A new report released by the FBI has revealed that Americans had over $4 billion stolen due to cybercrime in 2020. Also found in the 2020 Internet Crime Report was the fact that the Internet Crime Complaint Center (IC3) saw an increase of 69% compared to what was reported 2019.
Further research has shown that the top three crimes reported by victims in 2020 were phishing scams, non-payment/non-delivery scams, and extortion.
It was highlighted that the majority of victims had lost the most money to business email compromise (BEC) scams, romance and confidence schemes, and investment fraud. Unsurprisingly, 2020 saw the emergence of scams exploiting the COVID-19 pandemic with hacker’s keen to leverage the public chaos, disruption and fear. In total, the IC3 received over 28,500 complaints related to COVID-19, with fraudsters targeting both businesses and individuals.
There is also a noticeable yet concerning trend that hackers are impersonating government officials and interacting with the public through social media and other traditional methods of communication to obtain sensitive information and money.
The purpose of the IC3 is to give the public a reliable and convenient mechanism to report suspected internet crimes to the FBI. The FBI then analyses and shares information from submitted complaints for investigative and intelligence purposes, for law enforcement, and for public awareness.
Providing insight and commentary on the report’s findings are the following cybersecurity experts:
James McQuiggan, Security Awareness Advocate at KnowBe4:
The IC3’s 2020 internet crime report provides excellent insight into the various attacks occurring throughout all types of organizations. Not surprisingly, business email compromise (BEC) leads to victim loss at just over 1.87 billion dollars, lost to under twenty thousand victims.
In comparison, all things phishing, including SMSishing and spear phishing, have a victim count of almost a quarter of a million people. The total impact is over $54 million lost, which dropped slightly from the previous year, from $57 million. However, the victim count doubled from 2019 in phishing, so more people were attacked, but the amount lost was very close.
This report’s statistics can provide the IT and cybersecurity teams with ammunition to discuss with their organization’s upper management the need to evaluate the risks and the costs to mitigate those risks compared to the losses as a result of a BEC scam or phishing attack.
Martin Jartelius, CSO at Outpost24:
“Most phishing scams are based on reaching a need, a desire, a fear, and manipulating this. The sophistication of phishing in general has grown significantly. No longer can the ‘Nigerian princes’ be recognized by their poor-quality emails or content, we have seen phishing in perfect English, Swedish and Dutch whichever language their target speaks.
On a technical level BEC scams have evolved as well, the used infrastructure is no longer a simple burner Gmail or Hotmail address, but rather a complex net of compromised hosts, email accounts and dedicated infrastructure per target. They will buy domains that are similar to their target, with minor spelling mistakes and pinpoint their targets within the organization.
We are witnessing an evolution, where targeted attacks are becoming a commodity trade for phishers. Many organizations are missing the fact that what for them is perceived as a “highly targeted phishing attack” is for these scammers just a newly registered domain, scraped LinkedIn profile and a made-up story. Unsurprising then that the figures revealed in this report are so high and COVID-19 certainly hasn’t helped matters.
Always prepare for a cyber-attack to hit your organization before it actually hurts your financial situation or your reputation. These criminal scammers have nothing to lose, and everything to gain.
Justin Albrecht, security intelligence engineer at Lookout:
As the FBI’s report notes, 2020 showed a massive increase in phishing, smishing (SMS phishing), and vishing (voice phishing). All three of these phishing categories are more successful when the threat actor targets individuals through smartphones and tablets. Lookout data shows that almost one-third of mobile users globally were exposed to a phishing attack in 2020. Of those encounters, Lookout also observed that 85% of mobile phishing attacks intended to deliver mobile malware such as spyware, banking trojans, surveillanceware, or stalkerware to the target’s smartphone or tablet.
The report notes that business email compromise scams, romance and confidence schemes, and investment fraud were all leading financial loss attacks. Each of these attacks can be effectively carried out through mobile devices in email, SMS, and dating apps.
One of the most effective ways that attackers commence a BEC attack is through mobile phishing. Smartphones and tablets don’t have the same security tools and protections as traditional endpoints like desktops and laptops. Being phished through social media or SMS on the same device you use for work could compromise your work data just as much as your personal data.
Many phishing-related mobile malware spread through SMS or other messaging platforms, spamming the contact lists of infected devices. This results in widely spread campaigns that are more likely to succeed as the source of the phishing link is an acquaintance or friend.
Andy Renshaw, VP of payments solutions and strategy at Feedzai:
“The FBI’s findings are consistent with the mass-migration to online banking that happened as a result of branches closing during national lockdowns. In fact, Feedzai’s own data corroborates this, finding that nearly 1 in 10 people have experienced online banking or payment card fraud. Indeed the study showed online banking experienced a 250% increase in attempted fraud in 2020.
“Consumers are recommended to research retailers before making a purchase to avoid the non-payment/non-delivery type scams, and to pay with a credit card rather than a debit one. Enabling two-factor authentication wherever possible adds a layer of protection, and making sure to choose complex, unique password for each account can go a long way to prevent fraud.”