
FBI Annual Internet Crime Report Finds Hot New Trend in Online Scams: “Pig Butchering”

“Pig butchering” investment scams have overtaken business email compromise (BEC) as the costliest single category of cyber crime by reported losses, according to the FBI’s annual Internet Crime Complaint Center (IC3) report.

This type of scam was lumped in with the general category of “romance scams” in prior reports, as there was not enough activity to merit its own label. Investment scams that involve grooming a target into putting money into fraudulent ventures took off like a rocket in 2022, however, racking up $3.3 billion in reported losses for the year.

Cyber crime scammers turn much of their focus to fake crypto investments

While the number of complaints made to the IC3 dropped by about 5%, reported losses shot up from about $6.9 billion in 2021 to $10.2 billion in 2022. Much of that is still due to BEC attacks, which accounted for over 21,800 complaints and over $2.7 billion in losses. But for the first time that figure was eclipsed by “pig butchering” incidents, which accounted for $3.31 billion stolen.

While it is far from time to stop worrying about BEC numbers, the FBI did also report some heartening recovery figures for medium-to-large businesses. 2022 saw substantial improvements to its Financial Fraud Kill Chain (FFKC) program, which is used when both the victim and the receiving account are domestic. The program followed up on 2,838 BEC complaints that collectively represented $590 million in potential loss, and was able to freeze $433 million of that amount before it could be withdrawn.

Dror Liwer, co-founder of Coro, additionally notes that BEC volume continues to rise even though it has been overtaken as the costliest single form of cyber crime: “We saw a 182% increase in BEC attacks between Q1 2022 and Q1 2023. The attack is extremely difficult for traditional email security platforms to detect, as the email is sent from a legitimate account. This, of course, makes it very lucrative for attackers, as the success rate is very high, and with it, the payoff. Siloed cybersecurity can’t deal with a multi-vectored attack. When one tool deals with user authentication, and another with email content inspection, we get cybersecurity blind spots that attackers exploit. We need a unified, holistic approach to cybersecurity to eliminate these blind spots.”
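As an added illustration of the blind spot Liwer describes, the script below correlates two telemetry sources that are usually inspected separately: identity-provider sign-ins and outbound mail content. A payment-change request from an internal mailbox earns only a “review” rating on content alone, but is rated “high” when the same account also had a successful sign-in from a country outside its baseline shortly before sending. This is example code written for this page, not Coro’s product and not anything from the IC3 report; the event schema, the sample sign-ins and messages, and the geography baseline are all constructed for illustration.

```python
"""Correlate identity sign-in anomalies with outbound payment-change mail.

Added example for this page, not vendor or FBI code. The event schema and
all sample events below are constructed for illustration.
"""
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (hypothetical schema): sign-ins seen by the
# identity provider and outbound mail seen by the mail gateway.
SIGNINS = [
    # (timestamp, account, country, succeeded)
    ("2023-04-03T07:55:00", "cfo@example.com", "US", True),
    ("2023-04-03T08:10:00", "cfo@example.com", "NG", True),   # never seen before
    ("2023-04-03T08:12:00", "ap@example.com",  "US", True),
]
MAILS = [
    # (timestamp, sender, recipient, subject, body)
    ("2023-04-03T08:40:00", "cfo@example.com", "ap@example.com",
     "Urgent: updated wire instructions",
     "Please use the new account ending 4471 for today's invoice. Keep this confidential."),
    ("2023-04-03T09:00:00", "ap@example.com", "vendor@example.org",
     "Invoice 884",
     "Attached is the remittance advice for invoice 884."),
]
# Baseline of countries each account normally signs in from (constructed).
KNOWN_GEO = {"cfo@example.com": {"US"}, "ap@example.com": {"US"}}

# Lexical signals typical of payment-diversion BEC lures.
PAYMENT_CHANGE = re.compile(r"\b(new|updated|changed)\b.*\b(account|wire|bank|routing)\b", re.I)
URGENCY = re.compile(r"\b(urgent|immediately|today|confidential)\b", re.I)


def assess(mail, signins, known_geo, window_hours=24):
    """Return (severity, reasons) for one outbound message.

    Content alone only earns 'review'; the same content from an account that
    also had an out-of-baseline sign-in inside the window is rated 'high'.
    """
    ts, sender, _rcpt, subject, body = mail
    sent = datetime.fromisoformat(ts)
    reasons = []
    text = f"{subject}\n{body}"
    if PAYMENT_CHANGE.search(text):
        reasons.append("payment_change")
    if URGENCY.search(text):
        reasons.append("urgency")
    # Identity context: successful sign-ins by the sender inside the window
    # from a country not in that account's baseline.
    for sts, acct, country, ok in signins:
        if acct != sender or not ok:
            continue
        when = datetime.fromisoformat(sts)
        if (sent - timedelta(hours=window_hours) <= when <= sent
                and country not in known_geo.get(acct, set())):
            reasons.append(f"new_geo_signin:{country}")
    if "payment_change" in reasons and any(r.startswith("new_geo_signin") for r in reasons):
        severity = "high"
    elif "payment_change" in reasons:
        severity = "review"
    else:
        severity = "none"
    return severity, reasons


def find_bec_candidates(mails, signins, known_geo):
    """Return [(sender, subject, severity, reasons)] for every non-clean message."""
    out = []
    for mail in mails:
        severity, reasons = assess(mail, signins, known_geo)
        if severity != "none":
            out.append((mail[1], mail[3], severity, reasons))
    return out


if __name__ == "__main__":
    for hit in find_bec_candidates(MAILS, SIGNINS, KNOWN_GEO):
        print(hit)
```

The point of the design is the join, not the regexes: neither source flags anything conclusive on its own (the sign-in succeeded, the mail came from a real mailbox), and the lexical patterns here are deliberately crude. In a real deployment the baseline would come from the identity provider’s sign-in history and the content signals from the existing mail-security engine, with the correlation window tuned to how quickly the team can act on a “high” finding.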

This is the first year in quite some time in which cyber crime complaint numbers dropped, but they remain slightly above 2020 levels and almost double those seen in 2019. Loss amounts continue to trend strongly upward, however, with 2022’s total jumping by more than double the year-over-year increase seen in recent years. Cyber crime types that saw a small increase in 2022 include tech support scams and personal data breaches; phishing actually saw a small drop, as did non-payment/non-delivery schemes (which surged during the stay-at-home days of 2020 but now appear to be quickly leveling off to more “normal” numbers).

Investment fraud jumped 127% in 2022 to become the costliest form of cyber crime; the bulk of this was cryptocurrency investment schemes, which jumped 183% from the prior year and represented $2.57 billion in loss. While the vast majority of scams target older age demographics, crypto schemes are unique in that they tend to specifically target people age 30 to 49. There are a variety of different schemes of this nature: tricking victims into linking their crypto wallet to a fraudulent liquidity mining system, using hacked social media accounts to target friends and contacts, impersonating celebrities, and using fake offers of employment at investment firms as a pretext to pass bogus investing advice.

Cyber crime sees shifts in activity, but old threats continue to be serious problems

While cyber crime patterns may be shifting toward scams, ransomware is far from gone. The IC3 received 2,835 ransomware complaints in 2022 totaling $34 million in losses, but these numbers are usually an underrepresentation, as organizations often choose not to report ransomware incidents and the IC3 figure does not include ransom payments made without a complaint, remediation costs, or downtime.

While other studies have found that ransomware incidents dropped overall in 2022, the IC3 data says that attackers are now more commonly using “double extortion” threats to leak stolen data.

Ransomware is also increasingly targeting critical infrastructure companies. Of the 16 sectors that the federal government places in this category, some are faring much better than others. Defense industrial base companies saw only one reported ransomware incident in 2022, and water and wastewater facilities only three. On the other end of the scale, 210 health care organizations were hit, as were 157 critical manufacturing companies. The most active groups against these sectors were LockBit, ALPHV and Hive.

Mark Sangster, Chief of Strategy at Adlumin, notes that this reflects broader patterns in the targeting of specific sectors that remain uniquely vulnerable to ransomware attacks: “… The ‘Misfortune 500’ continue to target those industries most vulnerable to multi-pronged operational outages: manufacturing and healthcare. These segments rely on extensive industrial IoT technology and are especially susceptible to operational disruption. It seems the Misfortune know how to identify and capture target markets as well as, if not better than, most Wall Street invested organizations. The report should be a catalyst for technical leaders to engage their business executives. The report reads like an enviable investor report from a global corporation full of diversity, growth and record profit. It’s the language business leaders understand. It makes a compelling argument for why they should invest in cybersecurity.”

Call center fraud is another cyber crime category that saw a significant spike in 2022, with collective losses of over $1 billion. This is a more traditional category in the sense that it heavily targets the elderly and others who are not tech savvy. And though middle-aged people have become much more popular with scammers as of late, seniors over the age of 60 were taken for the largest amount of money of any cohort (a total of $3.1 billion).

Roger Grimes, data-driven defense evangelist at KnowBe4, sees these rising numbers as a call for targeted public education akin to the programs that organizations run to increase employee awareness of common cyber crime attempts: “The amount of money lost to online scams has continued to increase for decades and shows no signs of reducing anytime soon. We know that 70%-90% of all cybercrimes are conducted by social engineers, and simply educating people to recognize the signs of a scam is the single best way to prevent scams out of everything you could possibly do. Everyone should be educated about the most common types of scams, how to spot them, how to defeat them, and how to appropriately report them. And everyone should be taught to be proactively skeptical of any request, no matter how it arrives (be it email, chat, SMS, social media, a phone call, or in person), if it arrives unexpectedly and is asking the receiver to do something they have never done before for that requestor. Any message with these two traits is a high-risk message and the desired request should be confirmed as legitimate, using some alternate method (such as calling the real requestor or visiting the legitimate website) before performing the requested actions. If everyone could be made a default skeptic of any message with those two traits (i.e., it arrives unexpectedly and it asks the receiver to do something new for that receiver), it would go a long way to mitigating online scams.”