Cybercrime Laws and Penalties

Cybercrimes and cyber-enabled crimes impact millions of people. The technology and criminals behind these acts are becoming increasingly sophisticated. Holding criminals accountable is just one way to combat these crimes. Another is recognizing when they might be happening to you. Read on to learn about different types of cybercrime, including common schemes, and the federal and state laws that penalize these crimes.

What Is a Cybercrime?

Cybercrimes are any crimes that involve the use of the internet, a computer network, or a digital device or that infiltrate these systems. These crimes cross local, state, and national borders and impact businesses, government agencies, and individuals. The penalties for these crimes vary greatly, depending on the seriousness of the offense, the targeted victim(s), and the harm caused.

It's estimated that one in four people have been a victim of cybercrime. Between 2019 and 2023, the FBI received nearly 3.8 million cybercrime complaints involving losses totaling $37.4 billion. (Find updated numbers here.)

Types of Cybercrimes

Cybercrimes involve a range of illicit activities from new crimes involving the internet (like phishing or spoofing) to cyber-enabled crimes (such as theft, stalking, and extortion). Below are common cybercrimes affecting individuals, businesses, and the government.

Cybercrimes Against Individuals

Cybercrimes committed against individuals can take many forms, including theft, fraud, threats, exploitation, and reputational harm. The perpetrator might be after money, property, sensitive data, revenge, or self-gratification. A conviction could result in misdemeanor or felony penalties, depending on the resulting harm or loss to the victim.

Phishing or spoofing. In a phishing or spoofing scheme, the perpetrator often sends emails, calls, or text messages that appear to be from a legitimate business. The unsolicited communication asks the recipient to update or confirm personal, financial, or login credentials that the perpetrator intends to steal.

Identity theft. A perpetrator who wrongfully obtains or uses personal identifying information to open fraudulent accounts, access legitimate accounts, or otherwise defraud victims commits identity theft.

Credit card fraud. Stealing someone's credit card information can happen in several ways. For instance, a hacker might obtain credit card information by hijacking a payment website, through skimmers on credit card readers, or in a data breach.

Cyber scams and fraud. Cyber scams are rampant. Fraudsters might contact people over the phone, email, text, or social media trying to dupe them out of money through tech scams, charity and disaster fraud scams, cryptocurrency investment fraud, lottery and sweepstakes scams, and romance scams—just to name a few. Scammers also use mobile payment apps to trick people into sending them money.

Cyber extortion. A person commits extortion by attempting to gain money, property, or something of value by threatening another with personal or reputational harm. Perpetrators can commit extortion using the internet or electronic communications in a number of ways. Cyber extortion can be as simple as sending threats over text or email, or it can involve complex ransomware schemes. Sextortion is one insidious type of cyber extortion. It often involves threats to release sexually explicit videos or images unless a victim pays or sends additional images.

Cyberstalking and harassment. A person who uses the internet or electronic communications to annoy, threaten, monitor, or intimidate another commits cyberstalking or cyberharassment. These crimes can involve sending harassing or threatening communications or images via text, email, or online or by posting harmful messages or false information on social media.

Revenge porn. Revenge porn is a type of online harassment that involves posting or distributing sexually explicit images of another without their permission. The victim may have originally consented to the images or videos but didn't consent to their distribution. The use of deepfakes is yet another way to commit revenge porn.

Cybercrimes Against Businesses and Governments

Cybercriminals seeking large payouts or widespread harm might try to attack, breach, or compromise a business or government network, software, devices, or accounts. Threats to cybersecurity target all sorts of industries—financial, healthcare, transit, retail, and even schools. Many of these crimes carry felony-level penalties given their breadth and potential harm.

Business email compromise. BEC scams target businesses by tricking employees into divulging sensitive information or compromising data security through the installation of viruses or malware. One common scheme involves scamming businesses that regularly pay suppliers or vendors electronically. For example, the perpetrator might send an email to the accounts payable department and convince an employee to "update" their vendor account information. The alleged "update" then redirects payments from the legitimate vendor to the perpetrator's account.

Malware. A cybercriminal who installs malware onto a business network or server can wreak havoc. Malware is software or code that can damage or disable computer systems and business operations, access confidential, proprietary or financial data, or otherwise cripple a business or organization's ability to function.

Ransomware. Ransomware is a type of malware designed to block access to a computer system until money (the ransom) is paid.

Data breach. Hackers use any number of methods to infiltrate a computer system to steal confidential or secured information from an organization.

Distributed denial of service. DDOS occurs when cyber attackers use multiple devices to flood and overwhelm a website or network with high traffic volume and bring it to a stop. The cybercriminal's goal might be extortion, revenge, political animosity, or market gain.

AI and Cybercrimes

The rapid advancement of artificial intelligence (AI) tools makes cybercrimes and cyber-enabled crimes even more of a threat. Previously, only bad actors with sophisticated coding and software skills could pull off certain cybercrimes. Now, AI capabilities provide new tools that enable more bad actors to tackle high-tech cybercrimes.

Generative AI can assist even the most unsophisticated criminal create content (emails, photos, videos) that looks authentic, produce and send mass phishing or fraudulent emails, texts or voicemails, and exploit security and system weaknesses.

Where Are Cybercrimes Prosecuted?

Both federal and state prosecutors can prosecute cybercrimes. Usually, crimes are charged and prosecuted where they occur, but cybercrimes can involve numerous locations. The perpetrator could be in Florida and victims could be scattered across the United States. Or a business's physical location might be in one state but its hacked servers are in another.

Federal Prosecutions of Cybercrimes

Federal prosecutors can file criminal charges when a crime crosses state lines, uses an interstate communication (like the internet), or harms a federal agency. Complex cybercrimes involving multiple victims or targeting organizations generally fall under this purview. Federal agencies often have more resources to investigate and prosecute complex cases than their state counterparts.

State Prosecution of Cybercrimes

State prosecutors may also file charges in these complex cases, as long as some part of the crime occurred in the state. However, state prosecutions tend to pursue cases that primarily impact their community. State prosecution also comes into play when federal law doesn't criminalize a particular act. For instance, federal law doesn't criminalize revenge porn.

Collaboration Between State and Federal Prosecutors

State and federal prosecutors will also work together to determine who should prosecute a case. A state law might have certain sentencing enhancements that can put the offender away for a longer time, such as an enhancement for targeting elderly persons. Or the opposite could be true—where a federal law allows for easier prosecution and harsher penalties.

What Are the Penalties for Cybercrimes?

Many cybercrimes are felonies, but their penalties vary greatly depending on the amount of harm caused and the number of victims. Some state cybercrimes, such as cyberharassment or identity theft, may have misdemeanor and felony penalties. A defendant convicted on multiple counts could serve consecutive sentences (one after another).

For specific questions about cybercrime penalties, talk to a criminal defense attorney.

Federal Cybercrime Penalties

Federal law imposes harsh penalties for cybercrimes, especially those that target children. Below are a few examples.

Computer Fraud and Abuse Act. The CFAA is one of the main federal statutes used to prosecute cybercrimes. It covers a wide range of criminal activity, such as computer hacking, stealing computer data, cyber extortion, and unauthorized computer access to defraud. The maximum penalties under the CFAA range from 5 to 20 years in federal prison. (18 U.S.C. § 1030 (2024).)

Fraud and theft. Other federal cybercrime statutes carry anywhere from one to 30 years of possible federal prison time. These crimes include aggravated identity theft, access device fraud (often used in phishing cases), and wire fraud. (18 U.S.C. §§ 1028A, 1029, 1343, 2701 (2024).)

Child pornography. Cybercrimes involving child pornography impose minimum sentences and stiff maximum penalties, ranging from 10 to 40 years or up to life imprisonment. (18 U.S.C. § 2252A (2024).)

State Cybercrime Penalties

Over the years, states have enacted new and tougher laws to address cybercrimes. Below are some examples.

Computer and cybercrime laws. Many states have criminal statutes aimed at combatting cybercrime and computer crimes. For instance, California enacted a robust criminal statute directed at computer crimes, network crimes, data breaches, computer malware and viruses, and disruption or damage to government computer services or networks. Most of the crimes carry felony penalties. (Cal. Penal Code § 502 (2024).) Texas's penal code contains a computer crimes chapter that covers breach of computer security, online solicitation of a minor, electronic access interference, electronic data tampering (including ransomware), unlawful decryption, and online impersonation. (Tex. Penal Code ch. 33 (2024).)

Cyber fraud, theft, and extortion. All states have laws prohibiting fraud, theft, and extortion. State prosecutors can use these general criminal statutes to prosecute cyber criminals. As new cybercrimes surfaced, many states created laws aimed at these acts, such as phishing and the use of credit card skimmers. More recently, states have enacted laws to address cyber-enabled crimes, such as theft and extortion. For instance, Colorado's cybercrime law targets those who unlawfully access a computer network or system to commit theft or fraud or to scan payment information. Connecticut makes it a felony to commit computer extortion by use of ransomware. (Colo. Rev. Stat. § 18-5.5-102 (2024); Conn. Gen. Stat. § 53a-262 (2024).)

Cyberstalking and harassment. Most state stalking and harassment laws apply to defendants who use the internet or electronic communications to harm their victims. Because the internet allows the perpetrators to hide behind their computers when committing these crimes, many states now have cyber versions of these laws. For instance, Florida has a cyberstalking law and a sexual cyberharassment law. (Fla. Stat. §§ 784.048, 784.049 (2024).)

Revenge porn and deepfake porn. Nearly all states have crimes directed at revenge porn (also called nonconsensual dissemination of intimate images). Some states have expanded revenge porn laws to cover the increasing problem of deepfake pornography, while others have created new laws to address deepfakes.

Child pornography or enticement. Like federal law, all states punish the possession and sharing of child pornography over the internet. These laws carry harsh felony penalties. Child enticement and exploitation laws also harshly punish defendants who use the internet to entice or solicit sexual conduct or images from minors.

Resources for Victims of Cybercrimes

Anyone can be a victim of a cybercrime. If you've been victimized, check out some of the resources below for information on how to report a cybercrime. These agencies also have tips on identifying cyber scams and protecting yourself online from cybercriminals.

For emergencies, call 911. You can also contact your local police department.

• Cybersecurity and Infrastructure Security Agency (CISA)
• FBI—On the Internet: Be Cautious When Connected
• FBI—Common Scams
• IC3.gov—Reporting Cybercrimes to the Internet Crime Complaint Center
• FTC—Reporting Fraud and Scams to the Federal Trade Commission
• Internet Crimes Against Children
• Find your state's Attorney General's Office
• Cyberbullying Research Center
• Family Online Safety Institute
• Cyber Civil Rights Initiative
• Nolo's Resources for Crime Victims

If you've suffered financial or emotional harm, you may want to contact a lawyer to discuss potential civil remedies.