U.S. losses in 2020 exceed $ 4.2 billion
Business Email Compromise (BEC), cybercrime, fraud management and cybercrime
$ 1.8 billion stolen from business email scams, FBI reports
Mathew J. Schwartz (euroinfosec) •
March 18, 2021
Online crime has increased during the pandemic, with more than $ 4.2 billion in losses reported by victims to U.S. authorities in 2020.
This is what the FBI says in its latest annual Internet Crime Report, noting that its Internet Crime Complaints Center, or IC3, has received nearly 792,000 reports from victims of alleged Internet-facilitated crimes. ‘last year. This record number represented a 69% increase from the 300,000 complaints registered in 2019.
“The top three crimes reported by victims in 2020 were phishing scams, non-payment or non-delivery scams, and extortion,” the FBI said. “Victims lost the most money to business email scams, love and trust schemes, and investment fraud.”
In 2020, total reported losses from business email scams reached $ 1.8 billion, with an average loss of $ 92,932, compared to $ 1.7 billion in reported BEC losses – and an average loss of 72,000. dollars – in 2019, reports the FBI. Phishing scams resulted in losses of over $ 54 million in 2020.
As the COVID-19 pandemic continued, IC3 reports that last year it received more than 28,500 COVID-19 fraud complaints. Many of them involved fraudsters trying to make bogus claims under the Coronavirus Help, Relief and Economic Security Act – aka CARES – which was designed to help small businesses. But through a combination of tactics, including the use of phishing attacks to steal personally identifiable information, some organizations have discovered during a request for funds that someone else has already done so fraudulently in their name.
Meanwhile, tech support fraud – masquerading as a customer support representative for banks, utility companies, e-commerce giants and cryptocurrency exchanges – continued to be lucrative, representing over $ 146 million in losses last year, an increase of 171% from 2019.
“Although pandemic lockdowns caused a brief slowdown in this fraud activity, victims still reported an increase in incidents and losses related to tech support fraud,” the FBI said, noting that in 2020, it had received 15,421 complaints from victims in 60 countries.
$ 29 million in reported ransom payments
Criminals also continue to resort to extortion, particularly in the form of ransomware attacks, in which they demand ransom in exchange for the promise of a decryption tool or a promise not to disclose or sell. stolen data.
In 2020, IC3 received a total of 2,474 ransomware complaints, with total reported losses exceeding $ 29 million.
This last statistic, however, carries a big caveat: “This number does not include estimates of lost business, time, wages, files or equipment, or third party repair services acquired by a victim, “the FBI notes – meaning the ransomware losses were much greater.
“In some cases, victims fail to report any amount of loss to the FBI, creating an artificially low overall ransomware loss rate,” the agency notes. “The number represents only what victims report to the FBI via IC3 and does not take into account direct reports of victims to FBI offices or agents in the field.”
Authorities continue to urge victims never to pay a ransom, although in most cases this is not illegal. “Paying a ransom can embolden adversaries to target additional organizations, encourage other criminal actors to engage in ransomware distribution and / or fund illicit activity,” notes the FBI. “Paying the ransom also does not guarantee that a victim’s files will be recovered.”
Law enforcement officials also continue to urge victims to come forward and report attempted – or successful – crimes, including ransomware incidents, even when paying ransom.
As the pandemic led to an increase in coronavirus-themed crime, governments urged victims to help them mitigate the outbreak by immediately reporting such attempts. And the same goes for ransomware attacks, says the FBI.
Immediate reporting can block fraud
“Publishing public reports is essential to the mission and success of IC3. Submitting a cybercrime complaint to IC3.gov not only helps the FBI process specific complaints – and provide support and assistance to victims – but also helps us prevent further crimes by finding and detaining criminals. responsible actors, ”said FBI Deputy Director Paul Abbate. “The information reported to the IC3 helps the FBI better understand the motivations of cybercriminals, the evolution of the threat posed and the tactics used, allowing us to work more effectively with our partners to mitigate damage to victims.
For example, IC3 launched its Recovery Asset Team – or RAT – in February 2018 to work with banks and help recover funds transferred by U.S. fraud victims to domestic banks.
Last year, the FBI reported that the RAT team contributed to 1,303 incidents and was able to help recover 82% of the funds stolen in those cases. Funds frozen last year totaled $ 380 million out of $ 463 million in reported losses.
The FBI recommends that any organization that suspects it has been the victim of a BEC attack “contact the originating financial institution as soon as the fraud is recognized to request a recall or cancellation and a” letter of formal notice “or” letter. compensation “. says they should also” file a detailed complaint on www.ic3.gov “, and notes that” it is essential that the complaint contains all the required data in the fields provided, including banking information ” .
Success Stories: Asset Recovery Team
The FBI claims it has been able to recover money stolen from internet fraud schemes, even after it has been moved overseas or converted to cryptocurrency.
In June 2020, according to the agency, a victim company located in St. Louis filed an IC3 report indicating that it had wired $ 60 million to fraudsters who were controlling a bank account in Hong Kong. As the report came too late for the “International Financial Fraud Channel” to be employed, the FBI says its Hong Kong legal attorney worked with local police to prevent the wire transfer from being added to the account. of the recipient, which resulted in the full return. missing funds.
Also in June 2020 – several months after the start of the pandemic – the FBI said that a Chicago company specializing in the production of hand sanitizers, believing it was investing in ventilators, sent a fraudster close to ‘one million dollars via two wire transfers. The company reported the alleged scam to the FBI, which said it was able to reverse the second wire transfer through the nationwide financial fraud elimination chain.
But the previous payment had already been wired to a cryptocurrency exchange at another bank and the funds had been converted to bitcoin. “The collaboration with the bank, which housed the cryptocurrency account, and with the company that held the cryptocurrency account, helped chart the path of the wallet of funds once converted to bitcoin,” says the FBI.
While it does not appear that these funds have been recovered yet, previous cases have shown that investigators often identified suspects months or years later, as more intelligence and evidence emerged.
Primary target: elderly victims
A final trend highlighted in the latest FBI Internet Crime Report is the increase in the number of fraudsters targeting people aged 60 and over. While not all crime reports include the age of the victim, scammers seem to target older people in particular. “Victims over the age of 60 are targeted by perpetrators because they are believed to have significant financial resources,” says the FBI.
The main scams encountered by older victims include:
- Advance fee systems, which consist of guaranteeing advance payment for goods or services that never arrive;
- Investment fraud schemes;
- Romantic scams;
- Tech support scams, with 84% of all known losses in 2020 – over $ 116 million – going to people aged 60 and over;
- Grandparent scams, in which fraudsters pose as a relative of the victim in distress;
- Government Identity Theft Scams;
- Raffle / charity / lottery scams;
- Home repair scams;
- TV / radio scams;
- Family / caregiver scams, which can lead victims to apply for bogus jobs and be tricked into handling stolen goods or redirecting stolen funds.
“If perpetrators are successful after first contact, they will often continue to victimize these individuals,” says the FBI.