On April 22, the Federal Bureau of Investigation (FBI) released its Internet Crime Complaint Center (IC3) Internet Crime Report for 2018. The IC3, which was established in 2000, provides the public with an online reporting mechanism “to submit information to the FBI concerning suspected Internet-facilitated criminal activity, and to develop effective alliances with industry partners.” The IC3 staff analyzes and disseminates information about online crime for investigative and intelligence purposes, for law enforcement, and for public awareness.
The report stated that in 2018, the IC3 received 351,937 complaints (the highest annual total since 2014), which reflected reported victim losses of more than $2.7 billion (nearly twice the 2017 victim losses of more than $1.4 billion). “Hot topics” in the Report included the following:
- Business Email Compromise (BEC)/E-mail Account Compromise (EAC): BEC/EAC scams target both businesses and individuals performing wire transfer payments, and involve compromises of “legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.” In 2018, the IC3 reported that it received 20,373 BEC/EAC complaints with adjusted losses of more than $1.297 billion. In particular, it noted that there was an increase in the number of BEC/EAC complaints requesting that victims purchase gift cards. In those schemes, victims “received a spoofed email, a spoofed phone call or a spoofed text from a person in authority requesting the victim purchase multiple gift cards for either personal or business reasons.”
- Payroll Diversion: Payroll diversion schemes involve targeting of employees through phishing emails designed to capture an employee’s login credentials. Once the cybercriminal has obtained an employee’s credentials, the credentials are used to access the employee’s payroll account. The cybercriminal will typically add rules to the employee’s account preventing the employee from receiving alerts regarding direct deposit changes. The cybercriminal will then change the direct deposit information, redirecting the payroll funds to an account controlled by the cybercriminal, which is often a prepaid card. Institutions most affected by this scam have been education, healthcare, and commercial airway transportation.
In 2018, the IC3 reported receiving approximately 100 payroll-diversion complaints with a combined reported loss of $100 million.
- Tech Support Fraud: Tech support fraud schemes involve contacts from individuals falsely claiming that victims need their assistance to resolve problems with the victims’ computers. The IC3 stated that tech support fraud “continues to be a growing problem,” as it received 14,408 tech support-related complaints in 2018 from victims in 48 countries, with reported losses of nearly $39 million (a 161 percent increase in losses from 2017). The IC3 also observed that the majority of tech-support fraud victims reported being more than 60 years old.
- Extortion: The IC3 stated that in 2018, it received 51,146 extortion-related complaints, with adjusted losses of more than $83 million (a 242 percent increase in extortion-related complaints since 2017). The types of online extortion schemes that victims reported included:
  - Denial of Service attacks.
  - “Hitman” schemes (i.e., emails threatening to kill recipients and/or their families unless a fee is paid).
  - “Sextortion” (i.e., emails threatening “to distribute an individual’s private and sensitive material unless the individual provides the perpetrator images of a sexual nature, sexual favors, or money”). The IC3 reported that the majority of extortion complaints it received in 2018 “were part of a sextortion campaign in which victims received an email threatening to send a pornographic video of them or other compromising information to family, friends, coworkers, or social network contacts if a ransom was not paid.”
  - Government impersonation schemes.
  - Loan schemes.
  - High-profile data breaches.
The IC3 also commented that cybercriminals conducting extortion schemes commonly demand virtual currency as the payment mechanism to add an additional layer of anonymity.
After BEC/EAC schemes, the next highest reported losses from online schemes included confidence fraud/romance scams ($362,500,761), investment schemes ($252,955,320), nonpayment/nondelivery ($183,826,809), and real estate ($149,458,114). With regard to ransomware schemes, which have received substantial publicity in recent months for targeting prominent businesses, the IC3 stated only $3,621,857 in losses, but cautioned that it does not include estimates of lost business, time, wages, files, equipment, or any third party remediation services acquired by a victim. In some cases victims do not report any loss amount to the FBI, thereby creating an artificially low ransomware loss rate. Lastly, the number only represents what victims report to the FBI via the IC3 and does not account for victim direct reporting to FBI field offices/agents.
Note: While this IC3 report is based on voluntary reports from the public rather than a random survey of businesses or the general population, the volumes of complaints and reported losses are substantial enough to warrant companies and government agencies sharing the report with their information-security and compliance teams. Selected data from the report can also be included in cybersecurity-related training courses and materials.