Facts + Statistics: Identity theft and cybercrime

The scope of identity theft

According to the Aite Group, 47 percent of Americans experienced financial identity theft in 2020. The group’s report, U.S. Identity Theft: The Stark Reality, found that losses from identity theft cases cost $502.5 billion in 2019 and increased 42 percent to $712.4 billion in 2020. The group explains that the huge increase was fueled by the high rate of unemployment identity theft during the pandemic, as increased and extended unemployment benefits made the sector an attractive target for fraudsters.

Losses are forecast to increase again in 2021 to $721.3 billion. The study narrowed the identity theft definition to include only application fraud, where criminals used a victim’s identity to open a new account of some type, and account takeover, where an account is taken so criminals can steal money or access rewards. Examples of accounts include rewards accounts for airlines, hotels, or merchants; insurance policies; and other accounts.

In the past two years, 37 percent of consumers have been victims of application fraud and 38 percent experienced account takeovers. The highest percentage of consumers who were victimized in 2020 were between 35 and 44 years of age and accounted for 30 percent of all identity theft victims. The findings are from an online survey conducted in December 2020 of 8,653 U.S. consumers age 18 and older.

Identity theft and fraud complaints

The Consumer Sentinel Network, maintained by the Federal Trade Commission (FTC), tracks consumer fraud and identity theft complaints that have been filed with federal, state and local law enforcement agencies and private organizations. There were 4.8 million identity theft and fraud reports received by the FTC in 2020, up 45 percent from 3.3 million in 2019, mostly due to the 113 percent increase in identity theft complaints.  In 2020, 1.4 million complaints were for identity theft, up from 651,000 in 2019. Identity theft complaints accounted for 29 percent of all complaints received by the FTC, up from 20 percent in 2019. About 2.2 million reports were fraud complaints and 1.2 million involved other complaints.  

Out of the total 4.8 million reports received by the FTC in 2020, the most by category were for identity theft complaints. Within identity theft, almost one-third were for scams involving government benefits applied for or received. According to Equifax, federal stimulus payments were an easy target for criminals and were the number one COVID-19 scam. New credit card accounts fraud were the next largest identity theft scam, about 30 percent of all identity theft complaints. Imposter scams were the second-worst overall category of FTC complaints, with almost one-half million reports.

Of the 2.2 million fraud cases, 34 percent reported money was lost. Consumers reported losing more than $3.3 billion related to fraud complaints, an increase of $1.5 billion from 2019. The median amount consumers paid in these cases was $311. Twenty-two percent of imposter scams reported money lost, totaling about $1.2 billion.

The top five states for identity theft ranked by the number of reports per population were Kansas, Rhode Island, Illinois, Nevada and Washington. (See chart below). For fraud and other complaints, the top five states were Nevada, Delaware, Florida, Maryland, and Georgia.

Identity Theft And Fraud Reports, 2016-2020 (1)

 

id_theft_and_fraud_complaints_2016-2020.gif

(1) Percentages are based on the total number of Consumer Sentinel Network reports by calendar year. These figures exclude "Do Not Call" registry complaints.

Source: Federal Trade Commission, Consumer Sentinel Network.

View Archived Graphs

See also the Identity Theft section of our Web site Click Here

Cybercrime

As businesses increasingly depend on electronic data and computer networks to conduct their daily operations, growing pools of personal and financial information are being transferred and stored online. This can leave individuals exposed to privacy violations, and financial institutions and other businesses exposed to potentially enormous liability, when a data security breach occurs.

High-profile data breaches continue to threaten business with losses and consumers with exposure of their personal data. In 2021 more than 280 million Microsoft customer records were left unprotected on the web in January. By March, the U.S. Cybersecurity and Infrastructure Security Agency, a standalone United States federal agency in the Department of Homeland Security, advised all organizations across all sectors follow its guidance to address Microsoft’s email server vulnerabilities. According to the Triple-I, the number of U.S.-based organizations affected is estimated to be at least 30,000, while worldwide that number is close to 100,000. Other notable breaches in 2021 involved Colonial Pipeline Co., an East Coast gas utility that suffered a ransomware attack that shut down the company for six days, along with Facebook and Volkswagen of America breaches. A breach at Marriott Hotels in March 2020 reached a data system containing the personal information of about 5.2 million customers and MGM Resorts was hit by a February 2020 data breach that exposed the personal information of more than 10.6 million guests. Also of note, in late 2020 criminals believed to originate outside the United States breached as many as 18,000 government agencies through software from SolarWinds, a software service company. The breach went undetected for months and was caused by changes made to a software program update. The information targeted appears to be corporate and government intellectual property rather than consumer information. In 2019 the worst data breaches were the Capital One Financial Corp. breach in July that exposed 100 million records and the October Adobe Creative Cloud breach that exposed 7­­ million users. In 2017 the largest U.S. credit bureau, Equifax Inc., suffered a breach that exposed the personal data, including Social Security numbers, of 145 million people. It was among the worst breaches on record because of the amount of sensitive information stolen. In 2019 ransomware attacks—a type of malware that denies access to an organization’s system—more than doubled from 2018. In 2019 an organization fell victim to ransomware every 14 seconds on average. Also troubling is that while more organizations purchase insurance to protect against the risk, ransom demands grow larger as attackers realize that companies can meet these demands.

The Identity Theft Resource Center® (ITRC) reported in early 2021 that cybercriminals continue to be less interested in stealing large amounts of personal information directly from consumers but instead are taking advantage of bad consumer behaviors to commit identity-related crimes against businesses using stolen credentials like logins and passwords. Criminals use these credentials to make ransomware and phishing attacks against businesses.

In 2020, there were 1,108 data breaches, down 19 percent from 1,362 breaches in 2019, according to the ITRC’s 2020 End-of Year Data Breach Report. There was also a significant decrease in the number of individuals impacted. In 2020, 300.6 million people were impacted by data breaches, down 66 percent from 887.3 million people impacted in 2019. Cyberattacks were the most used cause of compromise, accounting for 878 events that affected 170 million individuals. One form of cyberattacks, using emails (phishing) or texts (smishing) supposedly from a reputable company that induces people to supply personal information, was the most used method of cyberattack, accounting for 44 percent of all cyberattacks. Ransomware accounted for 18 percent of cyberattacks and malware accounted for 12 percent. Human and system errors accounted for 152 events that affected 130 million people. Physical attacks, such as stealing a device or document, accounted for 78 events and affected about 943,000 people. Supply chain attacks, which target a vendor, account for the remainder of attacks.

By first half 2021, the ITRC reported that the number of data breaches were on track to exceed those recorded in 2020 and could reach a new record, while the number of individuals impacted is trending lower. In the first half of 2021, there were 846 compromises (breaches and data exposures) representing about 75 percent of all compromises in 2020. About 118.7 million individuals were impacted, compared with 300.6 million in 2020. Phishing and ransomware were the top two causes of data compromise in the first half of 2021. Compromises at manufacturing and utilities companies were up five-fold in first half 2021 compared with a year ago and more than doubled in the retail sector. The largest number of compromises, 162, occurred in the healthcare sector, but these events were down 7 percent from a year ago. Ranked by individuals impacted, the technology sector ranked first with 36.6 million individuals impacted, followed by professional services with 20.1 million, financial services with 9.7 million and healthcare with 9.1 million impacted.

By industry, according to Accenture, insurance companies were the most targeted by ransomware attacks, accounting for almost a quarter of all ransomware attacks on Accenture’s clients. Consumer goods and services, and telecommunications ranked second and third.

According to the 2020 Cost of a Data Breach Report, sponsored by IBM Security and conducted by the Ponemon Institute, global data breaches cost companies $3.86 million per breach, on average. The study surveyed more than 500 organizations worldwide between August 2019 and April 2020. Cost factors included in the survey included legal, regulatory and technical activities related to breaches. Customers’ personally identifiable information (PII) was exposed in 80 percent of the breaches that occurred in the past year. Nearly 40 percent of malicious incidents were caused by stolen or compromised credentials and cloud misconfigurations. Attackers used previously exposed emails and passwords in one out of five breaches studied, stemming from more than 8.5 billion records exposed in 2019. Businesses that experienced breaches of corporate networks through the use of stolen or compromised credentials had nearly $1 million added to data breach costs over the global average, or $4.77 million. Cloud misconfigurations were used to breach networks nearly 20 percent of the time, increasing breach costs by more than half a million dollars to $4.41 million on average. State-sponsored threat actors were the most damaging type of adversary found in the 2020 study, although they accounted for 13 percent of all attacks. The resulting breach costs averaged $4.43 million. The COVID-19 pandemic brought more risk of data breaches because remote work conditions created less controlled environments. The report found that 70 percent of companies studied that adopted telework during the pandemic expect that it would exacerbate data breach costs.

According to the Insurance Information Institute and J.D. Power 2019 Small Business Cyber Insurance and Security Spotlight Survey^SM, 12 percent of businesses surveyed suffered one or more cyber incidents in 2019, up from 10 percent in 2018. Nearly 71 percent said they are “very concerned” about cyber incidents, up from 58 percent in 2018. Seventy-five percent said they believe the risk of being victimized by a cyberattack is growing at an alarming rate compared with 70 percent in 2018. Among the 44 percent of respondents who said they do not currently have cyber insurance and the 21 percent who said they do not know whether they do, 64 percent said they do not plan to purchase a cyber insurance policy in the next 12 months. This number is down from 70 percent in 2018. Given small companies’ growing awareness and concerns about cyberrisk, insurers and agents and brokers could potentially increase their overall support of this market by addressing the issues of affordability and coverage limitations that seem to be an obstacle to purchasing.

Cyber insurance evolved as a product in the United States in the mid- to late-1990s as insurers had to expand coverage for a risk that is rapidly shifting in scope and nature. In 2020, 203 insurer groups reported writing cyber insurance at one or more of their subsidiaries, up from 197 in 2019, according to  data sourced from S&P Global Market Intelligence. Direct premiums written totaled $2.8 billion in 2020, from companies that can report premiums for stand-alone and coverage provided as part of package policies, up from $2.2 billion in 2019. For more information on cyber insurance see Chapter 7, Commercial Lines.

Number Of Data Breaches And Individuals Impacted, 2015-2020

 

num_of_data_breaches_and_rec_exp_15-20.gif

Source: Identity Theft Resource Center, 2020 year in review, Data Breach Report.

View Archived Graphs

The IC3 says that 2020 complaints and dollar losses were the highest since the center began tracking cybercrime statistics in 2000. In 2020 the IC3 received and processed 791,790 complaints, a 69 percent increase from 467,361 in 2019. Losses to individuals and businesses totaled $4.2 billion, up 20 percent from 2019 . Business email compromise continued to cause the most losses, with about $1.8 billion in losses, followed by confidence or romance fraud, with $600.2 million in losses. Business email compromise typically involves a criminal mimicking a legitimate email address. For example, an employee might receive a message that appears to be from an executive within their company requesting a payment or wire transfer that funnels money directly to a criminal. About 19,400 people were victims of email account scams. Confidence fraud occurs when a criminal deceives a victim into believing they have a trust relationship and the victim is persuaded to send money or personal and financial information. In 2020 about 23,750 people reported confidence scams.

Cybercrime Complaints, 2016-2020 (1)

 

cyb_crime_comp_16-20.gif

(1) Based on complaints submitted to the Internet Crime Complaint Center.

Source: Internet Crime Complaint Center.

View Archived Graphs

Additional resources

Federal Trade Commission

Internet Crime Complaint Center