FBI: $3.5B Lost in 2019 to Known Cyberscams, Ransomware

Cybercriminals double down on successful internet scams, with a focus on phishing, BEC and other defrauding schemes that have proven to work.

Cybercriminals are focusing on previously successful internet scams to defraud businesses and individuals in the United States out of more money than ever before, according to the FBI’s annual report on cybercrime. Meanwhile, ransomware continues to take a big financial toll on victims.

Businesses and individuals lost $3.5 billion to cybercriminals last year while reporting more incidents of internet crime to the FBI than any year previously, according to the bureau’s Internet Core Competency Certification (IC3) 2019 Internet Crime Report, which was released on Tuesday.

The results demonstrate that cybercrime is flourishing despite increased awareness of cyber-scams and improved security products. People reported 467,361 complaints of cybercrime to the FBI in 2019—an average of nearly 1,300 incidents every day, and more than 100,000 more than the year prior, according to the report.

The success of cybercriminals in 2019 may be the results of their doubling down their efforts on scams that have already proven successful rather than inventing new ones, said Donna Gregory, the chief of IC3, in a press statement. Phishing and similar ploys, non-payment/non-delivery scams and extortion were the top crime complaints reported to the FBI in 2019.

She said that rather than see instances of new types of fraud, instead the FBI saw cybercriminals honing their skills with scams they know work — improving their approaches to make it more difficult for victims to detect or defend against the crime.

“Criminals are getting so sophisticated,” she said. “It is getting harder and harder for victims to spot the red flags and tell real from fake.”

Indeed, just last week a new phishing scam surfaced that can deliver sophisticated malware called Anubis to Android mobile devices to steal user credentials, install a keylogger and even hold a device’s data for ransom.

However, the attacks that proved most costly to victims were different than those most-seen by the FBI last year, although these scams also are widely reported and proven to be effective. The 2019 report found that business email compromise (BEC), romance or confidence fraud, and spoofing (mimicking the account of someone known to the victim to gather personal or financial information) are the crimes that defraud people and businesses out of the most money, according to the report.

BEC or email account compromise alone cost people $1.7 billion in 2019, according to the report. The FBI received 23,775 reports of these scams—in which cybercriminals use social engineering or computer intrusion to transfer money from legitimate accounts to ones they can access. Indeed, security researchers also have reported a steady increase in the number of these type of attacks over the last several years.

Meanwhile, cybercriminals are continuing their raids on companies and government agencies with ransomware. The FBI’s Internet Crime Report reveals while the number of ransomware attacks decreased last year, the amount of loses increased and ransomware is now spiking back up.

“It’s interesting to see this trend gaining momentum regardless of the ever-increasing investment in cybersecurity solutions that should have stopped ransomware from infecting user devices and causing damage,” said Tal Zamir, Founder and CTO of Hysolate, via email. “Typical anti-ransomware solutions use endpoint security agents that are embedded in the operating system and try to protect it from malicious software. However, this approach is bound to fail as the underlying operating systems are bloated monolithic operating systems written decades ago and have hundreds of millions of potentially vulnerable lines of code. The current cat-and-mouse approach to fighting ransomware will not solve the problem — enterprises and individuals seeking to protect themselves against ransomware should consider fully segregating/isolating their sensitive resources, both local files and access to sensitive cloud resources.”

The FBI’s IC3 began reporting on cybercrime complaints in 2015, and there has been an uptick every year in the number of crimes reported—part of which could be attributed to more awareness over the years that the reporting program exists.

Losses, too, have steadily increased over the six years of reporting. In 2018, $2.7 billion in losses were reported to the FBI, which was a sharp increase over the prior year, when people reported $1.4 billion in cybercrime losses. Since reporting began, more than 1.7 million complaints have been logged by the bureau, resulting in $10.2 billion in losses.

While both companies and individuals get caught up in internet crime, companies that conduct their businesses online take the biggest hit for online scams — because they have to pay twice, noted one internet fraud expert.

“When stolen payment card info or login credentials are used to make purchases, e-tailers are left ‘holding the bag’ and are left responsible for not only refunding defrauded customers, but also for paying chargeback fees from the payment provider,” Kevin Lee, trust and safety architect at Sift, said in an email to Threatpost.

Learn how Operational Technology and Information Technology systems are merging and changing security playbooks in this free Threatpost Webinar. Join us Wednesday, Feb. 19 at 2 p.m. ET when a panel of OT and IT security experts will discuss how this growing trend is shaping security approaches for IoT and 5G rollouts. This webinar is for security and DevOps engineers, IoT edge developers and security executives.

 

 

 

Suggested articles

Discussion

  • Gerard Grealish on

    Some worrying statistics and some good suggestions on counter-measures. I also suggest looking at Remote Browser Isolation technology to neutralize threats hidden in active web content and to help prevent phishing attacks and credential theft via we-based e-mail.
  • Anonymous on

    IC3 does not, in this FBI, stand for Internet Core Competency Certification but rather their Internet Crime Complaint Center. :)

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.