In 2022, 800,944 cyber-crimes were reported in the US.[1] But while the total number of reported cyber-attacks was lower than in 2021, financial losses rose nearly 50%, from $6.9 to $10.3 billion.
Between 2018 and 2022, the FBI received 3.26 million complaints about cyber-attacks, with reported losses totaling $27.6 billion. These complaints are recorded and investigated by the FBI’s Internet Crime Complaint Center, also known as IC3.
Cyber-attacks and cyber-fraud are a mounting problem for both individuals and the government. Although these are a fraction of total crimes, the financial losses are severe, demonstrating the need for a robust law enforcement response, according to the Government Accountability Office.
What is a cyber-attack?
The National Institute of Standards and Technology defines a cyber-attack as “any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself.” This includes both technical attacks involving data breaches, as well as personal cons where the victim is communicating with the fraudster.
The term “cyber-crime” is technically an overarching term used to describe general criminal activities that target a computer or network to cause damage or steal information, but people use both terms interchangeably.
Types of cyber-attacks include:
Phishing is a fraudulent attempt to obtain sensitive information such as usernames, passwords, and credit card details via email or text by masquerading as a bank or other trusted entity.
A personal data breach is an incident where an unauthorized individual accesses, or an authorized user misuses, Personally Identifiable Information (PII).
Non-payment/non-delivery scams include non-delivery of paid items, non-payment for shipped goods, misrepresented products on auction sites, and payment demands via gift cards.
Malware is software designed to disrupt, damage, or gain unauthorized access to computer systems.
Ransomware is a type of malware that encrypts the victim's data, making it inaccessible; the attacker then demands payment for the decryption key.
Distributed Denial of Service (DDoS) attacks involve overloading a system, network, or website with traffic, so it crashes and becomes unavailable to regular users.
Cyber-crimes incur imprisonment, fines, or both, depending on the nature and severity of the crime.
Who monitors cyber attacks in the US?
The FBI leads national efforts to identify, prosecute, and reduce cybercrimes. IC3 is the Nation’s cybercrime reporting hub, giving victims an opportunity to recover their information or financial assets.
In 2018, the US also established the Cybersecurity and Infrastructure Security Agency, responsible for defending the nation’s critical infrastructure from large-scale cyber attacks.
What cyber attacks are most common?
Phishing is by far the most frequent, targeting 300,497 victims in 2022 and representing 41% of total reported crimes.
This medium was followed by personal data breaches and non-payment/non-delivery scams.
How much do cyber-crimes cost individual Americans?
Some types of cyber-attack generate higher costs for victims than others. Online scams involving fake investments resulted in over $3.3 billion in lost assets in 2022, roughly one-third of total losses. These scams induce investors to make purchases based on false information, usually offering large returns with minimal risk (e.g., Ponzi and pyramid schemes).
Other costly scams include business email compromise — a sophisticated fraud technique that tricks business’ employees to transfer of funds to scammers' accounts — and tech support scams in which the attacker subject poses as a technical and/or customer service agent to get the victim to reveal personal data.
Who is most affected by cyber-crimes?
The 60+ age group reported 37% of all financial losses in 2022, the largest percentage among all age demographics.
However, victims within the 30–39 age group generated the most complaints — 94,506 in 2022 — compared to 88,262 for the 60+ cohort.
Critical national infrastructure suffered from cyber-attacks as well, typically through ransomware attacks that prevented organizations from completing work until a ransom had been paid.
The healthcare and public health sectors experienced the most ransomware attacks, with 210 incidents recorded. They present a critical challenge, as it can impede the delivery of proper care to patients until the cyber attacks are resolved.
Healthcare was closely followed by critical manufacturing with 157 attacks, and government facilities at 115.
The US defense industrial base, which includes the network of businesses, factories, and workers that supply the military with weapons, vehicles, technology, and more, only had one reported cyber-attack in 2022.
How to report a scam
You can report internet-enabled crime against yourself or someone else via the Internet Crime Complaint Center. The IC3 processes complaints to determine their accuracy and completeness then investigates to return lost documents, information, and financial assets, if possible.
The FBI also has guidance on how to spot and report online scams.
For more information and data on the incarcerated population, including how many people are in prison in America, check out the America in Facts 2023 report and sign up for our newsletter.
[1] The number of individuals affected by reported cyber-attacks is likely lower than estimated, as victims may report their cases multiple times.
