Cybercrime by year (AKA the rise of phishing)
The number of cybercrime incidents reported to the FBI’s Internet Crime Complaint Center (IC3) has more than doubled over the past decade, and 2020 marked a nearly 70 percent increase in reports, likely related to the pandemic.
In addition to becoming more common, cybercrimes have become more costly, with total losses surging by 765 percent since 2011.
| Year | Complaints | Losses |
|---|---|---|
| 2011 | 314,246 | $485,300,000 |
| 2012 | 289,874 | $525,400,000 |
| 2013 | 262,813 | $781,800,000 |
| 2014 | 269,422 | $800,500,000 |
| 2015 | 288,012 | $1,070,700,000 |
| 2016 | 298,728 | $1,450,700,000 |
| 2017 | 301,580 | $1,400,000,000 |
| 2018 | 351,937 | $2,700,000,000 |
| 2018 | 467,361 | $3,500,000,000 |
| 2020 | 791,790 | $4,200,000,000 |
The shape of cybercrime has also changed as consumers and security providers have caught onto particular tactics, forcing criminals to change their methods.
In 2016, the most common type of cybercrime reported to the FBI was non-payment or non-delivery crime: incidents in which goods or services are sent but payment is never made, or vice versa (payment is made but goods are never provided). By 2020, non-payment/non-delivery crimes had fallen to a distant second thanks to the rise of phishing.
The FBI’s data classifies phishing alongside three related attack types — vishing, smishing and pharming. They’re grouped together because the basic premise is the same. An individual is contacted by what appears to be a legitimate company that requests login credentials or some other personal or financial information.
What distinguishes them is the contact method; phishing refers to email attacks, vishing and smishing refer to text message/mobile phone call attacks, and pharming refers to fraudulent website attacks. Over just the past half-decade, phishing and related attacks have climbed by more than 1,100 percent.
| Year | Phishing/vishing/smishing/pharming | Non-payment/non-delivery | Extortion | Personal data breach | Identity theft |
|---|---|---|---|---|---|
| 2016 | 19,465 | 81,029 | 17,146 | 27,573 | 16,787 |
| 2017 | 25,344 | 84,079 | 14,938 | 30,904 | 17,636 |
| 2018 | 26,379 | 65,116 | 51,146 | 50,642 | 16,128 |
| 2018 | 114,702 | 61,832 | 43,101 | 38,218 | 16,053 |
| 2020 | 241,342 | 107,869 | 76,741 | 45,330 | 43,330 |
According to FBI researchers, almost 30,000 of the complaints the agency received about cybercrime in 2020 were directly related to the COVID-19 pandemic, as fraudsters targeted federal and state funding, including stimulus payments and business loans.
One of the most common end results of business email attacks is deploying ransomware, which installs malware on a device when a file is opened or a link is clicked. The malware holds hostage the target’s data until the ransom is paid. If it’s not paid, the attacker may threaten to destroy the data or release it publicly. Though it’s a relatively new tool in their arsenal, fraudsters’ ransomware attacks are growing more sophisticated and targeted, and the results have been serious.
A ransomware attack in the spring of 2020 forced a shutdown of Colonial Pipeline, the largest gasoline pipeline in the U.S. Higher fuel prices, shortages, and gasoline hoarding all quickly spread to many parts of the country.
It’s also worth noting that all of the data we’re exploring in this story comes from incidents reported to the FBI’s cybercrime specialists. That doesn’t account for the unknown number of incidents that are never reported. As it is, the average ransomware attack costs almost $12,000 per incident, and the real number is almost certainly higher. The FBI has suggested that only 15 percent of all fraud victims report the incidents to law enforcement.
Global ransomware attacks are projected to cost about $20 billion this year alone, and over the next decade costs will surge to about $265 billion per year as incidents become more common and many companies begin to consider ransomware a cost of doing business.