I am increasingly getting firsthand stories of fraud hitting people of all ages, tech-savvy or not. The FBI’s IC3 2024 report logged 859K complaints with $16B in losses. That number is up 33% from 2023. Here is what is actually happening and what to do about it.

Threat vectors (ranked by prevalence)

Phishing and smishing

Still the number one attack vector by volume. Fake texts from a bank, Robinhood, Coinbase or “USPS” with seemingly urgent links. The Verizon DBIR consistently finds phishing in over 30% of breaches. Do not click links or call numbers from unsolicited messages. Go directly to the website or app instead. Hardware security keys are the strongest defense since phishing sites cannot intercept them.

Investment and crypto scams

The highest dollar-loss category in the IC3 report at $6.5B. Scams start with a wrong-number text, build trust over weeks, then steer you into a fake investment platform. If someone you met online is giving you investment advice, it is a scam.

AI voice cloning and deepfakes (IMPORTANT)

The FBI issued a PSA specifically about AI-generated voice and video used to impersonate trusted contacts. A three-second audio clip is enough to clone a voice. Establish a family code word for emergency calls. If someone calls claiming to be a relative in trouble, hang up and call them directly. This is going to get much worse before better AI-assisted defense measures are available. Talk to all of your family members about this. Ask AI about how else to prepare.

SIM swap attacks

Attackers convince your carrier to transfer your phone number to their SIM (it is scarily easy). They then intercept your two-factor SMS codes and reset your bank passwords. The FBI warned about this in 2022 and it has only gotten worse. SMS is not safe for 2FA under any circumstance. Set a PIN with your carrier and switch to hardware security keys or an authenticator app.

Data broker exposure

Your name, address, phone number, and family members are for sale on people-search sites. This is a given. This data fuels targeted scams. The FTC took action against Gravy Analytics for selling location data. The more data about you that is public, the more convincing the scam. Remove yourself from these sites or pay a service to do it for you.

Credential stuffing

When an ecommerce site gets breached, attackers try those passwords everywhere. As soon as they get in, they place orders using your saved billing information. The company you get charged at is not at fault. It is your fault for reusing passwords. If you reuse passwords, you are one breach away from losing multiple accounts and seeing mysterious charges from businesses you have actually transacted with before. Use a password manager and check if you have been breached.

In-person distraction theft

This one surprised me. Someone I know was at a Costco parking lot — not a sketchy area, a normal suburban Costco in the middle of the day. That is the point. A stranger struck up a casual conversation, asked a few friendly questions, got them to turn their attention away from their cart. By the time they got to their car, their purse was gone.

This is organized crime, not opportunistic theft. The person who approaches you is hired specifically because they are friendly and unassuming. A second accomplice grabs your bag while your attention is diverted. They rehearse the timing like magicians. The entire model depends on you not expecting it, which is why it works in “safe” areas on people who have their guard down. Keep your belongings physically on you in parking lots and stay aware of anyone who approaches you unprompted.

Defensive actions (ranked by impact)

Use a password manager and unique passwords everywhere

This eliminates the credential stuffing threat entirely. Use a password manager like 1Password or Bitwarden. Every account gets a unique random password. If you can remember a password, it’s not secure enough.

Use hardware security keys for critical accounts

A YubiKey 5C NFC is the strongest form of two-factor authentication. Phishing sites cannot intercept it. Use one for your email, bank, and social media accounts. At minimum, enable app-based TOTP (like Authy or Google Authenticator) instead of SMS codes.
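Why a hardware key holds up against a look-alike site when a typed code does not, as an added example that is not from the original post. It assumes constructed origins (`bank.example`, `bank-login.example`) and uses HMAC as a stand-in for the public-key signature a real security key produces, so it runs on the Python standard library alone.

```python
import hashlib, hmac, json, struct

def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): a function of the shared secret and the clock only."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, unix_time: int) -> bool:
    # The server receives digits only; nothing in them records which site
    # the user typed them into, so the check cannot take the site into account.
    return hmac.compare_digest(totp(secret, unix_time), code)

def key_sign(key_secret: bytes, browser_origin: str, challenge: str) -> dict:
    """Security-key side. The browser supplies the origin, not the user."""
    client_data = json.dumps({"challenge": challenge, "origin": browser_origin})
    sig = hmac.new(key_secret, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "signature": sig}

def verify_assertion(key_secret: bytes, assertion: dict, origin: str, challenge: str) -> bool:
    """Site side: check the signature, then the origin and challenge it covers."""
    good = hmac.new(key_secret, assertion["client_data"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(good, assertion["signature"]):
        return False  # client data was altered after signing
    data = json.loads(assertion["client_data"])
    return data["origin"] == origin and data["challenge"] == challenge

# Constructed sample values (assumptions, not from the post).
REAL, LOOKALIKE = "https://bank.example", "https://bank-login.example"
SECRET = b"12345678901234567890"  # RFC 6238 test secret

def demo() -> dict:
    code = totp(SECRET, 59)
    at_real = key_sign(SECRET, REAL, "c-1")
    at_fake = key_sign(SECRET, LOOKALIKE, "c-1")
    return {
        "totp_accepted": verify_totp(SECRET, code, 59),
        "key_real_site": verify_assertion(SECRET, at_real, REAL, "c-1"),
        "key_lookalike": verify_assertion(SECRET, at_fake, REAL, "c-1"),
    }

if __name__ == "__main__":
    print(demo())
```

The TOTP check has no origin to test, while the key's response is tied to the address the browser was actually on, so a response produced on the look-alike address fails at the real site.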

Freeze your credit at all three bureaus

Not a fraud alert. A full freeze. This prevents anyone from opening new accounts in your name. It is free, takes five minutes per bureau, and you can temporarily lift it when you need to apply for credit. The FTC explains how it works.

Enable real-time push notifications on every card

Turn on instant transaction alerts for any amount on all your credit and debit cards. Most banking apps support this. You want to know about a fraudulent charge in seconds, not when your statement arrives.

Remove your data from people-search sites

Services like DeleteMe will opt you out of data brokers on your behalf. Less public data means fewer targeted scams. You can also do this manually but it takes hours and brokers re-list you over time.

Set a PIN with your mobile carrier

Call your carrier and set an account PIN or passphrase. This makes SIM swap attacks harder. Verizon, AT&T, and T-Mobile all support this. Do it today.

Check haveibeenpwned regularly

Go to haveibeenpwned.com and enter your email. Sign up for breach notifications. If a site you use gets breached, change that password immediately.

Audit devices on all major accounts

Check Apple, Google, and your email provider for unfamiliar sessions or devices. Remove anything you don’t recognize. This catches compromises you might not notice otherwise.

File complaints with IC3

If you or someone you know gets scammed, file a complaint at ic3.gov. The FBI uses these reports to identify patterns, build cases, and take down fraud operations. Even if you think your individual case is small, the aggregate data matters. This is literally the best and likely only way to get cases actually investigated. The IC3’s Recovery Asset Team froze $561 million in fraudulent transfers in 2024 because people filed reports. Your complaint helps protect the next person.