I am grateful to Maria Gutierrez for research assistance.

1 Introduction

This research report by Florida Atlantic University’s Center for Forensic Accounting is the result of compiling FBI internet crime statistics from 2015 through 2018. It shows trends in kinds of internet crime and U.S. states with the highest reported victim losses and number of victims. This information can be used for public awareness and by government for law enforcement and policy making.

The U.S. Federal Bureau of Investigation (FBI) created the Internet Crime Complaint Center (IC3) in 2000 to receive internet crime complaints from the public. Once someone files a complaint, FBI classifies it into a crime type so that data can be sorted and disseminated to law enforcement agencies and the public. Every year, FBI’s IC3 publishes general data with victim numbers and loss amounts for each internet crime type. Separately, IC3 publishes annual data for each of the U.S. states and territories.

Over the years, FBI data show some internet crimes persist and others have disappeared. Yet, new and more sophisticated types of crimes now prevail. Our report shows online crime trends in the last four years for six top states having higher internet crime activity: California, Florida, New York, North Carolina, Texas, and Virginia. We have identified these top states as having the largest victim monetary losses and number of victims in the most recent year.

We also identified seven top internet crimes with high victim losses. Business Email Compromise/Email Account Compromise (BEC/EAC) is the top online crime in 2018 with reported victim losses of $1.2 billion.¹ BEC/EAC explained about 30% to 50% of all victim losses during 2018 in five of the six top states. BEC/EAC accounted for 50% in New York, 46% in Texas, 33% in California, 33% in Virginia, 32% in Florida, and 20% in North Carolina. The second top internet crime is Confidence Fraud/Romance where losses and number of victims were high in 2018. Corporate Data Breach, Real Estate/Rental fraud, and Credit Card Fraud were also crimes with higher victim losses in 2018, especially in California and Florida.

2 Data Collection

FBI collects internet fraud complaints through its Internet Crime Complaint Center. IC3’s website, www.IC3.gov. It is a website for victims to file alleged internet related crimes. Filing a complaint requires the victim or complainant to provide detailed information about the internet crime. Information requested by FBI includes:²

Victim’s name, address, telephone, and email
Financial transaction information (e.g., account information, transaction date and amount, who received the money)
Subject’s name, address, telephone, email, website, and IP address
Specific details about the victim
Header(s) in the email messages
Any other relevant information believed necessary to support the complaint

After FBI collects the information, it classifies the activity by crime type and analyzes it to identify present and predict future crime trends. The agency prepares intelligence reports with detailed information and disseminates them to law enforcement.

For public awareness, IC3 produces an annual report with aggregate data showing internet crime trends and possible emerging online crime trends. Each year, FBI reports the number of complaints and total victim losses by crime type and other information.

FBI reports information on number of victims and total victim losses for each of the 50 states, District of Columbia, and U.S. territories. Crucially, FBI data only reflect reported internet crime that is only a portion of the actual internet crimes occurring.

3 Data Analysis

3.1 All Internet Crime

This report covers four years of FBI data from 2015 through 2018 as these FBI reports have the same general format. The agency used different data formats in earlier years. Our report herein shows the reported internet crime in absolute numbers of victim losses and numbers of victims, and relative loss and victim rates. Loss rate is defined as the amount of total monetary victim losses divided by the population in millions. Similarly, victim rate is defined as the total number of victims divided by the population in millions. Further, our report uses internet crime and internet fraud interchangeably.

In 2018, the states with the highest monetary victim losses and number of victims from internet crimes were California, Florida, New York, North Carolina, Texas, and Virginia. Much of our analysis focuses on these six top states.

Beginning our analysis with all internet crime in each state, the two plots below show California had the largest victim losses and largest number of victims over the past four years. From 2015 through 2018, California had an increase in victim losses of 130%, from $195 million to $451 million. The number of victims in California also increased significantly, from 35,000 in 2015 to 49,000 in 2018, a 41% increase.

Almost certainly, California has higher victim losses and number of victims mostly because of its higher population. To scale losses and number of victims to population size, loss rates and victim rates appear below in the two plots. The loss rate plot shows the losses in the six top states adjusted for population, where California had the largest loss rates for total internet crime losses in 2015, 2016, and 2017. In 2018, the loss rate in North Carolina rose from $1,900,000 per million in population in 2017 to $13,000,000 per million, surpassing California’s $11,400,000 loss rate, and becoming the state with the largest loss rate in 2018 for all reported internet crime.

Going back to total victim losses for all internet crime in the top states (see earlier plot), Florida was second after California in 2015 for states with highest victim losses with total losses of $95 million. Florida’s total victim losses grew 88% from 2015 through 2018 to $178 million. Yet, in 2018, Florida fell to fourth place in total victim losses following California, New York, and Texas. Additionally, from 2015 through 2018, Florida’s total victims increased somewhat, 18%, from 20,000 to 24,000.

In general, Florida’s victim losses decreased by 6% from 2015 through 2016 but increased 25% by 2017 and had a sharp increase of 61% from 2017 through 2018 (see Florida plots above). Victim numbers in Florida have also increased from 2015 through 2018 but the increase has been slower compared to victim losses overall.

Victim losses in New York had a sharp increase from $58 million in 2015 to $201 million in 2018, a 246% increase. Yet, the number of victims increased only 20% from 15,000 to 18,000. Further, Texas had total victim losses of $63 million in 2015 and grew to $196 million in 2018, a 210% increase. The number of victims in Texas rose 39% from 18,000 to 26,000 over these years.

In 2018, North Carolina became the leader with the highest loss rate while Virginia became the leader with the highest victim rate (see earlier plots). As stated, North Carolina’s 2018 loss rate was $13 million per million in population, well above California with the second highest. In absolute numbers, North Carolina had the highest growth in victim losses among the six top states. Victim losses rose from $19 million in 2015 to $137 million in 2018, a 626% increase. This increase was mainly a result of large losses from online investment fraud.

Virginia had the highest victim rate growth among the six top states, well above California and Florida. In absolute numbers, the number of victims in Virginia increased 96% from 8,000 in 2015 to 15,000 in 2018 (see earlier plots).

Overall, from 2015 through 2018, victim losses from All Internet Crime increased by more than 100% in California, New York, North Carolina, Texas, and Virginia. Although Florida did not have this level of growth in the total victim losses from 2015 through 2018, the state did have an increase of 88%.

3.2 Top Types of Internet Crime

3.2.1 Introduction

Internet frauds have gotten more sophisticated over time and new online crimes have taken over schemes that were popular in earlier years. Since 2015, Business Email Compromise/Email Account Compromise and Confidence Fraud/Romance have been main types of internet fraud and have grown sharply in the last two years among the six top states.

3.2.2 Business Email Compromise/Email Account Compromise

Business Email Compromise/Email Account Compromise (BEC/EAC) takes place when fraudsters hack or spoof business or personal emails accounts with the purpose of diverting funds to their bank accounts by electronic transfer. This scheme may have started with hacking emails accounts of company CEOs where fraudsters pretended to be the CEO and instructed a subordinate by email message to make a (fraudulent) wire transfer. Throughout the years this kind of internet fraud has expanded to hacking and spoofing personal email accounts to obtain sensitive information for diverting funds from many kinds of people including lawyers, vendors, and parties to real estate transactions. FBI received increasing complaints in 2018 where victims received seemingly credible emails or text messages from their bosses (or others in positions of authority) requesting victims buy gift cards that would unknowingly go to the fraudster.³

BEC/EAC fraud is a significant kind of internet crime. According to FBI, in 2018 20,000 victims around the world reported BEC/EAC fraud with losses of more than $1.2 billion.⁴ From 2015 through 2018, the six top states had sharp increases in BEC/EAC fraud. In five of the six top states, BEC/EAC fraud accounted for 30% to 50% of all victim losses. Victim losses from BEC/EAC in 2018 accounted for 50% of the total internet fraud losses in New York, 46% in Texas, over 30% in California, Florida, and Virginia, and 20% in North Carolina.

Texas had the largest growth in BEC/EAC victim losses from 2015 through 2018 as losses grew from $11 million to $117 million, increasing more than ten times. In addition, the number of BEC/EAC victims in Texas almost quadrupled from 2015 through 2018.

States with the second and third largest increases in BEC/EAC victim losses were New York and North Carolina, growing more than 400% and 500%, respectively, from 2015 through 2018. In Florida, BEC/EAC losses grew over 300%, increasing from $20 million in 2015 to $83 million in 2018 and the number of victims increased over 200% from 400 to 1,400. Moreover, Virginia BEC/EAC victim losses grew more than 200%, from $5 million to $19 million and, in California, losses increased almost 200% from $65 million to $190 million.

New York experienced the largest BEC/EAC fraud loss rate in 2018 among the six top states of $6.3 million per million people, followed by $4.8 million in California, and $4.1 million in Texas. Looking at 2018 victim rates, Virginia had the highest victim rate in 2018 followed closely by California and Texas.

3.2.3 Confidence Fraud/Romance

Another significant internet crime is Confidence Fraud/Romance. This kind of online fraud occurs when a fraudster pretends to be a friendly or romantic person, or family member to win the trust of the victim to obtain money, or other assets. Variations of Confidence Fraud/Romance crime include romance/dating scams and grandparent scams. Like BEC/EAC, Confidence Fraud/Romance has become more frequent and the victim numbers and losses have increased during the past four years. In 2018, Confidence Fraud/Romance crime accounted for the second largest victim loss amounts after BEC/EAC in five of the six top states. In Florida, Confidence Fraud/Romance was the third top internet crime in victim losses after BEC/EAC and Corporate Data Breach.

From 2015 through 2018, the six top states experienced increases in victim losses from Confidence Fraud/Romance crime with North Carolina and California having the highest growth of 257% and 140%, respectively. Confidence Fraud/Romance crime has been increasing significantly in North Carolina. Comparing 2015 to 2018, North Carolina had 297 victims in 2015 with losses of $6 million growing to 432 victims in 2018 with $21 million in losses. As stated, California had the second highest growth in victim losses among the six top states. Victims experienced $72 million in losses in 2018, a 140% increase from $30 million in 2015. In terms of the number of victims from Confidence Fraud/Romance crime, California had the highest growth among the six top states, increasing 57%, from 1,300 victims in 2015 to 2,100 in 2018. Texas and Virginia followed California, both with a 56% increase in the number of victims from 2015 through 2018. Further, the number of victims in North Carolina, Florida, and New York grew 45%, 43%, and 35%, respectively, over the four years.

In terms of loss rates for Confidence Fraud/Romance crime (see plot below), North Carolina had the highest rate among the six top states in 2018, with a $2,000,000 loss rate per million people followed by California with $1,830,000, and Virginia with $1,070,000. Florida, New York, and Texas followed with loss rates of $970,000, $870,000, and $720,000, respectively. For victim rates (see plot below), Florida and Virginia were the top states in 2018 with 55.9 and 56.4 per million people.

3.2.4 Corporate Data Breach

FBI describes Corporate Data Breach as the “leak or spill of business data from a secure location to an untrusted environment. It may also refer to a data breach within a corporation or business where sensitive, protected, or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.”⁵

The proportion of Corporate Data Breach incidents to actual incidents may be much lower than for other online fraud types because business organizations tend to be very reluctant reporting a data breach fearing public knowledge might negatively affect their reputations.

Two states stand out in Corporate Data Breach during the four years through 2018 (see plot below). First, New York experienced a large spike in victim losses during 2016. Victims in this state lost almost $40 million in 2016 compared to $2 million the previous year, an increase of almost 1,700%. Second, Florida had the largest increase in victim losses from 2017 to 2018. Corporate Data Breach losses in Florida rose from $5 million in 2017 to $28 million in 2018, a 340% increase. Moreover, Florida had the highest victim losses in 2018 among the six top states followed by Texas with $14 million, and California with $13 million. Since the number of victims reporting Corporate Data Breaches is low, losses per victim are high in comparison to other internet crime types.

3.2.5 Credit Card Fraud

Online Credit Card Fraud is more prevalent in Florida than in any of the other six top states (plots below). In 2018, Florida’s victim rate of 84.4 per million in population, was much higher than California (51.8), New York (35.7), North Carolina (29.5), Texas (30.4), and Virginia (71.6). Not only did Florida have the highest victim rate, but it also had the highest victim loss rate in 2018, with $634,000 per million in population, followed by California of $419,000 per million, and triple the rates of the other top states. In terms of growth in online Credit Card Fraud, from 2015 through 2018 victim losses in Florida rose from $4 million to $14 million, an increase of 207%. North Carolina had the highest growth rate among the top states with an increase of 650% from $200,000 in 2015 to $1.5 million in 2018.

3.2.6 Identity Theft

Identity Theft can be described as an individual or group of individuals stealing another person’s identity to commit fraud. Fraudsters typically steal names, birthdates, addresses, and social security numbers. These activities later trigger a chain of other types of fraud on the Identity Theft victim.

Among the six top states, California had the most victim losses from Identity Theft each year from 2015 through 2018. Although California experienced victim losses of $26 million in 2018, its victim rate of 53.2 per million people is lower than Florida (69.4) and Virginia (59.8). California’s victim loss rate in 2018 was $652,000 per million people, much higher than the rates in Florida ($258,000), New York ($292,000), North Carolina ($164,000), Texas ($230,000), and Virginia ($141,000).

Florida had the highest victim rate among the six top states in 2018, seemingly making Florida the state where a person is most likely to fall victim to online Identity Theft. However, the Florida trends are somewhat optimistic. Victim losses rose modestly from $5 million in 2015 to $6 million in 2018 while the number of Identity Theft victims has generally declined since 2015 (see plots below).

3.2.7 Investment Fraud

Online Investment fraud is a white-collar crime where fraudsters generally lure investors, many times seniors, over the internet by promising high returns if they make an investment. Although Investment fraud does not involve large numbers of victims, the average loss per victim can be relatively high. In general, victim losses to online Investment fraud have varied among the six top states from 2015 through 2018. A sharp spike in victim losses occurred in North Carolina during 2018, and another in New York during 2016.

In North Carolina victim losses to online Investment fraud increased 5,746%, rising from $1.3 million in 2017 to $76 million in 2018. California had the second highest victim losses from investment fraud in 2018 with losses of $34 million. One somewhat bright spot for Florida, the state was ranked only fifth for victim losses from online Investment fraud in 2018 after North Carolina, California, New York, and Texas.

3.2.8 Real Estate/Rental Fraud

Real Estate/Rental fraud is an internet scheme involving real estate, rental, and timeshare property. This area has been a growing online scam among the six top states over the past four years through 2018, increasing by more than 300%. In absolute numbers, California had the largest victim losses during 2018 in this category of $25 million followed by Florida with $18 million. Further, New York had the highest growth in victim losses over the past four years of 1,282%, rising from $1 million of victim losses in 2015 to $15 million in 2018. New York is followed by North Carolina with victim loss growth of 567%, Florida increasing 415%, Texas 400%, and Virginia 340% over these four years.

Florida had the highest loss rate during 2018 in Real Estate/Rental internet fraud of $820,000 per million people and the second highest victim rate after California. Following Florida in the 2018 loss rate, is New York ($780,000), and California ($630,000).

4 Conclusion

This report is based on FBI internet crime statistics from 2015 through 2018. FBI collects data from victims reporting alleged internet crimes. Almost certainly, actual internet crimes are larger than what is reported to FBI. FBI’s Internet Crime Complaint Center (IC3) receives victim complaints and classifies them by number of victims and loss amounts according to location and crime types.

We identified six top states, California, Florida, New York, North Carolina, Texas, and Virginia, with the largest monetary losses to internet crime during 2018. Although victim losses and victim numbers for all types of internet crime have increased in all six top states from 2015 through 2018, losses have had higher growth than victim numbers suggesting a victim has lost more money to internet crime on average over these years. California was the state with the largest losses and number of victims in all four years. This can be partly explained by California’s larger population. Yet, losses adjusted for population size show that the gap in losses between California and the other five top states is much smaller and in some years other states had larger loss rates than California.

Business Email Compromise/Email Account Compromise BEC/EAC is the top internet crime, accounting for about 30% to 50% of all victim losses in all six top states and growing rapidly from 2015 through 2018. Following BEC/EAC is Confidence Fraud/Romance accounting for the second largest losses from 2015 through 2018 in five of the six top states. In addition to BEC/EAC and Confidence Fraud/Romance, we identified Corporate Data Breach, Credit Card Fraud, Identity Theft, Investment fraud, and Real Estate/Rental fraud as other top internet crimes with largest victim losses in the six top states. Although growth in victim losses have increased in all the top crimes from 2015 through 2018, some internet crimes have grown at a higher rate in some states than in others. Apart from BEC/EAC, predominant internet crimes differ somewhat in each of the six top states.

Information in this report should be useful to the public, law enforcement agencies, other government agencies, and policy makers. Increasing public awareness may be the most effective way of mitigating internet crime since most internet crime likely originates outside the United States, beyond the reach of U.S. law enforcement. Foreign sources of internet crimes on U.S. residents and businesses make it challenging whether internet crime levels can be reduced as the public becomes more connected and dependent on the internet.

5 APPENDIX–CRIME TYPE DEFINITIONS

Advanced Fee: In advance fee schemes, the perpetrator informs a victim that the victim has qualified for a large financial loan or has won a large financial award, but must first pay the perpetrator taxes or fees in order to access the loan or award. The victim pays the advance fee, but never receives the promised money.

Business Email Compromise/Email Account Compromise: BEC is a scam targeting businesses working with foreign suppliers and/or businesses regularly performing wire transfer payments. EAC is a similar scam that targets individuals. These sophisticated scams are carried out by fraudsters compromising email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfer of funds.

Charity: Perpetrators set up false charities, usually following natural disasters, and profit from individuals who believe they are making donations to legitimate charitable organizations.

Civil Matter: Civil lawsuits are any disputes formally submitted to a court that is not criminal.

Confidence Fraud/Romance: A perpetrator deceives a victim into believing the perpetrator and the victim have a trust relationship, whether family, friendly or romantic. As a result of that belief, the victim is persuaded to send money, personal and financial information, or items of value to the perpetrator or to launder money on behalf of the perpetrator. Some variations of this scheme is romance/dating scams or the grandparent’s scam. Corporate Data Breach: A leak or spill of business data that is released from a secure location to an untrusted environment. It may also refer to a data breach within a corporation or business where sensitive, protected, or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.

Credit Card Fraud: Credit card fraud is a wide-ranging term for fraud committed using a credit card or any similar payment mechanism as a fraudulent source of funds in a transaction. Crimes Against Children: Anything related to the exploitation of children, including child abuse. Denial of Service/TDoS: Denial of Service (DoS) Attack floods a network/system or Telephony Denial of Service (TDoS) floods a service with multiple requests, slowing down or interrupting service.

Employment: An individual believes they are legitimately employed, and loses money or launders money/items during the course of their employment.

Extortion: Unlawful extraction of money or property through intimidation or undue exercise of authority. It may include threats of physical harm, criminal prosecution, or public exposure.

Gambling: Online gambling, also known as Internet gambling and iGambling, is a general term for gambling using the Internet.

Government Impersonation: A government official is impersonated in an attempt to collect money.

Hacktivist: A computer hacker whose activity is aimed at promoting a social or political cause. Harassment/Threats of Violence: Harassment occurs when a perpetrator uses false accusations or statements of fact to intimidate a victim. Threats of Violence refers to an expression of an intention to inflict pain, injury, or punishment, which does not refer to the requirement of payment.

Health Care Related: A scheme attempting to defraud private or government health care programs, usually involving health care providers, companies, or individuals. Schemes may include offers for fake insurance cards, health insurance marketplace assistance, stolen health information, or may involve medications, supplements, weight loss products, or diversion/pill mill practices. These scams are often initiated through spam email, Internet advertisements, links in forums or social media, and fraudulent websites.

IPR/Copyright and Counterfeit: The theft and illegal use of others’ ideas, inventions, and creative expressions, to include everything from trade secrets and proprietary products to parts to movies, music, and software.

Identity Theft/Account Takeover: Identify theft involves a perpetrator stealing another person’s personal identifying information, such as name or Social Security number, without permission to commit fraud. Account Takeover is when a perpetrator obtains account information to perpetrate fraud on existing accounts.

Investment: Deceptive practice that induces investors to make purchases on the basis of false information. These scams usually offer the victims large returns with minimal risk. Variations of this scam includes retirement schemes, Ponzi schemes and pyramid schemes.

Lottery/Sweepstakes/Inheritance: An individual is contacted about winning a lottery or sweepstakes they never entered, or to collect on an inheritance from an unknown relative and are asked to pay a tax or fee in order to receive their award.

Malware/Scareware/Virus: Software or code intended to damage or disable computers and computer systems. Sometimes scare tactics are used by the perpetrators to solicit funds.

Misrepresentation: Merchandise or services were purchased or contracted by individuals online for which the purchasers provided payment. The goods or services received were of a measurably lesser quality or quantity than was described by the seller.

No Lead Value: Incomplete complaints which do not allow a crime type to be determined.

Non-Payment/Non-Delivery: In non-payment situations, goods and services are shipped, but payment is never rendered. In non-delivery situations, payment is sent, but goods and services are never received.

Overpayment: An individual is sent a payment/commission and is instructed to keep a portion of the payment and send the remainder to another individual or business.

Personal Data Breach: A leak or spill of personal data that is released from a secure location to an untrusted environment. It may also refer to a security incident in which an individual’s sensitive, protected, or confidential data is copied, transmitted, viewed, stolen or used by an unauthorized individual.

Phishing/Vishing/Smishing/Pharming: Unsolicited email, text messages, and telephone calls purportedly from a legitimate company requesting personal, financial, and/or login credentials.

Ransomware: A type of malicious software designed to block access to a computer system until money is paid.

Re-shipping: Individuals receive packages purchased through fraudulent means and subsequently repackage the merchandise for shipment, usually abroad.

Real Estate/Rental: Fraud involving real estate, rental or timeshare property.

Spoofing: Contact information (phone number, email, and website) is deliberately falsified to mislead and appear to be from a legitimate source. For example, spoofed phone numbers making mass robo-calls; spoofed emails sending mass spam; forged websites used to mislead and gather personal information. Spoofing is often used in connection with other crime types.

Social Media: A complaint alleging the use of social networking or social media (Facebook, Twitter, Instagram, chat rooms, etc.) as a vector for fraud. Social Media does not include dating sites.

Tech Support: Attempts to gain access to a victim’s electronic device by falsely claiming to offer tech support, usually for a well-known company. Scammer asks for remote access to the victim’s device to cleanup viruses or malware or to facilitate a refund for prior support services.

Terrorism: Violent acts intended to create fear that are perpetrated for a religious, political, or ideological goal and deliberately target or disregard the safety of non-combatants. Virtual Currency: A complaint mentioning a form of virtual cryptocurrency, such as Bitcoin, Litecoin, or Potcoin.

Virtual Currency: A complaint mentioning a form of virtual cryptocurrency, such as Bitcoin, Litecoin, or Potcoin.

Federal Bureau of Investigation FBI, Internet Crime Complaint Center IC3. (2018). 2018 Internet Crime Report, 10. Retrieved August 15,2019, from https://pdf.ic3.gov/2018_IC3Report.pdf ↩
Federal Bureau of Investigation, Internet Crime Complaint Center (IC3). Filing a complaint with IC3. Retrieved August 29, 2019 from https://www.ic3.gov/default.aspx ↩
FBI.(2019). 2018 Internet Crime Report, 10. Retrieved September 6, 2019 from https://pdf.ic3.gov/2018_IC3Report.pdf.↩
Ibid.↩
Ibid., 25.↩

Internet Crime–2018 Version

Dr. Michael A. Crain, Florida Atlantic University, Center for Forensic Accounting