Facts + Statistics: Identity theft and cybercrime

The scope of identity theft

According to the Aite Group, 47 percent of Americans experienced financial identity theft in 2020. The group’s report, U.S. Identity Theft: The Stark Reality, found that losses from identity theft cases cost $502.5 billion in 2019 and increased 42 percent to $712.4 billion in 2020. The group explains that the huge increase was fueled by the high rate of unemployment identity theft during the pandemic, as increased and extended unemployment benefits made the sector an attractive target for fraudsters.

Losses are forecast to increase again in 2021 to $721.3 billion. The study narrowed the identity theft definition to include only application fraud, where criminals used a victim’s identity to open a new account of some type, and account takeover, where an account is taken so criminals can steal money or access rewards. Examples of accounts include rewards accounts for airlines, hotels, or merchants; insurance policies; and other accounts.

In the past two years, 37 percent of consumers have been victims of application fraud and 38 percent experienced account takeovers. The highest percentage of consumers who were victimized in 2020 were between 35 and 44 years of age and accounted for 30 percent of all identity theft victims. The findings are from an online survey conducted in December 2020 of 8,653 U.S. consumers age 18 and older.

Identity theft and fraud complaints

The Consumer Sentinel Network, maintained by the Federal Trade Commission (FTC), tracks consumer fraud and identity theft complaints that have been filed with federal, state and local law enforcement agencies and private organizations. There were 4.8 million identity theft and fraud reports received by the FTC in 2020, up 45 percent from 3.3 million in 2019, mostly due to the 113 percent increase in identity theft complaints. In 2020, 1.4 million complaints were for identity theft, up from 651,000 in 2019. Identity theft complaints accounted for 29 percent of all complaints received by the FTC, up from 20 percent in 2019. About 2.2 million reports were fraud complaints and 1.2 million involved other complaints.

Out of the total 4.8 million reports received by the FTC in 2020, the most by category were for identity theft complaints. Within identity theft, almost one-third were for scams involving government benefits applied for or received. According to Equifax, federal stimulus payments were an easy target for criminals and were the number one COVID-19 scam. Fraud involving new credit card accounts was the next largest identity theft scam, at about 30 percent of all identity theft complaints. Imposter scams were the second-worst overall category of FTC complaints, with almost one-half million reports.

Of the 2.2 million fraud cases, 34 percent reported money was lost. Consumers reported losing more than $3.3 billion related to fraud complaints, an increase of $1.5 billion from 2019. The median amount consumers paid in these cases was $311. Twenty-two percent of imposter scams reported money lost, totaling about $1.2 billion.

The top five states for identity theft ranked by the number of reports per population were Kansas, Rhode Island, Illinois, Nevada and Washington. (See chart below). For fraud and other complaints, the top five states were Nevada, Delaware, Florida, Maryland, and Georgia.

Identity Theft And Fraud Reports, 2016-2020 (1)

 

(1) Percentages are based on the total number of Consumer Sentinel Network reports by calendar year. These figures exclude "Do Not Call" registry complaints.

Source: Federal Trade Commission, Consumer Sentinel Network.


Top Five Types of Identity Theft, 2020 (1)

| Type of identity theft | Number of reports | Percent of total top five |
|---|---|---|
| Government benefits applied for/received | 394,324 | 32.0% |
| Credit card fraud—new accounts | 365,597 | 29.7 |
| Miscellaneous identity theft (2) | 281,434 | 22.9 |
| Business/personal loan | 99,667 | 8.1 |
| Tax fraud | 89,391 | 7.3 |
| Total, top five | 1,230,413 | 100.0% |

(1) Consumers can report multiple types of identity theft. In 2020, 15 percent of identity theft reports included more than one type of identity theft.
(2) Includes online shopping and payment account fraud, email and social media fraud, and medical services, insurance and securities account fraud, and other identity theft.

Source: Federal Trade Commission, Consumer Sentinel Network.


Identity Theft By State, 2020 (1)

| State | Reports per 100,000 population (2) | Number of reports | Rank (3) | State | Reports per 100,000 population (2) | Number of reports | Rank (3) |
|---|---|---|---|---|---|---|---|
| Alabama | 354 | 17,376 | 21 | Montana | 228 | 2,439 | 32 |
| Alaska | 127 | 926 | 47 | Nebraska | 113 | 2,182 | 49 |
| Arizona | 380 | 27,661 | 14 | Nevada | 740 | 22,801 | 4 |
| Arkansas | 579 | 17,470 | 8 | New Hampshire | 169 | 2,301 | 38 |
| California | 373 | 147,382 | 15 | New Jersey | 362 | 32,125 | 19 |
| Colorado | 361 | 20,762 | 20 | New Mexico | 165 | 3,454 | 40 |
| Connecticut | 191 | 6,821 | 35 | New York | 345 | 67,202 | 23 |
| Delaware | 449 | 4,374 | 13 | North Carolina | 288 | 30,176 | 26 |
| D.C. | 368 | 2,595 | 18 | North Dakota | 166 | 1,266 | 39 |
| Florida | 472 | 101,367 | 11 | Ohio | 222 | 25,893 | 33 |
| Georgia | 654 | 69,487 | 7 | Oklahoma | 349 | 13,797 | 22 |
| Hawaii | 271 | 3,835 | 28 | Oregon | 176 | 7,432 | 37 |
| Idaho | 132 | 2,353 | 45 | Pennsylvania | 265 | 33,886 | 29 |
| Illinois | 1,066 | 135,038 | 3 | Puerto Rico | 52 | 1,663 | 52 |
| Indiana | 257 | 17,306 | 30 | Rhode Island | 1,191 | 12,621 | 2 |
| Iowa | 96 | 3,022 | 50 | South Carolina | 373 | 19,193 | 15 |
| Kansas | 1,483 | 43,211 | 1 | South Dakota | 72 | 637 | 51 |
| Kentucky | 127 | 5,693 | 47 | Tennessee | 281 | 19,182 | 27 |
| Louisiana | 473 | 21,976 | 10 | Texas | 465 | 134,788 | 12 |
| Maine | 534 | 7,183 | 9 | Utah | 292 | 9,366 | 25 |
| Maryland | 343 | 20,718 | 24 | Vermont | 130 | 810 | 46 |
| Massachusetts | 661 | 45,575 | 6 | Virginia | 183 | 15,632 | 36 |
| Michigan | 244 | 24,370 | 31 | Washington | 712 | 54,247 | 5 |
| Minnesota | 146 | 8,246 | 44 | West Virginia | 148 | 2,646 | 43 |
| Mississippi | 371 | 11,048 | 17 | Wisconsin | 154 | 8,986 | 41 |
| Missouri | 222 | 13,653 | 33 | Wyoming | 151 | 875 | 42 |

(1) Includes the District of Columbia and Puerto Rico.
(2) Population figures are based on the 2019 U.S. Census population estimates.
(3) Ranked per complaints per 100,000 population. States with the same number of complaints per 100,000 population receive the same rank.

Source: Federal Trade Commission, Consumer Sentinel Network.


Top 10 Writers Of Identity Theft Insurance By Direct Premiums Written, 2020 (1)

($000)

| Rank | Group/company | Direct premiums written (2) | As a percent of total direct premiums written |
|---|---|---|---|
| 1 | Nationwide Mutual Group | $33,005 | 13.9% |
| 2 | State Farm | 32,694 | 13.7 |
| 3 | Travelers Companies Inc. | 23,812 | 10.0 |
| 4 | Hanover Insurance Group Inc. | 13,352 | 5.6 |
| 5 | Liberty Mutual | 13,174 | 5.5 |
| 6 | Allstate Corp. | 10,630 | 4.5 |
| 7 | Farmers Insurance Group of Companies | 10,430 | 4.4 |
| 8 | American Family Insurance Group | 10,138 | 4.3 |
| 9 | Erie Insurance Group | 8,917 | 3.7 |
| 10 | Mercury General Corp. | 6,614 | 2.8 |

(1) Includes stand-alone policies and the identity theft portion of package policies. Does not include premiums from companies that cannot report premiums for identity theft coverage provided as part of package policies.
(2) Before reinsurance transactions.

Source: NAIC data, sourced from S&P Global Market Intelligence, Insurance Information Institute.


Cybercrime

As businesses increasingly depend on electronic data and computer networks to conduct their daily operations, growing pools of personal and financial information are being transferred and stored online. This can leave individuals exposed to privacy violations, and financial institutions and other businesses exposed to potentially enormous liability, when a data security breach occurs.

High-profile data breaches continue to threaten businesses with losses and consumers with exposure of their personal data. In January 2021, more than 280 million Microsoft customer records were left unprotected on the web. By March, the U.S. Cybersecurity and Infrastructure Security Agency, a standalone United States federal agency in the Department of Homeland Security, advised all organizations across all sectors to follow its guidance to address Microsoft’s email server vulnerabilities. According to the Triple-I, the number of U.S.-based organizations affected is estimated to be at least 30,000, while worldwide that number is close to 100,000. Other notable breaches in 2021 involved Colonial Pipeline Co., an East Coast gas utility that suffered a ransomware attack that shut down the company for six days, along with Facebook and Volkswagen of America breaches. A breach at Marriott Hotels in March 2020 reached a data system containing the personal information of about 5.2 million customers, and MGM Resorts was hit by a February 2020 data breach that exposed the personal information of more than 10.6 million guests. Mimecast revealed in its 2021 State of Email Security Report that 61 percent of organizations suffered a ransomware attack that led to at least a partial interruption of business operations. In 2020, 51 percent of organizations stated that they underwent these types of malware attacks.

Data breach costs have only increased in recent years, with the average cost of a breach rising to $4.24 million in 2021, up from $3.86 million in 2020. Costs remained highest in the U.S., rising to $9.05 million from $8.64 million in 2020. According to modeler CyberCube, rating agency AM Best and insurance and reinsurance broker Aon, a $12.5 billion industry loss from non-physical damage could transfer to property carriers if a major event occurs, triggering a one-in-100-year loss in the U.S. property insurance market. This loss figure suggests that the U.S. property insurance market is exposed to $9.5 billion of attritional losses and $3 billion of catastrophic losses. According to AM Best, the prospects for the cyber insurance market are “grim” due to rapid growth in exposure without adequate risk controls; growing sophistication of cyber criminals; and the cascading effects of cyber risks and a lack of geographic or commercial boundaries.

The Identity Theft Research Center (ITRC) reports a 17 percent increase in U.S. business data breaches in the first three quarters of 2021 compared with the 2020 total. There were 1,291 breaches, January to September, 2021, compared with 1,108 in 2020. The record high was 1,529 in 2017. The report estimates 250 million people will have their data compromised by the end of 2021, as opposed to 310 million people in 2020. In the second quarter of 2021, the ITRC found that there was a 38 percent increase in data compromises from the first quarter.

According to Accenture, insurance companies were most affected by ransomware attacks in the first half of 2021, totaling almost 25 percent of all ransomware attacks on Accenture’s clients. Consumer goods and services, and telecommunications ranked second and third.

The ITRC also reported in early 2021 that cybercriminals remain less invested in taking large amounts of personal information directly from consumers, instead manipulating poor consumer behaviors to perpetrate identity-related crimes against businesses using stolen credentials, such as logins and passwords. Criminals then utilize these stolen logins and passwords to perpetrate ransomware and phishing attacks against businesses.

Additionally, organizations often leave their cybersecurity teams understaffed, according to ISACA, a global IT professional organization. In its 2021 State of Cybersecurity report, ISACA found that 61 percent of cybersecurity professionals consider their organization’s cybersecurity team understaffed. This understaffing among organizations, which includes business and government, creates a burden on existing staff and can consequently cause an increased risk from malware threats. The study found that 47 percent stated that their organizations were “somewhat” understaffed, while 14 percent reported they were “significantly” understaffed. Additionally, 34 percent reported that their organization is “appropriately” staffed, with only 4 percent stating that they are either “somewhat” or “significantly” overstaffed.

According to the 2021 Cost of a Data Breach Report, a global study sponsored by IBM Security and conducted by the Ponemon Institute, the average data breach cost rose from $3.86 million in 2020 to $4.24 million in 2021. Ransomware attacks cost an average of $4.62 million, surpassing the average data breach cost. The percentage of companies where ransomware was a factor in the breach was 7.8%. Malicious attacks that destroyed data in destructive wiper-style attacks cost an average of $4.69 million. The study utilized results from 537 organizations across 17 countries and regions, as well as 17 industries, providing global averages. The costs of these breaches included escalation, notification, lost business and response costs. Cost factors in the survey included legal, regulatory and technical activities related to breaches. Customers’ personally identifiable information (PII) was exposed in 80 percent of the breaches that occurred in 2021, and 20 percent of breaches were caused by stolen or compromised credentials and cloud misconfigurations.

Cyber insurance evolved as a product in the United States in the mid- to late-1990s as insurers had to expand coverage for a risk that is rapidly shifting in scope and nature. In 2020, 203 insurer groups reported writing cyber insurance at one or more of their subsidiaries, up from 197 in 2019, according to data sourced from S&P Global Market Intelligence. Direct premiums written totaled $2.8 billion in 2020, from companies that can report premiums for stand-alone policies and coverage provided as part of package policies, up from $2.2 billion in 2019. For more information on cyber insurance see Chapter 7, Commercial Lines.

Number Of Data Breaches And Individuals Impacted, 2015-2020

The Internet Crime Complaint Center (IC3) says that 2020 complaints and dollar losses were the highest since the center began tracking cybercrime statistics in 2000. In 2020 the IC3 received and processed 791,790 complaints, a 69 percent increase from 467,361 in 2019. Losses to individuals and businesses totaled $4.2 billion, up 20 percent from 2019. Business email compromise continued to cause the most losses, with about $1.8 billion in losses, followed by confidence or romance fraud, with $600.2 million in losses. Business email compromise typically involves a criminal mimicking a legitimate email address. For example, an employee might receive a message that appears to be from an executive within their company requesting a payment or wire transfer that funnels money directly to a criminal. About 19,400 people were victims of email account scams. Confidence fraud occurs when a criminal deceives a victim into believing they have a trust relationship and the victim is persuaded to send money or personal and financial information. In 2020 about 23,750 people reported confidence scams.

Cybercrime Complaints, 2016-2020 (1)

 

(1) Based on complaints submitted to the Internet Crime Complaint Center.

Source: Internet Crime Complaint Center.


Top 10 States By Number Of Cybercrime Victims And By Losses, 2020 (1)

| Rank | State | Number | Rank | State | Losses ($ millions) |
|---|---|---|---|---|---|
| 1 | California | 69,541 | 1 | California | $621.5 |
| 2 | Florida | 53,793 | 2 | New York | 415.8 |
| 3 | Texas | 38,640 | 3 | Texas | 313.6 |
| 4 | New York | 34,505 | 4 | Florida | 295.0 |
| 5 | Illinois | 20,185 | 5 | Ohio | 170.2 |
| 6 | Pennsylvania | 18,636 | 6 | Illinois | 150.5 |
| 7 | Washington | 17,229 | 7 | Missouri | 115.9 |
| 8 | Nevada | 16,110 | 8 | Pennsylvania | 108.5 |
| 9 | New Jersey | 14,829 | 9 | Virginia | 101.7 |
| 10 | Maryland | 14,804 | 10 | Colorado | 100.7 |

(1) Based on the total number of complaints submitted to the Internet Crime Complaint Center via its website from each state where the complainant provided state information.

Source: Internet Crime Complaint Center.


Top 10 Writers Of Cybersecurity Insurance By Direct Premiums Written, 2020 (1)

($000)

| Rank | Group/company | Direct premiums written (2) | As a percent of total direct premiums written |
|---|---|---|---|
| 1 | Chubb Ltd. | $404,144 | 14.7% |
| 2 | AXA XL | 293,025 | 10.7 |
| 3 | American International Group (AIG) | 228,425 | 8.3 |
| 4 | Travelers Companies Inc. | 206,817 | 7.5 |
| 5 | Beazley Plc | 177,746 | 6.5 |
| 6 | AXIS Capital Holdings Ltd. | 133,550 | 4.9 |
| 7 | CNA Financial Corp. | 119,612 | 4.4 |
| 8 | Fairfax Financial Holdings | 108,543 | 4.0 |
| 9 | Hartford Financial Services | 102,865 | 3.7 |
| 10 | BCS Insurance Co. | 86,583 | 3.2 |

(1) Includes stand-alone policies and the cybersecurity portion of package policies. Does not include premiums from companies that cannot report premiums for cybersecurity coverage provided as part of package policies.
(2) Before reinsurance transactions.

Source: NAIC data, sourced from S&P Global Market Intelligence, Insurance Information Institute.


Additional resources

Federal Trade Commission

Internet Crime Complaint Center
