The high cost of cyber crime
- By Derek B. Johnson
- Apr 29, 2019
In 2018, losses due to cyber crime topped $2.7 billion, up from $1.4 billion in 2017, according to the FBI's latest annual Internet Crime Report.
The bureau's Internet Crime Complaint Center (IC3) received more than 20,000 complaints from organizations about business email compromise, a catch-all phrase for crimes that leverage phishing, targeted email spoofing and other forms of credential theft to facilitate the fraudulent transfer of funds.
Five years ago, BEC scams routinely spoofed the email accounts of CEOs with requests to wire payments to fraudulent locations. Since then, the report said, emails from personal accounts, vendors and lawyers have been spoofed, often requesting W-2 information or targeting of the real estate sector.
In one instance, a New Jersey town victimized by a BEC scam ended up transferring more than $1 million to a fraudulent account. The FBI said its Recovery Asset Team and Newark field office worked with the town's financial institution to freeze and eventually return the stolen funds.
Extortion schemes dangling stolen or sensitive data in exchange for money saw an explosion of growth in 2018, with 51,146 complaints and $83 million in adjusted losses. That represents a 242% increase from 2017. Cyber criminals are more frequently using those schemes in conjunction with high-profile data breaches, denial-of-service attacks and government impersonation schemes.
As with previous years, the report illustrated how susceptible older Americans are to internet crime. Approximately $1.15 billion and more half the total victims in 2018 were over the age of 50, and Americans over 60 were the most likely to fall prey to such scams.
The FBI received more than 351,000 complaints from businesses and organizations in 2018, or about 50,000 more than it received the year before. That continues what has been a steady trend of increased reporting over the past five years, something officials have said is the result of constant outreach efforts and engagement by FBI officials with the private sector.
"Our No. 1 piece of advice [to companies] would be to have an incident response plan … and No. 2, and probably very close second if not tied, is to notify us," Amy Hess, executive director of the FBI's Criminal, Cyber, Response and Services branch, said at an April 16 public event.
Law enforcement officers can also access the IC3 database, which recently expanded its remote search capabilities. Users can run reports filtered by city, state, county and country, as well as by crime type, and export the results to Excel or as a PDF. The remote access helped the Putnam County Sheriff’s Office in Carmel, N.Y., identify three related IC3 complaints in less than an hour.
FBI leaders have emphasized just how much of the bureau's work has shifted in recent years to rely on digital forensics and evidence for virtually every type of crime or counterintelligence area it works on. A big part of the new model for success involves building trust in the private sector so companies that are victims of cyber crime aren't reluctant to share what they know with investigators.
"I understand of course the mindset in the past of, 'Hey wait a minute that brings risk to me because now I'm exposed, and what are you going to do with that information?'" Hess said. "We're not going to then 'out' you to the world and say, 'Hey this is what happened to them,' she said. "We do want to strive for two things. One: attribution, to try to figure out who did it and hold them accountable. In the meantime, we also want to try to share that information out there, non-attributable … to put it in such a way that other consumers can defend themselves."
This article was first posted on FCW, a sibling site to GCN.
Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.
Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.
Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at [email protected], or follow him on Twitter @derekdoestech.
Click here for previous articles by Johnson.