2025 Identity Fraud by Numbers

At the customer level, identity fraud is viewed through personal experience. While this makes the data subjective, large-scale consumer surveys still show how people perceive and react to fraud incidents.

These findings serve two purposes. First, they show the potential consequences for companies facing breaches involving customers’ personal details or accounts. Second, they reveal how aware individuals are of different fraud risks. Together, they help businesses pinpoint weak spots in their identity fraud prevention strategies, especially where customer behavior plays a role.

A recent report shows that 85% of US customers believe AI makes scam detection harder — from bank impersonations to voice-cloning phone calls and synthetic identity fraud. 

Security expectations are also rising: 97% of respondents list fraud prevention among the most important factors when choosing a bank. This isn’t surprising, as 62% have either been victims of AI-driven scams or know someone who has. One in five lost more than $5,000 due to these incidents.

The 2025 Consumer Impact Report by the Identity Theft Resource Center® (ITRC) amplifies this picture. Over 20% of respondents reported fraud losses above $100,000, and more than 10% lost at least $1 million. While current top fraud categories include social media account takeovers (35%) and loan and credit card fraud (14%), over two-thirds of consumers believe AI will become the main battleground for identity security. Also, 73% think everyone — businesses, governments, and individuals — shares responsibility for preventing AI-enabled scams. 

This trend dates back to 2024, when deepfakes became one of the top tools used in identity fraud. As Regula’s survey revealed, half of all companies have experienced fraud involving audio and video deepfakes. What’s more, 66% of leaders believe deepfakes pose a serious threat.

The ITRC’s survey also shows that 67.8% of fraud victims “had seriously considered self-harm as a way of dealing with identity theft.” This points to a growing emotional burden linked to fraud.

Mastercard’s global survey reflects the same trend: 76% of people are more worried about cyber risks than they were two years ago, and 80% received at least one scam attempt last year. What’s even more alarming, nearly 60% say fraud is so widespread that falling victim feels inevitable.

Shame is another critical factor: 59% say they would feel ashamed if they fell victim to online fraud — especially romance scams. Additionally, about half of the respondents said they would feel embarrassed to report a fraudulent transaction.

For e-commerce businesses, one finding stands out: 66% of consumers would stop shopping with a retailer after experiencing transaction fraud. This makes one thing clear: digital trust is now a must for every online business.

Security also shapes traveler expectations — a broad customer category worth highlighting in this overview. 

IATA’s 2025 Global Passenger Survey shows that 78% of passengers want to manage their entire journey via smartphone, boosting the adoption of biometrics and digital IDs for airport processes and payments. 

Still, privacy remains a barrier. Among those unwilling to share their biometric data, 42% say they would reconsider if privacy were guaranteed. In the US, where biometrics are already widely used, privacy concerns are the highest globally.

From a business perspective, identity verification can be a routine procedure, a compliance requirement, and a cybersecurity measure — all at the same time. This shapes how companies across sectors respond to changes in the industry.

Regardless of category, all businesses face fraud. The following insights can help build stronger defenses. 

Recognizing two sides of AI — positive and negative — has become a standard approach. Research supports this view. 

According to Google’s Cybersecurity Forecast 2026, AI will be a normal part of daily attack and defense strategies. 

Cybercriminals will use it to scale social engineering, information operations, and malware development. Additional AI threats include prompt injection (used to bypass security protocols and manipulate AI through hidden commands) and direct attacks on AI models.

In turn, companies should use AI to strengthen their defenses. Recommended actions include using multi-factor authentication (MFA) to prevent access via stolen credentials and integrating AI agents as digital actors for identity and access management (IAM). 

These recommendations are already being adopted by many businesses, as Regula’s global survey of fraud prevention professionals reveals: 24% of respondents use MFA, and another 23% rely on biometric verification and authentication. Also, 18.6% of companies go further by using smart IDV orchestration from IDV platforms to improve security and verification for high-risk customers or transactions. 

Microsoft Digital Defense Report 2025 reinforces the dual nature of AI and recommends treating cyber risks as business risks. 

Currently, AI-driven attacks are especially concerning for organizations storing personally identifiable information (PII). According to the report, government agencies, IT companies, and academic institutions were most affected by cyber threats this year. For these sectors, it’s critical to use phishing-resistant MFA (which helps block over 99% of unauthorized access attempts), train staff, and maintain a proactive breach response plan. 

Notably, major breaches are often followed by low-tech methods like stolen credentials and phishing. Check Point’s study found that credential abuse (22%), vulnerability exploitation (20%), and phishing (16%) were the top attack methods. In 2025, compared to 2024, leaked credentials increased by 160%, with most compromised accounts being personal, not corporate — often due to password reuse. 

Nevertheless, 87% of organizations still rely on passwords or other low-security methods, though few believe these approaches work well for either user experience or security. And while most organizations say they use MFA somewhere in their environment, few apply it consistently across all customer-facing apps.

To respond, companies should implement continuous credential monitoring and actively detect and remove compromised accounts that could be exploited for phishing.

Exposed identity data online continues to grow. SpyCloud’s 2025 study found more than 53 billion unique identity records on the web, with 7.6 billion recaptured in 2024 alone. These include employee, consumer, and organizational credentials that can be exploited for account takeovers, ransomware, and other fraud.

Interestingly, when seemingly separate data like login/password pairs is combined with other leaks, the real impact becomes more alarming. One compromised asset can be linked to full names, dates of birth, and phone numbers, as well as Social Security or ID numbers, addresses, and even financial data, recreating a victim’s full identity. 

To tackle this, companies should monitor all digital identities within their ecosystem, enhance third-party security for internal apps and vendors, improve password hygiene, and implement MFA.   

At the governmental level, organizations involved in identity theft and fraud monitoring also collect extensive statistical data, along with customer reports and complaints. This information helps companies assess the impact of breaches, phishing campaigns, and other fraud attacks. Also, it highlights current key weaknesses in the digital ecosystem. 

Let’s start with a striking statistic from the World Bank’s Identification for Development (ID4D). Currently, a significant portion of the global population lacks official identity documents — meaning one in ten people on the planet can’t prove who they are. More than half of them are children whose births were never registered. The good news is that this number is declining. In 2017, over 1 billion people fell into this category. 

Access to identification systems varies across regions. For instance, in Sub-Saharan Africa, basic identity coverage is around 80%, with nine countries reporting rates below 70%. On the other hand, countries like Singapore have already launched digital ID systems — Singpass, for example, has nearly 5 million users. In regions such as Europe, Central and East Asia, and Latin America, the coverage is close to 100%. 

This disparity creates major barriers to accessing many services. For instance, people without ID can’t buy a SIM card, open a bank account, or use governmental services. At the same time, individuals without identity documents can be more vulnerable to exploitation by fraudsters, especially in informal or unregulated environments.

In 2024, the FBI’s Internet Crime Complaint Center (IC3) recorded a new high in losses reported by victims — $16.6 billion, a 33% increase compared to 2023. The average loss has been growing since 2020 and reached $19,372 last year.  

Fraud accounted for most reported losses, and people over the age of 60 suffered the most, both in losses and number of complaints. This age group filed 147,127 complaints, while younger people (aged 20-29) filed 71,399. The average loss for older adults was $83,000, and total losses for this group amounted to $4.8 billion — a 43% increase since 2023. 

Other profitable schemes include payment and delivery fraud ($785.44 million), romance scams ($672 million), and government impersonation ($405.62 million).

The Consumer Sentinel Network report by the FTC supports the trends observed by the IC3. In 2024, the organization recorded over 6.47 million victim reports. Most were related to fraud (40%) and identity theft (18%). 

Fraud incidents cost victims over $12 billion — an increase of more than $2 billion from 2023. Popular fraud types included romance scams, government impersonation, and fake investment or job opportunities.  

According to the FTC, people aged 20-29 were the most likely to report losing money due to fraud (44%). However, seniors (aged 70 and older) reported the highest median loss: $1,000, compared to $417 for younger victims. 

In 2024, IC3 received 263,455 complaints from businesses, including 4,878 complaints from critical infrastructure, mostly related to ransomware, viruses and malware, data breaches, and denial-of-service (DoS) attacks. These incidents resulted in $1.57 billion in losses. 

Most affected were companies in critical manufacturing, healthcare, government, financial services, and IT sectors. 

• AI is driving a new wave of fraud. Both consumers and businesses are seeing more AI-powered scams: voice cloning, synthetic identities, and prompt injection attacks are on the rise. At the same time, AI is becoming a tool for defense.

• Digital trust makes or breaks customer relationships. More people feel anxious due to fraud and scams, and many would stop shopping with a brand after a fraud incident. 

• Most organizations still rely on weak credentials. Despite the surge in credential-based attacks, companies continue to use passwords or other low-security methods. MFA adoption and the orchestration of multiple IDV tools and scenarios through platform-based solutions remain inconsistent.

• Identity data exposure is exploding. Over 53B identity records were found online in 2024. Leaked data often includes names, contact info, government IDs, and financial credentials — enough to fully impersonate a victim.

• Biometrics adoption is rising — along with privacy concerns. Consumers support biometric tech for travel and banking, but 42% would only share their data if privacy is guaranteed.