The Federal Bureau of Investigation (FBI) reported that it recently received a record number of complaints related to online scams and investment fraud.
It took seven years for the FBI’s Internet Crime Complaint Center (IC3) to record its first million complaints. The center then reached the five-million-complaint mark on March 12, 2020, twenty years after its inception in 2000. However, it took only 14 months for the bureau to receive the next million complaints, reaching six million on May 15, 2021.
This period coincided with the COVID-19 pandemic and marked a 69% increase in internet crime reporting since 2019.
The FBI noted that the pandemic contributed to increased online scams as most operations and transactions shifted online.
Investment fraud, business email compromise, and romance online scams prevalent
The FBI received 791,790 reports of online scams costing Americans about $4.1 billion for the 2020 reporting period.
The law enforcement agency attributed the increase in internet crime reports to five types of online scams, namely phishing scams (241,342), non-payment or non-delivery scams (108,869), extortion (76,741), personal data breaches (45,330), and identity theft (43,330).
Although phishing attacks remained the most prevalent online crime, the biggest losses came from business email compromise (BEC) scams, amounting to $1.87 billion. Romance and confidence schemes and investment fraud also cost Americans over $0.6 billion and $0.3 billion, respectively.
BEC scams trick business employees into transferring money into accounts held by cybercriminals. The fraudsters compromise business executives’ or clients’ emails and order employees to send money to their accounts instead of the legitimate ones. IC3 received 19,369 BEC scam complaints during the reporting period.
Romance scams involve fraudsters manipulating victims into sending money by appealing to their love fantasies, desperation, or gullibility. They can also involve sextortion, in which criminals lure victims into performing sexual acts on camera, then blackmail them and demand money in exchange for not leaking the embarrassing content. Criminals use online dating apps or social media to connect with potential sextortion victims. Additionally, online fraudsters may trick their love matches into fake investment schemes after developing trust.
Most online investment fraud schemes involve fake cryptocurrency trading or get-rich-quick schemes. The fraudsters promise their victims high returns within a very short period. The increase in cryptocurrency prices and the adoption by popular individuals such as Elon Musk increased public interest in cryptocurrencies and further propelled cryptocurrency-related scams. Scammers impersonating the SpaceX CEO stole about $2 million. Pump-and-dump investment fraud schemes inflate the cost of worthless merchandise and lure people into buying it.
The FTC reported that scammers had defrauded 7,000 people through cryptocurrency investment fraud schemes since October 2020, with reported losses of over $80 million.
People in their 20s and 30s lost more money to investment fraud schemes than to other forms of online scams. Half of the losses occurred through cryptocurrency scams.
Similarly, people over 60 years old were targeted through investment fraud schemes, romance, home repair, tech support, grandparent, and lottery scams. Being perceived as wealthy made them attractive targets for investment fraud and romance scams.
Other online scams include ransomware incidents (2,474), which the bureau says were on the rise.
Prevalence of COVID-19 scams
Additionally, cybercriminals targeted businesses and individuals in online scams related to the COVID-19 pandemic.
“Notably, 2020 saw the emergence of scams exploiting the COVID-19 pandemic. The IC3 received over 28,500 complaints related to COVID-19, with fraudsters targeting both businesses and individuals,” the FBI stated.
IC3 Chief Donna Gregory said that the increase in the total number of reported internet crimes indicated that more people were affected. However, she noted that the numbers also represented a positive development in crime reporting.
“On one hand, the number holds some positive news,” Gregory said. “People know how to find us and how to report an incident.”
Gregory added that reporting such crimes makes the FBI more effective in investigating them.
“Through the Recovery Asset Team, IC3 worked with its partners to successfully freeze approximately $380 million of the $462 million in reported losses in 2020, representing a success rate of nearly 82%.”
Hank Schless, Senior Manager, Security Solutions at Lookout, said that “attackers know that if they’re able to compromise an individual’s account or device through a personal channel, they could gain access to corporate data stored on the device or that the device is connected to through tools like VPN.”
He noted that mobile devices were the perfect reconnaissance targets. Additionally, malicious actors were looking for ways to compromise organizations.
“Malicious actors can harvest contact lists, credentials, private conversations, and social media content from mobile devices in order to plan subsequent attacks. These phishing attacks can even be launched from a co-worker or friend’s infected device, improving the chances of success.”
Schless added that “while many of the attacks that the FBI cited in this report are carried out on personal apps like SMS, dating, and social media, a successful phishing attempt can go much further than that.”
He encouraged organizations to adopt security measures ensuring that no unauthorized individuals can gain access to corporate infrastructure.
“Organizations need to ensure that no unauthorized users can gain access to their infrastructure. Implementing Zero Trust policies that assume no user or device can be trusted until proven otherwise will help mitigate this risk. Zero Trust Network Access (ZTNA) enables organizations to implement access policies that look at the context under which the device and the user, respectively, are attempting to access the corporate network. This could uncover anomalous activity such as a different login location than usual or malware lurking on a device before it connects.”