FBI IC3 data, local trends, and the risk picture for Phoenix-area businesses
Unlock full access
Executive Summary
Arizona is not a cybercrime backwater. It is an active, high-loss target market that the FBI’s Internet Crime Complaint Center consistently places among the top 10–15 states nationally for both complaint volume and total financial losses.
The Phoenix-Mesa-Scottsdale metropolitan statistical area accounts for the majority of Arizona’s cybercrime exposure. As the 5th largest city in the United States and one of the fastest-growing business markets in the country, Phoenix presents a combination of high transaction volume, rapid business formation, and IT security infrastructure that has not kept pace with growth.
This report summarizes the current threat landscape, documents the attack categories where Arizona businesses are most vulnerable, and provides a prioritized risk framework for Phoenix-area business owners and IT decision-makers.
Section 1: Arizona in the FBI IC3 Data
National Context
The FBI’s IC3 Annual Report is the most comprehensive publicly available source of cybercrime data in the United States. It aggregates complaints filed directly with the IC3 and provides state-level breakdowns of complaint volume and dollar losses.
Key national data points from recent IC3 reporting:
• Over 800,000 cybercrime complaints are filed with the IC3 annually, representing only a fraction of actual incidents (most go unreported).
• Total losses reported to IC3 exceed $12 billion annually — a figure that has grown significantly year over year.
• Business Email Compromise remains the highest-dollar crime category, accounting for billions in annual losses despite being less frequently reported than other crime types.
• Ransomware incident count significantly understates actual ransomware losses because many victims pay without reporting.
Arizona’s Position
Arizona consistently appears in the top tier of states for both complaint volume and total losses. This reflects several structural characteristics of the Arizona economy:
Factor | Why It Creates Cyber Risk |
High-growth business market | Rapid company formation outpaces security infrastructure build-out |
Real estate and construction activity | High-volume wire transfers create BEC opportunity |
Healthcare concentration | Maricopa County has one of the highest concentrations of medical practices per capita in the Southwest |
Legal market growth | Phoenix ranks among the fastest-growing legal markets in the country; smaller firms dominate |
Remote workforce density | Post-2020 relocation wave created large distributed workforce with inconsistent home office security |
Financial services hub | Significant concentration of insurance, mortgage, and financial services processing |
Retiree population | Maricopa County’s large retiree population is disproportionately targeted by tech support and investment fraud |
Section 2: Top Threat Categories for Arizona Businesses
1. Business Email Compromise (BEC)
BEC is the highest-dollar cybercrime category in Arizona and nationally. Attackers compromise or spoof business email accounts to redirect wire transfers, divert payroll, or fraudulently authorize payments.
Arizona-specific exposure is elevated by:
• Active real estate and construction markets with frequent, large wire transfers
• High volume of legal settlements and trust account transactions
• Rapid business growth creating new vendor relationships with limited verification history
Average BEC loss per incident nationally: $120,000+. Arizona’s transaction-heavy economy pushes incident losses higher.
Key prevention: Implement call-back verification for any change to payment instructions or banking information. No exceptions, regardless of urgency claimed by the requestor.
2. Ransomware
Arizona’s SMB-heavy business landscape makes it a prime ransomware market. Smaller businesses lack the security infrastructure of enterprise targets but often have sufficient revenue to make ransom demands financially rational.
Healthcare and legal sectors are disproportionately targeted due to the sensitivity of their data and the leverage it creates in ransom negotiations. Maricopa County’s concentration of medical practices, legal firms, and professional services creates a target-dense environment.
Average recovery cost for a small business ransomware incident: $500,000–$1,000,000 when all costs are included (ransom, forensics, legal, notification, downtime, reputational damage).
Key prevention: Immutable off-site backups, MFA on all accounts, EDR on all endpoints. These three controls break the most common ransomware attack chains.
3. Tech Support Fraud
Arizona’s large retiree population in the greater Phoenix area creates an unusually active tech support fraud market. These scams target both individuals and small businesses, often using pop-up warnings or phone calls claiming to be from Microsoft, Apple, or antivirus vendors.
For businesses, the risk is compounded when employees — particularly those in non-technical roles — engage with fake tech support callers who request remote access to business systems. Remote access granted in this context can lead to credential theft, malware installation, and data exfiltration.
Key prevention: Security awareness training that specifically covers tech support fraud scenarios. Clear policy: no external party is granted remote access to any business system without IT approval.
4. Investment and Cryptocurrency Fraud
Arizona ranks among the top states for investment fraud losses, a category that includes pig butchering scams (long-con cryptocurrency investment fraud), fake business investment opportunities, and fraudulent wire transfer solicitations disguised as investment vehicles.
The business risk: executives and business owners are disproportionately targeted for high-value investment fraud. These schemes often begin with LinkedIn outreach or conference connections and escalate over weeks or months.
5. Data Breaches and Credential Theft
Arizona’s rapid population growth and high volume of online account creation creates fertile ground for credential stuffing and account takeover attacks. Breached credentials from other services are systematically tested against business applications, email accounts, and financial systems.
The prevalence of password reuse in the SMB market — where the same credentials are used across personal and business accounts — means that breaches from consumer services regularly translate into business account compromises.
Key prevention: Password manager deployment across the organization. MFA on all business accounts. Monitoring for compromised credentials through dark web scanning.
Section 3: Industry-Specific Risk in the Phoenix Market
Industry | Primary Threat | Arizona-Specific Factors | Risk Level |
Healthcare / Medical Practices | Ransomware, HIPAA breach | Maricopa County has >3,000 medical practices; most are SMBs with limited IT | CRITICAL |
Legal | Ransomware, BEC, privilege breach | Fastest-growing legal market in AZ; dominated by small/mid firms with minimal IT | CRITICAL |
Real Estate / Title | BEC / wire fraud | High transaction volume; frequent large wire transfers; multiple parties | CRITICAL |
Construction / GC | BEC, ransomware, mobile device | High-value project payments; mobile-first workforce; subcontractor risk | HIGH |
Financial Services | BEC, credential theft | Insurance, mortgage, and lending concentration in Phoenix metro | HIGH |
Professional Services | Ransomware, data theft | Accounting, consulting, marketing; high client data density | HIGH |
Retail / Hospitality | POS malware, credential theft | High card transaction volume; seasonal staffing creates access control gaps | MEDIUM |
Manufacturing / Distribution | Ransomware, industrial IoT | Growing manufacturing sector in East Valley and North Phoenix | MEDIUM |
Section 4: Prioritized Risk Framework
Not every control can be implemented simultaneously. The following framework prioritizes investments by their impact on the most active threat vectors in the Arizona market.
TIER 1: IMMEDIATE PRIORITY (ADDRESS FIRST)
□ ☐ Multi-factor authentication on all email, VPN, and remote access — blocks BEC and credential-based attacks
□ ☐ Immutable off-site backup with tested restoration — eliminates ransomware leverage
□ ☐ Security awareness training with BEC and phishing focus — targets Arizona’s #1 dollar-loss category
□ ☐ MFA on all financial systems and banking portals
TIER 2: NEAR-TERM PRIORITY (ADDRESS WITHIN 90 DAYS)
□ ☐ Endpoint detection and response (EDR) on all devices
□ ☐ Email filtering with advanced phishing protection
□ ☐ Dark web credential monitoring
□ ☐ Written incident response plan with tested procedures
□ ☐ Cyber insurance policy review (or initial procurement)
TIER 3: ONGOING SECURITY PROGRAM
□ ☐ Quarterly phishing simulations
□ ☐ Annual third-party security assessment
□ ☐ Vendor risk reviews
□ ☐ Patch management program with documented SLAs
□ ☐ Annual cyber insurance questionnaire verification
AEGITz publishes this report annually. To receive the next edition automatically, subscribe at aegitz.com. For a personalized risk assessment based on your specific industry and size, contact us for a SCOUTz assessment.
