Identity Theft Statistics 2026: Cybercriminals Stole $20 Billion From Americans in 2025

The FBI released its 2025 Internet Crime Report in May 2026, and the headline number is stark: Americans filed 1,008,597 cybercrime complaints in 2025, reporting losses of $20.877 billion — a 26% increase from 2024 and the first time annual cybercrime losses have exceeded $20 billion (FBI IC3 Annual Report 2025). The average loss per complaint reached $20,699.

Identity theft sits at the center of almost every cybercrime category in that report. Stolen credentials enable fraud. Data breaches fuel account takeovers. Phishing captures the credentials used in business email compromise. The patterns compound: a single stolen identity doesn't just affect one account — it becomes a master key that cybercriminals rotate across banking, insurance, tax filings, government benefits, and new credit applications.

This article covers the most important identity theft statistics for 2026, where the theft is actually happening, who is most at risk, and what the data says about effective prevention.

Identity Theft by the Numbers: 2025-2026

Scale and Cost

• $20.877 billion in total cybercrime losses reported to the FBI in 2025 — the highest annual figure ever recorded (FBI IC3 2025)
• 26% increase in losses from 2024 — the rate of cybercrime financial damage is accelerating
• 1,008,597 complaints filed in 2025 — more than one million Americans reported cybercrime victimization in a single year
• $6.9 billion in investment fraud losses alone — the largest single category, overwhelmingly driven by crypto fraud built on identity theft and social engineering
• $2.77 billion in business email compromise losses — virtually all BEC attacks begin with credential theft or identity impersonation
• Identity theft specifically cost Americans $185.8 million in directly reported losses — but this figure significantly undercounts total impact, as downstream fraud from stolen identities appears across nearly every other crime category

The Fraud Taxonomy

The FBI's 2025 report categorizes identity-related crime across multiple types. The top five by reported losses:

1. Investment fraud — $6.57 billion (built on fake identities and social trust manipulation)
2. Business email compromise — $2.77 billion (identity impersonation of executives and vendors)
3. Tech/customer support scams — $2.13 billion (impersonation of legitimate services to steal credentials)
4. Personal data breach — $1.45 billion (direct monetization of stolen identity records)
5. Non-payment/non-delivery fraud — $579 million (fake merchant identities and stolen payment credentials)

Who Gets Hit Hardest

The FBI's 2025 data reveals a clear age pattern in cybercrime victimization:

• Americans aged 60+ reported $7.7 billion in losses — 37% of all cybercrime losses despite comprising a smaller share of internet users
• Ages 50-59 reported $3.7 billion in losses
• Ages 40-49 reported $2.957 billion
• The under-40 population is most likely to have their identities stolen and used for credential-based fraud, even if reported dollar losses are lower per incident

Data Breach Scale

The identity theft pipeline runs through data breaches. Without stolen records to monetize, most identity theft couldn't happen at scale. The 2025 numbers show how aggressively the breach pipeline has expanded:

• 3,158 data breaches were publicly reported in the US in 2025 — an average of nearly 9 breaches per day
• The National Public Data breach (disclosed in 2024, with ongoing 2025 impact) exposed an estimated 2.9 billion records including Social Security numbers, addresses, and relatives' information for most of the US population
• SpyCloud's 2025 research found their corpus contained 53 billion identity records, growing 22% year-over-year — representing the practical supply chain for identity theft attacks

How Identity Theft Actually Happens: The 2025 Attack Vectors

Identity theft is not a single attack — it's a pipeline. Understanding where credentials enter that pipeline helps explain why prevention at the network layer matters.

Phishing — Still the Dominant Entry Point

Phishing was the single most reported cybercrime in 2025, with 193,407 complaints filed with the FBI. Phishing emails, SMS smishing, and voice vishing attacks are collectively designed to do one thing: capture credentials. Once someone clicks a fake login page and enters their username and password, those credentials enter the identity theft ecosystem immediately.

CyberFence's Web Shield DNS filtering blocks connections to known phishing domains before the page ever loads — preventing the credential capture that starts the identity theft pipeline at its most common entry point.

Infostealer Malware

As detailed in prior reporting, infostealer malware stole an estimated 6 billion passwords from browsers in 2025 alone (Specops / Verizon DBIR 2025). LummaC2 and RedLine are the dominant families. Infostealers specifically target browser-saved passwords, session cookies, and autofill data — capturing fresh, valid credentials that haven't been changed since the theft. Fresh credentials are significantly more valuable to attackers than breached database credentials that may be years old.

Data Broker Exposure

Even people who've never clicked a phishing link have their personal information circulating in data broker databases — name, address, phone, relatives, employment history, and in many cases partial financial information. Data brokers legally sell this information to anyone willing to pay. Attackers use broker data to add context to stolen credentials (verifying identity, answering security questions, targeting high-value accounts) and to build synthetic identity fraud profiles.

Public WiFi Credential Interception

On unsecured public networks, attackers using packet-sniffing tools can intercept login credentials transmitted over HTTP connections or through other unencrypted channels. Hotel WiFi, airport networks, and coffee shops remain active hunting grounds for credential theft — particularly targeting travelers who are more likely to be logging into banking and work systems on unfamiliar networks.

The Downstream Consequences of Identity Theft

The FBI's dollar figures capture only what victims report. The actual impact of identity theft extends significantly further:

Tax Identity Fraud

The IRS reports that 294,138 identity theft returns were detected and rejected in 2025 — fraudulent tax returns filed with stolen Social Security numbers to claim refunds before the real taxpayer files. Many victims don't discover the fraud until they file their own return and find it rejected. The IRS issues Identity Protection PINs (IP PINs) as a countermeasure, but awareness remains low.

Medical Identity Theft

Medical identity theft — using someone else's identity to receive healthcare — affects an estimated 500,000 Americans annually. The consequences include corrupted medical records (incorrect diagnoses or medications added to a victim's file), denied insurance claims, and collections for services never received. Medical identity theft is among the most difficult types to resolve, with average recovery times exceeding 200 hours per victim.

Synthetic Identity Fraud

The fastest-growing form of identity fraud in 2025. Criminals combine real data (typically a real Social Security number, often belonging to a child or elderly person with no credit history) with fabricated names and addresses to create a "synthetic identity" that can build credit, receive loans, and disappear before the fraud is detected. The Federal Reserve estimates synthetic identity fraud costs US financial institutions $6 billion annually.

What the Statistics Say About Prevention

The good news embedded in the FBI's 2025 data: identity theft is substantially preventable when the right controls are in place. Here's what the evidence shows works:

Breach Monitoring and Rapid Response

The average time between a data breach and when the stolen credentials are first used in an attack is less than 12 hours for fresh breach data (SpyCloud 2025). Real-time breach monitoring that alerts you immediately when your credentials appear in a known breach — combined with rapid password changes — dramatically narrows the window of exposure. Breach Monitor services that continuously scan dark web data and breach databases provide this coverage without requiring victims to actively search for their own compromised information.

Multi-Factor Authentication

Microsoft's identity telemetry shows MFA blocks over 99.9% of automated credential-stuffing attacks. Even when an attacker has your exact username and password, they cannot complete login without the second factor. This is the single most effective countermeasure for account takeover that follows credential theft.

Encrypted Connections on All Networks

Credential interception on public networks can be eliminated entirely with a VPN. AES-256-GCM encryption makes intercepted traffic unreadable, and DNS-level filtering (Web Shield in CyberFence) blocks phishing domains before the credential-capture page ever loads. For professionals traveling or working remotely — the highest-risk population for credential interception — a VPN combined with breach monitoring addresses the two most important prevention vectors simultaneously.

Unique Passwords and Password Management

Password reuse is the force multiplier that transforms one breach into dozens of compromised accounts. The average person reuses passwords across 51% of their accounts (Verizon DBIR 2025). A password manager that generates and stores unique credentials for every service eliminates this exposure — ensuring that a breach at one service doesn't compromise accounts elsewhere.

The Layered Approach That Works

No single control stops identity theft. The attackers who stole $20 billion in 2025 used layered techniques — phishing for credentials, infostealer malware for fresh data, broker databases for context, and automated tools to test at scale. The appropriate response is equally layered:

1. VPN with DNS filtering — blocks phishing at the network level, prevents credential interception on public networks, masks real IP from tracking
2. Breach Monitor — continuous surveillance of your email addresses against known breach databases, with real-time alerts
3. MFA everywhere — blocks account takeover even when credentials are stolen
4. Password manager — unique credentials per service eliminate the reuse vulnerability
5. Credit freeze — prevents new accounts from being opened in your name without your explicit action

CyberFence combines the first two layers in a single subscription: VPN with Web Shield DNS filtering for network-level protection, and Breach Monitor for ongoing credential surveillance. At $7.35/month on the annual plan, it addresses the two highest-impact prevention vectors for less than the monthly cost of a streaming service.

The $20 billion the FBI documented in 2025 represents only reported losses from only the people who filed complaints. The actual toll of identity theft in the US — including unreported incidents, time spent on recovery, and cascading financial consequences — is substantially larger. Getting ahead of it now, before your credentials appear in the next breach, is meaningfully cheaper than recovering after the fact.