Online Scams Cost Americans $119 Billion Annually: CFA Study

U.S. households lose an estimated $119 billion every year to digital fraud, according to a new Consumer Federation of America analysis released Thursday.

The total extrapolates from the FBI’s 2024 accounting of $16.6 billion in internet-crime losses—covering schemes such as phishing—and scales it using Bureau of Justice Statistics rates for incidents and dollars that victims never report.

Online fraud spans a range of familiar plays: phishing messages that try to steal passwords or one-time codes; romance scams that build trust and then ask for money; tech-support scams that impersonate well-known companies to gain device access; lottery or prize scams that demand “fees” before nonexistent winnings; investment scams that promise unusually high, fast returns; online shopping scams that take payment and never deliver; and job-offer scams that use fake recruiting to collect sensitive data or extract money.

Complaints recorded in 2024 frequently involve credential-theft phishing and account takeovers, bogus “support” outreach, investment pitches circulated at scale, non-delivery shopping fraud, and job-related cons that exploit remote-work demand, along with relationship-driven schemes that push victims toward payment apps, gift cards, or crypto transfers.

Scammers typically reach people through email and lookalike login pages, text messages that mimic delivery notices or bank alerts, phone calls that spoof legitimate numbers, paid ads and promoted posts, and direct messages that pose as a company, a friend, or a prospective employer.

Common warning signs include urgent pressure to act immediately, requests for secrecy, instructions to move the conversation off-platform, demands for payment by gift cards, wire transfers, or crypto, requests for one-time codes or passwords, and “too good to be true” offers such as guaranteed returns, surprise prizes, or unusually high pay for minimal work.

Fake websites often reveal themselves through small inconsistencies: misspelled domains or extra characters, pages that lack clear contact information or a physical address, checkout flows that redirect to unfamiliar domains, pop-ups demanding immediate action, and “sign-in” pages that ask for more information than necessary. A quick cross-check—typing the company’s address yourself instead of clicking, verifying that the domain matches the official brand, and avoiding downloads prompted by a webpage—can help reduce the risk of landing on a spoofed site.

To protect yourself from phishing, treat unexpected messages as untrusted until verified: avoid clicking embedded links, open apps or type known addresses directly, confirm requests through an independent channel, and never share one-time passcodes. Using strong, unique passwords with a password manager, enabling multi-factor authentication, keeping devices updated, and limiting what personal information is publicly available can reduce the damage if a scammer gets partial details.

If you suspect a phishing attempt, stop engaging and do not click further or download attachments. If you already entered credentials, change the password immediately, revoke active sessions where possible, enable multi-factor authentication, and review account security settings; if a bank or payment account may be involved, contact the institution’s fraud department right away to place protections on the account.

If you’ve been scammed, document what happened, including usernames, emails, phone numbers, screenshots, and payment details, then contact your bank, card issuer, or payment app promptly to dispute charges or attempt a reversal. Secure affected accounts by changing passwords and checking for forwarding rules or new linked devices, consider placing a fraud alert or credit freeze if sensitive personal data was shared, and report the incident to federal, state, and local authorities so patterns can be tracked and, in some cases, funds can be recovered.

Job-offer scams often begin with an unsolicited message, a fast “interview” conducted only by text or chat, or a recruiter who refuses to verify a company email domain and supervisor identity. Red flags include requests for upfront payments, demands for sensitive information early in the process, and instructions to deposit a check and send money back; applicants can reduce risk by independently confirming the employer, verifying the role through official channels, and treating any offer that relies on urgent financial transactions as suspect.

Victims and targets can report internet scams to the FBI’s Internet Crime Complaint Center, the Federal Trade Commission, and their state attorney general’s office; for immediate financial loss, a report to the relevant bank or payment provider is typically time-sensitive. Local law enforcement can also take reports, which may be useful for documentation and follow-up with financial institutions.

State Trends: Where Losses Hit Hardest

FBI Internet Crime Complaint Center data show California, Texas, New York, and Florida bearing the largest total losses, while less-populous states still suffer meaningful damage. Nevada and Wyoming post steep per-capita hits, and places like Michigan and South Carolina appear to be frequent targets for a mix of reasons, the consumer organization’s report noted.

Escalating Harm and Accountability: CFA’s Alert

Ben Winters, CFA’s director of AI and Privacy, warned that the scale of the damage is a crisis that requires rapid, unflinching action as people feel less safe online. He called for tougher platform responsibility, curbs on data brokers, better reporting channels, clear rules for generative AI, and stronger resources for consumer-protection enforcement.

The federation also highlighted social platforms—particularly Meta’s Facebook, Instagram, and WhatsApp—as common tools scammers use to deceive people, often older adults, into sending money or surrendering personal information. The company did not immediately comment.

In a statement Wednesday, Meta said it is rolling out new tools on Facebook and WhatsApp to combat fraud, working with law enforcement to disrupt criminal operations, and removing ads that violate its policies.

CFA framed the report as a call for policymakers and regulators to act to curb identity theft and financial harm.

Several officials cited the findings to bolster proposals already on the table, including a bipartisan bill introduced last month by Sens. Ruben Gallego (D-AZ) and Bernie Moreno (R-OH). Their Safeguarding Consumers from Advertising Misconduct Act would press online platforms to strengthen prevention and hold them responsible when fraudulent promotions appear.

Social platforms have become prime hunting grounds for con artists siphoning roughly $119 billion a year from Americans. Accountability is overdue. If companies profit by placing ads in users’ feeds, they must ensure those ads aren’t deceptive.

Federal Moves: White House Directive on Cybercrime

Earlier this month, President Donald Trump issued a directive aimed at combating cybercrime, fraud, and predatory schemes that target Americans and U.S. businesses, committing the Administration to review the threat landscape and take action.

The United States will respond to attacks on Americans with appropriate measures, including law enforcement action, diplomacy, and, if necessary, offensive operations.

California Focus: Losses and Enforcement Strategy

Christina Tetreault, deputy commissioner at California’s Office of Financial Technology Innovation, underscored the problem and the need to confront online criminals during a virtual event hosted Wednesday by Payments Dive and Banking Dive that examined fraud in the age of artificial intelligence.

California records the largest total hit—about $18.1 billion statewide, or roughly $460 per resident—according to the federation.

This is an all-hands-on-deck moment. Many schemes originate overseas in sprawling scam compounds, with an around-the-clock criminal industry focused on separating Californians from their money—and that keeps me up at night.

She welcomed the presidential directive and outlined steps California is taking, including consumer education campaigns, cross-industry coordination, and deploying technology to detect and block cons that try to harvest financial information or account numbers.