While phishing was the most commonly reported type of cyber crime in 2020, business email compromise (BEC) dominated the threat landscape in terms of cost to organizations. Though phishing stayed strong and ransomware came roaring back amid the unique conditions created by the coronavirus pandemic, the Federal Bureau of Investigation (FBI) reports that BEC attacks were still the most financially damaging threat to businesses last year.
The FBI and Internet Crime Complaint Center (IC3)’s recently released 2020 Internet Crime Report also reveals that complaints of cyber crime nearly doubled from 2019, hitting a record total of 791,790 (up from about 467,000). There is some good news: the IC3’s Recovery Asset Team, which chases funds from domestic BEC wire transfers, froze about $380 million of the $462 million in losses from the 1,303 incidents it handled, an 82% success rate. That figure applies only to the incidents referred to the team, however; adjusted losses across all complaints were about $4.2 billion.
FBI’s overview of cyber crime in 2020: Weathering an “internet crime spree”
The FBI sees cyber crime attempts generally trending toward the most vulnerable in society, for example medical workers and families attempting to secure their government stimulus checks. However, BEC still does the most total financial damage by far: about $1.8 billion in adjusted losses in 2020. To give a further sense of how much cyber crime expanded in 2020, the IC3 now reports fielding over 2,000 complaints per day.
BEC appears to be offering cyber criminals even better “bang for the buck,” given that this damage total stemmed from only 19,369 complaints, roughly $96,000 per complaint. By contrast, there were 241,342 phishing complaints generating a relatively small $54 million in total damages, about $225 per complaint. However, according to Jerome Becquart (Chief Operating Officer for Axiad), the two should not be separated given how often phishing provides the entry point for a BEC scam to unfold: “Email phishing remains a growing issue because an organization’s greatest vulnerability is its users … Most email scams are masquerading as a known email source or colleague within the same organization, which makes the recipient more likely to share sensitive information. Digital signature of emails should be more widely used to prevent this, as they enable the email recipient to confirm that the sender is authentic and legitimate. In our experience at Axiad, implementation of digital signature for e-mails significantly decreased the risk of email phishing, as we know that if an email from a co-worker doesn’t have their digital signature, it is a phishing scam.”
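The policy Becquart describes, reduced to code, as an added example that is not from the article, the IC3 report or Axiad: every message that claims to come from a known co-worker must carry a valid signature under that co-worker’s key, and a missing or failing signature on such a message is treated as phishing. The example assumes Ed25519 keys in an in-memory directory as a stand-in for the S/MIME certificates a real deployment would use, and a simple canonical form (lower-cased sender, subject, body) as the signed bytes; the `Directory`, `Sign` and `Verify` names are this example’s own. It also covers the cases the quote implies but does not spell out: a sender not in the directory (no claim can be made either way), a signature made under someone else’s key, and a signed message whose body was altered in transit.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Verdict is the outcome of checking an inbound message against the sender directory.
type Verdict string

const (
	VerdictAuthentic  Verdict = "authentic"  // valid signature under the claimed co-worker's key
	VerdictForged     Verdict = "forged"     // claimed co-worker, signature present but invalid
	VerdictUnsigned   Verdict = "unsigned"   // claimed co-worker, no signature at all: treat as phishing
	VerdictUnverified Verdict = "unverified" // sender not in the directory; nothing can be asserted
)

// Directory maps lower-cased co-worker addresses to their signing public keys.
// Assumption for this example: an in-memory map stands in for the organisation's
// certificate store.
type Directory map[string]ed25519.PublicKey

// canonical builds the exact byte string that is signed. Signer and verifier must
// agree on it, otherwise harmless reformatting would look like tampering.
func canonical(from, subject, body string) []byte {
	return []byte(strings.ToLower(strings.TrimSpace(from)) + "\n" +
		strings.TrimSpace(subject) + "\n" +
		strings.TrimSpace(body))
}

// Sign produces the base64 signature a co-worker's mail client would attach.
func Sign(priv ed25519.PrivateKey, from, subject, body string) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, canonical(from, subject, body)))
}

// Verify applies the policy: a message claiming to come from a known co-worker is
// only accepted with a valid signature under that co-worker's key.
func Verify(dir Directory, from, subject, body, sigB64 string) Verdict {
	pub, known := dir[strings.ToLower(strings.TrimSpace(from))]
	if !known {
		return VerdictUnverified
	}
	if sigB64 == "" {
		return VerdictUnsigned
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return VerdictForged
	}
	if ed25519.Verify(pub, canonical(from, subject, body), sig) {
		return VerdictAuthentic
	}
	return VerdictForged
}

// NewKeyPair wraps key generation so the demo stays short.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func main() {
	pub, priv := NewKeyPair()
	dir := Directory{"cfo@example.com": pub} // constructed directory entry
	body := "Please pay vendor invoice 4471 today."
	sig := Sign(priv, "cfo@example.com", "Urgent wire", body)

	fmt.Println("genuine mail:         ", Verify(dir, "cfo@example.com", "Urgent wire", body, sig))
	// attacker spoofs the CFO's address but cannot produce a signature
	fmt.Println("spoofed, unsigned:    ", Verify(dir, "cfo@example.com", "Urgent wire", body, ""))
	// attacker alters the bank details in a legitimately signed mail
	fmt.Println("signed then tampered: ", Verify(dir, "cfo@example.com", "Urgent wire", body+" New account: 0000", sig))
	fmt.Println("unknown sender:       ", Verify(dir, "someone@other.example", "Hello", body, ""))
}
```

The useful property is that the spoofed and tampered cases fail closed without any content inspection: the check depends only on who holds the private key, which is exactly what a display-name or lookalike-domain impersonation does not have.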
In addition to the continued prominence of BEC in the annual reports, one of the lead stories of 2020 was a notable rise in “Elder Fraud,” or scams that specifically target victims over the age of 60. There were 105,301 complaints creating a total of $966 million in losses, enough that the FBI plans to create a separate Elder Fraud report to be published in 2022.
Another cyber crime trend created by the unique conditions of 2020 was the targeting of relief payments provided by the CARES Act. A total of 28,500 complaints of this nature were filed, mostly involving grant fraud, loan fraud and phishing attempts seeking personally identifiable information. Fraudsters most commonly filed for stimulus checks under someone else’s name using stolen personal information. Some scammers contacted victims directly and pretended to be representatives of government agencies, in some cases promising coronavirus vaccine shots in a bid to steal sensitive information. Timothy Chiu, Vice President of Marketing for K2 Cyber Security, provided some further insight into this trend: “The FBI’s 2020 Internet Crime report shows a big jump in complaints about cyber crime. During this last year, just like everyone else, cyber criminals were working from home, and with the shelter in place and quarantine, they were working harder than ever. Cyber criminals generally prefer attacks that are easy and will give them the biggest return. One way to ensure that is to take advantage of trending topics and news. Last year COVID was the news, all the time and unavoidable, making it the obvious choice to use for scams, phishing and malware attacks, as evidenced by the FBI report.”
After a small dip in 2017, both complaints and total reported losses have been increasing substantially each year. Complaints have more than doubled in the last two years, and total damages have nearly doubled during that time.
While phishing is not nearly as financially damaging per incident as BEC, phishing complaints skyrocketed in 2020, more than doubling from about 114,000 in 2019 to about 241,000. This came after they had already more than quadrupled from 2018 to 2019, having remained relatively stable for several years before that. The IC3 saw complaints in nearly every category of cyber crime increase to at least some degree in 2020, however. Non-payment / non-delivery scams, extortion and identity theft were among the top categories.
BEC is most likely the central cyber crime concern for organizations. These scams only grew in scope in 2020, with perpetrators moving beyond simply impersonating CEOs or CFOs to incorporate more sophisticated layers: compromising a vendor’s account to lend authenticity to a fraudulent invoice or bank-detail change, impersonating (or outright compromising) attorney accounts, and an increased focus on obtaining large amounts of W-2 tax form information as part of the scheme. Stolen BEC funds are also being pipelined into cryptocurrency more efficiently, making it harder for authorities to freeze and recover the money. The IC3’s advice for thwarting BEC is fairly straightforward: never act on a request to change payment details without first confirming it with the intended recipient over a known, independent channel (a phone number already on file, not one supplied in the email), and always verify that the sender’s email address is exactly what it should be, not a lookalike.
Though ransomware accounted for only 2,474 complaints and about $29.1 million in losses, it is on a strong upward trend that organizations should also take note of. The IC3 figure also understates the true cost, as the report’s loss numbers do not include lost business, downtime, wages, files or third-party remediation. Ransomware attacks now generally come packaged with exfiltration of sensitive documents and a threat to publish them on dark web leak sites if the ransom is not paid.
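The IC3’s “verify the address” advice turned into a check a mail gateway or a finance team’s tooling could run, as an added example that is not from the report or this article: parse the `From:` header, extract the domain, and classify it against a list of trusted vendor or colleague domains. Exact matches (and subdomains of them) are trusted; a domain that matches after folding common look-alike characters (`rn` for `m`, `1` for `l`, `0` for `o`), sits within two edits of a trusted domain, or embeds the trusted brand name (`acme-invoices.com` for `acme.com`) is flagged as a lookalike that should block a payment change until it is confirmed out of band. The trusted list, the homoglyph table, the edit-distance threshold of 2 and the brand-token rule are this example’s assumptions, chosen to cover the impersonation styles described above, and the example goes beyond the article’s specific case by also handling subdomains and unparseable headers.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// Classification of an inbound sender address against the trusted-domain list.
type Classification string

const (
	Trusted   Classification = "trusted"   // exact match or subdomain of a trusted domain
	Lookalike Classification = "lookalike" // close to a trusted domain: likely impersonation
	Unknown   Classification = "unknown"   // unrelated domain
	Malformed Classification = "malformed" // header could not be parsed as an address
)

// homoglyphs lists substitutions attackers use because they read alike in most
// fonts. The table is an assumption of this example, not a standard.
var homoglyphs = []struct{ from, to string }{
	{"rn", "m"}, {"vv", "w"}, {"0", "o"}, {"1", "l"}, {"3", "e"}, {"5", "s"}, {"8", "b"},
}

// normalise folds confusable characters so "exarnple.com" and "examp1e.com"
// both compare equal to "example.com".
func normalise(domain string) string {
	d := strings.ToLower(domain)
	for _, h := range homoglyphs {
		d = strings.ReplaceAll(d, h.from, h.to)
	}
	return d
}

func min3(a, b, c int) int {
	if b < a {
		a = b
	}
	if c < a {
		a = c
	}
	return a
}

// levenshtein is the standard two-row edit-distance dynamic programme.
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	cur := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

// SenderDomain extracts the lower-cased domain from an RFC 5322 From header such as
// `"Acme Billing" <ap@acme.com>`; anything net/mail cannot parse is rejected.
func SenderDomain(header string) (string, error) {
	addr, err := mail.ParseAddress(header)
	if err != nil {
		return "", err
	}
	at := strings.LastIndex(addr.Address, "@")
	if at < 0 {
		return "", fmt.Errorf("no domain in %q", addr.Address)
	}
	return strings.ToLower(addr.Address[at+1:]), nil
}

// Classify checks exact/subdomain matches first, then the lookalike heuristics.
func Classify(fromHeader string, trusted []string) Classification {
	domain, err := SenderDomain(fromHeader)
	if err != nil {
		return Malformed
	}
	for _, t := range trusted {
		t = strings.ToLower(t)
		if domain == t || strings.HasSuffix(domain, "."+t) {
			return Trusted
		}
	}
	for _, t := range trusted {
		t = strings.ToLower(t)
		nd, nt := normalise(domain), normalise(t)
		brand := strings.SplitN(nt, ".", 2)[0] // e.g. "acme" from "acme.com"
		if nd == nt || levenshtein(domain, t) <= 2 || (len(brand) >= 4 && strings.Contains(nd, brand)) {
			return Lookalike
		}
	}
	return Unknown
}

func main() {
	trusted := []string{"acme.com"} // constructed trusted-vendor list
	for _, h := range []string{`"Acme Billing" <ap@acme.com>`, `"Acme Billing" <ap@acrne.com>`, `<ap@acme-invoices.com>`, `<ap@example.org>`} {
		fmt.Printf("%-32s %s\n", h, Classify(h, trusted))
	}
}
```

A lookalike verdict is a reason to stop and phone the vendor, not proof of fraud on its own; the brand-token rule in particular will flag unrelated domains that happen to contain a short brand name, which is why it is limited to brands of four or more characters.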
Rise in financial losses from cyber crime
Total losses for all types of cyber crime decidedly track upwards with age, though the total victim count does not increase proportionally. Among adult age groups, the 20-29 group was the least likely to be scammed and lost the smallest amount, about $197 million in total. There was a large jump in losses with the 30-39 group, which was hit for about $492 million. Those over age 60 are both the most likely to be scammed and lost far more money than any other group.
Targeting and total losses also generally track with state population size. California, Texas, Florida and New York were the top four for both total number of victims and total damages. These are also the four most populous states, so the ranking largely reflects where people live rather than any unusual per-capita risk.
While the report is a helpful reference, Ilia Kolochenko (CEO, Founder and Chief Architect at ImmuniWeb) points out that it is not a comprehensive view of all cyber crime that takes place each year: “The IC3 report mostly covers technology-driven fraud targeting individuals and organizations with modest in-house Incident Detection and Response (IDR) capacities. Moreover, the report includes only those incidents that were reported directly to the FBI’s IC3 center, not all cybercrimes or serious incidents being handled or investigated by the FBI. Many victimized organizations from regulated industries do not report security incidents to the IC3 specifically, let alone stealth incidents like SolarWinds that was undetected for a while and continues bringing new victims almost every day. Total losses from nation-state and other advanced hacking campaigns targeting US companies are probably hundreds of times higher than the adduced numbers, including lost profits and long-lasting losses caused by intellectual property theft, reputational damage and legal costs … What would be useful to have in the upcoming reports is the cybercrime clearance rate and factors that facilitate an investigation. Victimized people and future victims should be prepared to retain at least some basic digital evidence for examination and subsequent prosecution of the wrongdoers, otherwise, we will just continue speechlessly observing a cybercrime surge.”