It can happen to anyone. You get a phone call from a company claiming to be your internet provider or operating system host, and they tell you something’s wrong with your computer. They can help, but they either need unlimited access to your system or money to make the problem go away. It may sound legitimate at first, but this isn’t your run-of-the-mill tech guy – it’s probably a scam.

If you think that might be too obvious, consider this one instead: You’re browsing the web and get a pop-up offering a survey with discounted airline tickets as a reward. The URL in the pop-up is identical to that of one of the biggest airline brands in America, and the landing page has been designed to look exactly as you’d expect. Again, just because it looks official doesn’t mean it is, and this real-life example actually led to personal data being compromised through phishing.

Perhaps the most troubling aspect of internet scams is that every year, they become harder and harder to spot. In 2017, more millennials than older Americans lost money to these fraudulent transactions, which goes to show no one is immune to scams. So what does cybercrime look like in America, and where are people targeted the most? We used data from the FBI’s Internet Crime Complaint Center annual reports to learn about cybercrime victims, the most common scams, and which states lose the most money to internet crimes. Keep reading to see what we learned.

An Alarming Trend

You might feel cybercrime gets more media attention these days, but that doesn’t mean it’s a recent phenomenon. Wire fraud cases date back to the ’70s, and the early 2000s made way for a more sophisticated, low-profile criminal as digital fraud became more prevalent. While the ability of law enforcement to recognize and locate the perpetrators has evolved dramatically, 2017 still marked a six-year high for the number of cybercrimes reported to the FBI.

In 2001, there were 50,412 registered instances of cyberattacks and digital fraud, which rose to roughly 75,000 in 2002 and nearly 125,000 in 2003. By 2017, cybercrime increased to over 300,000 registered victims according to the FBI.

The Most Common Cyberattacks


Cybercrime is increasing, but what does it mean in terms of the kinds of fraud you should be aware of?

The most common and costly cybercrimes aren’t necessarily the same. According to the FBI’s 2017 IC3 report, three particular scams accounted for more than 140,000 victims of cybercrime combined:

  • Nonpayment or nondelivery: This is defined as situations where customers either pay for goods that aren’t shipped or they ship out goods and never receive payment for them. These fraudulent transactions are common on peer-to-peer selling sites like eBay.
  • Personal data breach: This is when a person’s sensitive, protected, or confidential data are copied or stolen by an unauthorized individual. The 2013 Yahoo hack remains the largest breach of personal data, having compromised over 3 billion users.
  • Phishing: These are unsolicited emails, text messages, and telephone calls from a company masquerading as legitimate and looking to acquire personal or financial information.

While these schemes accounted for the most cybercrime victims, they weren’t the most costly. Combined with nonpayment and nondelivery, these two scams amounted to more than $1 billion in losses:

  • Business email compromise (BEC) or email account compromise (EAC): These are scams that target companies working with foreign suppliers or other businesses with regular wire transfers. BEC fraud imitates those email correspondences to pose as the rightful recipient of a transfer.
  • Confidence fraud: This is where the perpetrator deceives a victim by building a trusting relationship to extract money or personal information. In 2017, more than $211 million was lost as a result of reported confidence fraud.

It’s important to note that these figures only account for crimes that were reported to the FBI. It’s possible that crimes went unreported and the total number of victims and amount of monetary loss are actually greater.

Regional Cybercrime Trends


Not every part of the country falls victim to digital scams with the same frequency. In 2017, Alaskan residents represented the most vulnerable demographic for cybercrime, with more than 19 cybercrime victims for every 10,000 residents. Experts suggest the trans-Alaska pipeline faces an ongoing threat of cyberattacks including very targeted phishing attempts. And while there hasn’t been lasting damage as of yet, officials say Alaska’s election system was hacked by Russian cyberactors in 2016.

Washington, D.C. (16.5), Nevada (15.6), and California (14.2) were also among the places with the greatest average number of cybercrime victims. Research suggests much of the digital fraud in California is aimed at online shoppers and e-commerce outlets.

No Small Sum


Business email compromise (BEC) remains one of the fastest-growing scams in America, and it specifically targets businesses and their most sensitive data. These emails disguise themselves as coming from high-ranking company leadership to employees or as outside agencies targeting wire transfers for company assets. These emails are almost always well-crafted and can be very hard to spot by the untrained eye.

No state had a higher per-person cost for cybercrime in 2017 than Arizona, where residents who were victimized lost an average of $9,200, the bulk of which was attributed to business email compromise/email account compromise according to state-by-state data included in the IC3 report.

Massachusetts ($7,463), Idaho ($6,457), and South Dakota ($6,119) were also among the states with the highest average costs for victims of digital fraud. In contrast, Alaska, Hawaii, and Maine had the lowest costs – all averaging less than $1,800 per victim in 2017. Beyond the cost, cybercrime can have long-term effects on businesses and individuals who may struggle to fully recover their identities after a targeted attack.

Identifying Criminals


In some cases, orchestrating a cybercrime isn’t a complicated endeavor. Particularly where confidence scams are concerned, perpetrators can easily identify victims and potentially cost them thousands of dollars in damages. However, catching these scammers isn’t always easy, even for trained authorities.

So where are American cyberattacks coming from? Not all of the crimes registered in America originate within U.S. borders, but according to the FBI, some have been traced back to U.S. residents. In 2017, there were nearly 13 alleged cybercrime perpetrators per 10,000 residents in Washington, D.C. Nebraska (11.2), Delaware (8.5), and Nevada (6.9) also ranked for the number of cybercrime perpetrators.

Local and federal authorities often don’t attempt to go after cybercriminals and largely admit to needing better training to turn allegations into concrete convictions.

Mapping the Change


The landscape of cybercrime is constantly changing, and most experts admit cybersecurity countermeasures aren’t always equipped to respond as quickly as the attacks evolve. From businesses to individuals and even government organizations, cybercrime doesn’t discriminate. While anyone can be targeted by scammers and hackers, some states have become more vulnerable than others.

Californians were 70 percent more likely to be cybercrime victims in 2017 than in 2012. Residents in Hawaii were more than 65 percent more likely to be targeted by internet crimes than five years prior. In contrast, some states might be safer today than in 2012. With a nearly 24 percent decrease in cybercrimes, residents in Maine saw the most positive adjustment in cyberattacks.

Costly Concerns


Cybercrime isn’t just becoming more prevalent; it’s getting more costly. Compared to 2012, the cost of cybercrime in Arizona increased by nearly 340 percent in 2017.

In Massachusetts, the increase from 2012 to 2017 was nearly 318 percent in monetary loss, followed by nearly 271 percent in South Dakota and 268 percent in Wyoming. While very few states truly saw a decrease in the amount of cybercrime damage endured since 2012, Hawaii (-21 percent) and West Virginia (-4 percent) managed to see a decrease in the cost of cybercrime.

Stay Safe Out There

It’s easy to become the victim of a targeted cyberattack. No matter who you are or where you work, it seems no one is ever truly out of the reach of these crimes and their long-term (and often expensive) consequences. Even though the total number of victims reported by the FBI has fallen since 2009, the last six years have seen a rise in both the number of victims and the overall cost of these fraudulent interactions.

It’s worth noting that anyone can be exposed to cybercrime, and these crimes occur with varying degrees of frequency. States including Arizona, California, and Alaska often ranked as some of the most dangerous regions for cybercrime victims, while others including Maine and North Dakota saw much lower frequencies of the same attacks. Wherever you live, take steps to educate and protect yourself.


For this project, we used data from the FBI’s Internet Crime Complaint Center (IC3) annual reports, with an emphasis on the latest data from 2017. The Internet Crime Complaint Center (IC3) allows Americans who have been cybercrime victims to report information on their experiences to the FBI. Information submitted by citizens is analyzed and sent to various law enforcement agencies for investigation.

IC3 was started in 2000 as the Internet Fraud Complaint Center, with its first annual report published in 2001. The center was renamed in 2003 to reflect the fact that it investigates a broad spectrum of internet crimes, not solely fraud.

The IC3 reports are all based on self-reported data in the form of complaints to the IC3. It’s possible that there were instances of cybercrime and related monetary losses that were not reported to the IC3. However, the FBI encourages all victims to submit a complaint through the center. Additionally, the complaints submitted to the IC3 are for suspected crimes. The data available do not specify whether complaints resulted in convictions.

All per-capita measures in this project were calculated using population estimates from the U.S. census. Additionally, when calculating the percentage change from 2012 to 2017, the average amounts of monetary losses for 2012 were adjusted for inflation.

Cybercrime perpetrators (referred to as “subjects” in the IC3’s reports) are determined based on information from cybercrime victims. When submitting a complaint, victims can enter various information about an alleged perpetrator including their name, email, business, address, phone number, website, and IP address. If the victim includes an address for an alleged perpetrator, then the perpetrator is recorded in the report based on the state in which the address was given.

