The amount of reported losses from cybercrime nearly doubled in 2018 to $2.7 billion, with almost half of that from business email schemes that targeted wire transfer payments, according to the FBI’s 2019 Internet Crime Report.
The report, prepared by the FBI’s Internet Crime Complaint Center, said it received approximately 352,000 complaints about cybercrime activity last year. The center has averaged about 300,000 complaints in each of several prior years, but the reported losses climbed from $800.5 million in 2014 to $1.42 billion in 2017.
The report attributed $1.2 billion of last year’s reported losses to business email scams that use legitimate email accounts through “social engineering” or computer intrusion to conduct unauthorized fund transfers. Over the years, the scam has grown to include spoofed personal, vendor, attorney, and real estate-related emails.
As it happens, tracking down unauthorized payments is one of the areas where the FBI has had some success in recovering losses. In February, the bureau launched a Recovery Asset Team to focus on recovering monies lost through business email scams, according to the report. In 2018, the FBI recovered $257 million that had been wired by cybercrime victims, a recovery rate of 75%, the report says.
No other category of cybercrime caused nearly as much in reported losses as business email scams. The closest was “confidence fraud/romance,” where a criminal deceives a victim into believing they have a trusting relationship. In another version, grandparents are made to believe their grandchild needs immediate financial assistance. According to the report, 18,493 victims of confidence scams reported $362.5 million in losses last year.
Investment scams caused a reported $253 million in losses from 3,583 victims in 2018. Typically, victims are induced to make purchases on the basis of false information. Usually large returns are offered with minimal risk.
Cyber extortion caused 51,146 complaints and $83 million in losses in 2018, a 242% increase in complaints from the previous year. The FBI said the majority of those complaints involved “sextortion,” in which a criminal threatens to send a pornographic video to family members and friends of the victims unless ransom is paid.
Surprisingly, many types of cybercrime that have received press attention in the past year, such as malware, phishing, and ransomware, caused a relatively minor amount of the reported losses. Ransomware scams, which were known to wreak havoc on several large institutions last year, caused only $3.6 million in losses, according to the report.
But that number was marked with an asterisk. In a footnote, the report notes that the reported losses do not include lost business, time, wages or the cost of vendors paid to recover compromised computer networks. Often ransomware losses are not reported. Also, the reported losses include only what is reported directly to the Internet Crime Complaint Center and not cases that are referred to FBI field offices and agents.
Bill Siegel, a partner in the cybersecurity firm Coveware, said he believes the actual losses from ransomware attacks are 10 to 20 times the amount noted in the Internet Crime Report. He said many ransomware crimes are not reported because victims know that it is difficult for law enforcement to track down the recipients of ransom that is paid through Bitcoin, as almost all ransoms are.
But Siegel said victims should be reporting ransomware crimes. Firstly, he said there is some chance that the money will be recovered. Secondly, he said, the government will not allocate resources to combat a problem if it doesn’t know that problem exists.
“If no one reported that bank robberies were a problem, the government wouldn’t staff people to deter bank robberies,” Siegel said.
This article is a repost from Claims Journal.