With cybersecurity and fraud studies and reports launching almost weekly, who can keep up with all the stats related to account takeover, ransomware, BEC, fraud, and identity theft? We keep a tally ourselves and thought our readers might want access to help bolster their business case to invest in solutions to combat cybercrime and protect their employees, vendors, and consumers from the ever-evolving tactics of cybercriminals.
Account Takeover (ATO) Statistics:
- ATO attacks increased 307% between 2019 and 2021. Sift’s Q3 2021 Digital Trust & Safety Index
- ATO losses increased 90% in 2021 alone, totaling $11.4B. Javelin 2022 ID Fraud Study
- 22% of U.S. adults have been victims of account takeover (24M households). Security.org + Deduce Report
- Nearly a quarter of identity-related fraud in North America was related to ATO in 2021. LexisNexis True Cost of Fraud Study
- 1 in every 140 login attempts during the early 2021 holiday season was an ATO attempt. Riskified
- An annual analysis of recaptured data from the darknet shows a 72% password reuse rate for users exposed in two or more breaches in the last year, an 8-point increase from 64% the previous year. SpyCloud 2023 Annual Identity Exposure Report
- Of the 25% of U.S. adult consumers who experienced identity theft in 2021, 64% experienced ATO fraud. Most of those experienced credit card ATO fraud (i.e. the unauthorized access to or use of a consumer’s card to make fraudulent transactions). Aite-Novarica 2022 U.S. Identity Theft: Adapting and Evolving
- 24% of victims of ATO fraud had contact information (such as an email address or phone number) changed after an ATO incident. “Fraudsters want to steal funds or buy goods quickly, changing contact info so that the FI contacts the thief instead of the legitimate account holder if suspicions arise.” Aite-Novarica 2022 U.S. Identity Theft: Adapting and Evolving
Ransomware Statistics:
- There were 493+ million ransomware attacks globally in 2022. While down 21% year-over-year, some industries saw huge spikes, including finance (+41%). 2023 Sonicwall Cyber Threat Report
- In 2022, ransomware took over the second spot after denial of service in breach incidents, now being present in 15.5% of all incidents. Meanwhile, the share of ransomware in breaches held statistically steady at 24%. Verizon 2023 Data Breach Investigations Report
- Despite increased investment in tools to fight ransomware, 90% of organizations were affected by ransomware in some capacity over the past 12 months, a striking uptick from last year’s 72.5%. SpyCloud 2022 Ransomware Defense Report
- The IC3 received 2,385 complaints in 2022 identified as ransomware, reflecting losses of more than $33.4 million. FBI Internet Crime Report 2022 [PDF]
- In 2022, the IC3 received 870 complaints regarding ransomware attacks on critical infrastructure organizations, with 14 of the 16 critical infrastructure sectors having at least one member fall victim to an attack. Healthcare was the sector with the most reported attacks. FBI Internet Crime Report 2022 [PDF]
- A survey of more than 400 CISOs found that ransomware is the top cyber threat most concerning to respondents. The CISOs Report: Perspectives, Challenges and Plans for 2022 and Beyond
- According to IT security leaders, the top three riskiest entry points for ransomware are:
  #1 Unpatched vulnerabilities
  #2 Phishing emails with malicious attachments/links
  #3 Unmanaged devices accessing the network.
  SpyCloud 2022 Ransomware Defense Report
- 87% of IT security leaders agree that reports of credential-stealing malware such as RedLine Stealer have elevated their organization’s concern about unmonitored personal devices as a potential entry point for ransomware. SpyCloud 2022 Ransomware Defense Report
Data Breach Statistics:
- There were 1,802 publicly reported data breaches in 2022, just 60 events shy of the all-time high set in 2021. These breaches impacted 422.1 million people, an increase of 41.5% from 2021. Identity Theft Resource Center’s 2022 Data Breach Report
- The average data breach cost reached an all-time high of $4.35 million in 2022, a 2.6% increase from last year’s average of $4.24 million. IBM Cost of a Data Breach Report 2022
- The most common initial attack vector for data breaches is compromised credentials, responsible for 19% of breaches (at an average cost of $4.5 million). IBM Cost of a Data Breach Report 2022
- The use of stolen credentials remains the primary way into organizations, with 44.7% of breaches involving credentials as the top “action” to entry taken. Verizon 2023 Data Breach Investigations Report
- 86% of breaches for Basic Web Application attacks involved the use of stolen credentials as initial access. 50% of organizations experienced 39+ web application attacks in 2022. Verizon 2023 Data Breach Investigations Report
- 74% of all breaches involve the human element, whether by error, privilege misuse, use of stolen credentials, or social engineering. Verizon 2023 Data Breach Investigations Report
- 27% of global companies suffered a data breach that cost them between $1M and $20M USD in the past three years. That percentage rises to 34% for North American firms. Only 14% of global companies reported no data breaches during that same time frame. 2023 PwC Global Digital Trust Insights Report
Business Email Compromise Statistics:
- In 2022, the FBI received 21,832 BEC complaints, with estimated losses totaling more than $2.7 billion. FBI Internet Crime Report 2022 [PDF]
- There was a 65% increase in identified global exposed losses from Business Email Compromise fraud. FBI PSA: Business Email Compromise (BEC): The $43 Billion Scam
- The use of cryptocurrency in BEC-specific crimes was first identified in 2018, and has continued to skyrocket over the last four years. As of 2021, $40 million in losses has been reported in BEC/cryptocurrency complaints. FBI PSA: Business Email Compromise (BEC): The $43 Billion Scam
- Pretexting, including BEC, overtook phishing as the most prevalent social engineering tactic in 2022, with BEC attacks accounting for more than 50% of social engineering incidents. Verizon 2023 Data Breach Investigations Report
Fraud & Identity Theft Statistics:
- Identity fraud losses totaled $52B in 2021, affecting 42 million U.S. adults. 1 in 20 Americans were victims of fraud in 2021. Javelin 2022 ID Fraud Study
- 25% of US consumers (one in every 4 adults) experienced identity theft in 2021, according to a survey of over 8,500 consumers by Aite-Novarica. 2022 U.S. Identity Theft: Adapting and Evolving
- Losses from identity theft are predicted to grow to $635.4 billion by 2023. Aite-Novarica U.S. Identity Theft: The Stark Reality
- Losses resulting from stolen identities across all industries grew 43% in the US, from $502.5 billion in 2019 to $712.4 billion in 2020. Aite-Novarica U.S. Identity Theft: The Stark Reality
- The average per-victim time to resolve identity fraud issues has grown to 9 hours. Javelin 2022 ID Fraud Study
- In the past 2 years, 37% of consumers had new accounts opened using their identity. Aite-Novarica U.S. Identity Theft: The Stark Reality
- New account fraud, where criminals open unauthorized bank or credit accounts, increased 109% in 2021. Javelin 2022 ID Fraud Study
- Every $1 lost to fraud costs financial services firms $4.23, and every $1 lost to fraud costs merchants $3.75. LexisNexis True Cost of Fraud Study
- Card Not Present (CNP) losses are estimated to grow to $48 billion in 2023, an increase of 16% from $41 billion in 2022. Juniper Research Online Payment Fraud: Market Forecasts, Emerging Threats & Segment Analysis 2022-2027
- New accounts are 9.5 times riskier than mature accounts. NICE Actimize 2023 Fraud Insights Report
- Attempted fraud transactions have increased by 92% and attempted fraud amounts have jumped by 146%. NICE Actimize 2023 Fraud Insights Report
- The types of fraud most concerning to fraud executives at financial institutions: ACH fraud and P2P fraud (both with 39% of fraud executives concerned). The types of fraud attacks most concerning? Synthetic identities resulting from application fraud and wire fraud resulting from ATO. Aite-Novarica Market Trends in Fraud for 2022 and Beyond: New Fraudsters, New Era
- Synthetic identity fraud losses will grow to $2.42 billion in 2023. Aite-Novarica Synthetic Identity Fraud Report
- 55% of merchants reported a higher amount of synthetic identity fraud compared to 2019, and 59% reported an increase in CNP (card not present) fraud. Worldpay Global Payment Risk Report
- Online payment fraud losses are set to exceed $206 billion between 2021 and 2025. Juniper Research Online Payment Fraud: Emerging Threats, Segment Analysis & Market Forecasts 2021-2025
- The ecommerce sector experienced a 140% increase in the volume of fraud attacks in 2021 compared to pre-COVID. LexisNexis True Cost of Fraud Study
About SpyCloud: SpyCloud transforms recaptured darknet data to protect businesses from cyberattacks. Its products operationalize Cybercrime Analytics (C2A) to produce actionable insights that allow enterprises to proactively prevent ransomware and account takeover, protect their business from consumer fraud losses, and investigate cybercrime incidents. Its unique data from breaches, malware-infected devices, and other underground sources also powers many popular dark web monitoring and identity theft protection offerings. SpyCloud customers include half of the ten largest global enterprises, mid-size companies, and government agencies around the world. Headquartered in Austin, TX, SpyCloud is home to nearly 200 cybersecurity experts whose mission is to make the internet a safer place.