This month, the FBI released the 2020 Internet Crime Report, based on the activity of the Internet Crime Complaint Center (IC3). The IC3 serves worldwide citizens to obtain accurate and up-to-date information about cybercrime and as a reporting mechanism if they suspect they are victims in cyberspace. In cases where they are truly victims, they receive assistance from the FBI. This agency is also responsible for investigating, understanding and holding criminal actors accountable in order to prevent additional attacks. In this post, I want to share with you some highlights from the mentioned report.
A new record
It is now commonplace for cybersecurity reports concerning the past year to begin by referring to the opportunities the COVID-19 pandemic has brought to cybercriminals. For instance, a lot more people working remotely, many more companies turning to digital transformation, lots of overburdened healthcare workers, and, in general, almost everyone in substantial uncertainty about what the virus could represent. As mentioned by Paul Abbate, Deputy Director of the FBI, "These criminals used phishing, spoofing, extortion, and various types of Internet-enabled fraud to target the most vulnerable in our society."
Last year the IC3 received 791,790 complaints —a new record with a 69% increase over 2019— representing losses of more than $4.2 billion. Almost half of these losses (about $1.8 billion) were related to Business E-mail Compromise (BEC) schemes where the number of complaints was much lower (19,369) than for Phishing scams (241,342), for example. This last type of crime was the leader in the number of complaints, but even so, related losses were just close to $54 million. Additionally, according to the report, the number of ransomware incidents again showed growth, reaching a total of 2,474 with losses of over $29.1 million. (If you want to know about phishing and ransomware, visit these posts: Trust Nothing, Verify Everything and Your Files Have Been Encrypted!)
It is relevant to highlight at this point a vulnerable population about which I had honestly heard little in this area and which has significantly been affected in recent times. I'm talking about people over the age of 60. Astonishingly, 105,301 of the total complaints in 2020 were issued by people in that age group. But get the picture, that's only counting those who chose to report their age, so there could have been many more. Their losses were close to one billion dollars. That's why the FBI and the IC3 have invested a lot of time and effort in educating this population to protect themselves and not become victims.
COVID-19 as a tool
The previous year, the IC3 received more than 28,500 complaints in direct relation to the COVID-19. "Fraudsters targeted the Coronavirus Aid, Relief, and Economic Security Act (CARES Act), which included provisions to help small businesses during the pandemic" and unemployment insurance benefits. Loan and grant fraud and phishing for Personally Identifiable Information (PII) made up the majority of the incidents people complained about in connection with the CARES Act. For example, in some U.S. states, there were complaints from citizens that when they wanted to claim their benefits, it turned out that criminals had already stolen their identities and demanded monetary assistance online.
According to the FBI, impersonating government personnel via emails, social media and phone calls has been one of the most frequently observed criminal strategies throughout the pandemic. Thus, when talking about COVID-19 vaccinations caught on, the malefactors knew how to exploit that situation. They started creating scams with fraudulent advertisements, asking people to pay out of pocket or provide personal information to join the waiting list or gain early access to the vaccine.
Business Email Compromise
Based on the data I referenced above, Business Email Compromise (linked to the Email Account Compromise; EAC) is the costliest scheme of attack present in this FBI's report. Again, 19,369 complaints with losses above $1.8 billion. BEC/EAC corresponds to an advanced scam aimed at businesses and individuals making fund transfers. The fraudsters usually employ social engineering or any computer intrusion technique to compromise email accounts and use them to request unauthorized transfers of money to fraudulent locations. In the early days, chief executive/financial officers' email accounts were generally the hacking targets. "Over the years, the scam evolved to include compromise of personal emails, compromise of vendor emails, spoofed lawyer email accounts, requests for W-2 information, the targeting of the real estate sector, and fraudulent requests for large amounts of gift cards."
On the positive side, the IC3's Recovery Asset Team (RAT) operations in response to the BEC/EAC schemes are noteworthy. This team was founded three years ago to facilitate communication with financial institutions and support the freezing of funds for victims of fraudulent transfers. In 2020, the RAT had an extraordinary 82% success rate, freezing more than $380 million of the nearly $463 million in reported losses corresponding to 1,303 incidents.
Tech Support Fraud
Another form of scam emphasized in the report is Tech Support Fraud, which apparently continues to grow. In this scheme, criminals pose as technical support representatives offering solutions to problems such as compromised email and bank accounts, software license renewals, and infected systems. It also seems that they impersonate representatives of financial and utility companies. All this to order the innocent victims to make transfers to fraudulent foreign accounts or acquire lots of prepaid cards. Statistics for this case reveal 15,421 complaints with losses above $146 million, of which approximately 84% corresponded to victims over 60 years of age.
Among additional data I would like to highlight from this FBI's report are the following:
In the last five years, IC3 received an average of approximately 440,000 complaints per year.
The first five types of crime with the highest number of victims were: (1) Phishing/Vishing/Smishing/Pharming (241,342). (2) Non-Payment/Non-Delivery (108,869). (3) Extortion (76,741). (4) Personal Data Breach (45,330). (5) Identity Theft (43,330).
California is the state with the highest number of reported victims in 2020, a total of 69,541. The next four states on the list are Florida (53,793), Texas (38,640), New York (34,505) and Illinois (20,185).
IC3 offers a top 20 countries, excluding the U.S., by the number of victims. The United Kingdom ranks first with 216,633 victims, significantly above Canada, which ranks second with 5,399 victims. Mexico is ranked ninth (1,164), Brazil eleventh (951) and Colombia nineteenth (418).
For more details on the findings, examples of some incidents and even recommendations on certain types of scams, here's the link to the referenced report.
Apropos of annual reports, just a week ago, Fluid Attacks released the 2021 State of Attacks report. It will help you get ideas about practices you can implement within your company to prevent cyberattacks based on security vulnerabilities.
Recommended blog posts
You might be interested in the following related posts.
An OffSec Exploitation Expert review
An interview with members of our hacking team
A brief overview of this recent EU draft regulation
What is invisible to some hackers is visible to others
Increase the board's cyber savvy with these reads
Soon it will be a must in cybersecurity due to NIS2
Toyota's ancient and recently disclosed data leaks
Watch out for keylogging/keyloggers