The U.S. Federal Bureau of Investigation has issued its annual Internet Crime Report, showing cybercriminals netted at least $1.3 billion last year. The figures for the report were compiled by the FBI’s Internet Crime Complaint Center, or IC3 as it is also known. Those losses came from 298,728 complaints that had been filed with IC3 in 2016.
The Internet Crime Report provides some insight into the main methods used by cybercriminals to fraudulently obtain money. Last year, the three crime types that resulted in the biggest losses were Business Email Compromise (BEC) attacks, romance/confidence fraud and non-payment/non-delivery scams.
BEC scams resulted in losses of $360.5 million last year and the scams are becoming increasingly common. Confidence and romance fraud was second, resulting in losses of $219.8 million with corporate data breaches in third place causing losses of $95.9 million. Phishing, via the web, email, SMS messages and telephone resulted in losses of $31.7 million. Losses from extortion were $15.8 million with ransomware tracked separately and causing losses of $2.4 million. Tech support fraud netted cybercriminals $7.8 million with malware and scareware losses tracked as $3.9 million.
In its 2016 Internet Crime Report, the FBI singled out four key criminal activities that became major issues during the year: BEC, ransomware, tech support fraud and extortion.
BEC scams involve the impersonation of foreign suppliers and other vendors that are usually paid by wire transfer. A similar type of scam, referred to as email account compromise (EAC), targets individuals in a company responsible for making wire transfers.
Both scams involve the impersonation of company executives, with fraudulent wire transfer requests sent to accounts department employees. Since it is the CEO that is often impersonated, the scams are commonly referred to as CEO fraud. Transfers are commonly for tens or hundreds of thousands of dollars. In some cases, companies have been conned out of millions. BEC scams topped the list of losses.
BEC scams have also been rife in 2017. The start of the year saw an increase in BEC scams aimed at obtaining the tax information of employees, typically W-2 forms. In 2016, there were 12,005 reported BEC scams, although this is likely just a small percentage of the real total.
Ransomware has become a major threat for businesses, with criminals targeting employees using phishing emails. The FBI says Remote Desktop Protocol was also a major attack vector in 2016. The FBI suggests that security awareness training for employees is now a critical preventative measure that should be provided by all organizations. In 2016, there were 2,673 reported ransomware incidents. As with BEC scams, many businesses choose not to report ransomware attacks.
Another major threat comes from tech support scams, where criminals impersonate security companies. The attackers claim an urgent security issue must be resolved, for which payment is required. These scams can involve screen-locking malware, cold calls or pop-up messages. Typosquatting is also commonly used: criminals register URLs similar to those of major online brands to take advantage of careless typists.
Extortion continues to be a major problem and it takes many forms. There have been numerous cases of criminals impersonating government agencies, with threats of Denial of Service attacks similarly common. Hackers have been stealing data and demanding ransoms for its return, while sextortion, hitman schemes and loan schemes are also rife.
While the Internet Crime Report provides an indication of how rampant cybercrime has become, its figures hugely underestimate the true extent of the problem. Only a small percentage of victims of cybercrime report the incident to law enforcement. The Department of Justice estimates only 15% of Internet crime is reported, while the FBI suggests only one in seven cases of Internet crime is actually reported. It is not only individuals that fail to report crimes. Many businesses that experience cyberattacks or other Internet crime-related losses fail to report the incidents. The true figures from cybercrime are likely to be several orders of magnitude worse than the Internet Crime Report suggests.