This week, the Federal Bureau of Investigation released its 2018 Internet Crime Complaints Center (IC3). In 2018, the IC3 responded to over 350,000 complaints and observed an estimated $2.7 billion in financial losses as a result of reported cybercrime. This annual report provides readers a glimpse into the types of cybercrimes being reported to the FBI and the trending threats the Bureau has responded to in the last year.
The report itself is a short 28-pages and a really interesting read for those wanting to learn more about the ongoing threats, the sheer scale of cybercriminal activity, and real-world examples from FBI cases. This blog covers the main highlights from the report, though I encourage everyone to go download it for themselves.
Business email compromise still reigns
BEC or Email Account Compromise (EAC) fraud accounted for $1.2 billion of adjusted loss over 2018, which is just under half of the overall reported losses for the entire year. The closest attack technique in terms of adjusted loss numbers was Confidence/Romance scams which had a reported loss amount of $362 million. While significant, the nearly $1 billion-dollar difference between those two highlights just how prevalent BEC/EAC scams remain. Digital Shadows (now ReliaQuest)’ Photon Research Team outlined the market for stolen corporate email accounts as well as highlighting the already 33,000 accounting email credentials exposed publicly in Pst! Cybercriminals on the Outlook for Your Emails. Interestingly, the IC3 report noted a sharp increase in BEC threat actors requesting their victims to purchase gift cards as the payment option.
Extortion attacks increased significantly
Extortion-style attacks increased in 2018 according to the FBI, rising 242% from the previous year, resulting in a reported $83 million in losses. The majority of the complaints handled by the IC3 were related to the mass sextortion campaigns being distributed in the latter half of the year. Sextortion was a topic that Digital Shadows (now ReliaQuest) heavily covered in several blogs and in a Photon Research report A Tale of Epic Extortions. Interestingly, ransomware’s reported losses accounted for about $3.6 million, a 54% increase from the previous year. However, the report this year included the caveat that this does not include the losses that business may have experienced as a result of a ransomware infection (like lost revenue or remediation costs).
Payroll diversion scams; low volume but high risk
Whereas BEC fraud averaged almost $59,000 per incident according to the IC3’s statistics, payroll diversion averaged $1 million. From the 100 complaints of victims reportedly affected by a payroll diversion scam, the combined losses totaled $100 million. For those that don’t know, the payroll diversion scam occurs when a threat actor gains access to an employee’s payroll account, disables any notifications that may alert the employee to account changes, and replaces the employee’s direct deposit information with their own.
Institutional additions to the FBI IC3
The IC3 established a dedicated team Recovery Asset Team (RAT) in February 2018 to open more direct communication channels with financial institutions to help combat BEC/EAC fraud. Since the team’s inception, RAT has recovered over $192 million from the $257 million in reported losses. A recovery rate of 75% shows how critical law enforcement cooperation can be when attempting to recuperate stolen funds. For further information of FBI recovery techniques and assistance, check out a webinar I recorded with the FBI in late 2018. Additionally, a new role at IC3 called Victim Specialists-Internet Crimes (VSIC) was created to provide crisis intervention and critical resources to victims of cybercrime activity.
IC3 complaints and reported losses are increasing
Between 2014 and 2018, the IC3 has steadily increased in the amount of complaints they handle, though 2018 took it to a new level. Nearly 50,000 more complaints were handled in 2018 than in 2017; for reference, there was only a 3,000-complaint difference between 2016 and 2017. In seemingly a direct correlation, total reported losses increased $1.28 billion; again, for reference, the total reported losses actually decreased between 2016 and 2017 by about $32 million. If there was any thought that cybercrime activity was slowing down, that notion has been surely put to bed.
Figure 1: IC3 statistics showing a significant increase in total losses during 2018 (source: FBI IC3)
I highly encourage you, dear reader, to download the report and read for yourself as there are several other interesting statistics to analyze.
To stay up to date with the latest digital risk and threat intelligence news, subscribe below.