The introduction of the most recent FBI Internet Crime Report says, “At the FBI, we know ‘cyber risk is business risk’ and ‘cybersecurity is national security.’” And the numbers in the report back up this statement. The FBI report details more than 800,000 cyber crime-related complaints filed in 2022. Meanwhile, total losses were over $10 billion, shattering 2021’s total of $6.9 billion, according to the bureau’s Internet Crime Complaint Center (IC3).
Top Five Cyber Crime Types
In the past five years, the IC3 received a total of 3.26 million complaints, representing $27.6 billion in losses. During 2022, the top five cyber crime types were:
- Phishing: 300,497 complaints.
- Personal Data Breach: 58,859 complaints.
- Non-Payment / Non-Delivery: 51,679 complaints.
- Extortion: 39,416 complaints.
- Tech Support: 32,538 complaints.
The FBI also outlined various threat overviews in their report. These overviews included business email compromise (BEC), investment scams, ransomware and call center fraud.
Business Email Compromise (BEC)
In 2022 the IC3 received 21,832 complaints related to BEC, which caused losses of over $2.7 billion. In BEC scams, fraudsters use social engineering or hacking methods to gain access to legitimate business email accounts to enable unauthorized transfers of funds.
As the battle between threat actors and security teams escalates, BEC has also evolved. Historically, these schemes relied on compromised vendor emails, W-2 information requests, real estate sector scams or requests for large amounts of gift cards. More recently, attackers increasingly utilize custodial accounts held at financial institutions for cryptocurrency exchanges. They may also ask victims to send funds directly to cryptocurrency platforms where funds can be quickly dispersed.
Last year, the IC3 also noticed a subtle shift in the targets of BEC scams. Actors are now targeting victims’ investment accounts in addition to traditional banking accounts. Furthermore, bad actors are increasingly spoofing legitimate business phone numbers to confirm fraudulent banking transactions. This technique is particularly effective as it provides the appearance of legitimacy to the scam.
As a result, the FBI stresses multi-factor authentication as essential for adequate security. It’s also crucial to scrutinize all email addresses, URLs and spelling used in any bank correspondence. Users should never click on links in unsolicited emails or text messages that ask them to verify account information.
Investment Scams
The IC3 report revealed that the most costly cyber crime category in 2022 was investment fraud. Reported losses from investment fraud rose from $1.45 billion in 2021 to $3.31 billion in 2022, an increase of 127%. Cryptocurrency investment fraud accounted for a major portion of these losses, rising from $907 million in 2021 to $2.57 billion in 2022 (a 183% increase).
Reports indicate that the most targeted individuals for this type of fraud are aged 30 to 49. This highlights the need for increased awareness and caution when it comes to investing in cryptocurrencies.
Some common crypto-investment scams outlined in the IC3 report include:
- Liquidity Mining: Victims are duped into linking their cryptocurrency wallet to a fraudulent liquidity mining application that siphons funds without authorization.
- Social Engineering: Actors use hacked social media accounts to promote fraudulent investment opportunities using cryptocurrency. This involves targeting existing friends of the hacked user.
- Celebrity Impersonation: Scammers impersonate celebrities or social figures to engage with a target. Actors then entice the victim with false cryptocurrency investment opportunities, which are actually schemes to take money from victims.
- Real Estate Agent: Cyber criminals contact real estate agents and offer to buy a property for cash or cryptocurrency. Once engaged, the fraudster shares details about fictitious accounts with a purported value of millions of dollars. The actors then entice real estate agent victims to engage in an investment scheme.
- Job Scams: Victims apply for fake jobs posted online at an investment firm or company affiliated with investing. Instead of a job offer, the victims are offered fraudulent investment advice designed to steal their money.
Ransomware
The IC3 reported that in 2022, it received a total of 2,385 complaints classified as ransomware. Adjusted losses associated with ransomware totaled more than $34.3 million.
Phishing, Remote Desktop Protocol (RDP) exploitation and software vulnerabilities were the most commonly reported initial infection vectors for ransomware incidents reported to the IC3. Businesses and individuals must take steps to protect themselves against these types of attacks, including keeping software and systems up to date, implementing strong access controls and educating employees on how to spot phishing attempts.
The top five sectors affected by ransomware, according to the IC3 report, are:
- Healthcare and Public Health
- Critical Manufacturing
- Government Facilities
- Information Technology
- Financial Services
The top three ransomware variants reported to the IC3 were:
- LockBit: 149 incidents.
- ALPHV/BlackCat: 114 incidents.
- HIVE: 87 incidents.
The FBI does not encourage paying a ransom to criminal actors. The IC3 report says:
“Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware and/or fund illicit activities. Paying the ransom also does not guarantee that a victim’s files will be recovered.”
Call Center Fraud
According to the IC3, illegitimate call centers defraud thousands of victims every year. Tech / Customer Support Fraud and Government Impersonation were responsible for over $1 billion in losses in 2022. Call centers overwhelmingly target the elderly, with devastating effects. Almost half of the victims (46%) report being over 60, and they account for 69% of the losses (over $724 million).
The majority of call center scams originate from South Asia, particularly India. For this reason, the Department of Justice (DOJ) and the FBI are partnering with law enforcement in India (Central Bureau of Investigation in New Delhi and local Indian states) to combat cyber financial crimes and transnational call center fraud.
U.S. victims of call center fraud have provided testimony for use in legal proceedings against the alleged perpetrators. The IC3 states that this joint effort between U.S. and Indian law enforcement agencies is critical in bringing these criminals to justice and preventing future victimization.
Fighting Cyber Crime Loss
When it comes to ransomware, the FBI report states, “Regardless of whether you or your organization have decided to pay the ransom, the FBI urges you to report ransomware incidents to the IC3. Doing so provides investigators with the critical information they need to track ransomware attackers, hold them accountable under U.S. law and prevent future attacks.”