Online Scams Directory: Common Schemes Targeting US Users
Online scams represent one of the most pervasive and economically damaging categories of cybercrime facing US consumers and businesses. The Federal Trade Commission reported that US consumers lost more than $10 billion to fraud in 2023 (FTC Consumer Sentinel Network Data Book 2023), marking the first time that threshold was crossed. This directory maps the primary scheme types, their operational mechanics, regulatory jurisdiction, and classification boundaries — serving as a reference for professionals, researchers, and service seekers navigating the online fraud landscape.
- Definition and Scope
- Core Mechanics or Structure
- Causal Relationships or Drivers
- Classification Boundaries
- Tradeoffs and Tensions
- Common Misconceptions
- Checklist or Steps
- Reference Table or Matrix
Definition and Scope
An online scam, as described in the FBI's Internet Crime Complaint Center (IC3) annual reporting framework, is a fraudulent scheme conducted through internet-connected channels with the intent to deceive a victim into transferring money, disclosing credentials, or surrendering personal data. The scope of this definition encompasses schemes delivered via email, social media, messaging applications, search engine advertising, and fraudulent websites.
Regulatory jurisdiction over online scams in the United States is distributed across multiple federal bodies. The FTC holds primary authority over consumer protection under 15 U.S.C. § 45 (the FTC Act), which prohibits unfair or deceptive acts in commerce. The FBI and its IC3 unit handle criminal investigation referrals. The Cybersecurity and Infrastructure Security Agency (CISA) addresses scams that intersect with critical infrastructure. The Consumer Financial Protection Bureau (CFPB) oversees fraud in financial products and services.
The Online Safety Listings on this platform catalog service providers operating within this regulatory landscape, including fraud prevention firms, identity recovery services, and digital forensics consultancies. The population of scheme types documented in this directory reflects the IC3's 2023 classification taxonomy, which identifies 33 distinct fraud categories, of which 12 generated losses exceeding $100 million individually.
Core Mechanics or Structure
Online scams share a common operational architecture regardless of surface variation. The sequence below represents the generalized fraud execution chain documented across IC3 complaints and CISA advisories.
Stage 1 — Target Acquisition: Perpetrators identify potential victims through data broker lists, credential dumps from prior breaches, social media profile scraping, or mass email distribution. Phishing campaigns may be sent to lists of 100,000 or more addresses in a single blast.
Stage 2 — Contact and Pretext Establishment: The initial contact mimics a trusted entity — a bank, government agency, employer, or known contact. The FTC's consumer alert database documents impersonation of the Social Security Administration, IRS, and Medicare as among the highest-volume pretext categories.
Stage 3 — Trust Cultivation: Romance scams and investment fraud schemes operate on an extended trust-building timeline, sometimes 3 to 6 months, before a financial request is made. This phase involves fabricated identity construction, manufactured urgency, and emotional manipulation.
Stage 4 — Extraction: The victim transfers funds via wire transfer, cryptocurrency, gift cards, or peer-to-peer payment applications. IC3 data shows that cryptocurrency was the payment method associated with the highest per-victim losses in 2023, with investment fraud victims losing an average of $47,900 per incident (IC3 2023 Internet Crime Report).
Stage 5 — Obfuscation and Exit: Funds are rapidly moved through layered accounts, cryptocurrency mixers, or overseas wire chains. Perpetrators may also execute a "reload" attempt — re-contacting the victim under a different pretext, sometimes posing as a recovery service.
Causal Relationships or Drivers
Three structural drivers sustain the online scam ecosystem at scale in the United States.
Technology accessibility: The commoditization of phishing kits, AI-generated voice cloning tools, and deepfake video software has lowered the technical barrier for fraud execution. CISA's 2023 advisory AA23-061A documented the deployment of business email compromise (BEC) schemes using AI-assisted text generation to pass automated spam filters.
Payment irreversibility: Wire transfers, cryptocurrency transactions, and peer-to-peer payment applications (Venmo, Zelle, Cash App) offer limited or no chargeback mechanisms. The CFPB has flagged Zelle-related fraud as a policy concern, with $440 million in reported scam losses on the platform in 2022 alone (Senate Permanent Subcommittee on Investigations, Scams on Major Bank-Owned Peer-to-Peer Payment Platform, 2023).
Jurisdictional fragmentation: A scheme operated from overseas against a US victim may fall under concurrent jurisdiction of the FBI, FTC, Secret Service, and a state attorney general — with no single agency holding exclusive enforcement authority. This diffusion slows investigation timelines.
For professionals navigating this sector, the purpose and scope of this directory outlines how service categories are organized against these structural drivers.
Classification Boundaries
Online scams are classified differently across regulatory, legal, and insurance frameworks. The three primary taxonomies in use are:
IC3 Taxonomy (FBI): 33 categories including BEC, confidence/romance fraud, non-payment/non-delivery, investment fraud, government impersonation, and tech support fraud. This taxonomy governs complaint routing and statistical reporting.
FTC Sentinel Categories: Broader consumer fraud classifications that overlap with IC3 but include offline fraud channels. The FTC uses categories such as imposter scams, online shopping fraud, and telephone/mobile services fraud.
Criminal Statute Alignment: Prosecuted schemes map to federal statutes including 18 U.S.C. § 1343 (wire fraud), 18 U.S.C. § 1030 (Computer Fraud and Abuse Act), and 18 U.S.C. § 1956 (money laundering). A scheme may simultaneously constitute wire fraud, identity theft under 18 U.S.C. § 1028A, and conspiracy.
Classification boundaries matter for service providers because insurance coverage, forensic scope, and incident response protocols differ by fraud type. A business email compromise incident triggers different remediation steps than a credential-stuffing attack monetized through account takeover.
Tradeoffs and Tensions
Victim reporting incentives vs. shame barriers: IC3 acknowledges that internet crime is substantially underreported. Older adults — a demographic that IC3 data shows suffers the highest aggregate losses, with victims over 60 losing $3.4 billion in 2023 (IC3 Elder Fraud Report 2023) — report at lower rates due to social stigma and fear of judgment.
Platform liability vs. user protection: Section 230 of the Communications Decency Act (47 U.S.C. § 230) limits civil liability for online platforms hosting fraudulent content, which creates tension between platform immunity and the policy goal of reducing scam infrastructure. Legislative reform proposals in this area remain contested as of the 116th and 117th Congress sessions.
Speed of recovery intervention vs. payment finality: Financial institutions face a structural conflict between fraud intervention speed and customer experience. Mandatory hold periods, while reducing fraud completion rates, generate consumer complaints and operational friction.
AI-assisted fraud detection vs. privacy constraints: Financial institutions and email providers deploying behavioral AI for fraud detection collect transaction and communication metadata that may conflict with state-level privacy statutes, including the California Consumer Privacy Act (CCPA, California Civil Code § 1798.100).
Common Misconceptions
Misconception: Only unsophisticated users fall victim to online scams.
Correction: IC3 data shows that victims in the $100,000–$500,000 income bracket account for a disproportionate share of investment fraud losses. Business email compromise specifically targets financial professionals, executives, and accounts payable personnel at established companies — not exclusively low-information users.
Misconception: Scams always originate from foreign actors.
Correction: The FTC and DOJ document domestic perpetrators across advance-fee fraud, tech support fraud, and romance scam categories. Operation Cross Country and related FBI enforcement actions have identified US-based fraud networks in at least 8 states.
Misconception: Reporting a scam to IC3 initiates a direct investigation.
Correction: IC3 functions as a complaint aggregation and referral system, not an investigative unit. Complaints are forwarded to law enforcement partners based on thresholds, patterns, and jurisdictional relevance. Individual case investigation is not guaranteed.
Misconception: Cryptocurrency transactions are always untraceable.
Correction: The IRS Criminal Investigation division and the DOJ's National Cryptocurrency Enforcement Team (NCET) have recovered hundreds of millions of dollars in cryptocurrency tied to fraud through blockchain analytics. The 2021 Colonial Pipeline ransom recovery of approximately $2.3 million in Bitcoin demonstrated law enforcement's blockchain tracing capability (DOJ Press Release, June 7, 2021).
Additional service context and provider qualifications are documented in the how to use this resource reference section.
Checklist or Steps
The following represents the standard sequence of actions documented by CISA and the FTC for entities involved in online fraud incident response — not a directive, but a structural description of the documented response workflow.
Incident Documentation Phase
- Preserve all communications (emails, messages, receipts) in original format with metadata intact
- Record all transaction identifiers: wire confirmation numbers, cryptocurrency wallet addresses, payment app transaction IDs
- Screenshot fraudulent websites, social media profiles, and any correspondence before perpetrators remove them
- Note timestamps and sequence of all victim-perpetrator interactions
Reporting and Notification Phase
- File a complaint with IC3 at ic3.gov (FBI's designated intake point for internet crime)
- Report to the FTC at reportfraud.ftc.gov (generates a FTC Report number usable for identity theft recovery)
- Notify the financial institution within 24 hours of unauthorized wire transfer; domestic wires may be recallable within a short window under FinCEN guidance
- Report cryptocurrency fraud to the platform and file with the CFPB if a regulated financial product is involved
- Notify state attorney general's consumer protection division if a state-specific law may apply
Financial Containment Phase
- Contact the receiving bank directly with the wire routing details; SWIFT network recall procedures apply to international transfers
- Engage the Internet Crime Complaint Center's Financial Fraud Kill Chain (FFKC) for wires above $50,000 reported within 72 hours
- Request account freeze or hold on compromised financial accounts
- Place a fraud alert with all 3 major credit bureaus (Equifax, Experian, TransUnion) under the Fair Credit Reporting Act, 15 U.S.C. § 1681c-1
Reference Table or Matrix
| Scheme Type | Primary Vector | Avg. Loss per Victim (IC3 2023) | Lead Federal Agency | Applicable Statute |
|---|---|---|---|---|
| Business Email Compromise (BEC) | Spoofed email / domain | $121,000+ | FBI / IC3 | 18 U.S.C. § 1343 |
| Investment / Crypto Fraud | Social media, apps | $47,900 | SEC / FBI | 15 U.S.C. § 77q |
| Romance Scam | Dating platforms, social media | $39,000 | FTC / FBI | 18 U.S.C. § 1343 |
| Government Impersonation | Phone, email | $14,000 | FTC / SSA OIG | 18 U.S.C. § 912 |
| Tech Support Fraud | Pop-up ads, cold call | $24,000 | FTC / FBI | 18 U.S.C. § 1030 |
| Advance Fee / 419 Fraud | Email, social media | $9,000 | FTC / FBI | 18 U.S.C. § 1343 |
| Non-Delivery / Counterfeit Goods | E-commerce platforms | $2,300 | FTC / DHS HSI | 18 U.S.C. § 2320 |
| Account Takeover / Credential Theft | Phishing, credential stuffing | $12,000 | CISA / FBI | 18 U.S.C. § 1030 |
| Elder Fraud (aggregate category) | Phone, email, social | $33,900 | FBI Elder Justice / FTC | 18 U.S.C. § 1343 |
Loss figures sourced from IC3 2023 Internet Crime Report. Statutes represent primary federal charges — actual prosecution may involve additional counts.
References
- FTC Consumer Sentinel Network Data Book 2023 — Federal Trade Commission
- IC3 2023 Internet Crime Report — FBI Internet Crime Complaint Center
- IC3 Elder Fraud Report 2023 — FBI Internet Crime Complaint Center
- CISA Advisory AA23-061A — Cybersecurity and Infrastructure Security Agency
- FTC Act, 15 U.S.C. § 45 — US House of Representatives Office of the Law Revision Counsel
- Wire Fraud Statute, 18 U.S.C. § 1343 — US House of Representatives Office of the Law Revision Counsel
- Computer Fraud and Abuse Act, 18 U.S.C. § 1030 — US House of Representatives Office of the Law Revision Counsel
- Fair Credit Reporting Act, 15 U.S.C. § 1681c-1 — Federal Trade Commission
- California Consumer Privacy Act, Civil Code § 1798.100 — California Legislative Information
- DOJ Press Release: Colonial Pipeline Cryptocurrency Recovery, June 7, 2021 — US Department of Justice
- Senate PSI Report: Scams on Major Bank-Owned Peer-to-Peer Payment Platform, 2023 — US Senate Permanent Subcommittee on Investigations
- FTC ReportFraud Portal — Federal Trade Commission
- CFPB Consumer Financial Protection Bureau — Consumer Financial Protection Bureau
- [CISA —