Credit card fraud analysis: which states are most at risk?


Businesses around the world have never been more at risk of the perils of credit card fraud. As technology evolves, so do the methods of hackers and cybercriminals, who waste no time in stealing sensitive personally identifiable information. The consequences can have severe financial and reputational repercussions for organizations who become the victims of credit card fraud.

Despite the introduction of EMV technology in recent years (the global security standard for chip-based debit and credit card transactions), online retailers and software companies are still at risk. Stolen accounts, counterfeit credit cards and even disputes regarding legitimate transactions can all result in financial losses for businesses

In addition, costly chargeback fees - where an issuing bank returns a customer’s money in the event of a disputed transaction - can also cause disruption and place an unwanted financial burden on businesses. Chargebacks vary in amount from $15 to $100; as one example, PayPal’s chargeback fee currently stands at $20.

Analyzing different types of fraud

Each year, the FBI’s Internet Crime Complaint Center publishes an annual report(1) which details the instances of different types of cybercrime, broken down at a state-by-state level.

By analyzing four of the most prominent types of online crime - credit card fraud, identity theft, personal data breaches, and phishing - we have built a Risk Index to identify the states which may be most at risk of suffering cybercrime.

Credit card fraud

For the purposes of their report, the FBI defines credit card fraud as “...a wide-ranging term for fraud committed using a credit card or similar payment mechanism as a fraudulent source of funds in a transaction.”

Credit card fraud analysis - Credit card fraud heatmap US

Across the 50 U.S. states, there were 14,207 reports of credit card fraud in the most recent dataset available. Those in Alabama were most at risk, with 12.78 reports of credit card fraud per 100,000 residents. South Dakota was least at risk, with 1.49 reports per 100,000 residents.

Annually, the value of non-cash payments fraud costs $8.3 billion(2). Businesses can easily fall victim to credit card fraud without the right protection in place. For example, carding can pose substantial problems for online retailers. This occurs when hackers attempt to make several small purchases with large volumes of stolen card numbers, resulting in an increase in chargebacks.

Phishing and malware can also be utilized by cybercriminals to illegally obtain credentials. A recent report by NTT Security(3) stated that the following industries are most commonly targeted for these types of attacks:

  • Retail and finance (36% of attacks)
  • Telecommunications (28%)
  • Healthcare (13%)
  • Technology (8%)

These sectors are either attacked for the financial information they store, or because they have valuable personal data on their systems.

Identity theft

For the purposes of their report, the FBI defines identity theft as “involves a perpetrator stealing another person’s personal identifying information, such as name or Social Security number, without permission to commit fraud.”

Across the 50 U.S. states, there were 15,339 reports of identity fraud in the most recent dataset available. Those in Nevada were most at risk, with 13.30 reports of identity theft per 100,000 residents. Iowa was least at risk, with just 2 reports per 100,000 residents.

Personal data breach

For the purposes of their report, the FBI defines a personal data breach as “a leak or spill of personal data that is released from a secure location to an untrusted environment.”

Across the 50 U.S. states, there were 47,438 reports of personal data breaches in the most recent dataset available. Those in Nevada were most at risk, with 27.75 reports of a personal data breach per 100,000 residents. Iowa was least at risk, with just 7.02 reports per 100,000 residents.


For the purposes of their report, the FBI defines phishing/vishing/smishing/pharming as ”unsolicited email, text messages, and telephone calls purportedly from a legitimate company requesting personal, financial, and/or login credentials.”

Across the 50 U.S. states, there were 22,633 reports of phishing/vishing/smishing/pharming in the most recent dataset available. Those in Alaska were most at risk, with 60.29 reports of phishing/vishing/smishing/pharming per 100,000 residents. North Dakota was least at risk, with just 2.65 reports per 100,000 residents.

Fraud types by state

This graphic shows the situation at-a-glance for each of the fifty states in the United States, showing how each state fared for each of the four criteria within the analysis. For each fraud type, the number of instances per 100,000 residents was calculated, and each state was then ranked from 1 to 50 (where 1 is the least riskiest state, and 50 is the riskiest). The totals were then combined to give an overall Risk Index figure, with the higher the number, the riskier the state - so Alaska’s total of 195 indicates a far greater chance of suffering credit card fraud and other types of online crime than Iowa, which has a score of 12.

5 Riskiest States

1. Alaska (Risk Index: 195 out of 200)

Despite boasting one of the nation’s smallest populations, Alaskans face the biggest risk of falling victim to online fraud of any state in the United States. Alaska ranked 48th for credit card fraud and identity theft, 49th for personal data breaches, and 50th for phishing. As one example of the risk Alaskans face, in January 2019, Alaska’s Division of Public Assistance sent letters to 87,000 people - 11.7% of the state’s entire population - notifying them that personally identifiable information such as names, Social Security numbers and healthcare details may have been accessed by cyberattackers.(4)

2. Nevada (Risk Index: 194 out of 200)

Nevada may be home to Las Vegas, the gambling capital of the world - but residents of the state may find their money more at risk from cyber crime. The state ranked 49th for credit card fraud, 50th for identity theft, 50th for personal data breaches, and 45th for phishing. Despite ranking as the worst state for two categories in this study, Nevada managed to avoid becoming the riskiest overall state by a lower ratio of phishing complaints compared with Alaska. In August 2019, 650,000 Nevada students were the victim of a data breach, resulting in the exposure of dates of birth and email addresses.(5)

3. Arizona (Risk Index: 181 out of 200)

This southwestern state borders Nevada (the second riskiest state in the United States) and its residents find themselves as the third riskiest place to fall victim to online fraud in the country. The state ranked 45th for credit card fraud, 47th for identity theft, 45th for personal data breaches, and 44th for phishing. Arizona residents lost over $45 million as a consequence of cybercrime. Over the course of a twelve month period, one Phoenix couple stole 2,000 credit card numbers and illegally obtained $1.5 million as a result of credit card fraud.(6)

4. Colorado (Risk Index: 180 out of 200)

Colorado is not only experiencing a growth in population - it’s also unfortunately going through a boom in online fraud. The state ranked 42nd for credit card fraud and identity theft, 47th for personal data breaches, and 49th for phishing. Colorado residents lost over $34 million in total because of online fraud. One incident in Denver saw a gang of cybercriminals clone a number of credit cards to purchase thousands of gallons of stolen fuel.(7)

5. Virginia (Risk Index: 179 out of 200)

Virginia ranked as the fifth most dangerous state in terms of online fraud. The southeastern state ranked 46th for credit card fraud, 44th for identity theft, 41st for personal data breaches and 48th for phishing. Capital One, headquartered in Virginia, recently suffered a catastrophic data breach which resulted in 100 million credit card applications being stolen by a lone hacker.(8)

5 Lowest Risk States

1. Iowa (Risk Index: 12 out of 200)

The data shows that Iowa is the state where Americans are least likely to fall victim to online fraud. This Midwestern state ranked in second place for credit card fraud, eighth place for phishing, and rated as the safest state of all for identity theft and personal data breaches. There were only 53 reports of credit card fraud in Iowa, resulting in a tiny ratio of 1.68 reports for every 100,000 residents.

2. Mississippi (Risk Index: 13 out of 200)

Mississippi is the second safest state according to the data from the FBI’s Internet Crime Agency. The state ranked as the sixth safest for credit card fraud, third safest for identity theft, and as the second safest state for personal data breaches and phishing.

3. South Dakota (Risk Index: 22 out of 200)

South Dakota is the third safest state in the United States in terms of falling victim to online fraud. The data shows that South Dakotans are the least likely of residents across all 50 states to suffer credit card fraud, with just 13 incidents reported in the state. The state was also ranked second safest for identity theft, fifth safest for personal data breaches and 14th safest for phishing.

4. Ohio (Risk Index: 26 out of 200)

One of the most populous states in the country, Ohio has relatively few instances of online fraud. The data from the Internet Crime Agency actually indicates that reports of credit card fraud in Ohio have decreased year-on-year for the last four years. Ohio ranked as fourth safest for credit card fraud, fifth safest for identity theft, 12th safest for personal data breaches and fifth safest for phishing.

5. Maine (Risk Index: 28 out of 200)

Located on the northeastern tip of the United States, Maine is the fifth safest state in terms of online fraud. There were only 35 instances of credit card fraud reported in Maine in the data produced by the Internet Crime Agency. The state ranked ninth safest for credit card fraud, fourth safest for identity theft, ninth safest for personal data breaches and sixth safest for phishing.

Other states

We’ve compiled the Risk Index for all fifty states, ranking them in the four categories by the likelihood of suffering the various types of online fraud.

If you’re wondering how your state fared against the other 49, choose your state from the dropdown menu below.

How to protect your business from credit card fraud

Businesses face severe reputational and financial damage if they have lax security measures in place. In the worst-case scenarios, the bad publicity of data exposure often combines with sizeable compensation packages for affected customers.

There are several steps a software company or online retailer can take to mitigate the risks of credit card fraud:

Credit card fraud - illustration of numerous systems that should be used to protect your business from credit card fraud

1. Implement cutting-edge payment security processes.

Using robust, up-to-date payment security solutions is the best defense against cyberattackers. Your organization can maximize security by using methods such as point-to-point encryption (P2PE).

Credit card fraud - illustration of security shield with tick mark representing security through tokenization

2. Use tokenization to anonymize customer data.

Implementing processes such as tokenization - which replaces sensitive customer details with an algorithmically generated and irreversible number - can protect your customer information in the event of a breach.

Credit card fraud - illustration showing the acronym PCI with a check mark representing PCI compliance

3. Ensure your business is PCI compliant.

PCI compliance can minimize the potential for security vulnerabilities in your systems - as well as help you to avoid the cost of hefty non-compliance fees.

Credit card fraud - illustration of clipboard and pen with checklist being ticked off representing adopting an effective fraud solution

4. Adopt an effective fraud solution.

Utilizing software which identifies fraud ‘red flags’ can help to stop unauthorized transactions. These tools often check IP addresses, email addresses and account details to ensure the behavior is consistent with the history of a cardholder.

Credit card fraud - illustration of cloud connected computer with shopping screen open

5. Stay ahead of the cybercriminals.

Using outdated security methods is an open goal for hackers and fraudsters. Inform yourself and your colleagues of the best ways to safely store, process or transmit your organization’s data. Implementing secure solutions means both your business and your customers are less likely to become victims of credit card fraud.

States most at risk of credit card fraud - illustration of high street business preceding information about what fraud rates mean for your business

What does this mean for your business?

The increasing prevalence of credit card fraud means that businesses have to take action to protect themselves - and their customers.

Recent studies(9) (10) produced on consumer trust found the following statistics:

  • 67% of respondents are concerned about online shopping and banking security - with almost a quarter stating they are “very concerned”
  • 29% had been a victim of online fraud
  • 37% would stop shopping with a retailer if they experienced fraud or were involved in a data breach with the organization
  • 61% stated that information about data breaches or credit card fraud has had a negative impact on their trust of online shopping
  • 98% of consumers believe transaction security is more important than speed

In today’s business environment, this highlights the importance of ensuring your organization has a secure payment solution in place. The potential consequences of credit card fraud have eroded the trust of customers to such an extent that it can have a negative impact on their online behavior, which can subsequently have a negative impact on your bottom line.

Credit card fraud - illustration of a number of individuals with question marks above their heads, representing the sub section of what consumers can do to protect against credit card fraud

What does this mean for consumers?

At an individual level, Americans suffer an annual loss of $6.4 billion due to credit card fraud(11), and every data breach in the United States costs an average of $8.19 million(12). These alarming statistics are despite increased vigilance and publicly available information which make consumers aware of how to keep themselves protected.

Here are a few helpful tips to help consumers avoid becoming a victim of credit card fraud and other forms of online crime:

  • Report lost or stolen credit cards immediately. As soon as you realize your card isn’t in your possession, contact your provider and put a temporary stop on the card.
  • Ensure your passwords are strong and are updated regularly. Using a password management tool can significantly reduce the chances of your passwords being exposed in a data breach.
  • Ensure you use your credit card safely on the Internet. When purchasing items online, make sure the website you’re accessing is secure and trustworthy.
  • Remain vigilant at all times. If you notice anything suspicious, such as an email from an unknown source or unusual transactions on your account, take necessary precautions.

Illustration of male sitting with a cup of coffee preceding the conclusion of the article

In conclusion

While the data tells a clear story that those in states like Alaska and Nevada may be more at risk of online crime, the truth is that regardless of location all businesses need to be extremely vigilant when it comes to credit card fraud.

For businesses, undertaking preventative measures and implementing secure payment solutions can help to reduce the chances of falling victim to credit card fraud.


(1) Annual Internet Crime Report from the FBI, 

(2) ”Federal Reserve Payments Study finds U.S. payments fraud a small but growing fraction of overall payments”, October 16, 2018.

(3) 2019 Global Threat Intelligence Report, NTT Security,

(4) “Alaska notifies 87,000 people after computer security breach” , Seattle Times, January 23, 2019.

(5) Nevada students’ information exposed in data breaches, Las Vegas Review Journal, August 1, 2019.

(6) Indictment: How a Phoenix Couple Cashed in With Your Credit Card Numbers, Phoenix New Times, July 10, 2018.

(7) Federal grand jury indicts 10 in Colorado credit card, fuel theft scam, The Denver Channel, February 12, 2018.

(8) Prosecutors say accused Capital One hacker had stolen data from 30 other companies in her bedroom, Washington Post, August 14, 2019.

(9) ACI Global Consumer Survey: Consumer Trust and Security Perceptions, 

(10) “Payment Card Fraud Declines, but Consumers Are Shouldering More Fraud Costs, Javelin Reports”.

(11) 2019 Cost of a Data Breach Report by the Ponemon Institute/IBM.