On February 11th, we were treated to an early surprise: The US Federal Bureau of Investigation (FBI) released its Internet Crimes Complaint Center (IC3) report for 2019. The IC3 report is published yearly and goes over cybercrime threats and trends as reported to the FBI. I sat down with Rick and Harrison to record a quick ShadowTalk episode on this year’s report. Check out the full episode here:
In 2019, the FBI responded to over 460,000 complaints and observed estimated losses of over $3.5 billion across all instances of reported cybercrime. In comparison, there were over 350,000 complaints and $2.7 billion in losses, as reported in the previous year’s 2018 IC3 report. That’s a 33% increase in the number of reports and a 30% increase in total reported losses from 2018 to 2019. Our coverage from previous years can be found here.
IC3 statistics showing an increase in reports and reported losses since 2011
There is a significant increase from 2018 to 2019, but how exactly have things changed? This blog covers the main highlights from the 2019 IC3 report, but like last year, I encourage you to download and read the full report. Again clocking in at only 28 pages, it’s light reading compared to some other federal reports and provides excellent insight into cybercriminal activity with real-world examples as witnessed by the FBI.
Business email compromise reigns supreme (again)
To the surprise of absolutely no one, business email compromise (BEC) attacks comprise the highest amount of reported financial loss for the fifth year running – ever since the FBI included it in the breakdown of crime types/losses reported in 2015.
In 2019, reported BEC attacks accounted for a whopping $1.8 billion in financial losses. To put that into perspective, that’s more than the combined total of losses from all reported cybercrime in 2017’s report. In 2019, the second most lucrative attack technique was reported as confidence fraud/romance spoofing, which, in comparison, sits at a paltry $475 million. The number of individual reported BEC attacks was lower than for some other attack techniques, not even making the top five. However, this is to be expected: BEC attacks are inherently more targeted and not nearly as widespread as other, more common attack types like phishing (see our latest piece on The Ecosystem of Phishing). It also speaks to the sheer profitability of BEC: Just one attack can result in the theft of millions of dollars. Significant trends from 2019 highlighted by the FBI include an increase in BEC attacks explicitly targeting the diversion of payroll funds. Because successful BEC attacks can result in hefty financial losses, organizations should ensure that staff members are trained to identify and report the social engineering attempts that commonly lead to BEC.
Phishing is king
Phishing attacks, which also include vishing (phishing over the phone), smishing (phishing via SMS), and pharming (redirecting traffic to a malicious website), were by far the widest-reaching. The FBI reported over 110,000 victims in 2019. By nature, the majority of phishing attacks are designed to be indiscriminate and extensive. This also explains why financial losses caused by phishing attacks rank low compared to other attack techniques, coming in at 14th place. $58 million in damages is by no means small, and it’s still a 20% increase from last year.
It’s important to note that in many cases, phishing serves as the first stage of an attack. For example, phishing can be used to facilitate BEC, which in turn leads to financial loss. The popularity of all-in-one kits that include templates and even the technical infrastructure needed to distribute emails en masse means that the barrier to entry can be much lower than for other attack techniques.
Phishing statistics from our latest post on The Ecosystem of Phishing
Phishing can affect companies of all sizes and in all sectors; in addition to security awareness training, organizations should ensure that email filters are configured to prevent phishing emails from reaching employees’ inboxes.
For more information on the technical elements of email phishing, check out the Digital Shadows (now ReliaQuest) Security Practitioner’s Guide to Email Spoofing and Risk Reduction. We also recently published a guide that provides an in-depth overview of the phishing ecosystem: The Ecosystem of Phishing.
Reported financial losses skyrocket for victims under 20
For all complaints that include a victim age, the IC3 report breaks down the distribution of overall reported financial loss across age ranges. Typically, individuals over the age of 60 account for the highest victim count. In 2019, over 68,000 complaints concerned victims over the age of 60, and this year’s report contained an entire section dedicated to fraud schemes against elders. This (sadly) makes sense: Cybercriminals typically view individuals in this age range as more likely to fall victim to fraud and social engineering schemes.
But what caught my eye in this year’s report was a seemingly disproportionate impact on victims under the age of 20, especially when compared with previous years. In 2019, the IC3 received just over 10,700 reports from victims in this age bracket, which is in line with the victim counts for this group in previous years. However, the total loss for victims under the age of 20 was reported as over $420 million. That works out to $39,000 per victim, over three times the loss per victim of the second most impacted age bracket. $420 million is a 3,255% (yes, you read that correctly) increase from 2018, when victims under the age of 20 had a total loss of only about $12.5 million. It’s possible these numbers were skewed by a small number of extremely high-value thefts, by reporting inconsistencies, or by behind-the-scenes recategorization of the IC3’s data models. Regardless, it’s currently unclear why these values are so disproportionately high, especially when compared to previous years.
Victims by age group comparison between 2018 and 2019
2019 was a big year for ransomware, particularly in the US. We saw the fall of GandCrab, a wildly popular (and purportedly profitable) ransomware-as-a-service, the subsequent rise of the more sophisticated Sodinokibi, and persistent attacks against small- to medium-size public sector organizations with variants like Ryuk. There is also an emerging trend of the “pay or get breached” model of ransomware attacks, popularized by threat groups such as Maze. In these attacks, ransomware operators steal the victim’s data before encryption, and publicize the names and/or the data of targeted companies that refuse to meet ransom demands. Organizations should have incident response plans in place that account for this new model of ransomware attack.
Contrary to what you may be led to believe based on the swathe of media reports on ransomware attacks over the past year, ransomware sits relatively low in the IC3 chart, both in victims and financial losses. In 2019, the FBI reported approximately 2,000 victims and almost $9 million in total reported losses. But these numbers should not be taken at face value: The FBI notes that they are likely artificially low. The reported financial loss does not account for additional costs that result from a ransomware attack, such as business loss during system downtime or payments to third-party remediation providers. Additionally, the reported financial losses only consist of what was directly reported to the IC3 and do not include any reports made to local field offices or agents.
Of note, the FBI has added guidance for organizations affected by ransomware, explicitly advising them not to pay ransom demands. However, the FBI also acknowledges that in crisis scenarios, affected organizations will evaluate all options to protect their shareholders, employees, and customers.
(More) institutional additions to the FBI IC3
Last year, the FBI established its dedicated Recovery Asset Team (RAT) to open more direct communication channels with financial institutions and assist in the recovery of funds for victims of BEC schemes. In its first year, RAT reportedly assisted in the recovery of over $300 million from online scams, claiming an impressive 79% success rate. This year, the IC3 created the Recovery and Investigative Development (RaID) Team to partner with financial and law enforcement investigators to dismantle money mule organizations. RaID oversees both RAT and the Money Mule Team (MMT), which was created specifically to perform analysis and research on previously unknown targets and develop new investigations.
If there’s one thing to take away from all this, it’s that cybercrime will continue as long as money can be made: It would be surprising if next year’s report shows a decrease in reported losses.
If you want to hear more from us, check out our ShadowTalk episode on your favorite podcast player, or listen here. Otherwise, feel free to download and read the full IC3 report here.