The FBI’s Internet Crime Report, which provides data on the agency’s complaints and cases for the previous year, has been released. This annual report is prepared by the bureau’s Internet Crime Complaint Center (IC3), and is always a worthwhile read as it helps to identify trending patterns in cybersecurity. This year’s report reveals that the IC3 received nearly 352,000 complaints in 2018, with the most common type being a non-payment or non-delivery scam. However, the most financially damaging scams in 2018 were business email compromise, confidence fraud and investment scams.
2018’s internet crime activity in a nutshell
In 2018, 351,936 complaints were filed with the FBI, an average of about 900 each day of the year. In total, successful internet crime schemes resulted in about $2.7 billion in personal and business losses.
The total number of complaints rose for the fifth year in a row, and made the most significant jump in recent years (by about 50,000). The real spike was in total reported losses, however, which nearly doubled from the figure seen in 2017.
Individuals were hit by internet crime the most frequently, but businesses were hit the hardest. Individuals were most often scammed during some sort of online transaction, buying or selling an item that the other party did not make good on. They were also frequently subject to extortion and to the fallout of personal data breaches, but lost the most money to romance fraud and investment scams. Businesses lost the largest amount of money to business email compromise attacks in which one or more members of the organization were specifically targeted for fraud.
People over the age of 50 were most frequently struck by these crimes and also lost the most money to them. These numbers reflect the results of similar surveys and studies in recent years, and the FBI study may have actually underestimated the total losses in this group. Paul Bischoff, privacy advocate with Comparitech.com, said:
“We found 38% of fraud cases target the elderly, and about one in 10 elderly people are victims of elder financial exploitation every year. The vast majority of that goes unreported, so I would guess that the FBI’s estimate of $2.7 billion is very conservative.”
New help for victimized businesses
Though the rise in business email compromise scams is worrying, there was some good news in the 2018 internet crime report. The FBI established the Recovery Asset Team in February, a subdivision of the IC3 tasked exclusively with helping businesses recover funds lost due to business email compromise. In its first year of operation, the team was able to recover 75% of missing funds – $192 million in total. To increase the chances of successful recovery, businesses that experience internet crime are asked to contact the IC3 and their banks as quickly as possible. The FBI can help in expediting the process of freezing the funds transfer and getting the money back from whatever bank it was sent to.
The Operation Wellspring Initiative was also expanded. This initiative began in 2017 and is designed to help state and local law enforcement agencies connect with their local FBI field offices for assistance in responding to cyber crimes.
Businesses that have experienced internet crime should also avail themselves of the services of the FBI’s Victim Services Division. This is a crisis management branch of the bureau that helps victims with intervention services and referrals to helpful resources.
Organizations can do quite a bit to protect themselves from this form of internet crime. The first step is understanding exactly how it happens.
While any business can fall victim to this type of attack, the prime targets are Western companies that regularly transfer funds internationally to vendors and suppliers. The attackers usually make entry by phishing throughout the company looking for any point of entry to the network. Once inside, they will lay low for an extended period while gathering information on the company’s billing processes and regular partners. They then use this information for a targeted phishing attack on one or more members of the finance department, attempting to pressure them into sending fraudulent payments.
The attackers are often very convincing, feigning legitimacy with spoofed email addresses and even sometimes going so far as to register fake companies with a name very similar to the legitimate partner. They are even sometimes bold enough to pose as United States government agencies such as the IRS to perpetrate internet crime.
“The FBI’s report confirms that investing in employee education through simulated phishing attacks and the associated phishing prevention training is a ‘powerful’ defense against cybercrime. Public awareness is one powerful tool in efforts to combat and prevent these crimes.
Industry estimates are that at least 20% of any group of people have a high propensity to fall for various phishing and social engineering attacks, and that we are all vulnerable to these attacks on occasion. Business email compromise (BEC) attacks, in particular, successfully target very smart, highly motivated and educated people. Hackers exploit authority figures such as CEOs and CFOs when they launch BEC attacks.
Other phishing attacks succeed by emulating government authorities, such as the IRS. It is a shame that the IRS attempts to prevent legitimate training exercises which simulate ‘IRS’ phishing scams; these are highly prevalent phishing attacks which exploit the authority and fear associated with the IRS, often to great effect. Awareness, as the FBI notes, would be a powerful tool in defending against IRS phishing attacks.”
Defense against business email compromise begins with making members of the organization aware of it and how common it is. There is an obvious emphasis on educating the finance employees that process payments, but this extends to general cybersecurity awareness throughout the organization. Cyber criminals generally need some illicit access to the network in advance to do the research needed to pull off this particular internet crime, and that access almost always begins with an employee clicking on an email phishing link.
Direct communication is the #1 way to shut down a business email compromise attack. These attacks rely on high pressure because the attackers do not want employees taking time to independently verify the request with the alleged requester. Heightened awareness and scrutiny should be standard when transfers are of a significant dollar amount, or if the requester does something consistent with suspected criminal behavior: for example making the request by email when that is not usually the case, using a different email address, or being unusually pushy. If anything looks wrong, secondary contact information should be available so that the employee can verify the legitimacy of the request.
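A screening check for incoming vendor payment requests built on the warning signs listed above (significant amount, a different or look-alike sender address, an unusual channel, unusual pressure), written here as an added example rather than anything from the FBI report or the article; it also flags a changed bank account, a business email compromise indicator that goes beyond what the text lists. The vendor registry, domain, account values and threshold are constructed.

```python
"""Screen a vendor payment request for the BEC warning signs named in the text:
a significant amount, a sender address that differs from the vendor on file
(including look-alike domains), an unusual channel, or undue pressure."""
from dataclasses import dataclass
import difflib

@dataclass
class Vendor:
    name: str
    domain: str          # domain the vendor normally sends from
    usual_channel: str   # e.g. "portal", "email", "phone"
    bank_account: str    # account on file for this vendor

@dataclass
class PaymentRequest:
    vendor: str
    sender_address: str
    channel: str
    amount: float
    bank_account: str
    urgent_language: bool = False   # "pay today or we lose the contract"

# Constructed sample registry: hypothetical vendor, domain and account values.
VENDORS = {
    "Acme Supplies": Vendor("Acme Supplies", "acme-supplies.example", "portal", "DE00-1111"),
}
LARGE_AMOUNT = 10_000.0   # constructed threshold above which every request is verified by phone

def screen_request(req: PaymentRequest, vendors=VENDORS) -> list[str]:
    """Return the reasons this request needs secondary (out-of-band) verification.
    An empty list means none of the warning signs fired; flagged requests are
    routed to a call-back on the contact number on file, not blocked outright."""
    reasons = []
    vendor = vendors.get(req.vendor)
    if vendor is None:
        return ["unknown vendor"]
    sender_domain = req.sender_address.rsplit("@", 1)[-1].lower()
    if sender_domain != vendor.domain:
        # A near-match suggests a look-alike domain registered to impersonate the partner.
        ratio = difflib.SequenceMatcher(None, sender_domain, vendor.domain).ratio()
        kind = "look-alike domain" if ratio >= 0.8 else "different domain"
        reasons.append(f"{kind}: {sender_domain} vs {vendor.domain}")
    if req.channel != vendor.usual_channel:
        reasons.append(f"unusual channel: {req.channel} (normally {vendor.usual_channel})")
    if req.amount >= LARGE_AMOUNT:
        reasons.append(f"significant amount: {req.amount:,.2f}")
    if req.bank_account != vendor.bank_account:
        reasons.append("bank account differs from the account on file")
    if req.urgent_language:
        reasons.append("unusual pressure to pay immediately")
    return reasons
```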
Given the prevalence of this type of internet crime, some companies are now subscribing to an “active defense” philosophy. This approach focuses not just on securing the network and educating employees, but also on actively investigating the source of attacks and tracking the perpetrators using hacking techniques. This provides an increased chance of recovery should an attack succeed, and the general thought is that if enough companies adopt active defense measures it will reduce the overall number of attempts. This is not an approach for a company to engage in casually, however. Serious liability issues can arise from inadvertently catching an innocent third party up in these measures.
“As the findings demonstrate, there are a wide variety of ways in which cyber crimes are committed – from sophisticated technical techniques to attackers preying on the misplaced trust of unsuspecting victims.
“Not unlike the contributions of seat belts and airbags to the reduction of motor vehicle crash death rates (nearly halved when used), the potential impact of password vaults, multi-factor authentication, and other already available technologies could be more than significant if leveraged broadly and diligently by the masses. The technology is available to combat the effectiveness of big hitters like Business Email Compromise and Personal Data Breach, as highlighted in the findings; we just need to use them.
“However, as popularized in Geoffrey A. Moore’s best-selling book ‘Crossing the Chasm’, there are innovators, early adopters, majorities, and laggards as it pertains to the adoption of virtually any technology. Unfortunately, the ‘Chasm’ has yet to be crossed for the majority, and until that happens, we will likely see these numbers continue to rise.”
It is a hard fact that businesses have budgets, and that allocation of those budgets based on cyber risk assessment is a business necessity. However, the key to making all of that work is an accurate assessment of the risks presented by internet crime such as business email compromise. The FBI study makes clear that increased spend on training and refinement of security protocols is going to make sense for many companies, especially those in highly regulated environments where a data breach can prompt hefty fines.