Consumer Reports study finds surge in texting and messaging scams

Washington, DC – Consumer Reports (CR) along with Aspen Digital and the Global Cyber Alliance, released the fourth annual Consumer Cyber Readiness Report today, marking the beginning of Cybersecurity Awareness Month. The report examines American consumer attitudes on digital privacy and security and steps they are taking to protect themselves from potential threats. 

The report found that over the past year, consumers have seen a significant increase in text messaging-based scams, especially for younger American consumers aged between 18 – 29 years old. In addition to revealing disparities based on age, this year’s data showed stark inequities regarding the groups most vulnerable to digital scams. For example, while the percentage of Americans who reported losing money from a digital scam remains the same as last year, at 1 in 10, this year’s report revealed for the first time that, among those who had encountered a scam attempt, people with the lowest household incomes were three times as likely to report financial losses due to scams as people in the highest income households (29 percent compared to 10 percent).

The report also found continued racial disparity in financial losses related to scams: 37 percent of Black Americans who encountered a scam lost money, compared to only 15 percent of white Americans. These figures were similar to those reported last year. This echoes similar findings that have been made by other organizations in the recent past, including the Federal Trade Commission.

“Cyberattacks and digital scams continue to cause serious harm to American consumers, often with devastating consequences,” said Yael Grauer, program manager at Consumer Reports. “During Cybersecurity Awareness Month, CR is elevating the consumer voice and advocating for stronger policies to protect people from digital threats. Government and industry must do more to protect consumer privacy and security, but with federal consumer protection agencies facing reduced resources, it is even more critical to empower consumers to adopt strong cybersecurity practices against increasingly sophisticated scams and attacks.”

CR conducted two separate nationally representative multi-mode surveys–one of 2,158 US adults in April 2025 and one of 2,333 US adults in May 2025–to understand consumers’ behaviors in improving their digital security and privacy and provide new insights into consumer scams and their attack vectors. 

Additional findings of the surveys include: 

• Nearly half of American consumers have personally encountered a cyberattack or a digital scam. Alarmingly, 1 in 5 of those who say they have personally encountered a scam or cyberattack—or about 1 in 10 Americans overall—say they lost money to the scam.
• 84 percent of American social media users encountered types of experiences on social media, each of which may pose a risk of cyberattack or digital scam. 
  • Nearly two-thirds of social media users (64 percent) say they have received friend requests from people they don’t know. About half (48 percent) say they have received direct messages that seemed to be part of a scam or fraud attempt. And roughly half (46 percent) say they have received direct messages on social media from people they don’t know. 
• Three out of four scam attempts (74%) that Americans have experienced began on email, social media, or text messages, or through a messaging app.
  • 30 percent of those who had experienced a cyberattack or digital scam said it began over a text message or a messaging app, while only 20 percent said that last year. 
• Phishing was still the most common type of scam or attack that people experienced with 39 percent of those who had experienced an attack or scam saying that the scam used messages or emails purporting to be from a legitimate source asking for personal information.
• Roughly a third of Americans do not use unique passwords across accounts, even though doing so can limit the damage when a single password is compromised.

We did see some improvements in actions consumers take to improve their security posture: 

• Use of password managers: 42 percent vs. 36 percent last year
• Increase in having identity theft protection services: 33 percent vs. 28 percent last year
• Increase in having browser extensions that block trackers: 29 percent vs. 25 percent last year
• Increase in having file encryption software: 14 percent vs. 10 percent last year

Historically, many of our consumer protection agencies have been underfunded. Consumers’ confidence in the privacy of their data is down, and federal efforts to rein in data brokers and boost security have been rolled back. Companies do not need to wait for government to take action. They, too, can lift the burden from consumers by making products with security built in—by design and by default—and by utilizing best practices such as data minimization.

This study demonstrates that improving the nation’s cyber civil defense through collective behavior change is an ongoing challenge and one that is being addressed. Through a commitment by Craig Newmark Philanthropies, initiatives like Take9 are doubling down their efforts to equip everyday Americans with the skillset to be safe online. By pausing, taking 9 seconds before you click, download and share, we can all take steps to protect ourselves. CR also offers a tool known as Security Planner, which helps individuals build a digital security plan that’s tailored to their unique needs and the devices they use.

“As our lives go digital and a risk of a cyber attack rise, protecting against them is no longer just IT’s problem,” said Dr. Sasha O’Connell, Senior Director of Cybersecurity at Aspen Digital. “Our approach to product design, public policies, and personal preparedness all must evolve if we are going to effectively meet this moment.” 

“Many scams succeed not because of technical genius but because people don’t know or don’t follow basic steps to protect themselves. Strong passwords, multifactor authentication, privacy-protecting web browsers – these things aren’t glamorous, but they are lifesaving. As this report makes clear, real progress depends on collective action: individuals making safer choices, industry building more secure products, and governments holding criminals accountable,” said Komal Bazaz Smith, Chief Business Officer of the Global Cyber Alliance.

While consumers can use resources such as Take9 and Security Planner to improve their cyber hygiene, government and industry have a key role to play in improving the cybersecurity ecosystem. In particular, companies can ease the burden on consumers by adopting secure-by-default, secure-by-design practices, and by making emerging security and privacy tools—such as passkeys, which protect account access without passwords—more accessible and interoperable. Regulators should also take action against companies that fail to use reasonable safeguards to protect consumers from cyber attacks. 

About Aspen Digital

Aspen Digital is a nonpartisan technology and information-focused organization that brings together thinkers and doers to uncover new ideas and spark policies, processes, and procedures that strengthen communities all over the world. This future-focused Aspen Institute program inspires collaboration among voices from industry, government, and civil society to ensure our interconnected world drives networked impact. To learn more, visit aspendigital.org or email aspendigital@aspeninstitute.org.

About the Global Cyber Alliance

The Global Cyber Alliance (GCA) is an international nonprofit organization that mobilizes collective action to tackle the Internet’s greatest challenges and build a safer digital world for everyone. It achieves this in three ways: working with communities; engaging infrastructure owners and operators; and driving Internet ecosystem engagement.