The Federal Bureau of Investigation (FBI) has released the Internet Crime Complaint Center (IC3) “2019 Internet Crime Report.” For everyone but those engaged in cybercrime, it makes for very difficult reading. Across that one year, the number of cybercrime complaints from both individuals and business organizations reached a staggering 467,361. The total cost of those reported crimes was even more mind-boggling: in excess of $3.5 billion (£2.7 billion).
Cybercrime reporting, and losses, increased in 2019
The IC3 is an FBI resource that provides a reporting mechanism for suspected cybercrime activity. Since it was first established in May 2000, the IC3 had received a total of 4,883,231 such complaints when the 2019 report was written. In the last five years, there have been 1.7 million complaints, and the total annual losses had increased from $1.1 billion (£847.5 million) in 2015 to more than $3.5 billion (£2.7 billion) last year. In all, in just five years, cybercrime has cost individuals and businesses in the U.S. more than $10 billion (£7.7 billion). 2019 saw both the most cybercrimes reported to date, an average of nearly 1,300 incidents every single day, and the biggest losses accrued by the victims.
It’s not all bad news, though: the Recovery Asset Team, part of the FBI’s IC3 Recovery and Investigative Development (RaID) team, managed to recover more than $300 million (£231 million) that had been lost through online scams in its first full year of operation. To put that into some perspective, however, you need to look at the bigger picture. And the threat landscape painted with the broadest brush has got to be email account compromises, specifically, business email compromise (BEC), which the report reveals has accounted for half the $3.5 billion cybercrime total.
Business email compromise (BEC) cost organizations $1.7 billion in 2019
Those business email scammers have reeled in more than $1.7 billion (£1.3 billion) in adjusted losses from a total of 23,775 complaints in 2019. That is partly, the report states, because BEC scammers are becoming more sophisticated, and so the threat itself has evolved. “Many organizations remain vulnerable to email attacks because criminals have updated their methods to stay ahead of traditional email security,” Ed Macnair, CEO of Censornet, said. While businesses are often protected against “volume spam” campaigns, the BEC threat actors have started targeting high-value individuals within a business, such as the CEO or staff within the finance department, using what are known as “spear-phishing” tactics.
“By using an email address similar to a trusted company address, criminals can trick an employee into giving away valuable information at almost no cost,” Macnair said. “These attacks are harder for traditional pattern-matching techniques to catch, so organizations have to update their email security technology in kind.” This type of targeted attack is confirmed by the IC3 report, which reveals an increase in payroll funds diversion complaints, where human resources or the payroll department are tricked by cybercriminals into updating employee direct deposit information.
Ransomware attacks on the up with highest losses since 2016
Then there is ransomware. The FBI has been warning about the “high impact” threat that ransomware poses to businesses and organizations for some time now. The December 2019 ransomware attack against the City of New Orleans, which led to Mayor LaToya Cantrell declaring a state of emergency, illustrates how those warnings are not being properly heeded. That is reinforced by the fact that the IC3 2018 report saw a reduction in the number of ransomware complaints, but in 2019 these increased to their highest point (2,047 complaints) since 2016. In that year, 2016, the losses from ransomware totaled $2.4 million (£1.85 million), whereas, in 2019, the figure rose to $8.9 million (£6.8 million). Although this places ransomware way down towards the bottom of the “losses by crime type” table within the report, behind the likes of harassment, tech support fraud, identity theft, romance fraud, and, of course, BEC, it doesn’t paint the full picture. Those are the adjusted losses from ransomware, which, the report confirms, do not take into account estimates of lost business, time, wages, files, equipment, third-party remediation and the like. Nor do they address the potential knock-on effects that could come into play if the target of a successful ransomware attack were a major financial institution, for example. The president of the European Central Bank (ECB), Christine Lagarde, has gone on record to warn that a cyber-attack on a major financial institution could trigger a liquidity crisis.