Carding—a type of identity theft that involves the stealing of bank or credit card information to fraudulently withdraw money from ATMs or stores

Phishing—a method of hijacking other people’s login information and passwords

Fiscal fraud—the theft of official online payment information to make false claims for benefits or to avoid payments (including tax obligations)

Viruses and worms—computer programs that affect the storage capacity of a computer or network, which is then used to unlawfully replicate information without the owner’s knowledge and for digital espionage

Cybertheft often occurs as identity theft and identity fraud, which are terms used to describe criminal activities involving unlawful access to or acquisition of another person’s personal information for fraud or deception and economic gain. Identity theft may occur through unlawful interception of a person’s email or by unlawfully obtaining another person’s digital password or passwords. The theft must involve the use of computer technology to unlawfully acquire data, which may subsequently be used fraudulently for applying for loan or credit cards, making bank account withdrawals and money transfers, acquiring and using telephone calling cards, or obtaining goods or other privileges in the other person’s name.

Beginning in 2010, strategies for committing cybertheft were categorized as business email compromise (BEC), email account compromise (EAC), and ransomware. BEC refers to a sophisticated scam that targets businesses engaged in monetary transactions with foreign suppliers and/or businesses that regularly do wire transfer payments. EAC refers to a sophisticated scam targeting the public and professionals associated with, but not limited to, financial and lending institutions, real estate companies, and law firms. EAC perpetrators use compromised emails to request payments to fraudulent locations. Ransomware is a type of malicious software used to block access to a computer system until money is paid. The remainder of this entry focuses on the crime cybertheft, including its prosecution, its victims, and the losses due to cybertheft.

Reporting and Prosecuting Cybertheft

Complaints about cybertheft may be directed to local state, federal, or international law enforcement agencies depending on the level of the theft. In the United States, the Federal Bureau of Investigation (FBI) is the major law enforcement agency responsible for cybercrime investigation. The Internet Crime Complaint Center (IC3), comprising the FBI, the National White Collar Crime Center, and the Bureau of Justice Assistance, is empowered to serve as a vehicle to receive, develop, and refer criminal complaints of cybercrimes. The IC3 provides a central reporting forum for victims and law enforcement officers on all incidents of cybercrime.

There are several laws in the United States under which cybertheft can be prosecuted, including identity theft, larceny, and fraud, among others. Specifically, identity theft is prosecuted under several statutes, including the Identity Theft and Assumption Deterrence Act of 1998, which prohibits the knowing transfer or unlawful use of other people’s means of identification with the intent to commit, aid, or abet an unlawful activity against a federal law or a felony under state and local law. The punishment for the offence is 15 years maximum term of imprisonment, a fine, and forfeiture of any property involved in the commission of the crime. Identity theft is also punishable as identification fraud, credit card fraud, computer fraud, mail fraud, wire fraud, or financial institution fraud—all of which are felonies punishable with imprisonment for a maximum term of 30 years, fines, and forfeiture of assets.

Other laws existing for mitigating the impact of cybertheft provide avenues for victims to dispute claims and receive fraud alerts and free credit reports, and restitution in an amount equal to the value of the victim’s time spent remediating the actual or intended harm of the theft.


Any person—whether an individual or a group of people—or a corporate entity, small business, nonprofit corporation, or government entity may become a victim of cybertheft, as long as the person or entity possesses an identity or anything of value that may be accessed through the use of a computer or via the Internet. In 2013, Target and its customers were victimized when the financial information of 40 million customers was compromised.

U.S. Bureau of Justice Statistics data reveal that in 2014, about 7% of persons aged 16 years or older were victims of identity theft (similar to the 2012 findings) and 86% of identity theft victims experienced the fraudulent use of existing account information, such as credit card or bank account information. There also was an increase in the number of elderly victims of identity theft from 2.1 million in 2012 to 2.6 million in 2014. In 2015, victims of cybertheft included 37 million users of Ashley Madison’s website; more than 100 banks across 30 countries, which were digitally robbed; and 22 million federal employees in the United States. In addition, the personal email of the former CIA director John Brennan, was hacked by a person posing as a Verizon worker to obtain information from AOL customer service for the unlawful publication of several people’s social security numbers, names, addresses and other personal information.

The State and Cost of Cybertheft

A 2005 survey of the National Computer Security Survey (NCSS) shows that among 7,818 businesses, 86% of those victimized detected multiple incidents, with about half of them detecting 10 or more incidents during the year. About 68% of the victims of cybertheft sustained monetary losses of $10,000 or more. By comparison, 34% of the businesses detecting cyberattacks and 31% of the businesses detecting other computer security incidents lost more than $10,000. Of those detecting incidents, 11% detected cybertheft and 24% detected other computer security incidents. Most businesses did not report cyberattacks to the law enforcement authorities.

In 2016, losses in cyber incidents reported to the IC3 amounted to more than $1.4 million. The IC3 received more than 12,005 BEC/EAC complaints, with losses of more than $360 million, and 2,673 ransomware complaints, with losses of more than $2.4 million.

Alaba Oludare

See also ATM Cards ; Digital Passwords ; Email ; Identity Theft ; Online Shopping

Further Readings

Brenner, S. W. Cybercrime and the Law: Challenges, Issues, and Outcomes for Law Enforcement. Holliston, MA: Northeastern, 2012.

Bureau of Justice Statistics. Cybercrime. Washington, DC: U.S. Department of Justice, 2013.

Doyle, C.Cybercrime: An Overview of the Federal Computer Fraud and Abuse Statute and Related Federal Criminal Laws. Washington, DC: Congressional Research Service, 2014.

Federal Bureau of Investigation and National White Collar Crime Center. IC32015 Internet Fraud Report. Washington, DC: National White Collar Crime Center, 2016.

Grabosky, P. Computer Crime: A Criminological Overview. Paper presented at the Workshop on Crimes Related to the Computer Network, Tenth United Nations Congress on the Prevention of Crime and the Treatment of Offenders, Vienna, Austria, April 15, 2000.

Harrell, E. and L. Langton. Victims of Identity Theft, 2014. Washington DC: Bureau of Justice Statistics, 2015.

Herhalt, J. “Cybercrime: A Growing Challenge for Governments.” Issues Monitor: KPMG International, v.8 (2011).

Internet Crime Complaint Center. 2016 Internet Crime Report. Washington, DC: Federal Bureau of Investigation, 2016. (Accessed August 2017).