Facts + Statistics: Identity theft and cybercrime

The scope of identity theft

Identity theft continues to pose challenges for consumers as criminals develop new mechanisms to commit fraud. According to the 2019 Identity Fraud Study from Javelin Strategy & Research, the number of consumers who were victims of identity fraud fell to 14.4 million in 2018, down from a record high of 16.7 million in 2017. However, identity fraud victims in 2018 bore a heavier financial burden: 3.3 million people were responsible for some of the liability of the fraud committed against them, nearly three times as many as in 2016. Moreover, these victims’ out-of-pocket fraud costs more than doubled from 2016 to 2018 to $1.7 billion. New account fraud losses also rose slightly, with criminals beginning to focus their attention on different financial accounts, such as loyalty and rewards programs and retirement accounts. Additionally, criminals are becoming adept at foiling authentication processes, particularly mobile phone account takeovers. These takeovers nearly doubled to 680,000 victims in 2018, compared with 380,000 in 2017. The study does note that the shift to embedded chip cards is helping to contain existing card fraud, which showed the steepest decline of any fraud type in 2018, with losses at $14.7 billion in 2018, down from $16.8 billion in 2017.

Identity theft and fraud complaints

The Consumer Sentinel Network, maintained by the Federal Trade Commission (FTC), tracks consumer fraud and identity theft complaints that have been filed with federal, state and local law enforcement agencies and private organizations. There were 4.8 million identity theft and fraud reports received by the FTC in 2020, up 45 percent from 3.3 million in 2019, mostly due to the 113 percent increase in identity theft complaints.  In 2020, 1.4 million complaints were for identity theft, up from 651,000 in 2019. Identity theft complaints accounted for 29 percent of all complaints received by the FTC, up from 20 percent in 2019. About 2.2 million reports were fraud complaints and 1.2 million involved other complaints.  

Out of the total 4.8 million reports received by the FTC in 2020, the most by category were for identity theft complaints. Within identity theft, almost one-third were for scams involving government benefits applied for or received. According to Equifax, federal stimulus payments were an easy target for criminals and were the number one COVID-19 scam. New credit card account fraud was the next largest identity theft scam, at about 30 percent of all identity theft complaints. Imposter scams were the second-worst overall category of FTC complaints, with almost one-half million reports.

Of the 2.2 million fraud cases, 34 percent reported money was lost. Consumers reported losing more than $3.3 billion related to fraud complaints, an increase of $1.5 billion from 2019. The median amount consumers paid in these cases was $311. Twenty-two percent of imposter scams reported money lost, totaling about $1.2 billion.

The top five states for identity theft ranked by the number of reports per population were Kansas, Rhode Island, Illinois, Nevada and Washington. (See chart below). For fraud and other complaints, the top five states were Nevada, Delaware, Florida, Maryland, and Georgia.

Identity Theft And Fraud Reports, 2016-2020 (1)

 

(1) Percentages are based on the total number of Consumer Sentinel Network reports by calendar year. These figures exclude "Do Not Call" registry complaints.

Source: Federal Trade Commission, Consumer Sentinel Network.


Top Five Types of Identity Theft, 2020 (1)

| Type of identity theft | Number of reports | Percent of total top five |
|---|---|---|
| Government benefits applied for/received | 394,324 | 32.0% |
| Credit card fraud—new accounts | 365,597 | 29.7 |
| Miscellaneous identity theft (2) | 281,434 | 22.9 |
| Business/personal loan | 99,667 | 8.1 |
| Tax fraud | 89,391 | 7.3 |
| Total, top five | 1,230,413 | 100.0% |

(1) Consumers can report multiple types of identity theft. In 2020, 15 percent of identity theft reports included more than one type of identity theft.
(2) Includes online shopping and payment account fraud, email and social media fraud, and medical services, insurance and securities account fraud, and other identity theft.

Source: Federal Trade Commission, Consumer Sentinel Network.


Identity Theft By State, 2020 (1)

| State | Reports per 100,000 population (2) | Number of reports | Rank (3) | State | Reports per 100,000 population (2) | Number of reports | Rank (3) |
|---|---|---|---|---|---|---|---|
| Alabama | 354 | 17,376 | 21 | Montana | 228 | 2,439 | 32 |
| Alaska | 127 | 926 | 47 | Nebraska | 113 | 2,182 | 49 |
| Arizona | 380 | 27,661 | 14 | Nevada | 740 | 22,801 | 4 |
| Arkansas | 579 | 17,470 | 8 | New Hampshire | 169 | 2,301 | 38 |
| California | 373 | 147,382 | 15 | New Jersey | 362 | 32,125 | 19 |
| Colorado | 361 | 20,762 | 20 | New Mexico | 165 | 3,454 | 40 |
| Connecticut | 191 | 6,821 | 35 | New York | 345 | 67,202 | 23 |
| Delaware | 449 | 4,374 | 13 | North Carolina | 288 | 30,176 | 26 |
| D.C. | 368 | 2,595 | 18 | North Dakota | 166 | 1,266 | 39 |
| Florida | 472 | 101,367 | 11 | Ohio | 222 | 25,893 | 33 |
| Georgia | 654 | 69,487 | 7 | Oklahoma | 349 | 13,797 | 22 |
| Hawaii | 271 | 3,835 | 28 | Oregon | 176 | 7,432 | 37 |
| Idaho | 132 | 2,353 | 45 | Pennsylvania | 265 | 33,886 | 29 |
| Illinois | 1,066 | 135,038 | 3 | Puerto Rico | 52 | 1,663 | 52 |
| Indiana | 257 | 17,306 | 30 | Rhode Island | 1,191 | 12,621 | 2 |
| Iowa | 96 | 3,022 | 50 | South Carolina | 373 | 19,193 | 15 |
| Kansas | 1,483 | 43,211 | 1 | South Dakota | 72 | 637 | 51 |
| Kentucky | 127 | 5,693 | 47 | Tennessee | 281 | 19,182 | 27 |
| Louisiana | 473 | 21,976 | 10 | Texas | 465 | 134,788 | 12 |
| Maine | 534 | 7,183 | 9 | Utah | 292 | 9,366 | 25 |
| Maryland | 343 | 20,718 | 24 | Vermont | 130 | 810 | 46 |
| Massachusetts | 661 | 45,575 | 6 | Virginia | 183 | 15,632 | 36 |
| Michigan | 244 | 24,370 | 31 | Washington | 712 | 54,247 | 5 |
| Minnesota | 146 | 8,246 | 44 | West Virginia | 148 | 2,646 | 43 |
| Mississippi | 371 | 11,048 | 17 | Wisconsin | 154 | 8,986 | 41 |
| Missouri | 222 | 13,653 | 33 | Wyoming | 151 | 875 | 42 |

(1) Includes the District of Columbia and Puerto Rico.
(2) Population figures are based on the 2019 U.S. Census population estimates.
(3) Ranked per complaints per 100,000 population. States with the same number of complaints per 100,000 population receive the same rank.

Source: Federal Trade Commission, Consumer Sentinel Network.


Top 10 Writers Of Identity Theft Insurance By Direct Premiums Written, 2019 (1)

($000)

| Rank | Group/company | Direct premiums written (2) | As a percent of total direct premiums written |
|---|---|---|---|
| 1 | State Farm | $31,492 | 13.4% |
| 2 | Nationwide Mutual Group | 30,982 | 13.2 |
| 3 | Travelers Companies Inc. | 24,251 | 10.4 |
| 4 | Hanover Insurance Group Inc. | 12,722 | 5.4 |
| 5 | Liberty Mutual | 11,845 | 5.1 |
| 6 | Allstate Corp. | 10,863 | 4.6 |
| 7 | American Family Insurance Group | 10,119 | 4.3 |
| 8 | Farmers Insurance Group of Companies | 9,855 | 4.2 |
| 9 | Erie Insurance Group | 8,973 | 3.8 |
| 10 | American International Group (AIG) | 5,997 | 2.6 |

(1) Includes stand-alone policies and the identity theft portion of package policies. Does not include premiums from companies that cannot report premiums for identity theft coverage provided as part of package policies.
(2) Before reinsurance transactions.

Source: NAIC data, sourced from S&P Global Market Intelligence, Insurance Information Institute.


Cybercrime

As businesses increasingly depend on electronic data and computer networks to conduct their daily operations, growing pools of personal and financial information are being transferred and stored online. This can leave individuals exposed to privacy violations, and financial institutions and other businesses exposed to potentially enormous liability, if and when a data security breach occurs.

High-profile data breaches continue to threaten businesses with losses and consumers with exposure of their personal data. In January 2021 more than 280 million Microsoft customer records were left unprotected on the web. By March, the U.S. Cybersecurity and Infrastructure Security Agency, a standalone United States federal agency in the Department of Homeland Security, advised all organizations across all sectors to follow its guidance to address Microsoft’s email server vulnerabilities. According to the Triple-I, the number of U.S.-based organizations affected is estimated to be at least 30,000, while worldwide that number is close to 100,000. A breach at Marriott Hotels in March 2020 reached a data system containing the personal information of about 5.2 million customers, and MGM Resorts was hit by a February 2020 data breach that exposed the personal information of more than 10.6 million guests. Also of note, in late 2020 criminals believed to originate outside the United States breached as many as 18,000 government agencies through software from SolarWinds, a software service company. The breach went undetected for months and was caused by changes made to a software program update. The information targeted appears to be corporate and government intellectual property rather than consumer information. In 2019 the worst data breaches were the Capital One Financial Corp. breach in July that exposed 100 million records and the October Adobe Creative Cloud breach that exposed 7 million users. In 2017 the largest U.S. credit bureau, Equifax Inc., suffered a breach that exposed the personal data, including Social Security numbers, of 145 million people. It was among the worst breaches on record because of the amount of sensitive information stolen. In 2019 attacks using ransomware, a type of malware that denies access to an organization’s system, more than doubled from 2018. In 2019 an organization fell victim to ransomware every 14 seconds on average. Also troubling is that while more organizations purchase insurance to protect against the risk, ransom demands grow larger as attackers realize that companies can meet these demands.

The Identity Theft Resource Center® (ITRC) reported that cybercriminals continue to be less interested in stealing large amounts of personal information directly from consumers and are instead taking advantage of bad consumer behaviors to commit identity-related crimes against businesses using stolen credentials like logins and passwords. Criminals use these credentials to carry out ransomware and phishing attacks against businesses. This occurred despite increased online shopping and remote work as a result of the COVID-19 pandemic.

In 2020, there were 1,108 data breaches, down 19 percent from 1,362 breaches in 2019, according to the ITRC’s 2020 End-of-Year Data Breach Report. There was also a significant decrease in the number of individuals impacted. In 2020, 300.6 million people were impacted by data breaches, down 66 percent from 887.3 million people impacted in 2019. Cyberattacks were the most common cause of compromise, accounting for 878 events that affected 170 million individuals. One form of cyberattack, using emails (phishing) or texts (smishing) supposedly from a reputable company to induce people to supply personal information, was the most used method of cyberattack, accounting for 44 percent of all cyberattacks. Ransomware accounted for 18 percent of cyberattacks and malware accounted for 12 percent. Human and system errors accounted for 152 events that affected 130 million people. Physical attacks, such as stealing a device or document, accounted for 78 events and affected about 943,000 people. Supply chain attacks, which originate with a vendor, account for the remainder of attacks.

Despite conflicting analyses, the costs associated with cybercrime are increasing. McAfee and the Center for Strategic and International Studies (CSIS) estimated the likely annual cost to the global economy from cybercrime is $445 billion a year, with a range of between $375 billion and $575 billion. The average cost of a data breach globally was $13.0 million in 2018, up 12 percent from $11.7 million in 2017, according to a 2019 study from the Ponemon Institute and Accenture. Researchers polled 355 organizations located in 11 countries to determine what costs they faced after a cyberattack, such as the costs to detect, recover, investigate and manage the incident response. They also included the cost of activities that occur after the fact and efforts to reduce business interruption and loss of customers. In the United States, the average annual cost of cybercrime rose 29 percent in 2018, to $27.4 million, compared with $21.2 million in 2017. Globally, the banking industry had the highest average annual cost in 2018—$18.4 million—up from $16.7 million in 2017, followed by utilities and software companies. By type of attack, malware incidents had the highest cost, at $2.6 million followed closely by web-based attacks at $2.3 million.

Cyber insurance evolved as a product in the United States in the mid- to late-1990s as insurers have had to expand coverage for a risk that is rapidly shifting in scope and nature. In 2018, 545 insurers reported writing cyber insurance, up from 505 in 2017, according to NAIC data sourced from S&P Global Market Intelligence. Direct premiums written totaled $2.0 billion in 2018, from companies that can report premiums for stand-alone and coverage provided as part of package policies, up from $1.86 billion in 2017.

According to the Insurance Information Institute (I.I.I.) and J.D. Power 2019 Small Business Cyber Insurance and Security Spotlight Survey℠, 12 percent of businesses surveyed suffered one or more cyber incidents in the prior year, up from 10 percent in 2018. Nearly 71 percent said they are “very concerned” about cyber incidents, up from 58 percent in 2018, and 75 percent said they believe the risk of being victimized by a cyberattack is growing at an alarming rate, up from 70 percent in 2018. Among the 44 percent of respondents who said they do not currently have cyber insurance and the 21 percent who said they do not know whether they do, 64 percent said they do not plan to purchase a cyber insurance policy in the next 12 months. This is down from 70 percent in 2018, and given small companies’ growing awareness and concerns about cyberrisk, insurers and agents and brokers might be able to increase their overall support of this market by addressing the issues of affordability and coverage limitations that seem to be an obstacle to purchasing.

Number Of Data Breaches And Records Exposed, 2010-2019

The Internet Crime Complaint Center (IC3) says that 2019 complaints and dollar losses were the highest since the center began tracking cybercrime statistics in 2000. In 2019 the IC3 received and processed 467,361 complaints, and losses to individuals and businesses rose to $3.5 billion. Both the number of complaints and the losses reported rose from 2018 by about 30 percent. In terms of dollar losses, business email compromise caused the most losses, with about $1.7 billion in losses, followed by confidence fraud or romance complaints, with almost half a billion dollars in losses. Business email compromise typically involves a criminal mimicking a legitimate email address. For example, an employee will receive a message that appears to be from an executive within their company requesting a payment or wire transfer that funnels money directly to a criminal. About 24,000 people were victims of email account scams. Confidence fraud occurs when a criminal deceives a victim into believing they have a trust relationship and the victim is persuaded to send money or personal and financial information. In 2019 about 20,000 people reported confidence scams.

Cybercrime Complaints, 2015-2019 (1)

 

(1) Based on complaints submitted to the Internet Crime Complaint Center.

Source: Internet Crime Complaint Center.


Top 10 States By Number Of Cybercrime Victims, 2019 (1)

| Rank | State | Number |
|---|---|---|
| 1 | California | 50,132 |
| 2 | Florida | 27,178 |
| 3 | Texas | 27,178 |
| 4 | New York | 21,371 |
| 5 | Washington | 13,095 |
| 6 | Maryland | 11,709 |
| 7 | Virginia | 11,674 |
| 8 | Pennsylvania | 10,914 |
| 9 | Illinois | 10,337 |
| 10 | Indiana | 9,746 |

(1) Based on the total number of complaints submitted to the Internet Crime Complaint Center via its website from each state where the complainant provided state information.

Source: Internet Crime Complaint Center.


Top 10 Writers Of Cybersecurity Insurance By Direct Premiums Written, 2019 (1)

($000)

| Rank | Group/company | Direct premiums written (2) | As a percent of total direct premiums written |
|---|---|---|---|
| 1 | Chubb Ltd. | $356,856 | 15.9% |
| 2 | AXA | 229,680 | 10.2 |
| 3 | American International Group (AIG) | 225,758 | 10.1 |
| 4 | Travelers Companies Inc. | 178,526 | 7.9 |
| 5 | Beazley Plc. | 150,943 | 6.7 |
| 6 | AXIS Capital Holdings Ltd. | 97,305 | 4.3 |
| 7 | CNA Financial Corp. | 94,722 | 4.2 |
| 8 | BCS Insurance Co. | 76,062 | 3.4 |
| 9 | Liberty Mutual | 68,377 | 3.0 |
| 10 | Fairfax Financial Holdings | 65,101 | 2.9 |

(1) Includes stand-alone policies and the cybersecurity portion of package policies. Does not include premiums from companies that cannot report premiums for cybersecurity coverage provided as part of package policies.
(2) Before reinsurance transactions.

Source: NAIC data, sourced from S&P Global Market Intelligence, Insurance Information Institute.


Additional resources

Federal Trade Commission

Internet Crime Complaint Center
