks for money
- Activate multi-factor authorization (MFA) wherever you can
- Use a reputable password manager
- Keep apps and browser extensions updated
- Disable auto-fill
- Keep a backup of your passwords that’s not easily accessible by others
- Use software to detect deepfakes, such as Reality Defender or McAfee Deepfake Detector
- Ask an AI chatbot designed to identify scams, such as Bitdefender’s Scamio
