There are affiliate links on this page.
Read our disclosure policy to learn more.

2019 Internet Fraud, Scam and Crime Statistics

The most recent report from the IC3 is for year 2017

Statistics regarding internet scams and frauds are presented here as a snapshot in time January 2009, but below are links to archived statistics from previous years. Web crime statistics are notoriously difficult to obtain, with many sources each calculating them in a different manner and different time frame, using a different source.

To provide the most reliable picture, we use the Internet Crime Complaint Center's (IC3) statistics as a baseline. The IC3 began operation on May 8, 2000, as the Internet Fraud Complaint Center and was established as a partnership between the National White Collar Crime Center (NW3C) and the Federal Bureau of Investigation (FBI) to serve as a vehicle to receive, develop, and refer criminal complaints regarding the rapidly expanding arena of cyber crime. These statistics have the advantage of the FBI's expertise, but the weakness of being 1 to 2 years out of date.

To overcome that we add our own tracking system statistics to update the FBI / IC3 statistics.

Background

The statistics for the current Top 10 frauds and scams list can be found below. A description of these scams is on this page. The greatest challenge in assembling a list and statistics of the frauds is that most fall into several categories. Consumers may characterize crime problems with an easier "broad" character, which may be misleading. For instance, a consumer that gets lured to an auction site which appears to be eBay, may later find that they were victimized through a cyber scheme. The scheme may in fact have involved SPAM, unsolicited e-mail inviting them to a site, and a "spoofed" website which only imitated the true legitimate site. The aforementioned crime problem could be characterized as SPAM, phishing, possible identity theft, credit card fraud or auction fraud. In such scenarios, many complainants have depicted schemes such
as auction fraud even though that label may be incomplete or misleading.

These complaints were composed of many different fraud types such as auction fraud, non-delivery, and credit/debit card fraud as well as non-fraudulent complaints such as computer intrusions, spam/unsolicited e-mail, and child pornography. All of these complaints are accessible to federal, state, and local law enforcement to support active investigations, trend analysis, and public outreach and awareness efforts.

Top 10 Internet Scam Complaints by Category

Other significant findings related to an analysis of referrals include:

2017 -2019 Internet crimes by category

Compare this with 10 years ago"

Non-delivered merchandise and/or payment was, by far, the most reported offense, comprising 32.9% of referred complaints.
Internet auction fraud accounted for 25.5% of referred complaints.
Credit/debit card fraud made up 9.0% of referred complaints.
Confidence fraud ("con men"), computer fraud, check fraud, and Nigerian letter fraud (Also called "Advance Fee Fraud" or AFF) round out the top seven categories of complaints referred to law enforcement during the year.

Of those complaints reporting a dollar loss, the highest median losses were found among

check fraud ($3,000),
confidence fraud ($2,000),
Nigerian (west African, 419, Advance Fee) letter fraud ($1,650)

Amount Lost by Selected Fraud Type for Individuals Reporting Monetary Loss

Complaint Type	Percentage of Reported Total Loss	Of those who reported a loss the Average (median) $ Loss per Complaint
Check Fraud	7.8%	$3,000.00
Confidence Fraud	14.4%	$2,000.00
Nigerian Letter Fraud	5.2%	$1,650.00
Computer Fraud	3.8%	$1,000.00
Non-delivery (merchandise and payment)	28.6%	$800.00
Auction Fraud	16.3%	$610.00
Credit/Debit Card Fraud	4.7%	$223.00

Among perpetrators,

77.4% were male and
50% resided in one of the following states: California, New York, Florida, Texas, District of Columbia, and Washington.
The majority of reported perpetrators (66.1%) were from the United States; however, a significant number of perpetrators where also located in the United Kingdom , Nigeria , Canada , China, and South Africa.

Among complainants,

55.4% were male,
nearly half were between the ages of 30 and 50 and one-third resided in one of the four most populated states: California, Florida, Texas, and New York.
While most were from the United States (92.4%), IC3 received a number of complaints from Canada, United Kingdom, Australia, India, and France.
Males lost more money than females (ratio of $1.69 dollars lost per male to every $1.00 dollar lost per female). This may be a function of both online purchasing differences by gender and the type of fraudulent schemes by which the individuals were victimized.
E-mail (74.0%) and webpages (28.9%) were the two primary mechanisms by which the fraudulent contact took place.

For the full report, go to the IC3 webpage on statistics.

Hot Topics for 2017-2019

Business Email Compromise

BEC is a sophisticated scam targeting businesses that often work with foreign suppliers and/or businesses and regularly perform wire transfer payments. The Email Account Compromise (EAC) variation of BEC targets individuals who regularly perform wire transfer payments. It should be noted while most BEC and EAC victims reported using wire transfers as their regular method of transferring business funds, some victims reported using checks. The fraudsters used the method most commonly associated with their victims' normal business practices. Both scams typically involve one or more fraudsters, who compromise legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds. Because the techniques used in the BEC and EAC scams have become increasingly similar, the IC3 began tracking these scams as a single crime type in 2017.

Fraudulent transfers conducted as a result of BEC and EAC have been routed through accounts in many countries with a large majority traveling through Asia.

Ransomware

Ransomware is a form of malware targeting both human and technical weaknesses in an effort to make critical data and/or systems inaccessible. Ransomware is delivered through various vectors, including Remote Desktop Protocol, which allows computers to connect to each other across a network, and phishing. In one scenario, spear phishing emails are sent to end users resulting in the rapid encryption of sensitive files on a corporate network. When the victim organization determines they are no longer able to access their data, the cyber actor demands the payment of a ransom, typically in virtual currency such as Bitcoin. The actor will purportedly provide an avenue to the victim to regain access to their data once the ransom is paid. Recent iterations target specific organizations and their employees, making awareness and training a critical preventative measure.

The FBI does not support paying a ransom to the adversary. Paying a ransom does not guarantee an organization will regain access to their data; in fact, some individuals or organizations were never provided with decryption keys after having paid a ransom. Paying a ransom emboldens the adversary to target other organizations for profit, and provides for a lucrative environment for other criminals to become involved. While the FBI does not support paying a ransom, there is an understanding that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.

In all cases the FBI encourages organizations to contact a local FBI field office immediately to report a ransomware event and request assistance.

Tech Support Fraud

Tech Support Fraud is a widespread scam in which criminals claim to provide customer, security, or technical support in an effort to defraud unwitting individuals and gain access to the individuals' devices. There are many variations of this scam, and criminals are constantly changing their tactics to continue the fraud. For example, in addition to telephone calls, popup and locked screens, search engine advertising, and URL hijacking/typosquatting, criminals now use phishing emails with malicious links or fraudulent account charges to lure their victims. Criminals also pose as a variety of different security, customer, or technical support representatives and offer to resolve any number of issues, including compromised email, bank accounts, computer viruses, or offer to assist with software license renewal. Some recent complaints involve criminals posing as technical support representatives for income tax assistance, GPS, printer, or cable companies, or support for virtual currency exchanges. In some variations, criminals pose as government agents, who offer to recover losses related to tech support fraud schemes or request financial assistance with "apprehending" criminals. The "fake refund" variation of tech support fraud is increasing in reports and losses. In this scheme, the criminal contacts the victim offering a refund for tech support services previously rendered. The criminal pretends to refund too much money to the victim's account and requests the victim return the difference. The "refund and return" process can occur multiple times, resulting in the victim potentially losing thousands of dollars. During this scheme, if the criminal can connect to the victim's devices, the criminal will download the victim's personal files containing financial accounts, passwords, and personal data, like health records, social security numbers, and tax information. The information is used to request bank transfers or open new accounts to accept and process unauthorized payments. Criminals will also send phishing emails to the victim's personal contacts from the victim's computer.

Extortion

Extortion occurs when a criminal demands something of value from a victim by threatening physical or financial harm or the release of sensitive data. Extortion is used in various schemes reported to the IC3, including Denial of Service attacks, hitman schemes, sextortion, government impersonation schemes, loan schemes, and high-profile data breaches.

Virtual currency is commonly demanded as the payment mechanism because it provides the criminal an additional layer of anonymity when perpetrating these schemes. In 2017, the IC3 received 14,938 extortion-related complaints with adjusted losses of over $15
million.

2019 Patterns

In 2019, that ranking has changed considerably - Lottery scams are number, followed by Auction scams, non delivery and check fraud.

How much money do victims typically lose?

Where are the scammers located?

The greatest concentration (per capita) of internet scammers in the United States are concentrated in the District of Columbia (Washington, D.C.) and Nevada. By sheer numbers, California, NY and Florida take the top three positions, based on their population sizes.

Map 1 - Top Ten States (Perpetrators)

California 15.8%
New York 9.5%
Florida 9.4%
Texas 6.4%
D.C. 5.2%
Washington 3.9%
Illinois 3.3%
Georgia 3.1%
New Jersey 2.8%
Arizona 2.6%

Providing insight into the demographics of fraud perpetrators, in those cases with a reported location, over 75% of the perpetrators were male and over half resided in one of the following states: California, Florida, New York, Texas, District of Columbia, and Washington.

Globally, in 2019, most scammers operated from the China, Russia and United States. The U.S. still held a huge lead in active internet users then, a gap that has since closed considerably. In 2019, China and the U.S. each have approximately 200 million internet users, and most of the world has grow commensurately. As the user populations have grown abroad, so have their scammer populations. Several countries stand out in 2019 as have disproportionately huge populations of scammers: Nigeria, Romania, the Netherlands and China. Lottery and fake money transfer (AFF)frauds seem to be the specialty of the Nigerians. The United States still leads in Identity Theft and Phishing/Spoofing frauds.

These locations are among the most populous in the country. Controlling for population, the District of Columbia, Nevada, Washington, Montana, Florida, and Delaware have the highest per capita rate of perpetrators in the United States.

Map 2 - Top Ten Countries By Count (Perpetrators)

United States 66.1%
United Kingdom 10.5%
Nigeria 7.5%
Canada 3.1%
China 1.6%
South Africa 0.7%
Ghana 0.6%
Spain 0.6%
Italy 0.5%
Romania 0.5%

Perpetrators also have been identified as residing in the United Kingdom, Nigeria, Canada, Romania, and Italy. Inter-state and international boundaries are irrelevant to Internet criminals. Jurisdictional issues can enhance their criminal efforts by impeding investigations with multiple victims, multiple states/counties, and varying dollar losses.