Cybercrime Losses Explode, Up 48%
IC3 Report Reveals Massive Upticks in BEC & Crypto Fraud
The United States Federal Bureau of Investigation (FBI) actively investigates cybercrime complaints around the U.S. that are brought to its attention by both businesses and individuals through its Internet Crime Complaint Center (IC3). Every year, an illuminating report on that activity is released, showing how cybercrime is trending in the U.S. While the report only counts cybercrime that was reported to law enforcement, it’s still a great way to get a snapshot of how cyberattacks and cybercrime play out in any given year – and it’s easy to see that 2021 was a good year for the bad guys.
Cybercrime Losses Hit a New Record High
The recently released IC3 2021 Internet Crime Report breaks down the cybercrime the Bureau recorded in 2021 to shed a little light on the growth or change in cybercrime in general in the U.S. And what a year it was, easily destroying 2020’s totals. IC3 received a record number of complaints in 2021. The total of 847,376 reported complaints wasn’t so much larger than the year prior, just a 7% increase from 2020. But the money total is a stunner. The total amount of loss reported hit a new record high in 2021 of $6.9 billion. That’s a whopping 48% increase over 2020.
Source: FBI IC3
BEC is Still a Chart-Topper
The complaints that IC3 fielded were varied. Everything that you’d expect to see is on the list with ransomware, business email compromise (BEC) and cryptocurrency fraud among the top incidents reported. The BEC/EAC category clocked in at a painful $2,395,953,296 in losses for 2021, 28% higher than 2020’s record total of $1,866,642,107, with 3% more total BEC complaints. In a breakdown, analysts said that while they did receive plenty of complaints that referenced traditional BEC scams, there has been some evolution in the field, making today’s highly sophisticated BEC scams harder for the targets to detect. It’s become commonplace for cybercriminals to perpetrate BEC by breaking into executive email accounts and spoofing business leaders’ communications or stealing their identities in order to initiate fraudulent wire transfers, even inside a company. In those cases, the fraudulent wire transfers were typically transferred to cryptocurrency wallets and dispersed, making recovery efforts more difficult.
The report also detailed another pandemic-era BEC variant that makes use of virtual meeting platforms and some smart social engineering to defraud victims in an unfortunately highly believable scenario. In this BEC scheme, cybercriminals start by compromising the email of an executive, like a CEO or CFO. The bad guys then use that email to invite the victim company’s employees to participate in virtual meetings. Once the lure is offered, the bad actors dive into some serious impersonation to get the job done. Of course, the fake executive can’t show up at the meeting, so they just don’t turn on the camera, instead using a picture of the CEO with no audio and claiming they’re having technical difficulties. That’s so common with virtual meetings that no one bats an eyelash anymore. Sometimes the cybercriminals actually take the time to do audio deep fakes. However they pull it off, this scheme results in the bad actor instructing the bamboozled employees to transfer money to them by wire or other means.
Source: FBI IC3
Crypto Phishing/Vishing Didn’t Help Finance Sector Woes
Investment scams took the number two spot, with victims experiencing losses that total $1,455,943,193. That’s an eye-popping 333% increase over the 2020 total loss of $336,469,000. The Finance sector also had the dubious distinction of experiencing the second largest number of ransomware attacks on a CISA-designated infrastructure sector with 89. In a year when Banking and Finance targets have been the biggest targets of cybercrime, it’s not surprising that other finance-related cybercrimes are also experiencing growth. The most beleaguered sector of 2021, Banking and Finance saw almost one-quarter (22%) of ransomware attacks in the last part of 2021 directed at targets in that sector. As bad as that seems, it’s still a huge improvement over the first half of the year when Banking and Finance targets saw a 1,318% increase in the number of ransomware attacks they endured.
No discussion of the way money moves these days is complete without a look at cryptocurrency, a fact that was highlighted with its own section in the 2021 IC3 Report. In 2021, IC3 received 34,202 complaints involving the use of some type of cryptocurrency. That was a small decrease in the total number of complaints when compared with the 2020 total, 35,229. However, the total loss amount for those complaints was staggering, increasing nearly seven-fold, from 2020’s reported amount of $246,212,432 to total reported losses in 2021 of more than $1.6 billion.
The most interesting fraud scenario involving cryptocurrency is a fake tech support phishing scam. The victims of these scams are cryptocurrency investors. Bad actors contact their targets to “alert” them of a supposed problem with their crypto wallet. The cybercriminals then persuade the wallet owner to either give the fraudster access to their crypto wallet to help solve the problem or transfer the contents of their wallet to another wallet to “safeguard” the contents while the issue is resolved. Sometimes a similar fraud is carried out when crypto owners search online for support and end up being fooled by fake support webpages that prompt them to enter their login information or otherwise cede control of their crypto accounts in the name of customer service. Almost 55% of cyberattacks that swindled people out of their cryptocurrency (or the passwords to their digital wallets) came from spoofing or impersonation schemes.
Ransomware, Government Impersonation & Tech Support Fraud Ballooned
Rounding out the top 5 categories of complaints IC3 received in 2021, romance scams, usually number two, dropped to number three even though the category had a 59% increase from 2020 to $956,039,739 in total losses. Personal data breach was in the fourth position although the category showed some serious growth, with a 2021 loss total of $517,021,289, a 165% jump from 2020’s total losses of $194,473,055. In fifth, real estate and rental scams came in at $350,328,166, a 64% change from $213,196,082 in 2020. Other notable changes include a major jump in the losses associated with tech support scams, which cost victims $347,657,432, a 137% rise over total losses of $146,477,709 in 2020, and government impersonation scams, which grew by a nice round 30%, with losses totaling $142,643,253 in 2021.
But ransomware wasn’t forgotten, even if it didn’t crack the top 10 for total losses or total complaints. In fact, it barely made the top 20. In 2021, IC3 received 3,729 complaints identified as ransomware with adjusted losses of more than $49.2 million. Ransomware still posted some unfortunately impressive numbers. The bad guys upped their take in ransomware operations by 69%, raking in $49,207,908 in 2021. Summing it all up, the report also offers a look at how five of its highest-ranking cybercrimes have trended for the past five years in a handy chart that makes it easy to follow the flow. The chart includes yearly and aggregate data for total complaints and total losses over the years 2017 to 2021. IC3 notes that it received a total of 2,760,044 complaints, with a total reported loss of $18.7 billion.
Source: FBI IC3
We Can Help You Keep Cybercriminals Out of Your Organization
Protection from dark web danger with Dark Web ID gives your security team the confidence that they’ve got credential compromise threats handled.
- Dark web search finds every compromised company credential fast, enabling you to fix them before the bad guys can exploit them
- Monitoring with 24/7/365 human and machine intelligence ensures that your team knows exactly what your company’s dark web exposure risk is in real-time
- Leverage out-of-the-box integrations with popular PSA platforms, for a fast, frictionless alerting and mitigation process, so you never miss a security event.
Rely on BullPhish ID to deliver comprehensive security awareness training that works and reduces your company’s chance of having to use your incident response plan by up to 70%.
- Don’t just train employees about phishing – get them up to speed on threats like ransomware, smart security behaviors and compliance too.
- Make training and tracking a snap with personalized portals for every user, enabling trainers to painlessly track and assign training.
- Use premade plug-and-play kits or customize your training materials to reflect the unique industry threats that employees face daily.
Book a demo of our innovative, affordable solutions today!