On March 17th, the Federal Bureau of Investigation (FBI) published its 2020 Internet Crimes Complaint Center (IC3) report. This report can be found here and provides a glimpse into the types of cybercrime reported to the FBI and the prominent trends observed by this law enforcement agency. Having an annual threshold to compare the size and impact of cybercrime across the years is a handy tool to monitor how the threat landscape evolves. And the stats for 2020 are merciless.

In 2020, IC3 received 791,790 complaints from the American public, resulting in a total of reported losses exceeding $4.1 billion. That’s 69% more than the previous year. Interestingly enough, Business E-mail Compromise (BEC) schemes accounted for almost half of the annual reported losses ($1.8 billion), followed by phishing scams and ransomware incidents. The COVID-19 pandemic also impacted the threat landscape, with unemployment and tax frauds reigning undisputed. Let’s now dive into the report and see how these threats are shaping the cybersphere. 

Quick stats from this year’s report highlighting cybercrime’s development

Cybercrime in 2020 Shaped by COVID-19

To the surprise of absolutely no one, the COVID-19 pandemic was the main protagonist of last year. Throughout 2020, the IC3 received over 28,500 complaints related to COVID-19; primarily complaints associated with fraudsters targeting the Coronavirus Aid, Relief, and Economic Security Act (CARES Act), a plan envisioned to support small businesses during the pandemic. Here at Digital Shadows (now ReliaQuest), we discussed some of the main tactics used in unemployment and tax relief fraudulent schemes in our recent posting Targets And Predictions For The COVID-19 Threat Landscape

According to the IC3 report, one of the most prevalent schemes seen during the pandemic has been government impersonators reaching out to individuals through social media, emails, or phone calls. With many individuals spending more time online and becoming easily excited about COVID-19 updates and resources, click-through rates on malicious links undoubtedly soared. This factor enabled threat actors to extract valuable personal identifiable information (PII) and financial information from these phishing campaigns. Unsurprisingly, scammers also leveraged the vaccine rollout processes to lure victims into opening malicious links. However, we’ve stopped being surprised when it comes to fraudsters exploiting important events for nefarious purposes.

Coronavirus Tax Relief and Economic Impact Payments fraud on Exploit Forum

Business Email Compromise Increased Significantly

In the words of Digital Shadows (now ReliaQuest)’ CISO Rick Holland, “BEC just doesn’t get the attention it deserves.” In 2020, the IC3 handled almost 20,000 Business Email Compromise (BEC) complaints with a whopping estimate of over $1.8 billion in losses. The IC3 report claims that BEC schemes have significantly evolved over the past years, and they are now more sophisticated and targeted than ever before. According to Interpol, criminals use BEC scams to leverage social engineering tactics to gain sensitive information about corporate payment systems and then deceive company employees into transferring money into their bank accounts. An example of this trend is using stolen IDs to set up fraudulent bank accounts. Threat actors then use the bank accounts and transfer stolen money to their cryptocurrency wallets. 

Tech Support Calls Fraud and Defrauding the Eldery

One particularly vicious technique highlighted by the IC3 reports concerns Tech Support Frauds. According to the FBI, “this scheme involves a criminal claiming to provide customer, security, or technical support or service to defraud unwitting individuals.” Criminals impersonate representatives from various well-respected institutions and convince their victims to make wire transfers to overseas accounts. This kind of fraud is a growing problem worldwide, with victims in 60 countries reporting these schemes to the FBI and estimates highlighting a 171% increase in losses from 2019.

One of the most pernicious aspects of this fraud is that most victims— two-thirds of them, to be precise—are reported to be over 60 years of age and experienced approximately 84% of the losses (over $166 million). That number is too significant to be left unaddressed. Digital security should be a priority for our society as we move towards an ever interconnected way of life. Empowering the elderly to prevent themselves from falling victim to frauds and cybercrime will be central in the coming years. Consequently, the Department of Justice and the FBI partnered to create the “Elder Justice Initiative” to grant everybody this right.

Breakdown of the 2020 victims reported to IC3 by age group

Don’t Worry, Ransomware Has Its Own Section Too

It should come as no surprise that one of the main threats observed by the IC3 in 2020 was ransomware. Our reporting about the evolution of ransomware in 2020 highlighted the severe danger caused by these operations, and the FBI just confirmed that.

 In 2020, the IC3 received 2,474 complaints identified as ransomware with adjusted losses of over $29.1 million. 

When I saw this number, I was surprised as it looked significantly lower than the figure than I had expected. However, the IC3 report also claims, “this number does not include estimates of lost business, time, wages, files, equipment, or any third-party remediation services acquired by a victim.” Besides, the number does not take into account victims who reported directly to FBI field offices and agents and, unsurprisingly, cannot consider the cases where victims decide to avoid reporting an attack to law enforcement.

January’s Department of Justice Netwalker indictment adds some additional perspective to the $29.1 million loss figure. A single Canadian Netwalker affiliate made over $27.6 million starting as early as April of 2020. To put that number into context—in less than a year, a person made nearly as much as all the losses due to cybercrime in the IC3 report combined.

Cybercriminals can use various techniques to infect victims with ransomware, such as email phishing campaigns and software vulnerabilities exploitation. The IC3 report also reserved a section to Remote Desktop Protocol (RDP) vulnerabilities as the means through which ransomware groups tend to gain an initial foothold in a victim’s environment. As we highlighted in our report, Initial Access Brokers: An Excess of Access, RDP access enables an attacker to control a victim’s computer remotely and is thus widely sold on cybercriminal marketplaces and the dark web. According to FBI Special Agent Joel DiCapua, “RDP is still 70 to 90 percent of the initial foothold that ransomware actors use”. Since this access-type is particularly prominent among cybercriminals, we even mapped MITRE ATT&CK to RDP exploits to have a better picture of how they leverage it in malicious operations.

Graph extracted by our Initial Access Brokers research about popular access types

Another interesting point raised by the report is when the FBI claims companies should never pay a ransom to the criminal actors demanding it. According to the report, “paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.” On top of that, there’s no guarantee that paying the requested sum to the attacker will guarantee the desired result of having the files back. 

The discussion about this aspect could go on forever and it would involve topics such as private-public partnerships and cyber insurance firms for sure. However, for the sake of this blog, it’s important to highlight that the report contains the process to follow to contact the FBI in the case of a successful ransomware attack. So go check that out if you’re interested in it (even keep it handy does not harm anyone).

Looking Forward to Cybercrime in 2021

The FBI IC3 report provides every year an exciting ensemble of cybercrime data and metrics that are useful to track the evolution of this phenomenon over time. This year’s report was fascinating because it highlighted the impact of the COVID-19 pandemic on the threat landscape. It reminded us once again of the importance of protecting the most vulnerable layers of our society in the security community’s commitment to make the internet a safer place. 
Given the significant shift in the cyber threat landscape, due primarily to COVID-19, Digital Shadows (now ReliaQuest) will continue monitoring the development in threat actor activity and related techniques attempting to exploit “the new normal.” In the meantime, we continuously update a page of COVID-19 Threat Intelligence resources to help you navigate cyber threats in these challenging times. Additionally, you can sign up for our Threat Intelligence newsletter, which proactively learn of emerging intelligence events and adaptations in cybercriminals’ tradecraft.